Jump to content
View in the app

A better way to browse. Learn more.

Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

de4dot deobfuscation problems

Featured Replies

Posted

de4dot deobfuscation problems
I have an file protected by ConfuserEx,
I de-obfuscated most of methods;
but there is a problem with a method which is not obfuscated at all.
Here is non working code:

public static void DeobfuscateCflow(MethodDef meth)
        {
            for (int i = 0; i < 2; i++)
            {
                if (failedMethods.Contains(meth.MDToken.ToInt32()))
                    continue;
                             
                CfDeob = new BlocksCflowDeobfuscator();
                Blocks blocks = new Blocks(meth);
                //List<Block> test = blocks.MethodBlocks.GetAllBlocks();
                
                //MoveStloc_toStart(blocks);
                blocks.RemoveDeadBlocks();
                blocks.RepartitionBlocks();

                blocks.UpdateBlocks();
                blocks.Method.Body.SimplifyBranches();
                blocks.Method.Body.OptimizeBranches();
                CfDeob.Initialize(blocks);
                //CfDeob.Deobfuscate();
               // CfDeob.Add(new ControlFlow());
               CfDeob.Add(new ControlFlowTest())
                // CfDeob.Add(new Cflow());
                CfDeob.Deobfuscate();
                blocks.RepartitionBlocks();

                IList<Instruction> instructions;
                IList<ExceptionHandler> exceptionHandlers;
                
                blocks.GetCode(out instructions, out exceptionHandlers);
                
                dnlib.MyWriter.MaxStackCalculator maxStackCalc = new dnlib.MyWriter.MaxStackCalculator(instructions,exceptionHandlers);
                uint maxStack = 0;
                if (maxStackCalc.Calculate(out maxStack))
                {

                    //if (ControlFlow.modified)
                    DotNetUtils.RestoreBody(meth, instructions, exceptionHandlers);
                    //break;
                    //else
                    //DotNetUtils.RestoreBody(meth, meth.Body.Instructions, meth.Body.ExceptionHandlers);
                    
                }

Where ControlFlowTest is just this:

    class ControlFlowTest : BlockDeobfuscator
    {
        protected override bool Deobfuscate(Block block)
        {
        return false;
        }
    }

 

if (hasCflow(method))
{
DeobfuscateCflow(method);
}
else
{
DeobfuscateCflowSimple(method);
}

hasCflow just check if there is a switch instruction which it is so will return true.
DeobfuscateCflowSimple it works perfectly for that method:

public static void DeobfuscateCflowSimple(MethodDef meth)
        {
            BlocksCflowDeobfuscator cflowDeobfuscator = new BlocksCflowDeobfuscator();
            IList<Instruction> allInstructions;
            IList<ExceptionHandler> allExceptionHandlers;
            Blocks blocks = new Blocks(meth);
            cflowDeobfuscator.Initialize(blocks);
            cflowDeobfuscator.Deobfuscate();
            blocks.RepartitionBlocks();
            blocks.GetCode(out allInstructions, out allExceptionHandlers);
            dnlib.MyWriter.MaxStackCalculator maxStackCalc = new dnlib.MyWriter.MaxStackCalculator(allInstructions,allExceptionHandlers);
            uint maxStack = 0;
            if (maxStackCalc.Calculate(out maxStack))
            {
                DotNetUtils.RestoreBody(meth, allInstructions, allExceptionHandlers);
            }
            else
            {
                if (!failedMethods.Contains(meth.MDToken.ToInt32()))
                {
                    Console.WriteLine("Still obfuscated method token: "+meth.MDToken.ToInt32().ToString("X8"));
                    Console.WriteLine("Still obfuscated method: "+meth.ToString()+";");
                    failedMethods.Add(meth.MDToken.ToInt32());
                }
            }
        }

 

I'm using de4dot.blocks 3.1.41592.3405
and dnlib.dll 1.6.0.0
Does anyone known how to fix the above problems,
Maybe this is just on outdated dnlib/de4dot.blocks problem; anyway will be great if someone could share new dnlib.dll/de4dot.blocks.
 

Edited by CodeExplorer

I

1 hour ago, CodeExplorer said:

de4dot deobfuscation problems
I have an file protected by ConfuserEx,
I de-obfuscated most of methods;
but there is a problem with a method which is not obfuscated at all.
Here is non working code:

public static void DeobfuscateCflow(MethodDef meth)
        {
            for (int i = 0; i < 2; i++)
            {
                if (failedMethods.Contains(meth.MDToken.ToInt32()))
                    continue;
                             
                CfDeob = new BlocksCflowDeobfuscator();
                Blocks blocks = new Blocks(meth);
                //List<Block> test = blocks.MethodBlocks.GetAllBlocks();
                
                //MoveStloc_toStart(blocks);
                blocks.RemoveDeadBlocks();
                blocks.RepartitionBlocks();

                blocks.UpdateBlocks();
                blocks.Method.Body.SimplifyBranches();
                blocks.Method.Body.OptimizeBranches();
                CfDeob.Initialize(blocks);
                //CfDeob.Deobfuscate();
               // CfDeob.Add(new ControlFlow());
               CfDeob.Add(new ControlFlowTest())
                // CfDeob.Add(new Cflow());
                CfDeob.Deobfuscate();
                blocks.RepartitionBlocks();

                IList<Instruction> instructions;
                IList<ExceptionHandler> exceptionHandlers;
                
                blocks.GetCode(out instructions, out exceptionHandlers);
                
                dnlib.MyWriter.MaxStackCalculator maxStackCalc = new dnlib.MyWriter.MaxStackCalculator(instructions,exceptionHandlers);
                uint maxStack = 0;
                if (maxStackCalc.Calculate(out maxStack))
                {

                    //if (ControlFlow.modified)
                    DotNetUtils.RestoreBody(meth, instructions, exceptionHandlers);
                    //break;
                    //else
                    //DotNetUtils.RestoreBody(meth, meth.Body.Instructions, meth.Body.ExceptionHandlers);
                    
                }

Where ControlFlowTest is just this:

    class ControlFlowTest : BlockDeobfuscator
    {
        protected override bool Deobfuscate(Block block)
        {
        return false;
        }
    }

 

if (hasCflow(method))
{
DeobfuscateCflow(method);
}
else
{
DeobfuscateCflowSimple(method);
}

hasCflow just check if there is a switch instruction which it is so will return true.
DeobfuscateCflowSimple it works perfectly for that method:

public static void DeobfuscateCflowSimple(MethodDef meth)
        {
            BlocksCflowDeobfuscator cflowDeobfuscator = new BlocksCflowDeobfuscator();
            IList<Instruction> allInstructions;
            IList<ExceptionHandler> allExceptionHandlers;
            Blocks blocks = new Blocks(meth);
            cflowDeobfuscator.Initialize(blocks);
            cflowDeobfuscator.Deobfuscate();
            blocks.RepartitionBlocks();
            blocks.GetCode(out allInstructions, out allExceptionHandlers);
            dnlib.MyWriter.MaxStackCalculator maxStackCalc = new dnlib.MyWriter.MaxStackCalculator(allInstructions,allExceptionHandlers);
            uint maxStack = 0;
            if (maxStackCalc.Calculate(out maxStack))
            {
                DotNetUtils.RestoreBody(meth, allInstructions, allExceptionHandlers);
            }
            else
            {
                if (!failedMethods.Contains(meth.MDToken.ToInt32()))
                {
                    Console.WriteLine("Still obfuscated method token: "+meth.MDToken.ToInt32().ToString("X8"));
                    Console.WriteLine("Still obfuscated method: "+meth.ToString()+";");
                    failedMethods.Add(meth.MDToken.ToInt32());
                }
            }
        }

 

I'm using de4dot.blocks 3.1.41592.3405
and dnlib.dll 1.6.0.0
Does anyone known how to fix the above problems,
Maybe this is just on outdated dnlib/de4dot.blocks problem; anyway will be great if someone could share new dnlib.dll/de4dot.blocks.
 

I dont know how to fix. But I do have dnlib 3.5. It is actually from mobile46 de4dot clone. blocks is the same version.

https://workupload.com/file/CCVa5XdSLhZ

 

 

why not using last one?

https://github.com/0xd4d/dnlib/releases/tag/v4.5.0

 

but having lots of sex with old crap of 20 yearss old??

   

2 hours ago, CodeExplorer said:

and dnlib.dll 1.6.0.0

last one it has dozens of fixes from that olddd dusty buildd....

36 minutes ago, jackyjask said:

why not using last one?

https://github.com/0xd4d/dnlib/releases/tag/v4.5.0

 

but having lots of sex with old crap of 20 yearss old??

   

last one it has dozens of fixes from that olddd dusty buildd....

dnlib45 will not compile directly with mobile46 de4dot. I think that is de4dot latest  or there any other newer version :)

Edited by extonoxt

It is not hard to update dnlib, maybe 8/10 fixes on de4dot and it will work.

Tomorrow I will share my updated de4dot-cex with you.

  • Author

I don't think dnlib.dll is the problem, I've updated it to dnlib 3.3.2.0.
de4dot.blocks.dll seems to be problem and I don't think it gonna be any de4dot that will work,
Here is test file:
https://workupload.com/file/kcxGNgKgS3u

Is there any way to disable control flow deobfuscation for de4dot ???
 

use 

de4dot.exe --no-cflow-deob

 

image.png.751dbfc2f1646d44016547ae542d6776.png

21 minutes ago, CodeExplorer said:

I don't think dnlib.dll is the problem, I've updated it to dnlib 3.3.2.0.
de4dot.blocks.dll seems to be problem and I don't think it gonna be any de4dot that will work,
Here is test file:
https://workupload.com/file/kcxGNgKgS3u

Is there any way to disable control flow deobfuscation for de4dot ???
 

can you post the original

This is for stopWorkingAfter_de4dot

For every single run "Enter License Code" gives different  "Invalid token" Exception

image.png.8faf2d1eb35825ecbe9382bf53066337.png

image.png.371ad2dd5a502b53ddd6c73d1deb27f3.png

image.png.d4e374bd24e203fa5285cf3c12ef5d47.png

Edited by extonoxt

  • Author

In my case is just complain about dna.dll not being found when I click on "Enter License Code".
https://ibb.co/N2yXKDfx

12 minutes ago, CodeExplorer said:

In my case is just complain about dna.dll not being found when I click on "Enter License Code".
https://ibb.co/N2yXKDfx

I get that for the original too

I suspect it isn't complete? If you DL the latest version there is a DNA.dll included, but not the one that "suits" the executable you have.

v1.2.2.83 seems no longer available on the Interwebz.

v1.2.3.87 (hibrec.dll is obfuscated):
https://mega.nz/file/3kRRxSZA#y98k7mBJKpygPxFu5Txi_-l9iDnyN3GzYxzjTVb3z-I

 

42 minutes ago, extonoxt said:

There is another dll is used in memory. Take a look

https://workupload.com/file/UUu5VDPBfC3

I believe this is the resource file?

Edited by Ben_Dover

  • Author
36 minutes ago, extonoxt said:

There is another dll is used in memory. Take a look

https://workupload.com/file/UUu5VDPBfC3

That's assembly with resources.

From what I could see they are more files missing not just DNA.dll.
 

  • Author

Here is missing dll:
https://workupload.com/file/Qr36PMtf4fs

directory lib to be placed next to HibernationRecon.exe.
 

Updated in the following

 

Edited by CreateAndInject

  • Author

Same problem with:

// Token: 0x0200011D RID: 285
[CompilerGenerated]
private sealed class VB$StateMachine_11_ParseCommandLineParameter : IEnumerable<KeyValuePair<string, IEnumerable<string>>>, IEnumerator<KeyValuePair<string, IEnumerable<string>>>, IDisposable, IEnumerable, IEnumerator
{

// Arsenal.ImageMounter.IO.ConsoleSupport.VB$StateMachine_11_ParseCommandLineParameter
// Token: 0x06000EBF RID: 3775 RVA: 0x00041558 File Offset: 0x0003F758
[CompilerGenerated]
bool IEnumerator.MoveNext()
{

that method gets corrupted after control flow de-obfuscation.

Also tried with:
de4dot.exe --no-cflow-deob
no good luck.
 

3 hours ago, CodeExplorer said:

gets corrupted

what exactly?

Fixed

 

unpacked.zip

Edited by CreateAndInject

Create an account or sign in to comment

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.