How to deobfuscate but make sure metadata tokens stay the same?

--preserve-tokens will preserve all important metadata tokens, the #US and #Blob heaps, and keep junk data in signatures.

--keep-types should normally also be used. If used, no obfuscator types or methods will be removed.

Most of the time you don't need to preserve the method parameters' metadata tokens. You can use--preserve-table all,-pd which will preserve all important tokens except the parameter tokens.

--dont-rename or --keep-names can also sometimes be necessary. For example, if you're deobfuscating Confuser obfuscated assemblies, then --keep-names d will rename everything except fields in delegate types.

If the file has been obfuscated by an unsupported obfuscator, then all tokens are preserved by default.

Examples:

Preserve all important tokens, #US heap, #Blob heap, junk sig data, and don't remove any obfuscator types/methods:

de4dot --preserve-tokens --keep-types file.dll

Preserve all tokens except parameter tokens, and don't rename fields in delegate types:

de4dot --keep-names d --preserve-table all,-pd file.dll

An assembly has been obfuscated by two or more supported obfuscators. How do I deobfuscate the assembly?

If two or more obfuscators are detected, de4dot will print that and a description on how to force detection of one of them.

You need to figure out in which order the obfuscators were used and deobfuscate it in reverse order. You should also use --preserve-tokens to preserve metadata tokens in case the next obfuscator uses hard coded metadata tokens to decrypt eg. strings.

The -p XX option can be used to force detection of an obfuscator, where XX is the type of the obfuscator. de4dot -h will show all types.

Assume filename.dll has been obfuscated by sa followed by ef, then you should use these commands:

de4dot --preserve-tokens --dont-rename filename.dll -p ef -o tmp.dll

de4dot tmp.dll -p sa -o cleaned-file.dll

del tmp.dll

The output will be in cleaned-file.dll.

How do I decrypt strings in an assembly obfuscated by an unsupported obfuscator?

First you must figure out the metadata token of the string decrypter. You can use Simple Assembly Explorer (SAE). Locate the string decrypter and hover the mouse over the method name and you should see something like 06001234. That's the method's metadata token. The following command will dynamically decrypt the strings:

de4dot filename.dll --strtyp delegate --strtok 06001234

If it has more than one string decrypter, just append more --strtok 06xxxxxx like so:

de4dot filename.dll --strtyp delegate --strtok 06001234 --strtok 06001235 --strtok 06001236

--strtyp delegate will create a dynamic method and simply call the string decrypter and let it decrypt the string for us. --strtype emulate needs to be used if the string decrypter detects dynamic methods. If you suspect the assembly to be malware, you should only do this in a sandbox since unknown code is executed.

What could be the reason for an assembly to crash if it's been renamed?

If it's a supported obfuscator, renaming should always work, except in a few cases.

It could happen when a resource isn't renamed when the class that uses it has been renamed.

It could also happen if you deobfuscate an assembly, A.dll, but there's another assembly, B.dll, that has a reference to A, and that reference has been renamed in A.dll but not in B.dll. In this case, you must deobfuscate both A.dll and B.dll to make sure all references to A.dll in B.dll also are renamed.

de4dot A.dll B.dll

After deobfuscating a .NET Reactor obfuscated assembly, I see methods with only a throw (uint)-559038242 statement.

That throw is actually throw 0xDEADCODE. Those methods are encrypted native (x86 code) methods and the throw won't execute at run time. The method body will be replaced with the real method at run time by the obfuscator's methods decryptor. You'll know when there are native methods left in the image if you see something like this after deobfuscation:

Re-encrypted 10/73 native methods

In this example, there are 10 methods left that are still native methods. The remaining 63 methods were converted back to CIL code or deleted from the image. A future version of de4dot may convert the remaining native methods back to CIL code.

de4dot FAQ的更多相关文章

  1. Google软件构建工具Bazel FAQ

    Google软件构建工具Bazel FAQ 本文是我的翻译,原文在这里.欢迎转载,转载请注名本文作者和原始链接 注:如果想了解Bazel的原理,可以看看我之前翻译的Google Blaze原理及使用方 ...

  2. 领域驱动设计常见问题FAQ

    本文出处:http://www.cqrs.nu/Faq What is a domain? The field for which a system is built. Airport managem ...

  3. CQRS FAQ (翻译)

    我从接触ddd到学习cqrs有6年多了, 其中也遇到了不少疑问, 也向很多的前辈牛人请教得到了很多宝贵的意见和建议. 偶尔的机会看到国外有个站点专门罗列了ddd, cqrs和事件溯源的常见问题. 其中 ...

  4. (译)关于async与await的FAQ

    传送门:异步编程系列目录…… 环境:VS2012(尽管System.Threading.Tasks在.net4.0就引入,在.net4.5中为其增加了更丰富的API及性能提升,另外关键字”async” ...

  5. De4Dot+Reflector 支持多种反混淆

    官网: http://www.de4dot.com/ 源码:https://github.com/brianhama/de4dot 使用方法 通过CMD命令方式进入: F:\2\de4dot-v3-1 ...

  6. Async/Await FAQ

    From time to time, I receive questions from developers which highlight either a need for more inform ...

  7. Unity3D热更新全书FAQ

    只要有程序员朋友们问过两次的问题 就会收录在此FAQ中 1.C#Light对比LUA有什么好处 C#Light是静态类型脚本语言,语法同C#,Lua是动态类型脚本语言,这两种都有人喜欢. 我更喜欢静态 ...

  8. discuz /faq.php SQL Injection Vul

    catalog . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 . 通过获取管理员密码 . 对管理员密码进行破解.通过在cmd5.com ...

  9. Part 2: Oracle E-Business Suite on Cloud FAQ

    Running Oracle E-Business Suite on Oracle Cloud is simple, but it doesn't take too much effort to co ...

随机推荐

  1. 【Tools】PDF编辑软件-pdfelement 6.8 官网文件中文+破解版本

    试用了下,感觉还不错分享给大家. 有币的求赏,小弟下载缺币.没币的从附件下载. 赏币地址:https://download.csdn.net/download/qq_18187161/10744059 ...

  2. Andrew Ng机器学习课程9

    Andrew Ng机器学习课程9 首先以一个工匠为例,说明要成为一个出色的工匠,就需要掌握各种工具的使用,才能知道在具体的任务中选择什么工具来做.所以今天要讲的就是机器学习的理论部分. bias va ...

  3. tomcat配置SLL证书

    1.将jks证书复制到conf目录下 2.解除注释:88行至96行 修改代码 <Connector port="443" protocol="org.apache. ...

  4. 在 FR 网络配置 OSPF

    一.环境准备 1. 软件:GNS3 2. 路由:c7200 二.实验操作 实验要求: 1.掌握配置帧中继的基本方法. 2.掌握在路由器中模拟帧中继交换机的方法. 3.掌握 NBMA 网络中 OSPF  ...

  5. models环境配置和表查询

    一般操作 在进行一般操作时先配置一下参数,使得我们可以直接在Django页面中运行我们的测试脚本 在Python脚本中调用Django环境 模型转为mysql数据库中的表settings配置 需要在s ...

  6. 【工具】java发送验证码邮件

    文章目录 前言 配置邮箱服务器 代码实现 发送随机验证码与验证 后记 前言 要实现 可以设置格式,附件,抄送等功能,就跟真人操控邮箱发送邮件一样的功能,或许比较难,博主没研究,博主暂时没用到那些功能, ...

  7. CentOS6.8 克隆

    克隆 克隆前,先将上面安装好并且设置好的系统关机 (1) 右键centos -->管理->克隆->下一步->下一步->完整克隆 ->克隆名称起名有意义点就行-> ...

  8. fastjson<1.2.47 RCE 漏洞复现

    这两天爆出了 fastjson 的老洞,复现简单记录一下. 首先使用 spark 搭建一个简易的利用 fastjson 解析 json 的 http server. package cn.hackte ...

  9. [PKUSC2018]主斗地(搜索+贪心)

    首先如果对子和三张牌出现在解中,那么全拆成单张显然没有问题,顺子同理.于是真正有用的牌型就只有单牌.三带一.三带二.四带二了. 暴搜jry手中的牌,然后先搜出双方的大牌型(即三张.四张牌的个数),再枚 ...

  10. 修改mysql远程数据库链接密码(转)

    原文:https://blog.csdn.net/jianjiao7869/article/details/81029171 原来root用户有两个,一个只允许localhost登陆,一个可运行所有用 ...