eazdevirt

eazdevirt is an open source (GPLv3) toolkit for inspecting and devirtualizing executables that have been protected with Eazfuscator.NET's virtualization feature.

eazdevirt uses dnlib to read and write assemblies, which is included as a submodule.

Features

  • Identify all methods (stubs) which have been virtualized
  • Devirtualize methods for which all virtual opcodes are understood
  • Inject method attributes to make identifying devirtualized methods easier
  • Extract the embedded resource file containing virtualization info
  • List all virtual opcodes and indicate which are identified

Common Issues / Solutions

Resolution of Types, Methods, etc.

Because of how Eazfuscator.NET's virtual machine works, resolving some types and methods requires that their names and MDTokens be as expected (more specifically, that they match what is found in the embedded resource file). This means that running de4dot with its default options (which rename symbols and do not preserve tokens) against an executable before attempting to devirtualize it might cause certain types/methods not to resolve correctly.

However, eazdevirt also requires (in most cases) the control flow of the program to be deobfuscated. Otherwise it might not detect certain virtual opcodes, and in some cases it might not work at all.

One way around this is the following:

de4dot --dont-rename --keep-types --preserve-tokens MyAssembly.exe
eazdevirt -d MyAssembly-cleaned.exe
de4dot MyAssembly-cleaned-devirtualized.exe

... leaving the result as MyAssembly-cleaned-devirtualized-cleaned.exe

If de4dot is having trouble decrypting strings, try appending --strtyp none after the input filename:

de4dot --dont-rename --keep-types --preserve-tokens MyAssembly.exe --strtyp none
...
de4dot MyAssembly-cleaned-devirtualized.exe --strtyp none
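As an added example (not part of the eazdevirt project or this README), the following POSIX shell script chains the three steps above, checks that each expected intermediate file was actually produced before continuing, and applies the --strtyp none fallback when the STRTYP_NONE environment variable (a name assumed by this script) is set:

```shell
#!/bin/sh
# Added example, not eazdevirt's own code: wraps the de4dot -> eazdevirt -> de4dot
# workflow from the README and stops at the first step whose expected output is
# missing. Tool names and the "-cleaned"/"-devirtualized" suffixes follow the
# README; STRTYP_NONE is an assumed variable that appends "--strtyp none".

# Derive the file name a tool writes from its input and the suffix it appends,
# e.g. next_name MyAssembly.exe cleaned -> MyAssembly-cleaned.exe
next_name() {
    base="${1%.*}"
    ext="${1##*.}"
    printf '%s-%s.%s\n' "$base" "$2" "$ext"
}

# Run one tool invocation and verify that the expected output file exists.
# Usage: run_step <expected-output> <command> [args...]
run_step() {
    expected="$1"; shift
    echo "+ $*" >&2
    "$@" || { echo "step failed: $1" >&2; return 1; }
    [ -f "$expected" ] || { echo "missing expected output: $expected" >&2; return 1; }
}

# Full pipeline: $1 is the Eazfuscator.NET-protected assembly. Prints the final
# file name (MyAssembly-cleaned-devirtualized-cleaned.exe for MyAssembly.exe).
devirt_pipeline() {
    in="$1"
    cleaned="$(next_name "$in" cleaned)"
    devirt="$(next_name "$cleaned" devirtualized)"
    final="$(next_name "$devirt" cleaned)"
    # Optional string-decryption fallback described in the README.
    if [ -n "${STRTYP_NONE:-}" ]; then set -- --strtyp none; else set --; fi
    # 1. Deobfuscate control flow but keep names, types and metadata tokens,
    #    so that eazdevirt can still match them against the embedded resource.
    run_step "$cleaned" de4dot --dont-rename --keep-types --preserve-tokens "$in" "$@" || return 1
    # 2. Devirtualize the cleaned assembly.
    run_step "$devirt" eazdevirt -d "$cleaned" || return 1
    # 3. Final de4dot pass with default options (renaming is now safe).
    run_step "$final" de4dot "$devirt" "$@" || return 1
    echo "$final"
}

if [ "$#" -gt 0 ]; then devirt_pipeline "$1"; fi
```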

Building

Mono

To build with Mono:

git submodule update --init
xbuild eazdevirt.sln

MSVS

On a Windows machine with MSVS installed, opening the solution file and building in Visual Studio should be sufficient (after updating the submodule as shown above).

msbuild eazdevirt.sln should also work.

Special Thanks

  • 0xd4d, for the amazing dnlib
  • Exclusive, for providing samples and helping debug along the way
