CodeExplorer
Posted August 4 (edited)

de4dot deobfuscation problems

I have a file protected by ConfuserEx. I de-obfuscated most of the methods, but there is a problem with a method which is not obfuscated at all.
Here is the non-working code:

    public static void DeobfuscateCflow(MethodDef meth)
    {
        for (int i = 0; i < 2; i++)
        {
            // Skip methods that were already recorded as failed
            if (failedMethods.Contains(meth.MDToken.ToInt32()))
                continue;

            CfDeob = new BlocksCflowDeobfuscator();
            Blocks blocks = new Blocks(meth);
            //List<Block> test = blocks.MethodBlocks.GetAllBlocks();
            //MoveStloc_toStart(blocks);
            blocks.RemoveDeadBlocks();
            blocks.RepartitionBlocks();
            blocks.UpdateBlocks();
            blocks.Method.Body.SimplifyBranches();
            blocks.Method.Body.OptimizeBranches();

            CfDeob.Initialize(blocks);
            //CfDeob.Deobfuscate();
            // CfDeob.Add(new ControlFlow());
            CfDeob.Add(new ControlFlowTest());
            // CfDeob.Add(new Cflow());
            CfDeob.Deobfuscate();
            blocks.RepartitionBlocks();

            // Rebuild the instruction list and exception handlers from the blocks
            IList<Instruction> instructions;
            IList<ExceptionHandler> exceptionHandlers;
            blocks.GetCode(out instructions, out exceptionHandlers);

            // Write the body back only if the max stack can be calculated
            dnlib.MyWriter.MaxStackCalculator maxStackCalc = new dnlib.MyWriter.MaxStackCalculator(instructions, exceptionHandlers);
            uint maxStack = 0;
            if (maxStackCalc.Calculate(out maxStack))
            {
                //if (ControlFlow.modified)
                DotNetUtils.RestoreBody(meth, instructions, exceptionHandlers);
                //break;
                //else
                //DotNetUtils.RestoreBody(meth, meth.Body.Instructions, meth.Body.ExceptionHandlers);
            }
        }
    }

Where ControlFlowTest is just this:

    class ControlFlowTest : BlockDeobfuscator
    {
        protected override bool Deobfuscate(Block block)
        {
            return false;
        }
    }

    if (hasCflow(method))
    {
        DeobfuscateCflow(method);
    }
    else
    {
        DeobfuscateCflowSimple(method);
    }

hasCflow just checks if there is a switch instruction, which there is, so it will return true.
DeobfuscateCflowSimple works perfectly for that method:

    public static void DeobfuscateCflowSimple(MethodDef meth)
    {
        BlocksCflowDeobfuscator cflowDeobfuscator = new BlocksCflowDeobfuscator();
        IList<Instruction> allInstructions;
        IList<ExceptionHandler> allExceptionHandlers;

        Blocks blocks = new Blocks(meth);
        cflowDeobfuscator.Initialize(blocks);
        cflowDeobfuscator.Deobfuscate();
        blocks.RepartitionBlocks();
        blocks.GetCode(out allInstructions, out allExceptionHandlers);

        dnlib.MyWriter.MaxStackCalculator maxStackCalc = new dnlib.MyWriter.MaxStackCalculator(allInstructions, allExceptionHandlers);
        uint maxStack = 0;
        if (maxStackCalc.Calculate(out maxStack))
        {
            DotNetUtils.RestoreBody(meth, allInstructions, allExceptionHandlers);
        }
        else
        {
            // Report each failing method once and remember its token
            if (!failedMethods.Contains(meth.MDToken.ToInt32()))
            {
                Console.WriteLine("Still obfuscated method token: " + meth.MDToken.ToInt32().ToString("X8"));
                Console.WriteLine("Still obfuscated method: " + meth.ToString() + ";");
                failedMethods.Add(meth.MDToken.ToInt32());
            }
        }
    }

I'm using de4dot.blocks 3.1.41592.3405 and dnlib.dll 1.6.0.0

Does anyone know how to fix the above problems? Maybe this is just an outdated dnlib/de4dot.blocks problem; anyway, it would be great if someone could share a new dnlib.dll/de4dot.blocks.

Edited August 4 by CodeExplorer

extonoxt
Posted August 4

I don't know how to fix. But I do have dnlib 3.5. It is actually from mobile46 de4dot clone. blocks is the same version.
https://workupload.com/file/CCVa5XdSLhZ

jackyjask
Posted August 4

Why not use the last one?
https://github.com/0xd4d/dnlib/releases/tag/v4.5.0
but having lots of sex with old crap of 20 years old??

> 2 hours ago, CodeExplorer said:
> and dnlib.dll 1.6.0.0

The last one has dozens of fixes from that olddd dusty build....

extonoxt
Posted August 4 (edited)

> 36 minutes ago, jackyjask said:
> Why not use the last one?
> https://github.com/0xd4d/dnlib/releases/tag/v4.5.0
> but having lots of sex with old crap of 20 years old??
> The last one has dozens of fixes from that olddd dusty build....

dnlib45 will not compile directly with mobile46 de4dot. I think that is the latest de4dot, or is there any other newer version?

Edited August 4 by extonoxt

cachito
Posted August 5

It is not hard to update dnlib, maybe 8/10 fixes on de4dot and it will work. Tomorrow I will share my updated de4dot-cex with you.

CodeExplorer (Author)
Posted August 5

I don't think dnlib.dll is the problem; I've updated it to dnlib 3.3.2.0.
de4dot.blocks.dll seems to be the problem, and I don't think there is going to be any de4dot that will work.
Here is the test file:
https://workupload.com/file/kcxGNgKgS3u

Is there any way to disable control flow deobfuscation for de4dot?

extonoxt
Posted August 5

> 21 minutes ago, CodeExplorer said:
> I don't think dnlib.dll is the problem; I've updated it to dnlib 3.3.2.0.
> de4dot.blocks.dll seems to be the problem, and I don't think there is going to be any de4dot that will work.
> Here is the test file:
> https://workupload.com/file/kcxGNgKgS3u
> Is there any way to disable control flow deobfuscation for de4dot?

Can you post the original?

CodeExplorer (Author)
Posted August 5

Original file:
https://workupload.com/file/2BbZRYkPGzy

extonoxt
Posted August 5 (edited)

This is for stopWorkingAfter_de4dot.
For every single run, "Enter License Code" gives a different "Invalid token" exception.

Edited August 5 by extonoxt

CodeExplorer (Author)
Posted August 5

In my case it just complains about dna.dll not being found when I click on "Enter License Code".
https://ibb.co/N2yXKDfx

extonoxt
Posted August 5

> 12 minutes ago, CodeExplorer said:
> In my case it just complains about dna.dll not being found when I click on "Enter License Code".
> https://ibb.co/N2yXKDfx

I get that for the original too.

extonoxt
Posted August 5

There is another dll used in memory. Take a look:
https://workupload.com/file/UUu5VDPBfC3

Ben_Dover
Posted August 5 (edited)

I suspect it isn't complete? If you DL the latest version there is a DNA.dll included, but not the one that "suits" the executable you have. v1.2.2.83 seems no longer available on the Interwebz.

v1.2.3.87 (hibrec.dll is obfuscated):
https://mega.nz/file/3kRRxSZA#y98k7mBJKpygPxFu5Txi_-l9iDnyN3GzYxzjTVb3z-I

> 42 minutes ago, extonoxt said:
> There is another dll used in memory. Take a look:
> https://workupload.com/file/UUu5VDPBfC3

I believe this is the resource file?

Edited August 5 by Ben_Dover

CodeExplorer (Author)
Posted August 5

> 36 minutes ago, extonoxt said:
> There is another dll used in memory. Take a look:
> https://workupload.com/file/UUu5VDPBfC3

That's an assembly with resources.
From what I could see, there are more files missing, not just DNA.dll.

CodeExplorer (Author)
Posted August 5

Here is the missing dll:
https://workupload.com/file/Qr36PMtf4fs
The lib directory is to be placed next to HibernationRecon.exe.

CreateAndInject
Posted August 6 (edited)

Updated in the following

Edited August 7 by CreateAndInject

CodeExplorer (Author)
Posted August 6

Same problem with:

    // Token: 0x0200011D RID: 285
    [CompilerGenerated]
    private sealed class VB$StateMachine_11_ParseCommandLineParameter : IEnumerable<KeyValuePair<string, IEnumerable<string>>>, IEnumerator<KeyValuePair<string, IEnumerable<string>>>, IDisposable, IEnumerable, IEnumerator
    {
        // Arsenal.ImageMounter.IO.ConsoleSupport.VB$StateMachine_11_ParseCommandLineParameter
        // Token: 0x06000EBF RID: 3775 RVA: 0x00041558 File Offset: 0x0003F758
        [CompilerGenerated]
        bool IEnumerator.MoveNext()
        {

That method gets corrupted after control flow de-obfuscation.

Also tried with:

    de4dot.exe --no-cflow-deob

with no luck.

jackyjask
Posted August 6

> 3 hours ago, CodeExplorer said:
> gets corrupted

What exactly?

CreateAndInject
Posted August 7 (edited)

Fixed
unpacked.zip

Edited August 7 by CreateAndInject