#151
|
|||
|
|||
Hi,
does someone seen smth like below? looks strange for me as it is about standard type..... d:\>de4dot.exe -v xxxxx de4dot v3.1.41592.3405 Copyright (C) 2011-2014 de4dot@gmail.com Detected Babel .NET xx .............. ERROR: ERROR: ERROR: Caught an exception: ERROR: ERROR: ------------------------------------------------------------------------------ ERROR: Message: ERROR: Could not find method '.ctor' in type 'System.Double[,]' ERROR: Type: ERROR: System.ApplicationException ERROR: ------------------------------------------------------------------------------ ERROR: ERROR: Try the latest version! |
#152
|
|||
|
|||
System.Double[,] is a type that is auto-generated at runtime by the CLR so it's impossible to find the constructor in any assembly (in this case mscorlib). You might need to update ImageReader.cs.
|
The Following User Says Thank You to 0xd4d For This Useful Post: | ||
sendersu (05-25-2015) |
#153
|
|||
|
|||
unable to find binaries, so here is current compiled version from git
Code:
git clone https://github.com/0xd4d/de4dot.git cd de4dot git submodule init git submodule update --recursive msbuild de4dot.sln /t:Build /p:Configuration=Release Code:
http://www8.zippyshare.com/v/vJPSzM2o/file.html |
The Following User Says Thank You to Av0id For This Useful Post: | ||
#154
|
|||
|
|||
Quote:
you said correct thing, but I'm a bit confused and thinking about right mitigation of this kind of issue... here is the case - http://prntscr.com/7a28hl we are reading the instruction, it wants to create the Double [][] array, but no one has that type anywhere...... of course we could not simulate the work of mscorlib (it creates this type in runtime?) so we can't also return null from the reading method...... or we could and have to create the type of Double[][] in runtime then return the ref to it's ctor?...... Please advice thanks |
#155
|
|||
|
|||
Try to create a Double[][], something like: var theSig = new SZArraySig(new SZArraySig(module.CorLib.Double)). If you need a ITypeDefOrRef instead of a TypeSig, call theSig.ToTypeDefOrRef().
|
The Following User Says Thank You to 0xd4d For This Useful Post: | ||
sendersu (05-28-2015) |
#156
|
|||
|
|||
I'm trying to proceed w/lookup of ".ctor" method but can't figoure out how to...
here is what I"ve got so far: http://prntscr.com/7avz3z theSig looks good: theSig = {System.Double[][]} as well as: i2 = {System.Double[][]} also, I'm confused regarding this fact as on picture: td = {System.Double} so generally, I need to ask for advice once again.... thanks in advance |
#157
|
|||
|
|||
There's no Double[][] type until runtime so you can't resolve it at all. Check the structures in the decrypter class and see if you can find the method you need to decrypt.
|
The Following User Says Thank You to 0xd4d For This Useful Post: | ||
sendersu (05-30-2015) |
#158
|
|||
|
|||
thanks for reply, more questions to understand that I'm moving in the right direction:
>There's no Double[][] type until runtime so you can't resolve it at all it means that if I'm working with such a method (that operates w/runtime only types) I'll not be able to decrypt that method at all? >Check the structures in the decrypter class and see if you can find the method you need to decrypt. 1) am I right supposing that all I could do - is to detect such a method(s) that use runtime types and just to skip those in the iterator? 2) are you referring here to the Babel_NET.MethodsDecrypter.decrypt() routine? in my case I"m having 101 methods inside GetEncryptedMethods() list 3) of course I'll be able to identify the method that the tool fails to decrypt, whats the next step then... eg: http://prntscr.com/7b5tum the last one is the faulty one now, having that for example I"ll skip the method that is using runtime type (imageReader.Restore(current.FullName, current.method) how then I'll be able to inspect the source code of it later on? it is possible to have for example 99.9% of methods decrypted and just some - left as is?... again, I"m just trying to understand the tactics here... thanks for your time and assitance, 0xd4d! Last edited by sendersu; 05-31-2015 at 00:36. Reason: +pic |
#159
|
|||
|
|||
It's a method reference, so just convert it from a BabelMethodReference to a MethodRef. You know the owner type, Double[][]. The rest of the info is in BabelMethodReference.
|
The Following User Says Thank You to 0xd4d For This Useful Post: | ||
sendersu (05-31-2015) |
#160
|
||||
|
||||
Any known problem or solutions with DeapSea 3.5 please?. This is the latest recursive update from my namesake. There is a missing resource language file in my test exe. If I use --ds-rsrc False then the ERROR ERROR goes, but I get one warning "WARNING: Could not find resource Test File.lang".
Git F:\Utils\de4dot>de4dot-x64 -f "E:\Test File.exe" -o "E:\Test File2.exe" de4dot v3.1.41592.3405 Copyright (C) 2011-2014 de4dot@gmail.com Latest version and source code: https://github.com/0xd4d/de4dot 21 deobfuscator modules loaded! Detected DeepSea 3.5 (E:\Test File.exe) Cleaning E:\Test File.exe Renaming all obfuscated symbols ERROR: ERROR: ERROR: ERROR: Hmmmm... something didn't work. Try the latest version. F:\Utils\de4dot> |
#161
|
|||
|
|||
That's a warning from the renamer, so try --dont-rename or just ignore the warning msg. Maybe it's still runnable?
|
#162
|
||||
|
||||
Ain't it possible to get a verbose output of error
__________________
The devil whispered in my ear, "you're not strong enough to withstand the storm." Today I whispered in the devils ear, "I am the storm." |
#163
|
|||
|
|||
Command: de4dot.exe -f "D:\xxks\EXAMTEACHER.exe" -o "D:\xxks\EXAMTEACHER_de4dot.exe"
Output: de4dot v3.1.41592.3405 Copyright (C) 2011-2014 de4dot@gmail.com Latest version and source code: https://github.com/0xd4d/de4dot 21 deobfuscator modules loaded! Detected Dotfuscator 12345:1:2:4.2.5000.27554 (D:\xxks\EXAMTEACHER.exe) Cleaning D:\xxks\EXAMTEACHER.exe WARNING: Could not deobfuscate method 06000185. Hello, E.T.: System.ApplicationException Renaming all obfuscated symbols Saving D:\xxks\EXAMTEACHER_de4dot.exe ERROR: Error calculating max stack value. If the method's obfuscated, set CilBody.KeepOldMaxStack or MetaDataOptions.Flags (KeepOldMaxStack, global option) to ignore this error. Otherwise fix your generated CIL code so it conforms to the ECMA standard. ERROR: Instruction operand is null ERROR: Operand is not a local/arg ERROR: Instruction is null ERROR: Target instruction is too far away for a short branch. Use the long branch or call CilBody.SimplifyBranches() and CilBody.OptimizeBranches() Ignored 7741 warnings/errors Use -v/-vv option or set environment variable SHOWALLMESSAGES=1 to see all messages Why? |
#164
|
|||
|
|||
@speedboy
Try de4dot fixed by ivancitooz http://rghost.net/8kVDPKcfc It has several obfuscators updated |
The Following 3 Users Say Thank You to cachito For This Useful Post: | ||
#165
|
|||
|
|||
It is not X86!
|
Tags |
de4dot, deobfusacator |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
[C#] De4Dot GUI | V0K3 | Source Code | 2 | 04-17-2015 06:07 |