Exetools  

#151
05-24-2015, 21:41
sendersu
Hi,
has anyone seen something like the below?
It looks strange to me as it is about a standard type.....

d:\>de4dot.exe -v xxxxx

de4dot v3.1.41592.3405 Copyright (C) 2011-2014 de4dot@gmail.com
Detected Babel .NET xx

..............

ERROR:
ERROR:
ERROR: Caught an exception:
ERROR:
ERROR: ------------------------------------------------------------------------------
ERROR: Message:
ERROR: Could not find method '.ctor' in type 'System.Double[,]'
ERROR: Type:
ERROR: System.ApplicationException
ERROR: ------------------------------------------------------------------------------
ERROR:
ERROR: Try the latest version!
#152
05-25-2015, 00:54
0xd4d
System.Double[,] is a type that is auto-generated at runtime by the CLR so it's impossible to find the constructor in any assembly (in this case mscorlib). You might need to update ImageReader.cs.
#153
05-27-2015, 16:46
Av0id
Unable to find binaries, so here is the current compiled version from git:

Code:
git clone https://github.com/0xd4d/de4dot.git
cd de4dot
git submodule init
git submodule update --recursive
msbuild de4dot.sln /t:Build /p:Configuration=Release
Code:
http://www8.zippyshare.com/v/vJPSzM2o/file.html
#154
05-28-2015, 01:53
sendersu
Quote:
Originally Posted by 0xd4d
System.Double[,] is a type that is auto-generated at runtime by the CLR so it's impossible to find the constructor in any assembly (in this case mscorlib). You might need to update ImageReader.cs.
0xd4d,
you said the correct thing, but I'm a bit confused and thinking about the right mitigation for this kind of issue...
here is the case -
http://prntscr.com/7a28hl
we are reading the instruction, it wants to create the Double [][] array,
but no one has that type anywhere......
of course we could not simulate the work of mscorlib (it creates this type at runtime?)
so we also can't return null from the reading method......

or we could and have to create the type of Double[][] at runtime and then return the ref to its ctor?......
Please advise
thanks
#155
05-28-2015, 08:21
0xd4d
Try to create a Double[][], something like: var theSig = new SZArraySig(new SZArraySig(module.CorLib.Double)). If you need a ITypeDefOrRef instead of a TypeSig, call theSig.ToTypeDefOrRef().
#156
05-30-2015, 04:36
sendersu
I'm trying to proceed with the lookup of the ".ctor" method but can't figure out how to...
here is what I've got so far:

http://prntscr.com/7avz3z

theSig looks good:
theSig = {System.Double[][]}
as well as:
i2 = {System.Double[][]}


also, I'm confused regarding this fact, as in the picture:
td = {System.Double}

so generally, I need to ask for advice once again....
thanks in advance
#157
05-30-2015, 16:53
0xd4d
There's no Double[][] type until runtime so you can't resolve it at all. Check the structures in the decrypter class and see if you can find the method you need to decrypt.
#158
05-31-2015, 00:24
sendersu
thanks for the reply, more questions to understand whether I'm moving in the right direction:

>There's no Double[][] type until runtime so you can't resolve it at all
does it mean that if I'm working with such a method (one that operates with runtime-only types)
I'll not be able to decrypt that method at all?

>Check the structures in the decrypter class and see if you can find the method you need to decrypt.
1) am I right in supposing that all I could do is detect such method(s) that use runtime types and just skip those in the iterator?
2) are you referring here to the Babel_NET.MethodsDecrypter.decrypt() routine?
in my case I have 101 methods inside the GetEncryptedMethods() list

3) of course I'll be able to identify the method that the tool fails to decrypt, what's the next step then...
eg: http://prntscr.com/7b5tum the last one is the faulty one

now, having that, for example I'll skip the method that is using a runtime type (imageReader.Restore(current.FullName, current.method))
how will I then be able to inspect the source code of it later on?

is it possible to have for example 99.9% of methods decrypted and just some left as is?...

again, I'm just trying to understand the tactics here...
thanks for your time and assistance, 0xd4d!

Last edited by sendersu; 05-31-2015 at 00:36. Reason: +pic
#159
05-31-2015, 14:24
0xd4d
It's a method reference, so just convert it from a BabelMethodReference to a MethodRef. You know the owner type, Double[][]. The rest of the info is in BabelMethodReference.
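The conversion discussed in the replies above, sketched with dnlib as an added example (not code from this thread or from de4dot): the array type is built as a signature, wrapped in a TypeSpec, and used as the parent of a MemberRef, so nothing is ever resolved against mscorlib. The `ToMemberRef` helper and its `name`, `returnType` and `paramTypes` parameters are hypothetical stand-ins for whatever a decoded BabelMethodReference carries.

```csharp
using System;
using dnlib.DotNet;

static class ArrayCtorRef
{
    // name, returnType and paramTypes are assumptions standing in for the
    // data read from the protected image; de4dot's real field names may differ.
    public static MemberRef ToMemberRef(ModuleDef module, TypeSig owner,
        string name, TypeSig returnType, TypeSig[] paramTypes)
    {
        // Array types (Double[][], Double[,]) have no TypeDef in any assembly:
        // the CLR synthesizes them and their constructors at runtime.
        // The owner is therefore encoded as a TypeSpec and never resolved.
        ITypeDefOrRef parent = owner.ToTypeDefOrRef();

        // Array constructors are instance methods: instance void .ctor(int32, ...)
        MethodSig sig = MethodSig.CreateInstance(returnType, paramTypes);

        // A MemberRef only names the method; it does not need a definition.
        return new MemberRefUser(module, name, sig, parent);
    }

    static void Main()
    {
        // Constructed empty module; a real run would pass the loaded target module.
        ModuleDef module = new ModuleDefUser("Constructed.dll");
        ICorLibTypes corlib = module.CorLibTypes;

        // Double[][]: a vector of vectors, as suggested in the reply above.
        TypeSig jagged = new SZArraySig(new SZArraySig(corlib.Double));
        MemberRef jaggedCtor = ToMemberRef(module, jagged, ".ctor",
            corlib.Void, new TypeSig[] { corlib.Int32 });

        // Double[,]: a rank-2 array, the type named in the original exception.
        TypeSig rank2 = new ArraySig(corlib.Double, 2);
        MemberRef rank2Ctor = ToMemberRef(module, rank2, ".ctor",
            corlib.Void, new TypeSig[] { corlib.Int32, corlib.Int32 });

        Console.WriteLine(jaggedCtor.FullName);
        Console.WriteLine(rank2Ctor.FullName);
    }
}
```

The returned MemberRef can be used directly as the operand of the `newobj` instruction being restored.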
#160
07-23-2015, 22:31
Git
Any known problems or solutions with DeepSea 3.5 please? This is the latest recursive update from my namesake. There is a missing resource language file in my test exe. If I use --ds-rsrc False then the ERROR ERROR goes, but I get one warning "WARNING: Could not find resource Test File.lang".

Git


F:\Utils\de4dot>de4dot-x64 -f "E:\Test File.exe" -o "E:\Test File2.exe"

de4dot v3.1.41592.3405 Copyright (C) 2011-2014 de4dot@gmail.com
Latest version and source code: https://github.com/0xd4d/de4dot
21 deobfuscator modules loaded!

Detected DeepSea 3.5 (E:\Test File.exe)
Cleaning E:\Test File.exe
Renaming all obfuscated symbols
ERROR:
ERROR:
ERROR:
ERROR: Hmmmm... something didn't work. Try the latest version.

F:\Utils\de4dot>
#161
07-24-2015, 05:24
0xd4d
That's a warning from the renamer, so try --dont-rename or just ignore the warning msg. Maybe it's still runnable?
#162
07-24-2015, 05:26
Storm Shadow
Ain't it possible to get a verbose output of the error?
#163
09-02-2015, 10:59
speedboy
Command: de4dot.exe -f "D:\xxks\EXAMTEACHER.exe" -o "D:\xxks\EXAMTEACHER_de4dot.exe"
Output:

de4dot v3.1.41592.3405 Copyright (C) 2011-2014 de4dot@gmail.com
Latest version and source code: https://github.com/0xd4d/de4dot
21 deobfuscator modules loaded!

Detected Dotfuscator 12345:1:2:4.2.5000.27554 (D:\xxks\EXAMTEACHER.exe)
Cleaning D:\xxks\EXAMTEACHER.exe
WARNING: Could not deobfuscate method 06000185. Hello, E.T.: System.ApplicationException
Renaming all obfuscated symbols
Saving D:\xxks\EXAMTEACHER_de4dot.exe
ERROR: Error calculating max stack value. If the method's obfuscated, set CilBody.KeepOldMaxStack or MetaDataOptions.Flags (KeepOldMaxStack, global option) to ignore this error. Otherwise fix your generated CIL code so it conforms to the ECMA standard.
ERROR: Instruction operand is null
ERROR: Operand is not a local/arg
ERROR: Instruction is null
ERROR: Target instruction is too far away for a short branch. Use the long branch or call CilBody.SimplifyBranches() and CilBody.OptimizeBranches()
Ignored 7741 warnings/errors
Use -v/-vv option or set environment variable SHOWALLMESSAGES=1 to see all messages

Why?
#164
09-02-2015, 12:34
cachito
@speedboy
Try de4dot fixed by ivancitooz
http://rghost.net/8kVDPKcfc

It has several obfuscators updated
#165
09-02-2015, 14:04
speedboy
Quote:
Originally Posted by cachito
@speedboy
Try de4dot fixed by ivancitooz
http://rghost.net/8kVDPKcfc

It has several obfuscators updated
It is not X86!