DeSmart - Deobfuscator

rongchaua · #1 04-25-2008, 02:32 PM

Hi all,
I have just finished an obfuscator for {SmartAssembly}. I need some tests for it. You can download it here. Please login to view content.

http://rongchaua.net/tools-mainmenu-...-smartassembly

I have tested it with crackme of LibX. It can restore all of source code in readable form.
http://rongchaua.net/Web/Tmp/TestRun_patch.zip

If you have a file obfuscated with {SA} and no time to test, then upload it somewhere and give me link. I need more files to test this tool.

@Kurapica and UFO: It will be great if you can send me a file packed with the newest version of {SA}. I can not bring {SA} run on my machine.

.

Regards.
rongchaua.

Kurapica · #2 04-25-2008, 02:51 PM

This is cool shit !!

I always wanted to code this shit but I'm too lazy as you know !!

Anyway this is something I coded and used SA 3.0 to protect.

http://www.filesend.net/download.php...8b9d3ec644448e

Enjoy

rongchaua · #3 04-25-2008, 04:05 PM

@Kurapica:Thank for you file. I have tested your file with my tools. I think I should make some mirror improvements.
@all: I am waiting more files obfuscated with {SA}.

Kurapica · #4 04-25-2008, 04:28 PM

This is another target for you rongchaua !

It's a DLL file not exe

Enjoy...

MOID · #5 04-25-2008, 07:59 PM

Good:

String decryption.
Renaming. I like that it has button1_Click, is that automatic?

Bad:

Control flow deobfuscation

Sometimes control flow deobfuscation doesn't work and leaves obfuscated code (for instance Namespace_02.Class_02.ctor), sometimes it leaves broken code! For example Namespace_02.Class_02.Method_02 in your version:

Code:

public static byte[] Method_02()
{
    // This item is obfuscated and can not be translated.
    byte[] destinationArray = new byte[Field_08.Length];
    Array.Copy(Field_08, destinationArray, Field_08.Length);
    int num = 0;
    if (num >= destinationArray.Length)
    {
        return destinationArray;
    }
}

Good version:

Code:

public static byte[] Method_2()
{
    byte[] destinationArray = new byte[Field_8.Length];
    Array.Copy(Field_8, destinationArray, Field_8.Length);
    for (int i = 0; i < destinationArray.Length; i++)
    {
        destinationArray[i] = (byte) (destinationArray[i] ^ 0x40);
    }
    return destinationArray;
}

Here's my deobfuscated version of LibX's crackme, with my control flow deobfuscator and Kurapica's renamer:
http://rapidshare.com/files/110427787/my_TestRun.exe

rongchaua · #6 04-26-2008, 06:39 PM

I have updated some mirror improvement. It still can not make all functions into readable form but it now actual status. I did my best.

.
Regards.

rongchaua · #7 04-30-2008, 02:58 PM

Version 1.0.0.4 is out. See link above.
Restore up to 99% source code to readable form.
Support {SA} version 1,2,3.

Kurapica · #8 05-01-2008, 06:34 AM

Thanks for the update.

Why should I register to download !! It's annoying ???!!

would be nice if you post here or on FileSend.net

rongchaua · #9 05-01-2008, 01:28 PM

Hi Kurapica,
I don't want that too. Please read this post to understand why I must activate Login section.

http://rongchaua.net/blog/Reverse_En...CA_Yes_it_does

Regards.

rongchaua · #10 05-30-2008, 03:18 PM

Version 1.0.0.5 is out.
- Add Update Function.
- Use same GUI as the other.
- Fix mirror bugs.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode