de4dot - Deobfuscator for .NET

[ZeNiX]

Links updated

[riverstore]

New version de4dot 2.0.1 was out

Code:

https://bitbucket.org/0xd4d/de4dot/downloads/de4dot-2.0.1.zip

[mdj]

New version: 2.0.1

https://bitbucket.org/0xd4d/de4dot
https://bitbucket.org/0xd4d/de4dot/downloads

[0xd4d]

2.0.2: bug fix. Sometimes a few SmartAssembly encrypted strings weren't decrypted.
https://bitbucket.org/0xd4d/de4dot/downloads

[s0me0n3]

Nicely done. Any chance to see updated Xenocode Postbuild support? Or any chance to apply a special command line? I don't get the help description cause english isn't my native language. Support via pm? Can provide you with alot info if you could help updating the deobfuscator.

[0xd4d]

Xenocode Postbuild? What isn't supported already? It has string encryption and cflow obfuscation. Use eg. DotNetDumper to dump assemblies from memory.

[s0me0n3]

Nah, meant better string decryption. It may be that some apps I wanna crack don't are fully decrypted cause some routines are missing or the standard command line is just not enough what brings me back to my question: Is there any special command line which strings to decrypt in which way? Or do you want some help updating? I am not the coder I just can explain things. BTW: I don't get it with the /help switch (don't understand the use), some strings are still crypted.

[0xd4d]

PM me a link (eg. installer link) to those Xenocode obfuscated assemblies where string decryption doesn't work. Could be a slightly different version from the ones I've seen.
Also who uses Xenocode Postbuild anymore?

[Kameo]

Thanks for the share, it's working great.

[giv]

Quote:

Originally Posted by Kameo

Thanks for the share, it's working great.

It's not about sharing mate, it's free by definition this software.

Hope to support Confuser

[giv]

Quote:

Originally Posted by heima911

Hope to support Confuser

///////////////////// Keyz World-Dev.com - to DDC Team //////////////////////

Unpacking confuser v1.9 max settings enabled.
first download the msil decryptor.

http://uppit.com/irrah14pjhm6/Simple_MSIL_Decryptor.zip
http://uppit.com/qinahamvavsw/1_msil_fix12.rar
Now Just browse the confused assembly... its important to check on the use loadlibrary, then click on decrypt..

You still cant browse on the methods when you open it on SAE dont use reflector coz that was a trash as simple as that.

So here's the next step..

Download this: universal fixer, if you dont have..

http://uppit.com/tmkcdyz2fc2h/Universal_Fixer.zip

Browse the decryted assembly, then click on fix just use default.. wait for the tool to fix the program, remember that it will takes a longer time to do its job since we know that confuser sucks it also defend on the program size.. seeing on the statistic of the fixer that it successfully fixed and save the assembly on a directory signals us that it already done on its job...

open it on SAE and feel happy to browse on those methods and you gonna see those il codes... Smile

but the last problem is that it wont run.. Mad ?

so here's the solution... on SAE search for the word "broken file" it will be found by the decompiler and go to the first il code of that method,copy its RVA address.

open the fixed file on CFF EXPLORER..

http://www.ntcore.com/exsuite.php

input the RVA ADDRESS on the rva box on the cff explorer and it will give you its offset address of the file, then change the bytes on that offset with this hex byte value 2A (IN SImple word, we ret that method, we just only use hexbyte patching.), and maybe wait also for my search and replace byte patcher to easily do this or someone can generate it or just program the tool.

run the file, and it will run now... so cheers..

the strings are still encrypted, but there is a tool named dotnet tracer, to help you crack easy as like you are blind.. Tongue

de4dot can also cleaned the fixed the running assembly, so newbie cracker will now wont have problem on confuser..

AND SO, CONFUSER WILL NOW ENDS.. Enjoy
Keyz / Jejus.

Quote:

http://pastebin.com/TABT1xPm

[sendersu]

MaxSea 4.1 has some minor issues (eg: protector left the virtual specifier for nonvirtual methods of Form, etc)

[0xd4d]

de4dot v2.0.3 https://bitbucket.org/0xd4d/de4dot/

• Updated CryptoObfuscator deobfuscator code
• Updated Xenocode deobfuscator code
• Next version (v2.1) should support the remaining obfuscators I haven't updated yet

Quote:

Originally Posted by sendersu

MaxSea 4.1 has some minor issues (eg: protector left the virtual specifier for nonvirtual methods of Form, etc)

MaxSea is the love child of MaxtoCode and DeepSea?

[sendersu]

sorry mate, you cought me
Detected DeepSea 4.1 is the right line

wow, you are great researcher, thanks for update
and oh, 4351 downloads for 202, good rocket lunch for new site

if you are interesting, here is the before and after of what I was writing about:

before (with issues)

internal virtual TableLayoutPanel vmethod_0()
{
return this.tableLayoutPanel_0;
}

compiler shouts as:


Error 6 'x.SplashScreen1.vmethod_0()' is a new virtual member in sealed class 'x.SplashScreen1' ////



after (cleaned by hands)

internal TableLayoutPanel vmethod_0()
{
return this.tableLayoutPanel_0;
}