Exetools  

#1
10-20-2024, 17:52
rkc3214
Obfuscation for ninjascript

Hi everyone

I am a professional in finance and I specialise in automated trading strategies, and I've been doing work outside of my job for clients who want code obfuscation, mostly for NinjaTrader.

I have a background in C# but I have little to no experience with obfuscating code. My questions are: how best can I obfuscate my code, and what tools can be used to bypass said obfuscation?

I'm aware of Agile.NET and I've come across virtualization, but I do not understand if it can be applied to a compiled DLL via NinjaTrader. Any help would be appreciated.

My understanding is that the code can be deobfuscated; I just don't quite know how to piece it together.

Apologies if this post violates the rules. I can take it down if needed.

#2
10-20-2024, 18:01
sendersu
There is a tool to remove Agile - https://github.com/SychicBoy/AgileDotNetSlayer
(not sure if it takes care of it if the code is vt-zed)

Regarding obf - I'd recommend VMP latest ver, it's very strong and aggressive stuff and it supports .NET + VT

#3
10-21-2024, 18:57
rkc3214
Quote (originally posted by sendersu):
> There is a tool to remove Agile - https://github.com/SychicBoy/AgileDotNetSlayer
> (not sure if it takes care of it if the code is vt-zed)
>
> Regarding obf - I'd recommend VMP latest ver, it's very strong and aggressive stuff and it supports .NET + VT

So I've tried the dotnetslayer but it could not handle the obfuscation.

I've tried SMD for Agile and it says it managed to decrypt x number of methods, but going into dnSpy showed nothing changed; the file size was 1 KB larger.

Am I correct in saying that if an Agile deobfuscator works, de4dot would then be used to de-virtualise?

#4
10-21-2024, 19:45
sendersu
No, de4dot is deprecated/archived
https://github.com/de4dot/de4dot
and has not been updated for 5 years already...
It was never able to devirt Agile.NET prot.

#5
10-21-2024, 20:05
rkc3214
I am mistaken then; I was reading that regardless of the deprecation it would work. Silly to think that in hindsight.

How would someone go about devirtualisation then?

#6
10-22-2024, 00:07
sendersu
The only guy I know who does it (on a commercial basis) is the author of the Slayer apps - SychicBoy

#7
10-22-2024, 08:47
rkc3214
Quote (originally posted by sendersu):
> The only guy I know who does it (on a commercial basis) is the author of the Slayer apps - SychicBoy

So it's not a common thing.

I am trying to deobfuscate a current DLL and I wanted to ask how everything fits in.

1. Is SMD for Agile a decrypter or a deobfuscator? I assume decrypter explicitly.

2. If my DLL was decrypted, would I then need to deobfuscate first or devirtualize? How does demutilating come into it, or is it even a thing in my case?

I appreciate your patience.

#8
10-22-2024, 14:22
sendersu
The Agile Slayer tool will tell you about the options applied:
1) for code encryption:
"CODE ENCRYPTION HAS BEEN DETECTED, INCOMPLETE DEOBFUSCATION OF THE ASSEMBLY MAY RESULT."

2) for code virtualization:
"CODE VIRTUALIZATION HAS BEEN DETECTED, INCOMPLETE DEOBFUSCATION OF THE ASSEMBLY MAY RESULT."

All times are GMT +8.