From Collaborative RCE Tool Library

.NET Deobfuscation Tools


Tool name: .NET DeObfuscator
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://www.woodmann.com/forum/showthread.php?t=11810
Current version: 0.5
Last updated: June 11, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: This is a tool to deobfuscate names only in assemblies. It doesn't deobfuscate control flow.

This tool is supposed to make our life easier when exploring in Reflector, so the deobfuscated assembly in most cases won't run and it's meant to be used in Reflector for analysis only.

What this tool does is rename Classes and other members of the assembly, like Procedures and Functions, to more understandable names for easier analysis. For example, it renames a Class of type Form to "Class10_Form" instead of "xhfkd9oekfpklgpf" as we see in assemblies obfuscated with Xenocode or any other obfuscator. I didn't want to release it at first, but when I added type detection to the renaming process it became more useful.
Also listed in: (Not listed in any other category)



Tool name: .NET Methods Parser
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://portal.b-at-s.info/download.php?view.463
Current version: 0.2
Last updated: July 19, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: A simple tool to analyze the "Methods" metadata table.
It has good error and invalid-data handling code, so it will open most weird files.
Also listed in: (Not listed in any other category)



Tool name: Bad Net Opcodes Finder
Rating: 0.0 (0 votes)
Author: whoknows                        
Website: http://portal.b-at-s.info/download.php?view.439
Current version: 0.6 beta
Last updated: December 18, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: A tool used to fix a nasty anti-decompiler trick. The trick is based on using invalid opcodes to make the decompilation process impossible with tools like Reflector.
So you can use this tool to kill these nasty invalid opcodes and see the code again in Reflector. You will find a small video which explains how to use this tool.
Also listed in: (Not listed in any other category)



Tool name: de4dot
Rating: 0.0 (0 votes)
Author: 0xd4d                        
Website: https://bitbucket.org/0xd4d/de4dot/
Current version: 2.0.3
Last updated: January 12, 2013
Direct D/L link: https://bitbucket.org/0xd4d/de4dot/downloads
License type: GPLv3
Description: de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (e.g. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly.

Features:
-Inline methods. Some obfuscators move small parts of a method to another static method and call it.
-Decrypt strings statically or dynamically
-Decrypt other constants. Some obfuscators can also encrypt other constants, such as all integers, all doubles, etc.
-Decrypt methods statically or dynamically
-Remove proxy methods. Many obfuscators replace most/all call instructions with a call to a delegate. This delegate in turn calls the real method.
-Rename symbols. Even though most symbols can't be restored, it will rename them to human readable strings. Sometimes, some of the original names can be restored, though.
-Devirtualize virtualized code
-Decrypt resources. Many obfuscators have an option to encrypt .NET resources.
-Decrypt embedded files. Many obfuscators have an option to embed and possibly encrypt/compress other assemblies.
-Remove tamper detection code
-Remove anti-debug code
-Control flow deobfuscation. Many obfuscators modify the IL code so it looks like spaghetti code making it very difficult to understand the code.
-Restore class fields. Some obfuscators can move fields from one class to some other obfuscator created class.
-Convert a PE exe to a .NET exe. Some obfuscators wrap a .NET assembly inside a Win32 PE so a .NET decompiler can't read the file.
-Removes most/all junk classes added by the obfuscator.
-Fixes some peverify errors. Many of the obfuscators are buggy and create unverifiable code by mistake.
-Restore the types of method parameters and fields

Supported obfuscators/packers:
Agile.NET (aka CliSecure)
Babel.NET
CodeFort
CodeVeil
CodeWall
CryptoObfuscator
DeepSea Obfuscator
Dotfuscator
.NET Reactor
Eazfuscator.NET
Goliath.NET
ILProtector
MaxtoCode
MPRESS
Rummage
Skater.NET
SmartAssembly
Spices.Net
Xenocode
Also listed in: (Not listed in any other category)



Tool name: dotNetTools Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 1.0
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/dotNetToolsWin32.msi
License type: Free
Description: dotNet Tools is a freeware suite that includes dotNet Sniffer, PvLog DeObfuscator and PvLog LicenseManagerKiller. dotNet Sniffer uses the .NET profiler API to save assemblies loaded from memory. PvLog DeObfuscator is an MSIL code optimizer that makes obfuscated code more readable. LicenseManagerKiller is a tool that removes LicenseProvider attributes in the assembly.
Also listed in: .NET Tools, .NET Unpackers



Tool name: PvLog DeObfuscator Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 1.0
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/DeObfuscatorWin32.zip
License type: Free
Description: PvLog DeObfuscator is an MSIL code optimizer. One side effect of the optimizer is that it can make obfuscated code more readable. PvLog DeObfuscator can also rename the types and names of members to further improve readability. This tool does not require installation: you just need to run the executable. DeObfuscator is also available in 32 and 64 bit, but we recommend you use the version that corresponds to the architecture of the assembly to optimize. The assembly generated by DeObfuscator may not always run because of protective measures implemented in the assembly (protection against code modification), but should be able to load in Reflector. NOTE: the attribute that prevents ILDASM is not removed by DeObfuscator... but it could!
Also listed in: .NET Tools

