Features

Here's a pseudo random list of the things it will do depending on what obfuscator was used to obfuscate an assembly:

  • Inline methods. Some obfuscators move small parts of a method to another static method and calls it.
  • Decrypt strings statically or dynamically
  • Decrypt other constants. Some obfuscators can also encrypt other constants, such as all integers, all doubles, etc.
  • Decrypt methods statically or dynamically
  • Remove proxy methods. Many obfuscators replace most/all call instructions with a call to a delegate. This delegate in turn calls the real method.
  • Rename symbols. Even though most symbols can't be restored, it will rename them to human readable strings. Sometimes, some of the original names can be restored, though.
  • Devirtualize virtualized code
  • Decrypt resources. Many obfuscators have an option to encrypt .NET resources.
  • Decrypt embedded files. Many obfuscators have an option to embed and possibly encrypt/compress other assemblies.
  • Remove tamper detection code
  • Remove anti-debug code
  • Control flow deobfuscation. Many obfuscators modify the IL code so it looks like spaghetti code making it very difficult to understand the code.
  • Restore class fields. Some obfuscators can move fields from one class to some other obfuscator created class.
  • Convert a PE exe to a .NET exe. Some obfuscators wrap a .NET assembly inside a Win32 PE so a .NET decompiler can't read the file.
  • Removes most/all junk classes added by the obfuscator.
  • Fixes some peverify errors. Many of the obfuscators are buggy and create unverifiable code by mistake.
  • Restore the types of method parameters and fields

Supported obfuscators/packers

  • Agile.NET (aka CliSecure)
  • Babel.NET
  • CodeFort
  • CodeVeil
  • CodeWall
  • CryptoObfuscator
  • DeepSea Obfuscator
  • Dotfuscator
  • .NET Reactor
  • Eazfuscator.NET
  • Goliath.NET
  • ILProtector
  • MaxtoCode
  • MPRESS
  • Rummage
  • Skater.NET
  • SmartAssembly
  • Spices.Net
  • Xenocode

Some of the above obfuscators are rarely used (eg. Goliath.NET), so they have had much less testing. Help me out by reporting bugs or problems you find.

Warning

Sometimes the obfuscated assembly and all its dependencies are loaded into memory for execution. Use a safe sandbox environment if you suspect the assembly or assemblies to be malware.

Even if the current version of de4dot doesn't load a certain assembly into memory for execution, a future version might.

How to use de4dot

N00b users

Drag and drop the file(s) onto de4dot.exe and wait a few seconds.

Deobfuscate more than one file at a time

When more than one assembly has been obfuscated, it's very likely that you must deobfuscate them all at the same time unless you disable symbol renaming. The reason is that if assembly A has a reference to class C in assembly B, and you rename symbols only in assembly B, then class C could be renamed to eg. Class0 but the reference in assembly A still references a class called C in assembly B. If you deobfuscate both assemblies at the same time, all references will also be updated.

Find all obfuscated files and deobfuscate them

The following command line will deobfuscate all assemblies that have been obfuscated by a supported obfuscator and save the assemblies to c:\output

de4dot -r c:\input -ru -ro c:\output

-r means recursive search. -ru means it should ignore unknown files. -ro means it should place the output files in the following directory. Typically, you'd first copy c:\input to c:\output, and then run the command. That way all the files will be in c:\output, even non-assemblies and non-processed assemblies. When de4dot is finished, you'd just double click the main assembly in c:\output and it should hopefully start.

Detect obfuscator

Use the -d option to detect the obfuscator without deobfuscating any assembly.

Find all .NET assemblies and detect obfuscator. If it's an unsupported obfuscator or if it's not obfuscated, it will print "Unknown obfuscator".

de4dot -d -r c:\input

Same as above except that it will only show which files have been obfuscated by a supported obfuscator.

de4dot -d -r c:\input -ru

Detect obfuscator

de4dot -d file1.dll file2.dll file3.dll

Preserving metadata tokens

Sometimes in rare cases, you'd want to preserve the metadata tokens. Use --preserve-tokens or --preserve-table. Also consider using --keep-types since it won't remove any types and methods added by the obfuscator. Another useful option is--dont-create-params. If used, the renamer won't create Param rows for method parameters that don't have a Param row. That way the ParamPtr table won't be added to your assemblies. Peverify has a bug and doesn't support it (you'll see lots of "errors").

The #Strings, #US and #Blob heaps can also be preserved by using --preserve-strings--preserve-us, and --preserve-blob respectively. Of these three, --preserve-us is the most useful one since ldstr instruction andmodule.ResolveString() directly reference the #US heap.

--preserve-sig-data should be used if the obfuscator adds extra data at the end of signatures that it uses for its own purpose, eg. as decryption keys. Confuser is one obfuscator that does this.

--preserve-tokens preserves all important tokens but will also enable --preserve-us--preserve-blob and --preserve-sig-data.

If it's detected as an unknown (unsupported) obfuscator (or if you force it with -p un), all tokens are preserved, including the #US heap and any extra data at the end of signatures. Also, no obfuscator types, fields or methods are removed.

Preserve all important tokens, #US, #Blob, extra sig data.

de4dot --preserve-tokens file1.dll

Preserve all important tokens, #US, #Blob, extra sig data and don't remove types/fields added by the obfuscator

de4dot --keep-types --preserve-tokens file1.dll

Preserve all important tokens, #US, #Blob, extra sig data and don't create extra Param rows to prevent the ParamPtr table from being created.

de4dot --dont-create-params --preserve-tokens file1.dll

Preserve all important tokens except the Param tokens.

de4dot --preserve-table all,-pd file1.dll

Dynamically decrypting strings

Although de4dot supports a lot of obfuscators, there's still some it doesn't support. To decrypt strings, you'll first need to figure out which method or methods decrypt strings. To get the method token of these string decrypters, you can use ILDASM with the 'show metadata tokens' option enabled. A method token is a 32-bit number and begins with 06, eg. 06012345.

This command will load assembly file1.dll into memory by calling Assembly.Load(). When it detects calls to the two string decrypters (06012345 and 060ABCDE), it will call them by creating a dynamic method, and save the result (the decrypted string). The call to the string decrypter will be removed and the decrypted string will be in its place.

de4dot file1.dll --strtyp delegate --strtok 06012345 --strtok 060ABCDE

Since the assembly is loaded and executed, make sure you run this in a sandbox if you suspect the file to be malware.

Forcing detection of a certain obfuscator

de4dot isn't perfect. If it fails to detect an obfuscator, you can use the -p option to force it to assume it's been obfuscated by it.

Force SmartAssembly

de4dot file1.dll -p sa

Force unsupported obfuscator

de4dot file1.dll -p un

For other obfuscator types, see the help screen.

Disabling symbol renaming

Renaming symbols isn't as easy as renaming A to B when reflection is involved. de4dot currently doesn't support renaming XAML so if you suspect that it uses WPF (or if it's a Silverlight app) you should disable renaming if the assembly fails to run.

de4dot --dont-rename file1.dll file2.dll

--keep-names can also be used to tell de4dot not to rename certain symbols, eg. "don't rename fields".

Rename everything that should be renamed except properties, events and methods.

de4dot --keep-names pem file1.dll

Using a different rename regex

The default regexes should be enough, except possibly the one that is used when an unsupported obfuscator is detected. To see all default regexes, start de4dot without any arguments and it will list all options and all default values.

Eg., currently the following is the default regex used when Dotfuscator is detected

!^[a-z][a-z0-9]{0,2}$&!^A_[0-9]+$&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$

As you can see, it's not just one regex, it's more than one. Each one is separated by & and each regex can be negated by using! in front of it. To show it more clearly, these regexes are used:

(negated) ^[a-z][a-z0-9]{0,2}$
(negated) ^A_[0-9]+$
^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$

To change the regex(es), you must know the short type name of the obfuscator (see help screen). Eg. it's sa if it's SmartAssembly, and un if it's an unsupported/unknown obfuscator. The option to use is --TYPE-name (eg. --sa-name for SmartAssembly and --un-name for unknown/unsupported obfuscators):

de4dot --un-name "^[a-zA-Z]\w*$" file1.dll

Other options

Start de4dot without any arguments and it will show all options.

Examples

Show help:

de4dot -h

Deobfuscate a few files:

de4dot file1.exe file2.dll file3.exe

Deobfuscate all files found:

de4dot -r c:\path1 -ro c:\out

Detect obfuscator recursively:

de4dot -d -r c:\path1

Deobfuscate and get a detailed log of what was changed:

de4dot -v file1.exe file2.dll file3.exe > log.txt

Deobfuscate and override string decrypter detection, finding and using all static methods with string and int args that return a string. A dynamic method is created and used to call the string decrypter method(s). Make sure you don't include any non-string decrypter methods or you will get an exception:

de4dot --default-strtyp delegate --default-strtok "(System.String, System.Int32)" file1.exe file2.dll

Same as above but use a metadata token:

de4dot --default-strtyp delegate file1.exe --strtok 06000123 file2.dll --strtok 06004567 --strtok 06009ABC

Don't remove obfuscator types, methods, etc:

de4dot --keep-types file1.exe

de4dot - Deobfuscator for .NET的更多相关文章

  1. de4dot命令 v2.0.3.3405

    de4dot v2.0.3.3405 Copyright (C) 2011-2013 [email]de4dot@gmail.com[/email] Latest version and source ...

  2. .Net脱壳工具 de4dot参数说明/简易教程

    de4dot  /? 帮助原文 使用方法 de4dot "d:\xx.exe" -p xc -p xc 指定壳类型 , 这里是xc,表示Xenocode壳.这样会在exe的相同目录 ...

  3. [.NET逆向] [入门级]de4dot参数详解

    为了避免被0xd4d(de4dot作者)认为是"N00bUser"为了认识到Some of the advanced options may be incompatible, ca ...

  4. de4dot 反混淆

    de4dot .NET deobfuscator and unpacker. Description de4dot is an open source (GPLv3) .NET deobfuscato ...

  5. De4Dot+Reflector 支持多种反混淆

    官网: http://www.de4dot.com/ 源码:https://github.com/brianhama/de4dot 使用方法 通过CMD命令方式进入: F:\2\de4dot-v3-1 ...

  6. Nofuser - deobfuscator for Confuser

    google搜索了好久,最终找到这个工具,可直接使用. 虽然脱后有很多无用代码,但关键代码是还是很清晰的! ----------------------------NoFuser----------- ...

  7. C# 反编译-Reflector 反混淆-De4Dot 修改dll/exe代码-reflexil

    反编译工具 Reflector 破解版下载地址:http://pan.baidu.com/s/15UwJo 使用方法:略 反混淆工具De4Dot 开源软件 下载地址http://pan.baidu.c ...

  8. de4dot 脱壳工具

    开源免费的一款工具 官方地址http://www.de4dot.com/ 很NB的工具,能脱大部分的壳 如下 Babel.NET CodeFort CodeVeil CodeWall CryptoOb ...

  9. RESTClient调试POST方法&Reflector+de4dot反混淆破解dll

    RESTClient调试POST方法 RESTClient是火狐的一款WebAPI测试工具. 1.先看下我们要调试的接口

随机推荐

  1. Jupyter notbook 修改默认路径

    打开 cmd 输入命令 jupyter notebook --generate-config  2.打开配置文件  3.修改路径  转自: https://blog.csdn.net/zw__chen ...

  2. eclipse英语单词1

    short cut bar 捷径,快捷方法 menu bar 菜单栏 tool bar 工具栏 workbench window 工作台窗口 perspective 透视 editor 编辑器 con ...

  3. C++STL位标志、智能指针与异常处理

    参考<21天学通C++>第25章节,对STL位标志进行介绍.就是当需要不是像char int long 等整个字节数的数据表示形式,而是使用二进制位表示的时候,通常使用这里讲到的位标志.从 ...

  4. WXS----数据类型

  5. win10中禁用Ctrl+Alt+上下左右箭头的方法

    win10的Ctrl+Alt+向左/右/上/下箭头,与pycharm中的快捷键有冲突,需要禁用 右键''显示设置''---->高级显示设置------->显示器1的显示适配属性-----& ...

  6. Django 之安全篇

    一.CSRF攻击 CSRF攻击概述: CSRF(Cross Site Request Forgery, 跨站域请求伪造)是一种网络的攻击方式,它在 2007 年曾被列为互联网 20 大安全隐患之一.其 ...

  7. BGP 实验

    一.环境准备 1. 软件:GNS3 2. 路由:c7200 二.实验操作 实验要求: 1. 掌握 BGP 的基本配置方法. 2. 掌握如何查看 BGP 的各种配置信息. 3. 掌握基于回环口的 BGP ...

  8. spring 整合guava

    一.ApplicationContext.xml中的配置 <!--开启缓存注解--> <cache:annotation-driven /> <bean id=" ...

  9. java当中JDBC当中请给出一个SQLServer DataSource and SingleTon例子

    [学习笔记] 5.SQLServer DataSource and SingleTon: import net.sourceforge.jtds.jdbcx.*;import java.sql.*;i ...

  10. STL源码剖析——空间配置器Allocator#3 自由链表与内存池

    上节在学习第二级配置器时了解了第二级配置器通过内存池与自由链表来处理小区块内存的申请.但只是对其概念进行点到为止的认识,并未深入探究.这节就来学习一下自由链表的填充和内存池的内存分配机制. refil ...