.Net Manual Deobfuscating

[gholam.illidan]

is there any tut or e-book for .net manual unpacking and deobfuscating? (google == nothing)

and some e-book on .net DataStructure.

 

my .net cracking skill is verywell but im sucks in deobfuscating.

 

tnx

[XenocodeRCE]

https://github.com/XenocodeRCE?tab=repositories

 

You can use dnlib, it's very strong. I may help you, not step by step, but I may.

[gholam.illidan]

https://github.com/XenocodeRCE?tab=repositories

 

You can use dnlib, it's very strong. I may help you, not step by step, but I may.

 

First. tnx for replaying

 

Secound. i saw the link and dnlib library, but i didnt know even the basics of deobfuscating. (i think these are useful when i know how to deobfuscate an assembly manually, then i use dnlib to write its deobfuscator. am i right?)

 

Third. should i start with native unpacking or not?, cause there is lot of tuts here.

[XenocodeRCE]

Ok so I'll try to reply;

 

1. Deobfuscation is more simple than Obfuscation. In fact, when you want to obfuscate a file, you have to think about how to encrypt things, where to put this method, how to call this one etc. Deobfuscating is more like looking at a road map, you have everything, the good layout, you only have to do the path in reverse.
   
2. First of all you have to know about C# and programming. You can't reverse a path on a road map if you can't read it. Same for deobfuscation.
   
3. It's past midnight here and I have exams this week. I may try to write a few lines about how to process, call it "ebook" if you want; for you this week-end.
   
4. Learn. But please practice also, that's maybe the most important part.
   

[gholam.illidan]

ok,

 

i know c# well, i tried to deobfuscate and crack almost every .net files that i have just to learn even a little. so i learned things in cracking, but in deobfuscation i am just a dumbass  :|

 

i saw some tuts on how to deobfuscate some of obfuscators but i cant understand what exactle they do, so i just memorize the steps and do them like a BOT.

 

for mention i missed my first exam that was 2days ago just because i was wake all night tring to crack a file protected with ConfEx 5, the only progress that i made was bypassing the packer.

 

i will practice even more, at the end: thanks (a real Thanks ) for helping me.

[Derberux]

you must understand the IL code.

 

of course you cannot start with Confuser ex 5 to start, download phoenix by daniel pistelli, and try to protect a program.

 

manual deobfuscation is not something complex, you have just to analyze the IL code, read the ECMA 335 or ISO/IEC 23271:2012

 

the way to learn is practice and interest.

 

btw, i wrote a tutorial some tme ago about how to decrypt constants manually.

 

 

.NET Decrypt constants manually using PowerShell1.pdf

[gholam.illidan]

.Alcatraz3222

i know ilcode as much as i can crack almost every clean assembly, and yes confex in really big for me. (i didnt know which obfuscator is the easiest, so anytime im in the mood i just pick one obfuscator and try hard to deobfuscate it by myself, cause i have to start from somewhere, sadly no success yet :|)

 

btw, i googled the cli ebooks and downloaded them, ill read them after my exams finished.

 

thanks for your tut that was so clear and useful.

Edited June 11, 2015 by gholam.illidan

[SameerRaj]

@Alcatraz3222 does using powershell can decrypt any constant obfuscated with any obfuscator??? 

[cob_258]

@SameerRaj some obfuscators use the calling method token to decrypt constants, the token is obtained with StackFrame, I'm not sure that you can simulate the stack with powershell so it appears that in this case it won't work.

 

[TheProxy RE]

Watch ubbelol tutorials on YouTube it will be helpful. I starter with these.

after watching these i reccomend u to try deobing Yano Obfuscator sunce its sample 

[turkverisoft]

this video secret?

[kao]

@turkverisoft: Ubbelol removed all his videos years ago. They are gone.

[Hayokuma]

Here's the old content of Ubbelol.

 

Edited May 23, 2020 by Teddy Rogers
Uploaded all the old content in Downloads...

[kao]

@Hayokuma: that's awesome, thank you! Ubbelol made 7 videos and you uploaded 2. Do you have the remaining ones as well? 

[Hayokuma]

I haven't more videos from Ubbe, here's the full list BTW https://web.archive.org/web/20141008223240/https://www.youtube.com/user/UbbeLoLHF/

 

Videos are private in ubbe's channel, I guess he could share them with someone if requested.

[TheProxy RE]

Okay asked ubbe to make videos public again it should be fine now
https://www.youtube.com/user/UbbeLoLHF/videos

[Sangavi]

1 hour ago, TheProxy RE said:

Okay asked ubbe to make videos public again it should be fine now
https://www.youtube.com/user/UbbeLoLHF/videos

The videos were available earlier also. I downloaded them in the past.

[kao]

Cool, thank you! I didn't know he's still around.

 

[ubbelol]

12 hours ago, kao said:

Cool, thank you! I didn't know he's still around.

 

Still around, but not really doing any RE nowadays. :)

It truly is weird hearing yourself on video 8 years later..

[Kurapica]

3 hours ago, ubbelol said:

Still around, but not really doing any RE nowadays.

It truly is weird hearing yourself on video 8 years later..

Nice to see you again, we are all getting older now