Description
===========
de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (eg. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly.
It uses [dnlib](https://github.com/0xd4d/dnlib/) to read and write assemblies so make sure you get it or it won't compile.
Binaries
========
Get binaries from the build server [![](https://github.com/0xd4d/de4dot/workflows/GitHub%20CI/badge.svg)](https://github.com/0xd4d/de4dot/actions).
It's FREE but there's NO SUPPORT
================================
There's no support. Don't email me if you can't use it or if it fails to deobfuscate a file obfuscated with an updated obfuscator.
Instead, try to update de4dot yourself. It's a lot easier than you think. If you can't, search the Internet and you should find a couple of forums where you can ask your question.
Features
========
Here's a pseudo random list of the things it will do depending on what obfuscator was used to obfuscate an assembly:
* Inline methods. Some obfuscators move small parts of a method to another static method and call it.
* Decrypt strings statically or dynamically
* Decrypt other constants. Some obfuscators can also encrypt other constants, such as all integers, all doubles, etc.
* Decrypt methods statically or dynamically
* Remove proxy methods. Many obfuscators replace most/all call instructions with a call to a delegate. This delegate in turn calls the real method.
* Rename symbols. Even though most symbols can't be restored, it will rename them to human readable strings. Sometimes, some of the original names can be restored, though.
* Devirtualize virtualized code
* Decrypt resources. Many obfuscators have an option to encrypt .NET resources.
* Decrypt embedded files. Many obfuscators have an option to embed and possibly encrypt/compress other assemblies.
* Remove tamper detection code
* Remove anti-debug code
* Control flow deobfuscation. Many obfuscators modify the IL code so it looks like spaghetti code making it very difficult to understand the code.
* Restore class fields. Some obfuscators can move fields from one class to some other obfuscator created class.
* Convert a PE exe to a .NET exe. Some obfuscators wrap a .NET assembly inside a Win32 PE so a .NET decompiler can't read the file.
* Removes most/all junk classes added by the obfuscator.
* Fixes some peverify errors. Many of the obfuscators are buggy and create unverifiable code by mistake.
* Restore the types of method parameters and fields
Supported obfuscators/packers
=============================
* Agile.NET (aka CliSecure)
* Babel.NET
* CodeFort
* CodeVeil
* CodeWall
* CryptoObfuscator
* DeepSea Obfuscator
* Dotfuscator
* .NET Reactor
* Eazfuscator.NET
* Goliath.NET
* ILProtector
* MaxtoCode
* MPRESS
* Rummage
* Skater.NET
* SmartAssembly
* Spices.Net
* Xenocode
Some of the above obfuscators are rarely used (eg. Goliath.NET), so they have had much less testing. Help me out by reporting bugs or problems you find.
Warning
=======
Sometimes the obfuscated assembly and all its dependencies are loaded into memory for execution. Use a safe sandbox environment if you suspect the assembly or assemblies to be malware.
Even if the current version of de4dot doesn't load a certain assembly into memory for execution, a future version might.
How to use de4dot
=================
N00b users
----------
Drag and drop the file(s) onto de4dot.exe and wait a few seconds.
Deobfuscate more than one file at a time
----------------------------------------
When more than one assembly has been obfuscated, it's very likely that you must deobfuscate them all at the same time unless you disable symbol renaming. The reason is that if assembly A has a reference to class C in assembly B, and you rename symbols only in assembly B, then class C could be renamed to eg. Class0 but the reference in assembly A still references a class called C in assembly B. If you deobfuscate both assemblies at the same time, all references will also be updated.
Find all obfuscated files and deobfuscate them
----------------------------------------------
The following command line will deobfuscate all assemblies that have been obfuscated by a supported obfuscator and save the assemblies to `c:\output`:

    de4dot -r c:\input -ru -ro c:\output

`-r` means recursive search. `-ru` means it should ignore unknown files. `-ro` means it should place the output files in the following directory. Typically, you'd first copy `c:\input` to `c:\output`, and then run the command. That way all the files will be in `c:\output`, even non-assemblies and non-processed assemblies. When de4dot is finished, you'd just double click the main assembly in `c:\output` and it should hopefully start.
Detect obfuscator
-----------------
Use the `-d` option to detect the obfuscator without deobfuscating any assembly.

Find all .NET assemblies and detect the obfuscator. If it's an unsupported obfuscator or if it's not obfuscated, it will print "Unknown obfuscator".

    de4dot -d -r c:\input

Same as above except that it will only show which files have been obfuscated by a supported obfuscator.

    de4dot -d -r c:\input -ru

Detect the obfuscator of specific files.

    de4dot -d file1.dll file2.dll file3.dll
Preserving metadata tokens
--------------------------
In rare cases, you'd want to preserve the metadata tokens. Use `--preserve-tokens` or `--preserve-table`. Also consider using `--keep-types` since it won't remove any types and methods added by the obfuscator. Another useful option is `--dont-create-params`. If used, the renamer won't create Param rows for method parameters that don't have a Param row. That way the ParamPtr table won't be added to your assemblies. Peverify has a bug and doesn't support it (you'll see lots of "errors").
The #Strings, #US and #Blob heaps can also be preserved by using `--preserve-strings`, `--preserve-us`, and `--preserve-blob` respectively. Of these three, `--preserve-us` is the most useful one since `ldstr` instruction and `module.ResolveString()` directly reference the #US heap.
`--preserve-sig-data` should be used if the obfuscator adds extra data at the end of signatures that it uses for its own purpose, eg. as decryption keys. Confuser is one obfuscator that does this.
`--preserve-tokens` preserves all important tokens but will also enable `--preserve-us`, `--preserve-blob` and `--preserve-sig-data`.
If it's detected as an unknown (unsupported) obfuscator (or if you force it with `-p un`), all tokens are preserved, including the #US heap and any extra data at the end of signatures. Also, no obfuscator types, fields or methods are removed.

Preserve all important tokens, #US, #Blob, extra sig data.

    de4dot --preserve-tokens file1.dll

Preserve all important tokens, #US, #Blob, extra sig data and don't remove types/fields added by the obfuscator.

    de4dot --keep-types --preserve-tokens file1.dll

Preserve all important tokens, #US, #Blob, extra sig data and don't create extra Param rows to prevent the ParamPtr table from being created.

    de4dot --dont-create-params --preserve-tokens file1.dll

Preserve all important tokens except the Param tokens.

    de4dot --preserve-table all,-pd file1.dll
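
Why `--preserve-us` matters, as an added example (not de4dot or dnlib code): a `ldstr` operand is a `0x70`-prefixed token whose low 24 bits are a byte offset into #US, so a rebuilt heap changes what a hard-coded token resolves to. The two sample strings, the `build_us_heap` helper and the reordered heap are constructed for illustration.

```python
def read_compressed_uint(heap, pos):
    """Decode an ECMA-335 compressed unsigned integer; return (value, next_pos)."""
    b0 = heap[pos]
    if b0 & 0x80 == 0:                       # 1-byte form: 0xxxxxxx
        return b0, pos + 1
    if b0 & 0xC0 == 0x80:                    # 2-byte form: 10xxxxxx
        return ((b0 & 0x3F) << 8) | heap[pos + 1], pos + 2
    if b0 & 0xE0 == 0xC0:                    # 4-byte form: 110xxxxx
        return int.from_bytes(heap[pos:pos + 4], "big") & 0x1FFFFFFF, pos + 4
    raise ValueError("invalid compressed integer")


def resolve_user_string(heap, token):
    """Return the string a 0x70xxxxxx token (ldstr operand) points at."""
    if token >> 24 != 0x70:
        raise ValueError(f"{token:08X} is not a #US token")
    offset = token & 0x00FFFFFF
    if offset >= len(heap):
        raise ValueError(f"offset {offset:#x} is outside the heap")
    size, pos = read_compressed_uint(heap, offset)
    if pos + size > len(heap):
        raise ValueError("entry runs past the end of the heap")
    # size counts the UTF-16LE bytes plus one trailing flag byte
    return heap[pos:pos + size - 1].decode("utf-16-le") if size else ""


def build_us_heap(strings):
    """Constructed helper: lay strings out in order, return (heap, {string: token})."""
    heap, tokens = bytearray(b"\x00"), {}    # offset 0 is always the empty entry
    for s in strings:
        data = s.encode("utf-16-le")
        if len(data) + 1 >= 0x80:
            raise ValueError("helper only writes 1-byte length prefixes")
        tokens[s] = 0x70000000 | len(heap)
        heap += bytes([len(data) + 1]) + data + b"\x00"
    return bytes(heap), tokens


# Constructed sample: the same two strings before and after a heap rebuild.
original, tokens = build_us_heap(["k3y-A", "k3y-B"])
rebuilt, _ = build_us_heap(["k3y-B", "k3y-A"])
stale = tokens["k3y-B"]                      # token hard-coded in obfuscator code

if __name__ == "__main__":
    print(f"{stale:08X} ->", resolve_user_string(original, stale))
    print(f"{stale:08X} ->", resolve_user_string(rebuilt, stale))
```

With the heap preserved, the stale token still resolves to the string the obfuscator's code expects; after the rebuild it resolves to a different one without any error.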
Dynamically decrypting strings
------------------------------
Although `de4dot` supports a lot of obfuscators, there are still some it doesn't support. To decrypt strings, you'll first need to figure out which method or methods decrypt strings. To get the method token of these string decrypters, you can use ILDASM with the 'show metadata tokens' option enabled. A method token is a 32-bit number and begins with 06, eg. 06012345.
This command will load assembly file1.dll into memory by calling `Assembly.Load()`. When it detects calls to the two string
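
One way to shortlist string-decrypter tokens from a disassembly listing that carries token comments, as an added example (not part of de4dot). The listing is constructed and its layout is an assumption; the heuristic (calls returning `string` whose target token is in table `06`, counted per token) is also an assumption, not de4dot's detection logic.

```python
import re
from collections import Counter

TOKEN_RE = re.compile(r"/\*\s*([0-9A-Fa-f]{8})\s*\*/")
CALL_STRING_RE = re.compile(r"\bcall\s+string\b")
METHOD_DEF = 0x06   # table id in the top byte of a MethodDef token


def split_token(text):
    """'06012345' -> (0x06, 0x012345): table id and row id."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", text):
        raise ValueError(f"not a 32-bit hex token: {text!r}")
    value = int(text, 16)
    return value >> 24, value & 0x00FFFFFF


def decrypter_candidates(listing):
    """Count calls that return string and target a MethodDef in this module."""
    hits = Counter()
    for line in listing.splitlines():
        if not CALL_STRING_RE.search(line):
            continue
        tokens = TOKEN_RE.findall(line)
        if not tokens:
            continue
        target = tokens[-1].upper()          # the callee's token ends the line
        if split_token(target)[0] == METHOD_DEF:
            hits[target] += 1                # 0A (MemberRef) callees are skipped
    return hits.most_common()


# Constructed listing (not real tool output), token comments as /* ... */.
SAMPLE = """\
IL_0000: ldc.i4 0x1f3
IL_0005: call string c/*02000007*/::a(int32) /* 06012345 */
IL_000a: call string [mscorlib]System.String/*01000010*/::Concat(string, string) /* 0A000021 */
IL_000f: ldc.i4 0x2a0
IL_0014: call string c/*02000007*/::a(int32) /* 06012345 */
IL_0019: call string d/*02000009*/::b(int32) /* 060ABCDE */
IL_001e: call void e/*0200000A*/::Run() /* 06000031 */
"""

if __name__ == "__main__":
    for token, count in decrypter_candidates(SAMPLE):
        print(token, count)
```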