Tuts 4 You

de4dot deobfuscation problems


CodeExplorer

Posted (edited)

de4dot deobfuscation problems
I have a file protected by ConfuserEx.
I de-obfuscated most of the methods,
but there is a problem with a method which is not obfuscated at all.
Here is the non-working code:

using System.Collections.Generic;
using dnlib.DotNet;
using dnlib.DotNet.Emit;
using de4dot.blocks;
using de4dot.blocks.cflow;

// Assumed declarations (not shown in the post): the tokens of methods that already
// failed, and the cflow deobfuscator instance shared by the helper below.
static List<int> failedMethods = new List<int>();
static BlocksCflowDeobfuscator CfDeob;

public static void DeobfuscateCflow(MethodDef meth)
{
    for (int i = 0; i < 2; i++)
    {
        if (failedMethods.Contains(meth.MDToken.ToInt32()))
            continue;

        CfDeob = new BlocksCflowDeobfuscator();
        Blocks blocks = new Blocks(meth);
        //List<Block> test = blocks.MethodBlocks.GetAllBlocks();

        //MoveStloc_toStart(blocks);
        blocks.RemoveDeadBlocks();
        blocks.RepartitionBlocks();

        blocks.UpdateBlocks();
        blocks.Method.Body.SimplifyBranches();
        blocks.Method.Body.OptimizeBranches();
        CfDeob.Initialize(blocks);
        //CfDeob.Deobfuscate();
        //CfDeob.Add(new ControlFlow());
        CfDeob.Add(new ControlFlowTest());
        //CfDeob.Add(new Cflow());
        CfDeob.Deobfuscate();
        blocks.RepartitionBlocks();

        // Rebuild a flat instruction list from the (possibly rewritten) block graph
        IList<Instruction> instructions;
        IList<ExceptionHandler> exceptionHandlers;
        blocks.GetCode(out instructions, out exceptionHandlers);

        // dnlib.MyWriter is not a dnlib namespace; presumably the poster's own copy of the
        // writer's MaxStackCalculator, used here to check that the evaluation stack balances
        dnlib.MyWriter.MaxStackCalculator maxStackCalc = new dnlib.MyWriter.MaxStackCalculator(instructions, exceptionHandlers);
        uint maxStack = 0;
        if (maxStackCalc.Calculate(out maxStack))
        {
            //if (ControlFlow.modified)
            DotNetUtils.RestoreBody(meth, instructions, exceptionHandlers);
            //break;
            //else
            //DotNetUtils.RestoreBody(meth, meth.Body.Instructions, meth.Body.ExceptionHandlers);
        }
    }
}

Where ControlFlowTest is just this:

class ControlFlowTest : BlockDeobfuscator
{
    // Does nothing: reports every block as unmodified
    protected override bool Deobfuscate(Block block)
    {
        return false;
    }
}

 

if (hasCflow(method))
{
    DeobfuscateCflow(method);
}
else
{
    DeobfuscateCflowSimple(method);
}

hasCflow just checks whether there is a switch instruction, which there is, so it will return true.
DeobfuscateCflowSimple works perfectly for that method:

public static void DeobfuscateCflowSimple(MethodDef meth)
{
    BlocksCflowDeobfuscator cflowDeobfuscator = new BlocksCflowDeobfuscator();
    IList<Instruction> allInstructions;
    IList<ExceptionHandler> allExceptionHandlers;
    Blocks blocks = new Blocks(meth);
    cflowDeobfuscator.Initialize(blocks);
    cflowDeobfuscator.Deobfuscate();
    blocks.RepartitionBlocks();
    blocks.GetCode(out allInstructions, out allExceptionHandlers);
    dnlib.MyWriter.MaxStackCalculator maxStackCalc = new dnlib.MyWriter.MaxStackCalculator(allInstructions, allExceptionHandlers);
    uint maxStack = 0;
    if (maxStackCalc.Calculate(out maxStack))
    {
        DotNetUtils.RestoreBody(meth, allInstructions, allExceptionHandlers);
    }
    else
    {
        if (!failedMethods.Contains(meth.MDToken.ToInt32()))
        {
            Console.WriteLine("Still obfuscated method token: " + meth.MDToken.ToInt32().ToString("X8"));
            Console.WriteLine("Still obfuscated method: " + meth.ToString() + ";");
            failedMethods.Add(meth.MDToken.ToInt32());
        }
    }
}

 

I'm using de4dot.blocks 3.1.41592.3405
and dnlib.dll 1.6.0.0.
Does anyone know how to fix the above problems?
Maybe this is just an outdated dnlib/de4dot.blocks problem; anyway, it would be great if someone could share a new dnlib.dll/de4dot.blocks.
 

Edited by CodeExplorer
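An added guard (my example, not code from the thread or from de4dot) that stops the cflow pass from writing back a body it has broken: the instruction list that Blocks.GetCode() produces is validated before DotNetUtils.RestoreBody, and a method that fails (dangling branch or switch target, handler starting outside the body, or a stack that does not balance) is reported and left as it was, which gives per-method control over the pass instead of the global --no-cflow-deob. It assumes the public static MaxStackCalculator.GetMaxStack overload of current dnlib (on dnlib 1.6 substitute the poster's dnlib.MyWriter copy) and that constructing Blocks reads meth.Body without modifying it until RestoreBody is called.

```csharp
using System;
using System.Collections.Generic;
using dnlib.DotNet;
using dnlib.DotNet.Emit;
using dnlib.DotNet.Writer;
using de4dot.blocks;
using de4dot.blocks.cflow;
static class CheckedCflow
{
    // Integrity checks on the candidate body from Blocks.GetCode(): every branch and switch target
    // must still be an instruction of the body, every handler must start inside it, and the
    // evaluation stack must balance. An empty list means the body is safe to write back.
    public static List<string> Validate(IList<Instruction> instrs, IList<ExceptionHandler> ehs)
    {
        var problems = new List<string>();
        var inBody = new HashSet<Instruction>(instrs);
        for (int i = 0; i < instrs.Count; i++)
        {
            var ot = instrs[i].OpCode.OperandType;
            if ((ot == OperandType.InlineBrTarget || ot == OperandType.ShortInlineBrTarget)
                && (!(instrs[i].Operand is Instruction t) || !inBody.Contains(t)))
                problems.Add($"#{i} {instrs[i].OpCode}: branch target is not in the body");
            else if (ot == OperandType.InlineSwitch)   // a missing target list is reported as one null case
                foreach (var c in instrs[i].Operand as IList<Instruction> ?? new Instruction[] { null })
                    if (c == null || !inBody.Contains(c)) problems.Add($"#{i} switch: case target is not in the body");
        }
        foreach (var eh in ehs)
            if (eh.TryStart == null || eh.HandlerStart == null || !inBody.Contains(eh.TryStart) || !inBody.Contains(eh.HandlerStart))
                problems.Add("exception handler try/handler start is not in the body");
        // Same test as the poster's MaxStackCalculator.Calculate(), through dnlib's public static overload
        if (!MaxStackCalculator.GetMaxStack(instrs, ehs, out _))
            problems.Add("max stack cannot be computed (unbalanced evaluation stack)");
        return problems;
    }
    // Runs the de4dot cflow pass and writes the result back only if it validates; otherwise the body is kept.
    public static bool Run(MethodDef meth)
    {
        var blocks = new Blocks(meth);            // block graph built from meth.Body; the body itself is untouched
        var cflow = new BlocksCflowDeobfuscator();
        cflow.Initialize(blocks);
        cflow.Deobfuscate();
        blocks.RepartitionBlocks();
        blocks.GetCode(out IList<Instruction> instrs, out IList<ExceptionHandler> ehs);
        var problems = Validate(instrs, ehs);
        if (problems.Count == 0) { DotNetUtils.RestoreBody(meth, instrs, ehs); return true; }
        Console.WriteLine($"{meth.MDToken.ToInt32():X8} {meth.FullName}: cflow result rejected, original body kept");
        foreach (var p in problems) Console.WriteLine("  " + p);
        return false;
    }
}
```

Calling Validate on meth.Body.Instructions and meth.Body.ExceptionHandlers before Run, and on the rejected candidate after, shows what the pass actually changed in the "corrupted" method.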
Posted

1 hour ago, CodeExplorer said:


I don't know how to fix it. But I do have dnlib 3.5. It is actually from the mobile46 de4dot clone. blocks is the same version.

https://workupload.com/file/CCVa5XdSLhZ

 

 

Posted (edited)
36 minutes ago, jackyjask said:

why not use the last one?

https://github.com/0xd4d/dnlib/releases/tag/v4.5.0

 

but having lots of sex with old crap of 20 years old??

   

the last one has dozens of fixes from that old dusty build....

dnlib45 will not compile directly with mobile46 de4dot. I think that is the latest de4dot, or is there any other newer version :)

Edited by extonoxt
Posted

It is not hard to update dnlib, maybe 8/10 fixes on de4dot and it will work.

Tomorrow I will share my updated de4dot-cex with you.

Posted

I don't think dnlib.dll is the problem; I've updated it to dnlib 3.3.2.0.
de4dot.blocks.dll seems to be the problem, and I don't think there's gonna be any de4dot that will work.
Here is the test file:
https://workupload.com/file/kcxGNgKgS3u

Is there any way to disable control flow deobfuscation for de4dot ???
 

Posted

use 

de4dot.exe --no-cflow-deob

 

Posted


21 minutes ago, CodeExplorer said:


can you post the original

Posted (edited)

This is for stopWorkingAfter_de4dot

For every single run, "Enter License Code" gives a different "Invalid token" exception.


Edited by extonoxt
Posted
12 minutes ago, CodeExplorer said:

In my case it just complains about dna.dll not being found when I click on "Enter License Code".
https://ibb.co/N2yXKDfx

I get that for the original too

Posted (edited)

I suspect it isn't complete? If you DL the latest version there is a DNA.dll included, but not the one that "suits" the executable you have.

v1.2.2.83 seems no longer available on the Interwebz.

v1.2.3.87 (hibrec.dll is obfuscated):
https://mega.nz/file/3kRRxSZA#y98k7mBJKpygPxFu5Txi_-l9iDnyN3GzYxzjTVb3z-I

 

42 minutes ago, extonoxt said:

There is another dll used in memory. Take a look

https://workupload.com/file/UUu5VDPBfC3

I believe this is the resource file?

Edited by Ben_Dover
Posted
36 minutes ago, extonoxt said:
That's an assembly with resources.

From what I could see there are more files missing, not just DNA.dll.
 

Posted (edited)

Updated in the following

 

Edited by CreateAndInject
Posted

Same problem with:

// Token: 0x0200011D RID: 285
[CompilerGenerated]
private sealed class VB$StateMachine_11_ParseCommandLineParameter : IEnumerable<KeyValuePair<string, IEnumerable<string>>>, IEnumerator<KeyValuePair<string, IEnumerable<string>>>, IDisposable, IEnumerable, IEnumerator
{

// Arsenal.ImageMounter.IO.ConsoleSupport.VB$StateMachine_11_ParseCommandLineParameter
// Token: 0x06000EBF RID: 3775 RVA: 0x00041558 File Offset: 0x0003F758
[CompilerGenerated]
bool IEnumerator.MoveNext()
{

that method gets corrupted after control flow de-obfuscation.

Also tried with:
de4dot.exe --no-cflow-deob
no luck.
 

Posted
3 hours ago, CodeExplorer said:

gets corrupted

what exactly?
