Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

de4dot deobfuscation problems

CodeExplorer
CodeExplorer
in Programming and Coding

Featured Replies

Posted

de4dot deobfuscation problems
I have an file protected by ConfuserEx,
I de-obfuscated most of methods;
but there is a problem with a method which is not obfuscated at all.
Here is non working code: 

public static void DeobfuscateCflow(MethodDef meth)
        {
            for (int i = 0; i < 2; i++)
            {
                if (failedMethods.Contains(meth.MDToken.ToInt32()))
                    continue;
                             
                CfDeob = new BlocksCflowDeobfuscator();
                Blocks blocks = new Blocks(meth);
                //List<Block> test = blocks.MethodBlocks.GetAllBlocks();
                
                //MoveStloc_toStart(blocks);
                blocks.RemoveDeadBlocks();
                blocks.RepartitionBlocks();

                blocks.UpdateBlocks();
                blocks.Method.Body.SimplifyBranches();
                blocks.Method.Body.OptimizeBranches();
                CfDeob.Initialize(blocks);
                //CfDeob.Deobfuscate();
               // CfDeob.Add(new ControlFlow());
               CfDeob.Add(new ControlFlowTest())
                // CfDeob.Add(new Cflow());
                CfDeob.Deobfuscate();
                blocks.RepartitionBlocks();

                IList<Instruction> instructions;
                IList<ExceptionHandler> exceptionHandlers;
                
                blocks.GetCode(out instructions, out exceptionHandlers);
                
                dnlib.MyWriter.MaxStackCalculator maxStackCalc = new dnlib.MyWriter.MaxStackCalculator(instructions,exceptionHandlers);
                uint maxStack = 0;
                if (maxStackCalc.Calculate(out maxStack))
                {

                    //if (ControlFlow.modified)
                    DotNetUtils.RestoreBody(meth, instructions, exceptionHandlers);
                    //break;
                    //else
                    //DotNetUtils.RestoreBody(meth, meth.Body.Instructions, meth.Body.ExceptionHandlers);
                    
                }

Where ControlFlowTest is just this:

    class ControlFlowTest : BlockDeobfuscator
    {
        protected override bool Deobfuscate(Block block)
        {
        return false;
        }
    }

 

if (hasCflow(method))
{
DeobfuscateCflow(method);
}
else
{
DeobfuscateCflowSimple(method);
}

hasCflow just check if there is a switch instruction which it is so will return true.
DeobfuscateCflowSimple it works perfectly for that method: 

public static void DeobfuscateCflowSimple(MethodDef meth)
        {
            BlocksCflowDeobfuscator cflowDeobfuscator = new BlocksCflowDeobfuscator();
            IList<Instruction> allInstructions;
            IList<ExceptionHandler> allExceptionHandlers;
            Blocks blocks = new Blocks(meth);
            cflowDeobfuscator.Initialize(blocks);
            cflowDeobfuscator.Deobfuscate();
            blocks.RepartitionBlocks();
            blocks.GetCode(out allInstructions, out allExceptionHandlers);
            dnlib.MyWriter.MaxStackCalculator maxStackCalc = new dnlib.MyWriter.MaxStackCalculator(allInstructions,allExceptionHandlers);
            uint maxStack = 0;
            if (maxStackCalc.Calculate(out maxStack))
            {
                DotNetUtils.RestoreBody(meth, allInstructions, allExceptionHandlers);
            }
            else
            {
                if (!failedMethods.Contains(meth.MDToken.ToInt32()))
                {
                    Console.WriteLine("Still obfuscated method token: "+meth.MDToken.ToInt32().ToString("X8"));
                    Console.WriteLine("Still obfuscated method: "+meth.ToString()+";");
                    failedMethods.Add(meth.MDToken.ToInt32());
                }
            }
        }

 

I'm using de4dot.blocks 3.1.41592.3405
and dnlib.dll 1.6.0.0
Does anyone known how to fix the above problems,
Maybe this is just on outdated dnlib/de4dot.blocks problem; anyway will be great if someone could share new dnlib.dll/de4dot.blocks.
 

Edited by CodeExplorer

    • Like 1

    I

    1 hour ago, CodeExplorer said:

    de4dot deobfuscation problems
    I have an file protected by ConfuserEx,
    I de-obfuscated most of methods;
    but there is a problem with a method which is not obfuscated at all.
    Here is non working code: 

    public static void DeobfuscateCflow(MethodDef meth)
        {
            for (int i = 0; i < 2; i++)
            {
                if (failedMethods.Contains(meth.MDToken.ToInt32()))
                    continue;
                             
                CfDeob = new BlocksCflowDeobfuscator();
                Blocks blocks = new Blocks(meth);
                //List<Block> test = blocks.MethodBlocks.GetAllBlocks();
                
                //MoveStloc_toStart(blocks);
                blocks.RemoveDeadBlocks();
                blocks.RepartitionBlocks();

                blocks.UpdateBlocks();
                blocks.Method.Body.SimplifyBranches();
                blocks.Method.Body.OptimizeBranches();
                CfDeob.Initialize(blocks);
                //CfDeob.Deobfuscate();
               // CfDeob.Add(new ControlFlow());
               CfDeob.Add(new ControlFlowTest())
                // CfDeob.Add(new Cflow());
                CfDeob.Deobfuscate();
                blocks.RepartitionBlocks();

                IList<Instruction> instructions;
                IList<ExceptionHandler> exceptionHandlers;
                
                blocks.GetCode(out instructions, out exceptionHandlers);
                
                dnlib.MyWriter.MaxStackCalculator maxStackCalc = new dnlib.MyWriter.MaxStackCalculator(instructions,exceptionHandlers);
                uint maxStack = 0;
                if (maxStackCalc.Calculate(out maxStack))
                {

                    //if (ControlFlow.modified)
                    DotNetUtils.RestoreBody(meth, instructions, exceptionHandlers);
                    //break;
                    //else
                    //DotNetUtils.RestoreBody(meth, meth.Body.Instructions, meth.Body.ExceptionHandlers);
                    
                }

Where ControlFlowTest is just this:

    class ControlFlowTest : BlockDeobfuscator
    {
        protected override bool Deobfuscate(Block block)
        {
        return false;
        }
    }

     

    if (hasCflow(method))
    {
    DeobfuscateCflow(method);
    }
    else
    {
    DeobfuscateCflowSimple(method);
    }

    hasCflow just check if there is a switch instruction which it is so will return true.
    DeobfuscateCflowSimple it works perfectly for that method: 

    public static void DeobfuscateCflowSimple(MethodDef meth)
        {
            BlocksCflowDeobfuscator cflowDeobfuscator = new BlocksCflowDeobfuscator();
            IList<Instruction> allInstructions;
            IList<ExceptionHandler> allExceptionHandlers;
            Blocks blocks = new Blocks(meth);
            cflowDeobfuscator.Initialize(blocks);
            cflowDeobfuscator.Deobfuscate();
            blocks.RepartitionBlocks();
            blocks.GetCode(out allInstructions, out allExceptionHandlers);
            dnlib.MyWriter.MaxStackCalculator maxStackCalc = new dnlib.MyWriter.MaxStackCalculator(allInstructions,allExceptionHandlers);
            uint maxStack = 0;
            if (maxStackCalc.Calculate(out maxStack))
            {
                DotNetUtils.RestoreBody(meth, allInstructions, allExceptionHandlers);
            }
            else
            {
                if (!failedMethods.Contains(meth.MDToken.ToInt32()))
                {
                    Console.WriteLine("Still obfuscated method token: "+meth.MDToken.ToInt32().ToString("X8"));
                    Console.WriteLine("Still obfuscated method: "+meth.ToString()+";");
                    failedMethods.Add(meth.MDToken.ToInt32());
                }
            }
        }

     

    I'm using de4dot.blocks 3.1.41592.3405
    and dnlib.dll 1.6.0.0
    Does anyone known how to fix the above problems,
    Maybe this is just on outdated dnlib/de4dot.blocks problem; anyway will be great if someone could share new dnlib.dll/de4dot.blocks.
     

    I dont know how to fix. But I do have dnlib 3.5. It is actually from mobile46 de4dot clone. blocks is the same version.

    https://workupload.com/file/CCVa5XdSLhZ

     

     

    • Like 1

    why not using last one?

    https://github.com/0xd4d/dnlib/releases/tag/v4.5.0

     

    but having lots of sex with old crap of 20 yearss old??

       

    2 hours ago, CodeExplorer said:

    and dnlib.dll 1.6.0.0

    last one it has dozens of fixes from that olddd dusty buildd....

    • Like 1
    36 minutes ago, jackyjask said:

    why not using last one?

    https://github.com/0xd4d/dnlib/releases/tag/v4.5.0

     

    but having lots of sex with old crap of 20 yearss old??

       

    last one it has dozens of fixes from that olddd dusty buildd....

    dnlib45 will not compile directly with mobile46 de4dot. I think that is de4dot latest  or there any other newer version :)

    Edited by extonoxt

    • Like 1

    It is not hard to update dnlib, maybe 8/10 fixes on de4dot and it will work.

    Tomorrow I will share my updated de4dot-cex with you.

    • Like 4
    • Author

    I don't think dnlib.dll is the problem, I've updated it to dnlib 3.3.2.0.
    de4dot.blocks.dll seems to be problem and I don't think it gonna be any de4dot that will work,
    Here is test file:
    https://workupload.com/file/kcxGNgKgS3u

    Is there any way to disable control flow deobfuscation for de4dot ???
     

    • Like 1

    use  

    de4dot.exe --no-cflow-deob

     

    • Like 1

    image.png.751dbfc2f1646d44016547ae542d6776.png

    21 minutes ago, CodeExplorer said:

    I don't think dnlib.dll is the problem, I've updated it to dnlib 3.3.2.0.
    de4dot.blocks.dll seems to be problem and I don't think it gonna be any de4dot that will work,
    Here is test file:
    https://workupload.com/file/kcxGNgKgS3u

    Is there any way to disable control flow deobfuscation for de4dot ???
     

    can you post the original

    • Like 1

    This is for stopWorkingAfter_de4dot

    For every single run "Enter License Code" gives different  "Invalid token" Exception

    image.png.8faf2d1eb35825ecbe9382bf53066337.png

    image.png.371ad2dd5a502b53ddd6c73d1deb27f3.png

    image.png.d4e374bd24e203fa5285cf3c12ef5d47.png

    Edited by extonoxt

    • Like 1
    • Author

    In my case is just complain about dna.dll not being found when I click on "Enter License Code".
    https://ibb.co/N2yXKDfx

    • Like 1
    12 minutes ago, CodeExplorer said:

    In my case is just complain about dna.dll not being found when I click on "Enter License Code".
    https://ibb.co/N2yXKDfx

    I get that for the original too

    • Like 1

    I suspect it isn't complete? If you DL the latest version there is a DNA.dll included, but not the one that "suits" the executable you have.

    v1.2.2.83 seems no longer available on the Interwebz.

    v1.2.3.87 (hibrec.dll is obfuscated):
    https://mega.nz/file/3kRRxSZA#y98k7mBJKpygPxFu5Txi_-l9iDnyN3GzYxzjTVb3z-I

     

    42 minutes ago, extonoxt said:

    There is another dll is used in memory. Take a look

    https://workupload.com/file/UUu5VDPBfC3

    I believe this is the resource file?

    Edited by Ben_Dover

    • Like 1
    • Author
    36 minutes ago, extonoxt said:

    There is another dll is used in memory. Take a look

    https://workupload.com/file/UUu5VDPBfC3

    That's assembly with resources.

    From what I could see they are more files missing not just DNA.dll.
     

    • Like 2
    • Author

    Here is missing dll:
    https://workupload.com/file/Qr36PMtf4fs

    directory lib to be placed next to HibernationRecon.exe.
     

    • Like 1

    Updated in the following

     

    Edited by CreateAndInject

    • Like 2
    • Author

    Same problem with:

    // Token: 0x0200011D RID: 285
    [CompilerGenerated]
    private sealed class VB$StateMachine_11_ParseCommandLineParameter : IEnumerable<KeyValuePair<string, IEnumerable<string>>>, IEnumerator<KeyValuePair<string, IEnumerable<string>>>, IDisposable, IEnumerable, IEnumerator
    {

    // Arsenal.ImageMounter.IO.ConsoleSupport.VB$StateMachine_11_ParseCommandLineParameter
    // Token: 0x06000EBF RID: 3775 RVA: 0x00041558 File Offset: 0x0003F758
    [CompilerGenerated]
    bool IEnumerator.MoveNext()
    {

    that method gets corrupted after control flow de-obfuscation.

    Also tried with:
    de4dot.exe --no-cflow-deob
    no good luck.
     

    • Like 1
    3 hours ago, CodeExplorer said:

    gets corrupted

    what exactly?

    • Like 1

    Fixed

     

    unpacked.zip

    Edited by CreateAndInject

    • Like 1

    Create an account or sign in to comment

    Go to topic listing

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.