de4dot - Deobfuscator for .NET

[kao]

It's a mixed-mode assembly, meaning it contains both managed and native code. It is not obfuscated in any way, so - no need to run de4dot on it. Removing native code will remove most of its functionality, so don't do that.

Such assemblies are not supported by most of the crackers tools, your best bet probably is to use disassembler for analysis + hex editor for patching.

[Marton]

I will take your suggestion. Thanks Kao for looking at it!

[iceface]

I use latest version v1.2.3 Deobfuscator .net assembly.
the assembly is .NET Reactor Protected.

cmd-> de4dot.exe -f <my exe file> -p dr

I don't dump this File.

Stack trace:
在 Mono.Cecil.MetadataBuilder.LookupToken(IMetadataTo kenProvider provider) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1972
在 Mono.Cecil.Cil.CodeWriter.WriteOperand(Instruction instruction) 位置 C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs: 行号 281
在 Mono.Cecil.Cil.CodeWriter.WriteInstructions() 位置 C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs: 行号 172
在 Mono.Cecil.Cil.CodeWriter.WriteResolvedMethodBody( MethodDefinition method) 位置 C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs: 行号 134
在 Mono.Cecil.Cil.CodeWriter.WriteMethodBody(MethodDe finition method) 位置 C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs: 行号 76
在 Mono.Cecil.MetadataBuilder.AddMethod(MethodDefinit ion method) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1410
在 Mono.Cecil.MetadataBuilder.AddMethods(TypeDefiniti on type) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1404
在 Mono.Cecil.MetadataBuilder.AddType(TypeDefinition type) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1240
在 Mono.Cecil.MetadataBuilder.AddTypeDefs() 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1213
在 Mono.Cecil.MetadataBuilder.BuildTypes() 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1070
在 Mono.Cecil.MetadataBuilder.BuildModule() 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 852
在 Mono.Cecil.ModuleWriter.<BuildMetadata>b__0(Metada taBuilder builder, MetadataReader _) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 135
在 Mono.Cecil.ModuleDefinition.Read[TItem,TRet](TItem item, Func`3 read) 位置 C:\work\de4dot\cecil\Mono.Cecil\ModuleDefinition.c s:行号 823
在 Mono.Cecil.ModuleWriter.BuildMetadata(ModuleDefini tion module, MetadataBuilder metadata) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 134
在 Mono.Cecil.ModuleWriter.WriteModuleTo(ModuleDefini tion module, Stream stream, WriterParameters parameters) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 110
在 Mono.Cecil.ModuleDefinition.Write(Stream stream, WriterParameters parameters) 位置 C:\work\de4dot\cecil\Mono.Cecil\ModuleDefinition.c s:行号 986
在 Mono.Cecil.ModuleDefinition.Write(String fileName, WriterParameters parameters) 位置 C:\work\de4dot\cecil\Mono.Cecil\ModuleDefinition.c s:行号 975
在 de4dot.AssemblyModule.save(String newFilename, Boolean updateMaxStack) 位置 C:\work\de4dot\de4dot.code\AssemblyModule.cs:行号 45
在 de4dot.ObfuscatedFile.save() 位置 C:\work\de4dot\de4dot.code\ObfuscatedFile.cs:行号 264
在 de4dot.FilesDeobfuscator.saveAllFiles(IEnumerable` 1 allFiles) 位置 C:\work\de4dot\de4dot.code\FilesDeobfuscator.cs:行号 347
在 de4dot.FilesDeobfuscator.deobfuscateAll() 位置 C:\work\de4dot\de4dot.code\FilesDeobfuscator.cs:行号 114
在 de4dot.FilesDeobfuscator.doIt() 位置 C:\work\de4dot\de4dot.code\FilesDeobfuscator.cs:行号 72
在 de4dot.Program.main(StartUpArch startUpArch, String[] args) 位置 C:\work\de4dot\de4dot.code\Program.cs:行号 56


ERROR: Caught an exception:

------------------------------------------------------------------------------
Message:
Member 'System.RuntimeTypeHandle Class63::smethod_0(System.Int32)' is declared in another module and needs to be imported
Type:
System.ArgumentException
------------------------------------------------------------------------------

Try the latest version before reporting this problem!


I should resolve this problem??

[ldh0227]

Thank you for make this program!

Through this tool was able to solve the 'Babel Obfuscator' problem.

[sparpacillon]

as newbie of dotnet reversing i have to say: 0XD4D you made a great tool .) Thank you mate

[Tyrus]

0xd4d
Thank you for your work!
When can we expect DNGuard HVM?

[Predator]

[Please DO NOT reply to yourself, use the Edit button to edit your post]

I'm really impressed by this awesome work!

I reverse win32pe for many years, but the dotnet only by half year.
I am really interested in the approach you use on reversing obfuscation.
what logic do you follow? What software you use (reflector, Dile etc...)
crack a dotnet exe with reflexil it is easy but reverse obfuscation is another thing.
thanks

[0xd4d]

New version: 2.0.0

de4dot has moved from github to bitbucket. New site info:

https://bitbucket.org/0xd4d/de4dot
https://bitbucket.org/0xd4d/de4dot/downloads

• Updated support for most obfuscators. The rest will be supported later.
• de4dot is now using dnlib instead of Mono.Cecil since Mono.Cecil can't handle obfuscated files
• Mixed mode (eg. C++/CLI) assemblies are now supported
• dnlib is much more stable so if you can execute an assembly, dnlib can load and save it
• Preserving the important metadata tokens is now possible 100% of the time. The old hack I used with Mono.Cecil worked most of the time, but only for the "def" tables.
• Junk at the end of #Blob signatures can now be saved (--preserve-sig-data)
• You can now disable renaming certain things. Eg., when deobfuscating Confuser protected assemblies, try --keep-names d (keep delegate field names, but rename everything else)
• --keep-types no longer preserves MD tokens.
• New command line options: --keep-names, --dont-create-params, --preserve-tokens, --preserve-table, --preserve-strings, --preserve-us, --preserve-blob, --preserve-sig-data
• The actual Win32 resources (not the whole .rsrc) section is copied to the output. Mono.Cecil copied the whole section.
• When decrypting methods dynamically, the target's CLR version and CPU architecture is loaded instead of always defaulting to latest CLR version.

[user1]

Thank You!

[Git]

Keep up the good work 0xd4d, many thankls.

Git