monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove readme contents

Browse Source
This commit is contained in:
de4dot 2012-11-12 06:38:13 +01:00
parent d3e6d8f7d6
commit 56ecf1f926
1 changed files with 0 additions and 167 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

167
README.md
View File

@ -1,167 +0,0 @@
de4dot - Deobfuscator for .NET
==============================
Features
--------
* Supports some popular obfuscators
* Deobfuscates control flow
* Cross-assembly symbol renaming
* Decrypts strings
* Decrypts resources
* Dumps embedded assemblies
* Dumps encrypted methods
* Deobfuscated files are runnable
* Removes other obfuscator junk
* Supports pure managed .NET files only
* Fixes peverify errors created by the obfuscator
* 100% Open Source
Many features work even if it's an unsupported obfuscator but the result may
or may not be runnable.
Who would need a deobfuscator?
------------------------------
* Security experts who need to deobfuscate obfuscated .NET malware.
* You lost your source code but have a copy of your obfuscated .NET
assemblies. You can then use ILSpy to decompile them.
* You must verify that an obfuscated compiled .NET assembly contains the
claimed source code, and no backdoors.
* Some obfuscators are not Mono-compatible. If you deobfuscate it, it may run
on Mono.
* Some obfuscated programs crash on 64-bit Windows. Deobfuscating it and
removing the obfuscator code solves that problem.
* You can only run verifiable .NET code, but the obfuscated program is
non-verifiable due to the obfuscated code.
* You don't want string decryption and tons of useless CIL instructions to
slow down your favorite program.
Features explained
------------------
### Supports some popular obfuscators
I won't list the supported obfuscators since I'd forget to update it when I
add support for another one. Run `de4dot -h` to get a list of the supported
obfuscators. It's usually very easy to add support for another obfuscator.
Other obfuscators are partially supported. Eg. control flow deobfuscation,
symbol renaming, and dynamic string decryption could possibly work.
### Deobfuscates control flow
Most obfuscators can rearrange the control flow so the code is harder to
understand. A simple method that is 10 lines long and easy to read, could
become 30-40 lines and be very hard to read. Control flow deobfuscation will
remove all of the obfuscated code, leaving just the original code. Dead code
is also removed.
### Cross-assembly symbol renaming
Many obfuscators can rename public classes if they're part of a private
assembly. This deobfuscator will properly rename not only the obfuscated class
and all references within that assembly, but also all references in other
assemblies. If you don't need symbol renaming, you should disable it.
### Decrypts strings
Most, if not all, obfuscators support encrypting the strings. They usually
replace the original string with an encrypted string, or an integer. The
encrypted string or integer is then handed over to the string decrypter which
returns the original string. This deobfuscator supports static decryption and
dynamic decryption. Dynamic decryption will load the assembly and then call
the string decrypter and save the decrypted string. You can tell it which
method is the string decrypter and it will do the rest. The default is to use
static string decryption. Dynamic string decryption can be useful if you're
deobfuscating an assembly obfuscated with an unsupported obfuscator.
### Decrypts resources
Resources are usually encrypted by the obfuscator. The deobfuscator supports
static decryption only.
### Dumps embedded assemblies
Some obfuscators can embed assemblies. They usually encrypt and compress the
assembly and put it in the resources section. These assemblies will be
decypted and decompressed and then saved to disk.
### Dumps encrypted methods
Some obfuscators encrypt all methods and only decrypt each method when
requested by the .NET runtime. The methods are statically decrypted and then
deobfuscated.
### Deobfuscated files are runnable
If it's a supported obfuscator, the output is runnable. This is an important
feature. If you can't run the resulting file, it's almost useless. Note that
you may need to resign all modified assemblies that were signed. Some programs
have internal checks for modifications that aren't part of the obfuscator.
These kinds of protections usually cause a crash on purpose. Those aren't
removed since they're part of the original assembly.
### Removes other obfuscator junk
Many obfuscation products add other junk to the file. Eg., they could add code
to log every single exception, or detect deobfuscation, etc. Since that's not
part of the original file, it's also removed. Some obfuscators add so many
junk classes that it's difficult to find all of them, though. You have to
remove those manually for now.
### Supports pure managed .NET files only
This is a limitation of the Mono.Cecil library. Most .NET assemblies, however,
are pure managed .NET assemblies.
### Fixes peverify errors created by the obfuscator
Usually when an obfuscator adds control flow obfuscation, the resulting code
doesn't pass all peverify tests, resulting in an unverifiable assembly. By
removing that obfuscation, and making sure to re-arrange the code blocks in a
certain order, those obfuscator created errors will be gone. If the assembly
was verifiable before obfuscation, it must be verifiable after deobfuscation.
### 100% Open Source
Can't get any better than this!
Examples
--------
Show help:
de4dot -h
Deobfuscate a few files:
de4dot file1.exe file2.dll file3.exe
Deobfuscate all files found:
de4dot -r c:\path1 -ro c:\out
Detect obfuscator recursively:
de4dot -d -r c:\path1
Deobfuscate and get a detailed log of what was changed:
de4dot -v file1.exe file2.dll file3.exe > log.txt
Deobfuscate and override string decrypter detection, finding and using all
static methods with string and int args that return a string. A dynamic method
is created and used to call the string decrypter method(s). Make sure you
don't include any non-string decrypter methods or you will get an exception:
de4dot --default-strtyp delegate --default-strtok "(System.String, System.Int32)" file1.exe file2.dll
Same as above but use a metadata token:
de4dot --default-strtyp delegate file1.exe --strtok 06000123 file2.dll --strtok 06004567 --strtok 06009ABC
Don't remove obfuscator types, methods, etc:
de4dot --keep-types file1.exe