Tuts 4 You

.Net Manual Deobfuscating

gholam.illidan

Is there any tut or e-book for .NET manual unpacking and deobfuscating? (google == nothing)

And some e-book on .NET data structure.

My .NET cracking skill is very good but I suck at deobfuscating.

tnx


gholam.illidan

https://github.com/XenocodeRCE?tab=repositories

 

You can use dnlib, it's very strong. I may help you, not step by step, but I may.

 

First, tnx for replying.

Second, I saw the link and the dnlib library, but I didn't even know the basics of deobfuscating. (I think these are useful once I know how to deobfuscate an assembly manually; then I use dnlib to write its deobfuscator. Am I right?)

Third, should I start with native unpacking or not? Because there are a lot of tuts here.

XenocodeRCE

Ok so I'll try to reply;


 


  1. Deobfuscation is simpler than obfuscation. In fact, when you want to obfuscate a file, you have to think about how to encrypt things, where to put this method, how to call this one etc. Deobfuscating is more like looking at a road map: you have everything, the good layout, you only have to do the path in reverse.
  2. First of all you have to know about C# and programming. You can't reverse a path on a road map if you can't read it. Same for deobfuscation.
  3. It's past midnight here and I have exams this week. I may try to write a few lines about how to process, call it "ebook" if you want, for you this weekend.
  4. Learn. But please practice also, that's maybe the most important part.
gholam.illidan

OK,

I know C# well. I tried to deobfuscate and crack almost every .NET file that I have just to learn even a little. So I learned things in cracking, but in deobfuscation I am just a dumbass :|

I saw some tuts on how to deobfuscate some obfuscators but I can't understand what exactly they do, so I just memorize the steps and do them like a BOT.

Just to mention, I missed my first exam, which was 2 days ago, just because I was awake all night trying to crack a file protected with ConfEx 5; the only progress that I made was bypassing the packer.

I will practice even more. At the end: thanks (a real Thanks ;)) for helping me.

Derberux

You must understand the IL code.

Of course you cannot start with ConfuserEx 5. Download Phoenix by Daniel Pistelli, and try to protect a program.

Manual deobfuscation is not something complex; you just have to analyze the IL code. Read ECMA-335 or ISO/IEC 23271:2012.

The way to learn is practice and interest.

btw, I wrote a tutorial some time ago about how to decrypt constants manually.

.NET Decrypt constants manually using PowerShell1.pdf

gholam.illidan

@Alcatraz3222

I know IL code well enough that I can crack almost every clean assembly, and yes, ConfEx is really big for me. (I didn't know which obfuscator is the easiest, so anytime I'm in the mood I just pick one obfuscator and try hard to deobfuscate it by myself, because I have to start from somewhere; sadly no success yet :|)

btw, I googled the CLI e-books and downloaded them; I'll read them after my exams are finished.

Thanks for your tut, that was so clear and useful.


SameerRaj

@Alcatraz3222 can using PowerShell decrypt any constant obfuscated with any obfuscator??? :help

cob_258

@SameerRaj some obfuscators use the calling method token to decrypt constants; the token is obtained with StackFrame. I'm not sure that you can simulate the stack with PowerShell, so it appears that in this case it won't work.
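
A minimal model of the caller-keyed scheme described in the post above, as an added example that is not from the thread, the attached tutorial or any real obfuscator. The class and method names, the XOR stand-in cipher and the sample constant are all assumptions made for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Text;

static class CallerKeyedConstants
{
    const BindingFlags Flags = BindingFlags.Static | BindingFlags.NonPublic;
    const string Plain = "constructed-sample-constant"; // constructed sample value

    // XOR is a stand-in for whatever cipher a real protector would use.
    static byte[] Xor(byte[] data, int key)
    {
        byte[] k = BitConverter.GetBytes(key);
        byte[] result = new byte[data.Length];
        for (int i = 0; i < data.Length; i++)
            result[i] = (byte)(data[i] ^ k[i % k.Length]);
        return result;
    }

    // The key is never passed in: it is the metadata token of the method one frame up.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static string Decrypt(byte[] blob)
    {
        MethodBase caller = new StackFrame(1).GetMethod();
        return Encoding.UTF8.GetString(Xor(blob, caller.MetadataToken));
    }

    // The comparison after the call keeps each caller's own frame on the stack.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static bool IntendedCaller(byte[] blob) => Decrypt(blob) == Plain;

    // Same code, different method, therefore a different token and a different key.
    // A script that invokes Decrypt through reflection is in this position too.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static bool OtherCaller(byte[] blob) => Decrypt(blob) == Plain;

    static void Main()
    {
        // "Protection time": encrypt the constant under IntendedCaller's token.
        int token = typeof(CallerKeyedConstants)
            .GetMethod(nameof(IntendedCaller), Flags).MetadataToken;
        byte[] blob = Xor(Encoding.UTF8.GetBytes(Plain), token);

        Console.WriteLine($"intended caller recovers constant: {IntendedCaller(blob)}");
        Console.WriteLine($"other caller recovers constant:    {OtherCaller(blob)}");
    }
}
```

The decryptor takes no key argument, so an analyst reading only the call site sees nothing that explains why the same blob decodes correctly in one place and not in another; the dependency is in the stack walk inside the decryptor.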

 

TheProxy RE

Watch ubbelol's tutorials on YouTube, they will be helpful. I started with these.

After watching these I recommend you try deobfuscating Yano Obfuscator since it's simple.

turkverisoft

this video secret?

kao

@turkverisoft: Ubbelol removed all his videos years ago. They are gone.

Hayokuma

Here's the old content of Ubbelol.

 

Edited by Teddy Rogers
Uploaded all the old content in Downloads... (see edit history)
kao

@Hayokuma: that's awesome, thank you! Ubbelol made 7 videos and you uploaded 2. Do you have the remaining ones as well? 

Sangavi
1 hour ago, TheProxy RE said:

Okay asked ubbe to make videos public again it should be fine now
https://www.youtube.com/user/UbbeLoLHF/videos

The videos were available earlier also. I downloaded them in the past.

kao

Cool, thank you! I didn't know he's still around. :)

 

ubbelol
12 hours ago, kao said:

Cool, thank you! I didn't know he's still around.

 

Still around, but not really doing any RE nowadays. :)

It truly is weird hearing yourself on video 8 years later..

Kurapica
3 hours ago, ubbelol said:

Still around, but not really doing any RE nowadays. :)

It truly is weird hearing yourself on video 8 years later..

Nice to see you again, we are all getting older now :D
