CodeExplorer Posted Monday at 06:53 PM (edited)

de4dot deobfuscation problems

I have a file protected by ConfuserEx. I de-obfuscated most of the methods, but there is a problem with a method which is not obfuscated at all.
Here is the non-working code:

    public static void DeobfuscateCflow(MethodDef meth)
    {
        for (int i = 0; i < 2; i++)
        {
            if (failedMethods.Contains(meth.MDToken.ToInt32()))
                continue;
            CfDeob = new BlocksCflowDeobfuscator();
            Blocks blocks = new Blocks(meth);
            //List<Block> test = blocks.MethodBlocks.GetAllBlocks();
            //MoveStloc_toStart(blocks);
            blocks.RemoveDeadBlocks();
            blocks.RepartitionBlocks();
            blocks.UpdateBlocks();
            blocks.Method.Body.SimplifyBranches();
            blocks.Method.Body.OptimizeBranches();
            CfDeob.Initialize(blocks);
            //CfDeob.Deobfuscate();
            // CfDeob.Add(new ControlFlow());
            CfDeob.Add(new ControlFlowTest());
            // CfDeob.Add(new Cflow());
            CfDeob.Deobfuscate();
            blocks.RepartitionBlocks();
            IList<Instruction> instructions;
            IList<ExceptionHandler> exceptionHandlers;
            blocks.GetCode(out instructions, out exceptionHandlers);
            dnlib.MyWriter.MaxStackCalculator maxStackCalc = new dnlib.MyWriter.MaxStackCalculator(instructions, exceptionHandlers);
            uint maxStack = 0;
            if (maxStackCalc.Calculate(out maxStack))
            {
                //if (ControlFlow.modified)
                DotNetUtils.RestoreBody(meth, instructions, exceptionHandlers);
                //break;
                //else
                //DotNetUtils.RestoreBody(meth, meth.Body.Instructions, meth.Body.ExceptionHandlers);
            }
        }
    }

Where ControlFlowTest is just this:

    class ControlFlowTest : BlockDeobfuscator
    {
        protected override bool Deobfuscate(Block block)
        {
            return false;
        }
    }

    if (hasCflow(method))
    {
        DeobfuscateCflow(method);
    }
    else
    {
        DeobfuscateCflowSimple(method);
    }

hasCflow just checks if there is a switch instruction, which there is, so it will return true.
DeobfuscateCflowSimple works perfectly for that method:

    public static void DeobfuscateCflowSimple(MethodDef meth)
    {
        BlocksCflowDeobfuscator cflowDeobfuscator = new BlocksCflowDeobfuscator();
        IList<Instruction> allInstructions;
        IList<ExceptionHandler> allExceptionHandlers;
        Blocks blocks = new Blocks(meth);
        cflowDeobfuscator.Initialize(blocks);
        cflowDeobfuscator.Deobfuscate();
        blocks.RepartitionBlocks();
        blocks.GetCode(out allInstructions, out allExceptionHandlers);
        dnlib.MyWriter.MaxStackCalculator maxStackCalc = new dnlib.MyWriter.MaxStackCalculator(allInstructions, allExceptionHandlers);
        uint maxStack = 0;
        if (maxStackCalc.Calculate(out maxStack))
        {
            DotNetUtils.RestoreBody(meth, allInstructions, allExceptionHandlers);
        }
        else
        {
            if (!failedMethods.Contains(meth.MDToken.ToInt32()))
            {
                Console.WriteLine("Still obfuscated method token: " + meth.MDToken.ToInt32().ToString("X8"));
                Console.WriteLine("Still obfuscated method: " + meth.ToString() + ";");
                failedMethods.Add(meth.MDToken.ToInt32());
            }
        }
    }

I'm using de4dot.blocks 3.1.41592.3405 and dnlib.dll 1.6.0.0

Does anyone know how to fix the above problems? Maybe this is just an outdated dnlib/de4dot.blocks problem; anyway, it would be great if someone could share a new dnlib.dll/de4dot.blocks.

Edited Monday at 07:15 PM by CodeExplorer

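A structural gate that could sit in front of `DotNetUtils.RestoreBody` in the code above, as an added example that is not part of the original post or of de4dot: besides the max-stack calculation it checks branch and switch targets, exception-handler boundaries and the final instruction. `BodyCheck.Validate` is a hypothetical name, and dnlib 3.x or later is assumed for the `MaxStackCalculator.GetMaxStack` overload with an `out` parameter.

```csharp
using System.Collections.Generic;
using dnlib.DotNet.Emit;
using dnlib.DotNet.Writer;

// Added example: BodyCheck/Validate are hypothetical names, not de4dot or dnlib API.
public static class BodyCheck
{
    // Returns null if the rewritten body is structurally sound, otherwise the reason.
    public static string Validate(IList<Instruction> code, IList<ExceptionHandler> handlers)
    {
        if (code == null || code.Count == 0) return "empty body";
        var known = new HashSet<Instruction>(code);
        foreach (var instr in code)
        {
            var type = instr.OpCode.OperandType;
            if (type == OperandType.InlineBrTarget || type == OperandType.ShortInlineBrTarget)
            {
                var target = instr.Operand as Instruction;
                if (target == null || !known.Contains(target))
                    return "branch target not in body: " + instr.OpCode;
            }
            else if (type == OperandType.InlineSwitch)
            {
                var targets = instr.Operand as IList<Instruction>;
                if (targets == null) return "switch without targets";
                foreach (var t in targets)
                    if (t == null || !known.Contains(t))
                        return "switch target not in body";
            }
        }
        foreach (var eh in handlers ?? new ExceptionHandler[0])
        {
            // Start markers must exist; a null TryEnd/HandlerEnd means "end of method".
            if (eh.TryStart == null || !known.Contains(eh.TryStart)) return "bad TryStart";
            if (eh.HandlerStart == null || !known.Contains(eh.HandlerStart)) return "bad HandlerStart";
            if (eh.TryEnd != null && !known.Contains(eh.TryEnd)) return "bad TryEnd";
            if (eh.HandlerEnd != null && !known.Contains(eh.HandlerEnd)) return "bad HandlerEnd";
            if (eh.FilterStart != null && !known.Contains(eh.FilterStart)) return "bad FilterStart";
        }
        // The last instruction must not fall through past the end of the method.
        var last = code[code.Count - 1].OpCode;
        if (last.FlowControl != FlowControl.Return && last.FlowControl != FlowControl.Branch &&
            last.FlowControl != FlowControl.Throw && last.Code != Code.Jmp)
            return "control falls off the end of the method";
        uint maxStack;
        return MaxStackCalculator.GetMaxStack(code, handlers, out maxStack) ? null : "inconsistent stack depth";
    }
}
```

Call it on the lists returned by `blocks.GetCode(...)` and write the body back only when it returns null; logging the returned reason together with the method token shows which structural property the rewritten body violates.
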
extonoxt Posted Monday at 08:31 PM

I don't know how to fix. But I do have dnlib 3.5. It is actually from mobile46 de4dot clone. blocks is the same version.
https://workupload.com/file/CCVa5XdSLhZ

jackyjask Posted Monday at 09:29 PM

why not using last one?
https://github.com/0xd4d/dnlib/releases/tag/v4.5.0
but having lots of sex with old crap of 20 yearss old??

2 hours ago, CodeExplorer said:
> and dnlib.dll 1.6.0.0

last one it has dozens of fixes from that olddd dusty buildd....

extonoxt Posted Monday at 10:02 PM (edited)

36 minutes ago, jackyjask said:
> why not using last one?
> https://github.com/0xd4d/dnlib/releases/tag/v4.5.0
> but having lots of sex with old crap of 20 yearss old??
> last one it has dozens of fixes from that olddd dusty buildd....

dnlib45 will not compile directly with mobile46 de4dot. I think that is de4dot latest, or is there any other newer version?

Edited Monday at 10:10 PM by extonoxt

cachito Posted Tuesday at 12:17 AM

It is not hard to update dnlib, maybe 8/10 fixes on de4dot and it will work. Tomorrow I will share my updated de4dot-cex with you.

CodeExplorer Posted Tuesday at 09:53 AM Author

I don't think dnlib.dll is the problem; I've updated it to dnlib 3.3.2.0.
de4dot.blocks.dll seems to be the problem, and I don't think there is going to be any de4dot that will work.
Here is the test file:
https://workupload.com/file/kcxGNgKgS3u

Is there any way to disable control flow deobfuscation for de4dot?

extonoxt Posted Tuesday at 10:10 AM

21 minutes ago, CodeExplorer said:
> I don't think dnlib.dll is the problem; I've updated it to dnlib 3.3.2.0.
> de4dot.blocks.dll seems to be the problem, and I don't think there is going to be any de4dot that will work.
> Here is the test file:
> https://workupload.com/file/kcxGNgKgS3u
> Is there any way to disable control flow deobfuscation for de4dot?

Can you post the original?

CodeExplorer Posted Tuesday at 10:22 AM Author

Original file:
https://workupload.com/file/2BbZRYkPGzy

extonoxt Posted Tuesday at 10:38 AM (edited)

This is for stopWorkingAfter_de4dot.
For every single run, "Enter License Code" gives a different "Invalid token" exception.

Edited Tuesday at 11:00 AM by extonoxt

CodeExplorer Posted Tuesday at 10:49 AM Author

In my case it just complains about dna.dll not being found when I click on "Enter License Code".
https://ibb.co/N2yXKDfx

extonoxt Posted Tuesday at 11:01 AM

12 minutes ago, CodeExplorer said:
> In my case it just complains about dna.dll not being found when I click on "Enter License Code".
> https://ibb.co/N2yXKDfx

I get that for the original too.

extonoxt Posted Tuesday at 11:20 AM

There is another dll that is used in memory. Take a look:
https://workupload.com/file/UUu5VDPBfC3

Ben_Dover Posted Tuesday at 11:47 AM (edited)

I suspect it isn't complete? If you DL the latest version there is a DNA.dll included, but not the one that "suits" the executable you have. v1.2.2.83 seems no longer available on the Interwebz.

v1.2.3.87 (hibrec.dll is obfuscated):
https://mega.nz/file/3kRRxSZA#y98k7mBJKpygPxFu5Txi_-l9iDnyN3GzYxzjTVb3z-I

42 minutes ago, extonoxt said:
> There is another dll that is used in memory. Take a look:
> https://workupload.com/file/UUu5VDPBfC3

I believe this is the resource file?

Edited Tuesday at 12:03 PM by Ben_Dover

CodeExplorer Posted Tuesday at 11:59 AM Author

36 minutes ago, extonoxt said:
> There is another dll that is used in memory. Take a look:
> https://workupload.com/file/UUu5VDPBfC3

That's an assembly with resources.
From what I could see, there are more files missing, not just DNA.dll.

CodeExplorer Posted Tuesday at 12:45 PM Author

Here is the missing dll:
https://workupload.com/file/Qr36PMtf4fs
The lib directory is to be placed next to HibernationRecon.exe.

CreateAndInject Posted Wednesday at 01:26 PM (edited)

Updated in the following

Edited yesterday at 02:29 AM by CreateAndInject

CodeExplorer Posted Wednesday at 05:49 PM Author

Same problem with:

    // Token: 0x0200011D RID: 285
    [CompilerGenerated]
    private sealed class VB$StateMachine_11_ParseCommandLineParameter : IEnumerable<KeyValuePair<string, IEnumerable<string>>>, IEnumerator<KeyValuePair<string, IEnumerable<string>>>, IDisposable, IEnumerable, IEnumerator
    {
        // Arsenal.ImageMounter.IO.ConsoleSupport.VB$StateMachine_11_ParseCommandLineParameter
        // Token: 0x06000EBF RID: 3775 RVA: 0x00041558 File Offset: 0x0003F758
        [CompilerGenerated]
        bool IEnumerator.MoveNext()
        {

That method gets corrupted after control flow de-obfuscation.

Also tried with:

    de4dot.exe --no-cflow-deob

No luck.

jackyjask Posted Wednesday at 09:13 PM

3 hours ago, CodeExplorer said:
> gets corrupted

what exactly?

CreateAndInject Posted yesterday at 01:38 AM (edited)

Fixed
unpacked.zip

Edited yesterday at 02:39 AM by CreateAndInject