Exetools

Exetools (https://forum.exetools.com/index.php)
Thread: Need help community (https://forum.exetools.com/showthread.php?t=20208)

foosaa 07-27-2022 21:09

Need help community
 
Hello Friends,

Need some directions or suggestions. I am currently tasked with reversing a .NET executable, but it is obfuscated. I tried de4dot, but it does not reverse it or provide anything meaningful to process.

dnSpy produces the decompiled source code, which is filled with functions and variables whose names start with #=<long names>. Any idea which obfuscator was used in this case? I'm just trying to see if anyone could quickly guide me in getting the name of the obfuscator, so that I can proceed in that direction to reverse it.

Some sample code to understand the above description:
Code:

// Decompiled output as shown by dnSpy; obfuscated names kept exactly as posted, comments added.
// What the routine does: an LZ77/LZSS-style decompressor.
//   arg 1 = compressed input, arg 2 = read offset into it,
//   arg 3 = output buffer; its Length is the uncompressed size and the stop condition.
private static void #=zGud5JR$F5ZC4Uc23DVuPuwd27lFw(byte[] #=zHs8_4ViFvF5a2_w0qCR6llOqSSXU, int #=zgkLn5h$uSaTrZRI6KiV4dTI5c$kb, byte[] #=zDaQZNdRiqOTXtrgat4kX3ushtupG)
{
    int i = 0;       // write position in the output buffer
    int num = 0;     // current flag byte: 8 flags, consumed LSB first
    int num2 = 128;  // flag mask; wraps to 1 and reloads the flag byte every 8 tokens
    int num3 = #=zDaQZNdRiqOTXtrgat4kX3ushtupG.Length;
    while (i < num3)
    {
        if ((num2 <<= 1) == 256)
        {
            num2 = 1;
            num = (int)#=zHs8_4ViFvF5a2_w0qCR6llOqSSXU[#=zgkLn5h$uSaTrZRI6KiV4dTI5c$kb++];
        }
        if ((num & num2) != 0)
        {
            // Flag set: two-byte back-reference.
            // length   = top 6 bits of the first byte + 3            (3..66)
            // distance = low 2 bits of the first byte, then the second byte (0..1023)
            int num4 = (#=zHs8_4ViFvF5a2_w0qCR6llOqSSXU[#=zgkLn5h$uSaTrZRI6KiV4dTI5c$kb] >> 2) + 3;
            int num5 = (((int)#=zHs8_4ViFvF5a2_w0qCR6llOqSSXU[#=zgkLn5h$uSaTrZRI6KiV4dTI5c$kb] << 8) | (int)#=zHs8_4ViFvF5a2_w0qCR6llOqSSXU[#=zgkLn5h$uSaTrZRI6KiV4dTI5c$kb + 1]) & 1023;
            #=zgkLn5h$uSaTrZRI6KiV4dTI5c$kb += 2;
            int num6 = i - num5;  // copy source inside the already-written output
            if (num6 < 0)
            {
                return;  // distance points before the start of the output: give up silently
            }
            while (--num4 >= 0 && i < num3)
            {
                // byte-by-byte copy, so overlapping (run-length style) references work
                #=zDaQZNdRiqOTXtrgat4kX3ushtupG[i++] = #=zDaQZNdRiqOTXtrgat4kX3ushtupG[num6++];
            }
        }
        else
        {
            // Flag clear: copy one literal byte.
            #=zDaQZNdRiqOTXtrgat4kX3ushtupG[i++] = #=zHs8_4ViFvF5a2_w0qCR6llOqSSXU[#=zgkLn5h$uSaTrZRI6KiV4dTI5c$kb++];
        }
    }
}

Thank you so much for reading and helping.
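The decompiled routine above, re-implemented with readable names as an added example (this is not code from the thread, from dnSpy or from the obfuscator's runtime). When a protected assembly stores its real payload behind a routine like this, a stand-alone re-implementation is what lets you unpack the blob outside the process. The stream format (flag byte, 6-bit length + 3, 10-bit distance) is taken directly from the decompiled code; the names `lz_decompress`, `lz_compress`, `src`, `pos`, `out_len`, the greedy encoder and the sample bytes are assumptions introduced here. The encoder exists only to produce valid input and to show the layout from the writer's side; the packer in the target may pick matches differently, but anything it emits in this format decodes with `lz_decompress`.

```python
# Added example: readable re-implementation of the decompiled LZ77/LZSS-style
# routine above, plus a matching encoder. Names are assumptions; the format is
# exactly what the decompiled C# does.

MIN_LEN, MAX_LEN, MAX_DIST = 3, 66, 1023  # 6-bit length + 3, 10-bit distance


def lz_decompress(src: bytes, pos: int, out_len: int) -> bytes:
    """Mirror of the decompiled method. src = compressed input, pos = read
    offset into it, out_len = size of the output buffer (the original fills a
    caller-supplied byte[] and uses its Length as the stop condition)."""
    dst = bytearray(out_len)
    i = 0
    flags = 0
    mask = 128
    while i < out_len:
        mask <<= 1
        if mask == 256:            # every 8 tokens: reload the flag byte
            mask = 1
            flags = src[pos]
            pos += 1
        if flags & mask:           # back-reference
            b0, b1 = src[pos], src[pos + 1]
            length = (b0 >> 2) + 3
            distance = ((b0 << 8) | b1) & 0x3FF
            pos += 2
            back = i - distance
            if back < 0:
                # The original silently returns here and leaves the rest of the
                # buffer zeroed; raising makes a corrupt or misaligned stream visible.
                raise ValueError(f"back-reference before start of output at {i}")
            while length > 0 and i < out_len:
                dst[i] = dst[back]  # byte-wise, so overlapping copies work
                i += 1
                back += 1
                length -= 1
        else:                      # literal
            dst[i] = src[pos]
            i += 1
            pos += 1
    return bytes(dst)


def lz_compress(data: bytes) -> bytes:
    """Greedy encoder for the same format (assumption: added for testing).
    Layout: one flag byte, then the up-to-8 tokens it describes."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        flag_pos = len(out)
        out.append(0)              # placeholder for the flag byte
        flags = 0
        for bit in range(8):
            if i >= n:
                break
            best_len = best_dist = 0
            for j in range(max(0, i - MAX_DIST), i):
                m = 0
                while m < MAX_LEN and i + m < n and data[j + m] == data[i + m]:
                    m += 1
                if m > best_len:
                    best_len, best_dist = m, i - j
            if best_len >= MIN_LEN:
                flags |= 1 << bit
                out.append(((best_len - 3) << 2) | (best_dist >> 8))
                out.append(best_dist & 0xFF)
                i += best_len
            else:
                out.append(data[i])
                i += 1
        out[flag_pos] = flags
    return bytes(out)


# Constructed sample stream: flag byte 0x08 (bit 3 set), three literals
# 'a' 'b' 'c', then a reference with b0=0x0C (length 6), b1=0x03 (distance 3).
SAMPLE_STREAM = bytes([0x08, 0x61, 0x62, 0x63, 0x0C, 0x03])
SAMPLE_PLAIN = b"abcabcabc"


def roundtrip(data: bytes) -> bool:
    """True if data survives compress -> decompress unchanged."""
    return lz_decompress(lz_compress(data), 0, len(data)) == data


if __name__ == "__main__":
    assert lz_decompress(SAMPLE_STREAM, 0, len(SAMPLE_PLAIN)) == SAMPLE_PLAIN
    assert lz_compress(SAMPLE_PLAIN) == SAMPLE_STREAM
    assert roundtrip(b"the quick brown fox " * 20)
    print("ok")
```

To use this against a real target you still need two things the routine itself does not carry: the compressed bytes (typically a resource or a byte array the obfuscated method reads) and the uncompressed size, which the caller passes in as the length of the destination buffer. Both come out of the call site in dnSpy or from a breakpoint on the method.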

0xall0c 07-31-2022 06:31

It would be better if you posted the binary. BTW, rename the tokens first, remove constant expressions and reorganise the code blocks. Everything mentioned is implemented in de4dot; check out the code and change it according to this obfuscation pattern.

lahma 08-22-2022 03:47

foosaa, what debugger/disassembler did you copy/paste this sample code from? Was it dnSpy or something different? Sometimes it is possible to identify the obfuscator, or at least narrow down the possibilities, just by looking at the way the code is obfuscated in dnSpy. As 0xall0c mentioned, it would be much better if you posted the binary, but even just a screenshot of the binary opened in dnSpy would be better than what you've provided. I could give you a variety of deobfuscator utilities to try, but most are built for specific obfuscators, so we need to determine that first.

Zeokat 08-23-2022 02:38

As others pointed out, without the binary or more information it is hard to tell you anything.

Maybe it is a custom obfuscator; that's why supplying the binary (or the program name, if it can be downloaded) is the best option to get an answer.

Anyway, you can run Detect It Easy by h0rs and check the output: https://forum.exetools.com/showthread.php?t=18882

Hope it helps.
