de4dot: deobfuscator for .NET


Features

Here's a pseudo-random list of the things it will do, depending on which obfuscator was used to obfuscate an assembly:

  • Inline methods. Some obfuscators move small parts of a method to another static method and call it.
  • Decrypt strings statically or dynamically
  • Decrypt other constants. Some obfuscators can also encrypt other constants, such as all integers, all doubles, etc.
  • Decrypt methods statically or dynamically
  • Remove proxy methods. Many obfuscators replace most/all call instructions with a call to a delegate. This delegate in turn calls the real method.
  • Rename symbols. Even though most symbols can't be restored, it'll rename them to human readable strings. Sometimes, some of the original names can be restored, though.
  • Devirtualize virtualized code
  • Decrypt resources. Many obfuscators have an option to encrypt .NET resources.
  • Decrypt embedded files. Many obfuscators have an option to embed and possibly encrypt/compress other assemblies.
  • Remove tamper detection code
  • Remove anti-debug code
  • Control flow deobfuscation. Many obfuscators modify the IL code so it looks like spaghetti code, making it very difficult to understand.
  • Restore class fields. Some obfuscators can move fields from one class to some other obfuscator-created class.
  • Convert a PE exe to a .NET exe. Some obfuscators wrap a .NET assembly inside a Win32 PE so a .NET decompiler can't read the file.
  • Remove most/all junk classes added by the obfuscator.
  • Fix some peverify errors. Many of the obfuscators are buggy and create unverifiable code by mistake.
  • Restore the types of method parameters and fields

Supported obfuscators/packers
  • Agile.NET (aka CliSecure)
  • Babel.NET
  • CodeFort
  • CodeVeil
  • CodeWall
  • CryptoObfuscator
  • DeepSea Obfuscator
  • Dotfuscator
  • .NET Reactor
  • Eazfuscator.NET
  • Goliath.NET
  • ILProtector
  • MaxtoCode
  • MPRESS
  • Rummage
  • Skater.NET
  • SmartAssembly
  • Spices.Net
  • Xenocode

Some of the above obfuscators are rarely used (e.g. Goliath.NET), so they have had much less testing. Help me out by reporting bugs or problems you find.

Warning

Sometimes the obfuscated assembly and all its dependencies are loaded into memory for execution. Use a safe sandbox environment if you suspect the assembly or assemblies to be malware.

Even if the current version of de4dot doesn't load a certain assembly into memory for execution, a future version might.

How to use de4dot

N00b users

Drag and drop the file(s) onto de4dot.exe and wait a few seconds.

Deobfuscate more than one file at a time

When more than one assembly has been obfuscated, it's very likely that you must deobfuscate them all at the same time, unless you disable symbol renaming. The reason is that if assembly A has a reference to class C in assembly B, and you rename symbols only in assembly B, then class C could be renamed to e.g. Class0, but the reference in assembly A still references a class called C in assembly B. If you deobfuscate both assemblies at the same time, all references will also be updated.

Find all obfuscated files and deobfuscate them

The following command line will deobfuscate all assemblies that have been obfuscated by a supported obfuscator and save the assemblies to c:\output

de4dot -r c:\input -ru -ro c:\output

-r means recursive search. -ru means it should ignore unknown files. -ro means it should place the output files in the following directory. Typically, you'd first copy c:\input to c:\output, and then run the command. That way all files would be in c:\output, even non-assemblies and non-processed assemblies. When de4dot has finished, you'd just double click the main assembly in c:\output and it should hopefully start.

Detect Obfuscator

Use the -d option to detect the obfuscator without deobfuscating any assembly.

Find all .NET assemblies and detect the obfuscator. If it's an unsupported obfuscator or if it's not obfuscated, it'll print "Unknown obfuscator".

de4dot -d -r c:\input

Same as above, except that it'll only show which files have been obfuscated by a supported obfuscator.

de4dot -d -r c:\input -ru

Detect the obfuscator of specific files:

de4dot -d file1.dll file2.dll file3.dll

Preserving metadata tokens

Sometimes, in rare cases, you'd want to preserve the metadata tokens. Use --preserve-tokens or --preserve-table. Also consider using --keep-types since it won't remove any types and methods added by the obfuscator. Another useful option is --dont-create-params. If used, the renamer won't create Param rows for method parameters that don't have a Param row. That way the ParamPtr table won't be added to your assemblies. Peverify has a bug and doesn't support it (you'll see lots of "errors").

The #Strings, #US and #Blob heaps can also be preserved by using --preserve-strings, --preserve-us and --preserve-blob respectively. Of these three, --preserve-us is the most useful one, since the ldstr instruction and module.ResolveString() directly reference the #US heap.

--preserve-sig-data should be used if the obfuscator adds extra data at the end of signatures that it uses for its own purposes, e.g. as decryption keys. Confuser is one obfuscator that does this.

--preserve-tokens preserves all important tokens but will also enable --preserve-us, --preserve-blob and --preserve-sig-data.

If it's detected as an unknown (unsupported) obfuscator (or if you force it with -p un), all tokens are preserved, including the #US heap and any extra data at the end of signatures. Also, no obfuscator types, fields or methods are removed.

Preserve all important tokens, #US, #Blob, extra sig data.

de4dot --preserve-tokens file1.dll

Preserve all important tokens, #US, #Blob, extra sig data, and don't remove types/fields added by the obfuscator.

de4dot --keep-types --preserve-tokens file1.dll

Preserve all important tokens, #US, #Blob, extra sig data, and don't create extra Param rows, to prevent the ParamPtr table from being created.

de4dot --dont-create-params --preserve-tokens file1.dll

Preserve all important tokens except the Param tokens.

de4dot --preserve-table all,-pd file1.dll

Dynamically decrypting strings

Although de4dot supports a lot of obfuscators, there are still some it doesn't support. To decrypt strings, you'll first need to figure out which method or methods decrypt strings. To get the method tokens of these string decrypters, you can use ILDASM with the 'Show metadata tokens' option enabled. A method token is a 32-bit number and begins with 06, e.g. 06012345.

This command will load assembly file1.dll into memory by calling Assembly.Load(). When it detects calls to the two string decrypters (06012345 and 060ABCDE), it will call them by creating a dynamic method, and save the result (the decrypted string). The call to the string decrypter will be removed and the decrypted string will be put in its place.

de4dot file1.dll --strtyp delegate --strtok 06012345 --strtok 060ABCDE

Since the assembly is loaded and executed, make sure you run this in a sandbox if you suspect the file to be malware.

Forcing detection of a certain obfuscator

de4dot isn't perfect. If it fails to detect an obfuscator, you can use the -p option to force it to assume the file has been obfuscated by it.

Force SmartAssembly:

de4dot file1.dll -p sa

Force unsupported obfuscator:

de4dot file1.dll -p un

For other obfuscator types, see the help screen (start de4dot without any arguments).

Disabling symbol renaming

Renaming symbols isn't as easy as renaming A to B when reflection is involved. de4dot currently doesn't support renaming XAML, so if you suspect that the assembly uses WPF (or if it's a Silverlight app) you should disable renaming if the assembly fails to run.

de4dot --dont-rename file1.dll file2.dll

--keep-names can also be used to tell de4dot not to rename certain symbols, e.g. "don't rename fields".

Rename everything that should be renamed except properties, events and methods.

de4dot --keep-names pem file1.dll

Using a different rename regex

The default regexes should be enough, except possibly the one that's used when an unsupported obfuscator is detected. To see all default regexes, start de4dot without any arguments and it will list all options and all default values.

E.g., currently the following is the default regex used if Dotfuscator is detected:

!^[a-z][a-z0-9]{0,2}$&!^A_[0-9]+$&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$

As you can see, it's not just one regex, it's more than one. The parts are separated by & and each regex can be negated by putting ! in front of it. To show it more clearly, these regexes are used:

  (negated) ^[a-z][a-z0-9]{0,2}$
  (negated) ^A_[0-9]+$
  ^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$

To change the regex(es), you must know the short type name of the obfuscator. E.g. it's sa if it's SmartAssembly, and un if it's an unsupported/unknown obfuscator. The option to use is --TYPE-name (e.g. --sa-name for SmartAssembly and --un-name for unknown/unsupported obfuscators):

de4dot --un-name "^[a-zA-Z]\w*$" file1.dll
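As an added illustration (not part of de4dot or its README), the following Python splits a chain like the Dotfuscator default above into its negated and plain sub-regexes and applies it to symbol names. The precedence rule it uses (the first matching sub-regex decides; a negated match, or no match at all, means the name gets renamed) is my assumption about how de4dot evaluates the chain, not something the README states, and the sample names are constructed.

```python
import re

# Default Dotfuscator name-regex chain quoted in the README above.
DOTFUSCATOR_CHAIN = (
    r"!^[a-z][a-z0-9]{0,2}$&!^A_[0-9]+$"
    r"&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$"
)


def parse_chain(chain):
    """Split a de4dot-style chain on '&'; a leading '!' negates that part."""
    parsed = []
    for part in chain.split("&"):
        negated = part.startswith("!")
        parsed.append((negated, re.compile(part[1:] if negated else part)))
    return parsed


def name_is_valid(name, parsed):
    """Assumed rule (not taken from the README): the first sub-regex that
    matches decides. A negated match means the name is not acceptable and
    will be renamed; a plain match means keep; no match at all means rename."""
    for negated, rx in parsed:
        if rx.match(name):
            return not negated
    return False


def classify(names, chain=DOTFUSCATOR_CHAIN):
    """Map each symbol name to 'keep' or 'rename' under the given chain."""
    parsed = parse_chain(chain)
    return {n: ("keep" if name_is_valid(n, parsed) else "rename") for n in names}


if __name__ == "__main__":
    # Constructed sample symbol names, as an obfuscated assembly might contain.
    samples = ["GetCustomer", "a", "ab1", "abcd", "A_42",
               "<Module>", "中文", "123bad", "b$c"]
    for name, verdict in classify(samples).items():
        print(f"{name!r:14} -> {verdict}")
```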

Other options

Start de4dot without any arguments and it'll show all options.

Examples

Show help:

de4dot -h

Deobfuscate a few files:

de4dot file1.exe file2.dll file3.exe

Deobfuscate all files found:

de4dot -r c:\path1 -ro c:\out

Detect obfuscator recursively:

de4dot -d -r c:\path1

Deobfuscate and get a detailed log of what was changed:

de4dot -v file1.exe file2.dll file3.exe > log.txt

Deobfuscate and override string decrypter detection, finding and using all static methods with string and int args that return a string. A dynamic method is created and used to call the string decrypter method(s). Make sure you don't include any non-string-decrypter methods or you'll get an exception:

de4dot --default-strtyp delegate --default-strtok "(System.String, System.Int32)" file1.exe file2.dll

Same as above but use a metadata token:

de4dot --default-strtyp delegate file1.exe --strtok 06000123 file2.dll --strtok 06004567 --strtok 06009ABC

Don't remove obfuscator types, methods, etc.:

de4dot --keep-types file1.exe
