saneki / eazdevirt

License: GPL-3.0
Devirtualizer for Eazfuscator.NET

eazdevirt

eazdevirt is an open source (GPLv3) toolkit for inspecting and devirtualizing executables that have been protected with Eazfuscator.NET's virtualization feature.

eazdevirt uses dnlib to read and write assemblies, which is included as a submodule.

Features

  • Identify all methods (stubs) which have been virtualized
  • Devirtualize methods for which all virtual opcodes are understood
  • Inject method attributes to make identifying devirtualized methods easier
  • Extract the embedded resource file containing virtualization info
  • List all virtual opcodes and indicate which are identified

Common Issues / Solutions

Resolution of Types, Methods, etc.

Because of how Eazfuscator.NET's virtual machine works, resolving some types and methods requires that their names and MDTokens be as expected (more specifically, to match what is found in the embedded resource file). This means that running de4dot against an executable with the default options before attempting to devirtualize said executable might cause certain types/methods to not resolve correctly.

However, eazdevirt also requires (in most cases) the control flow of the program to be deobfuscated. Otherwise it might not detect certain virtual opcodes, and in some cases it might not work at all.

One way around this is the following:

de4dot --dont-rename --keep-types --preserve-tokens MyAssembly.exe
eazdevirt -d MyAssembly-cleaned.exe
de4dot MyAssembly-cleaned-devirtualized.exe

... leaving the result as MyAssembly-cleaned-devirtualized-cleaned.exe

If de4dot is having trouble decrypting strings, try appending --strtyp none after the input filename:

de4dot --dont-rename --keep-types --preserve-tokens MyAssembly.exe --strtyp none
...
de4dot MyAssembly-cleaned-devirtualized.exe --strtyp none

Building

Mono

To build with Mono:

git submodule update --init
xbuild eazdevirt.sln

MSVS

On a Windows machine with MSVS installed, opening the solution file and building in Visual Studio should be sufficient (after updating the submodule as shown above).

msbuild eazdevirt.sln should also work.

Special Thanks

  • 0xd4d, for the amazing dnlib
  • Exclusive, for providing samples and helping debug along the way