EXETOOLS FORUM  

#1  04-21-2017, 04:23  yologuy (Friend; Join Date: Nov 2016; Posts: 5)
Starting .net deobfuscating

Hello everyone. I don't really know if this is a good place or not for this kind of stuff, since all the forums seem to be more about releases than help threads.
So if it's not in the mentality of the board, feel free to remove my topic.

Ok, let's start. I'm currently working on a .net dll which is obfuscated.
To be clear, I already did some reversing in .net but nothing fancy, since I don't know .net, only python / C++.

Of course I tried de4dot, which in all my previous cracks worked very well, and with Reflector / Reflexil I easily fix it.
But not this time. So I have to dig a bit deeper into this shit.

Class names / method names / strings are encrypted; basically everything is encrypted. You can look at this screenshot, everything is like that:
hxxp://img15.hostingpics.net/pics/482373WTF.jpg

So I come here to ask for some help about where to start in this kind of work? 'Cause I'm totally lost. Is there any API method to trace?
Do you have any clue for finding which obfuscator is used? (I don't really know, but it's a pretty big plugin, 500$/y, so they could have implemented their own obfuscator; it would not surprise me at all.)
I can share the dll if needed but I really want to understand this shit. So if you just post me the cleaned dll I will be happy, but it's kinda useless for me.

Thanks in advance.

Last edited by yologuy; 04-21-2017 at 04:30.
#2  04-21-2017, 04:42  YuqseLx (Friend; Join Date: Jan 2016; Location: Turkey; Posts: 5)
de4dot tells you which obfuscator is used, I think. If I'm not wrong it's Crypto Obfuscator. What does de4dot say about that? Or does it give any error?
#3  04-21-2017, 05:05  yologuy (Friend; Join Date: Nov 2016; Posts: 5)
It just told me "Detected Unknown Obfuscator". That's why I need to do it manually.
hxxp://img15.hostingpics.net/pics/219005ornatrix.jpg
Anyway, thanks for answering!

Btw, it's the latest version from hxxp://forum.exetools.com/showthread.php?t=13951&pp=40&page=5
#4  04-21-2017, 05:14  YuqseLx (Friend; Join Date: Jan 2016; Location: Turkey; Posts: 5)
If you send the dll, I want to look at it.
#5  04-21-2017, 05:40  yologuy (Friend; Join Date: Nov 2016; Posts: 5)
hxxps://www.sendspace.com/file/idd2ll
#6  04-21-2017, 10:17  H4vC (Friend; Join Date: Jan 2017; Posts: 26)
Eazfuscator v3 (or something that really looks like it).
It should be easy to understand once cleaned with de4dot; you can check it out with dnSpy.

Last edited by H4vC; 04-21-2017 at 10:22.
#7  04-22-2017, 00:54  yologuy (Friend; Join Date: Nov 2016; Posts: 5)
Did you tag it only visually because you know it, or is there something that indicates it's this obfuscator? Anyway, thanks for the reply!
#8  04-22-2017, 02:07  H4vC (Friend; Join Date: Jan 2017; Posts: 26)
The method obfuscation #=encoded== is pretty telling.
#9  04-23-2017, 23:59  yologuy (Friend; Join Date: Nov 2016; Posts: 5)
Searching a bit for Eazfuscator deobfuscation, I get something a bit more understandable with StringDecryptor from CodeCracker and with de4dot. But that fucked all the strings, since now they are all equal to "X0X". But with that I'm able to rename all the methods/classes, which is useful!

Then any clue for string decryption would be appreciated. Thanks in advance!

EDIT: Ok, looks like I succeeded in unpacking it with string decryption using
Code:
de4dot-x64.exe MyDll --strtyp delegate --strtok 06000198

For other people: I first run de4dot without any string decryption (like that I can easily track which method is used).
Then I look at some GetEnvironmentVariable (which are called with a string).
And I saw all strings are called by smethod_0(). So I simply go to this function, check its token with dnSpy and re-run de4dot for string decryption.

Can be stupid, but is there a way to go to a specific token in dnSpy or Reflector?
And is it possible to just add comments into the source code? It would really help me for reversing.

Anyway, thank you a lot guys!

Last edited by yologuy; 04-24-2017 at 01:17.
#10  04-29-2017, 16:38  tonyweb (Family; Join Date: Jan 2009; Posts: 104)
@yologuy
Nice work. Thanks for your "solution-sharing"

In dnSpy you can, of course, reach a specific MD token with CTRL+D (Go to MD token ...) and enter the method token.
Remember to always enter the '0x' prefix.

About comments/remarks ... you could try to add a feature request on the de4dot main page.
But I guess it won't be a top priority for 0xd4d.

Regards,
Tony
__________________
Want to learn unpacking ... but I'm too stupid
The Following 3 Users Say Thank You to tonyweb For This Useful Post:
niculaita (04-29-2017), TechLord (04-30-2017)
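The two mechanics the thread turns on, the metadata token passed to de4dot as `--strtok 06000198` and typed into dnSpy's Go to MD token dialog with a `0x` prefix (posts #9 and #10), and the `#=...==` method-name pattern H4vC used to identify the obfuscator (post #8), as an added Python example that is not part of this thread and not code from de4dot or dnSpy. It assumes the table numbers of the ECMA-335 metadata layout (0x06 = MethodDef, 0x70 = user-string heap) and a constructed `#=` name regex and sample name list; nothing here is taken from the shared dll.

```python
"""Decode .NET metadata tokens and flag Eazfuscator-style renamed identifiers.

A metadata token is a 32-bit value: the top byte selects the metadata table,
the low 24 bits are the row id (RID). de4dot's --strtok takes the hex value
without a prefix; dnSpy's Go to MD token dialog wants it with the 0x prefix.
"""
import re

# Assumption: table numbers per ECMA-335 II.22 (only the common ones listed).
TABLE_NAMES = {
    0x00: "Module", 0x01: "TypeRef", 0x02: "TypeDef", 0x04: "Field",
    0x06: "MethodDef", 0x08: "Param", 0x09: "InterfaceImpl", 0x0A: "MemberRef",
    0x14: "Event", 0x17: "Property", 0x1A: "ModuleRef", 0x1B: "TypeSpec",
    0x20: "Assembly", 0x23: "AssemblyRef", 0x2A: "GenericParam",
    0x2B: "MethodSpec", 0x70: "String",  # 0x70: user-string heap (ldstr)
}


def parse_token(text):
    """Accept '06000198', '0x06000198' or an int; return (table_name, rid)."""
    value = int(text, 16) if isinstance(text, str) else int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit metadata token: {value!r}")
    table = value >> 24          # high byte: which metadata table
    rid = value & 0x00FFFFFF     # low 24 bits: 1-based row in that table
    return TABLE_NAMES.get(table, f"Unknown(0x{table:02X})"), rid


def format_token(table, rid, for_dnspy=False):
    """Build a token from table number and RID; dnSpy form carries the 0x prefix."""
    value = (table << 24) | (rid & 0x00FFFFFF)
    return f"0x{value:08X}" if for_dnspy else f"{value:08X}"


# Assumption: Eazfuscator-style renamed identifiers look like '#=' followed by
# base64-like text and optional '=' padding, as in the '#=encoded==' post above.
EAZ_NAME = re.compile(r"^#=[A-Za-z0-9_$]+={0,2}$")


def eazfuscator_name_ratio(names):
    """Fraction of identifiers that match the '#=...' pattern (0.0 for no names)."""
    if not names:
        return 0.0
    hits = sum(1 for n in names if EAZ_NAME.match(n))
    return hits / len(names)


def looks_like_eazfuscator(names, threshold=0.5):
    """True when at least `threshold` of the identifiers carry the '#=' pattern."""
    return eazfuscator_name_ratio(names) >= threshold


# Constructed sample identifiers (not from any real assembly).
SAMPLE_NAMES = [
    "#=qXf3qY9Kk$2lh7Qm6T0B2Zw==",
    "#=qD8f1_Lw$ka==",
    "#=zAbC",
    "smethod_0",
    "GetEnvironmentVariable",
]


if __name__ == "__main__":
    table, rid = parse_token("06000198")
    print(f"de4dot --strtok 06000198 -> {table} row {rid}")
    print("dnSpy Go to MD token form:", format_token(0x06, rid, for_dnspy=True))
    print("'#=' name ratio:", eazfuscator_name_ratio(SAMPLE_NAMES))
    print("looks like Eazfuscator:", looks_like_eazfuscator(SAMPLE_NAMES))
```

The ratio check is a triage heuristic, not proof: it tells you which obfuscator family to read up on before running a string decryptor, which is exactly the identification step yologuy asked about in post #7.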