
Thread: .NET DeObfuscator

  1. #1
    Blacklist Hunter Kurapica's Avatar
    Join Date
    Jun 2008
    Location
    JIT compiler
    Posts
    102

    .NET DeObfuscator

    This is a tool to deobfuscate names only in assemblies. It doesn't deobfuscate control-flow.

  2. #2
    Registered User
    Join Date
    Jan 2008
    Posts
    163
    Blog Entries
    19
    Kurapica, I haven't tried it. But how can you deobfuscate names? It's a one way process. You can only rename them to names that can be compiled again after being decompiled. Do you mean that?

  3. #3
    Blacklist Hunter Kurapica's Avatar
    Join Date
    Jun 2008
    Location
    JIT compiler
    Posts
    102
    This tool is supposed to make our life easier when exploring in Reflector, so the deobfuscated assembly in most cases won't run and it's meant to be used in Reflector for analysis only.

    What this tool does is rename Classes and other members of the assembly, like Procedures and Functions, into more understandable names for easier analysis. For example, it renames a Class of type Form to "Class10_Form" instead of "xhfkd9oekfpklgpf" as we see in assemblies obfuscated with xenocode or any other obfuscator. I didn't want to release it at first, but when I added type detection to the renaming process it became more useful.

    I hope it's useful for every one.

  4. #4
    Registered User
    Join Date
    Jan 2008
    Posts
    163
    Blog Entries
    19
    The type renaming method is a good idea.

    BUT there are some serious bugs. You rename even special methods (which aren't obfuscated) like cctor, property methods (get/set) etc. These methods need their name to be intact. Otherwise after the renaming you'll have an assembly which can't run. And the decompiling process becomes even more difficult, as you can see from the images:



    Even if considering only the decompilation process, it gets harder to understand the code when such clear names are missing, not easier.

    You should fix this behaviour considering the type flags.
    Last edited by Daniel Pistelli; June 12th, 2008 at 08:09.
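
    The rule discussed in the post above (rename by type, but leave special-named members such as .cctor and property get/set methods untouched), shown as an added example that is not code from Kurapica's tool. It uses System.Reflection on a constructed sample class; BaseForm, RenamePlanner and the exact naming scheme are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

// Constructed sample standing in for an obfuscated type (names are made up).
class BaseForm { }
class xhfkd9oekfpklgpf : BaseForm
{
    static int a1 = 1;                 // field initializer forces a static constructor (.cctor)
    public int b2 { get; set; }        // compiles to get_b2 / set_b2, both flagged SpecialName
    public void c3() { }
    public void d4() { }
}

static class RenamePlanner
{
    const BindingFlags All = BindingFlags.Public | BindingFlags.NonPublic |
        BindingFlags.Instance | BindingFlags.Static | BindingFlags.DeclaredOnly;

    // Returns old name -> new name; members flagged SpecialName are left out,
    // so they keep their original names.
    public static Dictionary<string, string> Plan(Type t, int classIndex)
    {
        var plan = new Dictionary<string, string>();
        // Type-aware class name: running index plus the base type's name.
        plan[t.Name] = $"Class{classIndex}_{t.BaseType?.Name ?? "Object"}";
        int n = 0;
        var members = new List<MethodBase>(t.GetMethods(All));
        members.AddRange(t.GetConstructors(All));   // includes .ctor and .cctor
        foreach (var m in members)
        {
            // .ctor/.cctor, get_/set_, add_/remove_ and op_ methods carry the
            // SpecialName flag; the runtime and decompilers rely on those names.
            if (m.IsSpecialName) continue;
            plan[m.Name] = $"Procedure_{++n}";
        }
        return plan;
    }

    static void Main()
    {
        foreach (var kv in Plan(typeof(xhfkd9oekfpklgpf), 10))
            Console.WriteLine($"{kv.Key} -> {kv.Value}");
    }
}
```

    Only the class and the two ordinary methods appear in the plan; the constructors and the property accessors are skipped, which is what keeps properties recognizable in a decompiler after renaming.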

  5. #5
    Blacklist Hunter Kurapica's Avatar
    Join Date
    Jun 2008
    Location
    JIT compiler
    Posts
    102
    Quote: "Otherwise after the renaming you'll have an assembly which can't run"
    Quote: "so the deobfuscated assembly in most cases won't run and it's meant to be used in Reflector for analysis only."
    Thanks for the tips and I will try to fix these issues in next release.
    Life can only be understood backwards but It must be read forwards

    http://board.b-at-s.info
    http://portal.b-at-s.info/news.php

  6. #6
    Registered User
    Join Date
    Jan 2008
    Posts
    163
    Blog Entries
    19
    Yes, I read that, but since it depends only on that issue, it can be fixed and assembly will be able to run.

    You're welcome.

  7. #7
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,204
    Blog Entries
    5
    CRCETL:
    http://www.woodmann.com/collaborative/tools/index.php/.NET_DeObfuscator


    Hey Kurapica, thanks for all the nice tools, and welcome to the board.

    If it would be in any way possible, could you just add a few extra words of description about the tools you upload (like the very nice description you gave above to Daniel)? That would make them so much more valuable for everyone I think!
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  8. #8
    Blacklist Hunter Kurapica's Avatar
    Join Date
    Jun 2008
    Location
    JIT compiler
    Posts
    102
    Thanks for the tips... :-)

    I will add more description next time.

  9. #9
    Blacklist Hunter Kurapica's Avatar
    Join Date
    Jun 2008
    Location
    JIT compiler
    Posts
    102

    Version 0.5

    What's new

    1 - Faster algo
    2 - Excludes certain members for better renaming
    3 - Minor bug fixes

    Bug reports are welcome

  10. #10
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,204
    Blog Entries
    5
    Nice. CRCETL entry updated.

    Please note that you can (and are very welcome to) update the CRCETL entries for your tools yourself when you release an update, simply press the edit button at the bottom of the tool's page, enter the new info and presto, it's updated!

  11. #11
    squalito
    Guest
    Hello,

    What a great tool!!
    Why didn't I find it before doing the deobfuscation of xenocode assemblies myself?
    Hmm, do you manage non-printable chars? (xenocode obfuscation creates a lot of non-printable chars)

    I've tried it on an assembly created with xenocode and it does a great job, and deobfuscates maybe 90% of the code (not the control flow indeed)

    Well thanks a ton for this tool
    Last edited by squalito; June 30th, 2008 at 05:40.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  12. #12
    Blacklist Hunter Kurapica's Avatar
    Join Date
    Jun 2008
    Location
    JIT compiler
    Posts
    102
    Wow ... :-D
    I'm happy someone found it useful !!

    Quote: "and deobfuscates maybe 90% of the code"
    I didn't understand what you meant by 90% because it's supposed to fully rename all members up to 100%

    Quote: "Well thanks a ton for this tool"
    Thanks for the nice words

  13. #13
    squalito
    Guest
    for example

    public void Procedure_12(Class_24_Office2007Form ֑, Class_28_Object ֖, string ߏ, string ࢳ)
    {
    string str;
    string[] strArray;
    DateTime time;
    this.Field_28 = ֑;
    this.Field_30 = ֖;
    this.Field_31 = ߏ;
    I think defined resources keep their @@#\ name

  14. #14
    Thanks for the help Kurapica!
    Last edited by FrankRizzo; September 4th, 2008 at 19:51. Reason: question no longer relevant.

  15. #15
    thateam
    Guest
    Thanks a lot Kurapica !