Old 07-27-2022, 21:09
foosaa
Join Date: Dec 2005
Posts: 106
Rept. Given: 36
Rept. Rcvd 12 Times in 10 Posts
Thanks Given: 167
Thanks Rcvd at 84 Times in 32 Posts
foosaa Reputation: 14
Need help community

Hello Friends,

I need some directions or suggestions. I'm currently tasked with reversing a .NET executable, but it is obfuscated. I tried de4dot, but it does not reverse it or provide anything meaningful to process.

dnSpy produces decompiled source code that is filled with functions and variables whose names start with #=<long names>. Any idea which obfuscator was used in this case? I'm just trying to see if anyone could quickly point me to the name of the obfuscator so that I can proceed in that direction to reverse it.

Some sample code to illustrate the above description:
private static void #=zGud5JR$F5ZC4Uc23DVuPuwd27lFw(byte[] #=zHs8_4ViFvF5a2_w0qCR6llOqSSXU, int #=zgkLn5h$uSaTrZRI6KiV4dTI5c$kb, byte[] #=zDaQZNdRiqOTXtrgat4kX3ushtupG)
{
	// LZ-style unpacker: arg1 = packed input, arg2 = read position, arg3 = output buffer.
	// Braces and the else branch were dropped by the paste and are restored here.
	int i = 0;
	int num = 0;    // current flag byte
	int num2 = 128; // current flag bit, LSB first, 8 tokens per flag byte
	int num3 = #=zDaQZNdRiqOTXtrgat4kX3ushtupG.Length;
	while (i < num3)
	{
		if ((num2 <<= 1) == 256)
		{
			num2 = 1;
			num = (int)#=zHs8_4ViFvF5a2_w0qCR6llOqSSXU[#=zgkLn5h$uSaTrZRI6KiV4dTI5c$kb++];
		}
		if ((num & num2) != 0)
		{
			// match token: 6-bit length (+3) and 10-bit backward offset
			int num4 = (#=zHs8_4ViFvF5a2_w0qCR6llOqSSXU[#=zgkLn5h$uSaTrZRI6KiV4dTI5c$kb] >> 2) + 3;
			int num5 = (((int)#=zHs8_4ViFvF5a2_w0qCR6llOqSSXU[#=zgkLn5h$uSaTrZRI6KiV4dTI5c$kb] << 8) | (int)#=zHs8_4ViFvF5a2_w0qCR6llOqSSXU[#=zgkLn5h$uSaTrZRI6KiV4dTI5c$kb + 1]) & 1023;
			#=zgkLn5h$uSaTrZRI6KiV4dTI5c$kb += 2;
			int num6 = i - num5;
			if (num6 < 0) { return; } // body lost in the paste; an early exit on a bad back-reference is assumed
			while (--num4 >= 0 && i < num3)
			{
				#=zDaQZNdRiqOTXtrgat4kX3ushtupG[i++] = #=zDaQZNdRiqOTXtrgat4kX3ushtupG[num6++];
			}
		}
		else
		{
			// literal token: copy one input byte
			#=zDaQZNdRiqOTXtrgat4kX3ushtupG[i++] = #=zHs8_4ViFvF5a2_w0qCR6llOqSSXU[#=zgkLn5h$uSaTrZRI6KiV4dTI5c$kb++];
		}
	}
}
Thank you so much for reading and helping.
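The obfuscated method in the question is an LZ-style unpacker: one flag byte covers eight tokens (LSB first), a clear bit means one literal byte and a set bit means a two-byte match with a 6-bit length (+3) and a 10-bit backward offset. As an added example, not code from the thread, here is a readable Python port of it together with a greedy encoder for the same token format, so a stream can be round-tripped while analysing the binary. The names decompress/compress, the early exit on a negative back-reference, the else-branch literal copy and the sample stream are assumptions or constructed for the example.

```python
def decompress(src: bytes, pos: int, out_len: int) -> bytes:
    """Port of the obfuscated method: src/pos = packed input, out_len = dst.Length."""
    dst, i, flags, bit = bytearray(out_len), 0, 0, 128
    while i < out_len:
        bit <<= 1
        if bit == 256:                      # flag byte used up: fetch the next one
            bit, flags, pos = 1, src[pos], pos + 1
        if flags & bit:                     # match token
            length = (src[pos] >> 2) + 3                      # 3..66
            offset = ((src[pos] << 8) | src[pos + 1]) & 1023  # 0..1023
            pos, back = pos + 2, i - offset
            if back < 0:                    # decompiled code bails out here (assumed)
                raise ValueError("back-reference before start of output")
            while length > 0 and i < out_len:   # byte-wise copy, so overlap acts like RLE
                dst[i] = dst[back]
                i, back, length = i + 1, back + 1, length - 1
        else:                               # literal token (assumed else branch)
            dst[i] = src[pos]
            i, pos = i + 1, pos + 1
    return bytes(dst)

def compress(data: bytes) -> bytes:
    """Greedy encoder for the same format; the real packer's match search is unknown."""
    out, i = bytearray(), 0
    while i < len(data):
        flag_idx = len(out)                 # reserve the flag byte for the next 8 tokens
        out.append(0)
        for bit in range(8):
            if i >= len(data):
                break
            best_len = best_off = 0
            for off in range(1, min(i, 1023) + 1):
                n = 0
                while n < 66 and i + n < len(data) and data[i + n] == data[i - off + n]:
                    n += 1
                if n > best_len:
                    best_len, best_off = n, off
            if best_len >= 3:               # match: set flag bit (LSB first), emit 2 bytes
                out += bytes([((best_len - 3) << 2) | (best_off >> 8), best_off & 0xFF])
                out[flag_idx] |= 1 << bit
                i += best_len
            else:
                out.append(data[i])
                i += 1
    return bytes(out)

# Constructed sample stream: flag 0x08 -> tokens L L L M L; M = length 9, offset 3.
SAMPLE = bytes([0x08, 0x61, 0x62, 0x63, 0x18, 0x03, 0x58])   # -> b"abcabcabcabcX"
```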
Old 07-31-2022, 06:31
0xall0c
Join Date: Mar 2018
Posts: 68
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 28
Thanks Rcvd at 67 Times in 36 Posts
0xall0c Reputation: 4
It would be better if you posted the binary. By the way, rename the tokens first, remove constant expressions and reorganise the code blocks. Everything mentioned is implemented in de4dot; check out the code and change it according to this obfuscation pattern.
The Following User Says Thank You to 0xall0c For This Useful Post:
tonyweb (07-31-2022)
Old 08-22-2022, 03:47
lahma
Join Date: Jul 2016
Location: US
Posts: 14
Rept. Given: 0
Rept. Rcvd 4 Times in 2 Posts
Thanks Given: 5
Thanks Rcvd at 39 Times in 9 Posts
lahma Reputation: 4
foosaa, what debugger/disassembler did you copy/paste this sample code from? Was it dnSpy or something different? Sometimes it is possible to identify the obfuscator, or at least narrow down the possibilities, just by looking at the way the code is obfuscated in dnSpy. As 0xall0c mentioned, it would be much better if you posted the binary, but even just a screenshot of the binary opened in dnSpy would be better than what you've provided. I could give you a variety of deobfuscator utilities to try, but most are built for specific obfuscators, so we need to determine that first.
Old 08-23-2022, 02:38
Zeokat
Join Date: Dec 2017
Posts: 90
Rept. Given: 0
Rept. Rcvd 14 Times in 10 Posts
Thanks Given: 401
Thanks Rcvd at 260 Times in 64 Posts
Zeokat Reputation: 14
As others pointed out, without the binary or more information it is hard to tell you anything.

Maybe it is a custom obfuscator; that's why supplying the binary (or the program name, if it can be downloaded) is the best option to get an answer.

Anyway, you can run Detect It Easy by h0rs and check the output: https://forum.exetools.com/showthread.php?t=18882

Hope it helps.
The Following User Says Thank You to Zeokat For This Useful Post:
niculaita (08-23-2022)