undebel / nofuserex Goto Github PK

Not sure if this is within scope, but I've noticed that some code obfuscators try to obfuscate the control flow by turning every function into a giant switch statement with non-sequentially selected cases

e.g.

public void foo(string foo)
{
	IL_06:
	uint num = 2346910876u;
	for (;;)
	{
		uint num2;
		switch ((num2 = (num ^ 3075522388u)) % 5u)
		{
		case 1u:
		// do stuff
		num = (num2 * 3623258486u ^ 573975171u);
		continue;
		case 2u:
		// do stuff
		num = (num2 * 2623783498u ^ 3053144548u);
		continue;

This looks like it can be easily reverted by static analysis of the switch case math. So I guess this is a feature request.

Thanks for the great software and keep up the good work.

Looks like there is no support for dlls?
I've found in one place in sources that there is no analysis for null for the EP....

Can you submit a release on this repo?
it requires Windows to compile and some people may not be able to install it.

hey!

when trying to run this command:
.\NoFuserEx.exe "AE.Net.Mail.dll" --dont-constants --dont-cflow --dont-proxy-calls --dont-remove-junk-methods --dont-resources --dont-rename

I get the following error:

Unhandled Exception: System.BadImageFormatException: Invalid IMAGE_COR20_HEADER.cb value
   at dnlib.DotNet.MD.ImageCor20Header..ctor(IImageStream reader, Boolean verify) in D:\THESIS\98-Deobfuscation\NoFuserEx-master\NoFuserEx-master\dnlib\src\DotNet\MD\ImageCor20Header.cs:line 127
   at dnlib.DotNet.MD.MetaDataCreator.Create(IPEImage peImage, Boolean verify) in D:\THESIS\98-Deobfuscation\NoFuserEx-master\NoFuserEx-master\dnlib\src\DotNet\MD\MetaDataCreator.cs:line 176
   at dnlib.DotNet.MD.MetaDataCreator.Load(IPEImage peImage) in D:\THESIS\98-Deobfuscation\NoFuserEx-master\NoFuserEx-master\dnlib\src\DotNet\MD\MetaDataCreator.cs:line 105
   at dnlib.DotNet.MD.MetaDataCreator.Load(Byte[] data) in D:\THESIS\98-Deobfuscation\NoFuserEx-master\NoFuserEx-master\dnlib\src\DotNet\MD\MetaDataCreator.cs:line 49
   at dnlib.DotNet.ModuleDefMD.Load(Byte[] data, ModuleCreationOptions options) in D:\THESIS\98-Deobfuscation\NoFuserEx-master\NoFuserEx-master\dnlib\src\DotNet\ModuleDefMD.cs:line 188
   at NoFuserEx.Deobfuscator.Deobfuscators.AntiTamperDeobfuscator.Deobfuscate(AssemblyManager assemblyManager) in D:\THESIS\98-Deobfuscation\NoFuserEx-master\NoFuserEx-master\NoFuserEx\NoFuserEx\Deobfuscator\Deobfuscators\AntiTamperDeobfuscator.cs:line 47
   at NoFuserEx.Deobfuscator.DeobfuscatorManager.Start() in D:\THESIS\98-Deobfuscation\NoFuserEx-master\NoFuserEx-master\NoFuserEx\NoFuserEx\Deobfuscator\DeobfuscatorManager.cs:line 57
   at NoFuserEx.Program.Main(String[] args) in D:\THESIS\98-Deobfuscation\NoFuserEx-master\NoFuserEx-master\NoFuserEx\NoFuserEx\Program.cs:line 28

The obfuscations applied to the dll are the following:

• constants
• ref proxy
• anti debug
• anti dump
• rename
• ctrl flow
• anti tamper

I attached the project file for the ConfuserEx, original and obfuscated dlls
bug.zip

What could be the cause of this and what can be done to fix this issue?

Finally built the solution but keep getting this error when trying to deobfuscate a program.

https://i.imgur.com/iBx2Icx.png

Is there a fix or is it a problem with the program itself?

Hi!

Thanks for writing the tool! It really helped me out!

Just wanted to give You a heads up.
I was playing around with a dll without an entry point, that has been obfuscated using ConfuserEx 1.0 anti-tampering. The result is a Null-reference error:

Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.
   at NoFuserEx.Deobfuscator.Deobfuscators.AntiTamperDeobfuscator.Deobfuscate(AssemblyManager assemblyManager) in C:\Use
rs\Administrator\Desktop\NoFuserEx-master\NoFuserEx\NoFuserEx\Deobfuscator\Deobfuscators\AntiTamperDeobfuscator.cs:line
41
   at NoFuserEx.Deobfuscator.DeobfuscatorManager.Start() in C:\Users\Administrator\Desktop\NoFuserEx-master\NoFuserEx\No
FuserEx\Deobfuscator\DeobfuscatorManager.cs:line 57
   at NoFuserEx.Program.Main(String[] args) in C:\Users\Administrator\Desktop\NoFuserEx-master\NoFuserEx\NoFuserEx\Progr
am.cs:line 28
PS C:\Users\Administrator\Desktop\NoFuserEx-master\NoFuserEx\NoFuserEx\bin\Debug>

It seems that You are looking for an entry point in the file given as input, and in my case i don't have any.
I attached a dll i played with.
Samples.Pex_ORIGINAL-anti-tamper.zip

Just give me a heads up if this is even a supported scenario.

Hi,
Now that I've managed to build and execute the solution, I'm getting a weird Exception when executing it.
The CrackMe.exe file is a .NET oriented file obfuscated with ConfuserEX1.0.

Ideas?

Is there a version of this already compiled? thanks

Hello,

Please, need your help to fix this error while try to unpack a file packed with ConfuserEx 1.0.0

Screen shot of the error : https://imgur.com/a/yes7LIo

Thanks
Jemo

i try to use your program and wont clean the .dll

When I Use the tool this Rename class which really bad.
can you fix it?

                                                               Roy

Few days ago I was trying to reverse engineer your project to see how it works :) now I can look at the code.

By the way what kind of obfuscator you used there? It didn't seem to be Agile.Net or .NET Guard, modified versions of those?

I'm using Visual Studio 2017 and can't get it to compile cleanly.
I'm getting 10 errors from various sections of the code:

Severity	Code	Description	Project	File	Line	Suppression State
Error	CS1061	'IList<Resource>' does not contain a definition for 'Find' and no extension method 'Find' accepting a first argument of type 'IList<Resource>' could be found (are you missing a using directive or an assembly reference?)	NoFuserEx	C:\Users\home\Desktop\NoFuserEx-master\NoFuserEx\NoFuserEx\Deobfuscator\Deobfuscators\ResourcesDeobfuscator.cs	45	Active

Error	CS1061	'MethodDef' does not contain a definition for 'HasParamDefs' and no extension method 'HasParamDefs' accepting a first argument of type 'MethodDef' could be found (are you missing a using directive or an assembly reference?)	NoFuserEx	C:\Users\home\Desktop\NoFuserEx-master\NoFuserEx\NoFuserEx\Deobfuscator\Deobfuscators\ResourcesDeobfuscator.cs	77	Active

Error	CS1503	Argument 1: cannot convert from 'dnlib.DotNet.ICustomAttributeType' to 'System.Type'	NoFuserEx	C:\Users\home\Desktop\NoFuserEx-master\NoFuserEx\NoFuserEx\Deobfuscator\MemberCloner.cs	99	Active

Error	CS1061	'Local' does not contain a definition for 'PdbAttributes' and no extension method 'PdbAttributes' accepting a first argument of type 'Local' could be found (are you missing a using directive or an assembly reference?)	NoFuserEx	C:\Users\home\Desktop\NoFuserEx-master\NoFuserEx\NoFuserEx\Deobfuscator\MemberCloner.cs	111	Active

Error	CS1061	'Local' does not contain a definition for 'PdbAttributes' and no extension method 'PdbAttributes' accepting a first argument of type 'Local' could be found (are you missing a using directive or an assembly reference?)	NoFuserEx	C:\Users\home\Desktop\NoFuserEx-master\NoFuserEx\NoFuserEx\Deobfuscator\MemberCloner.cs	111	Active

Error	CS0117	'Instruction' does not contain a definition for 'SequencePoint'	NoFuserEx	C:\Users\home\Desktop\NoFuserEx-master\NoFuserEx\NoFuserEx\Deobfuscator\MemberCloner.cs	117 Active

Error	CS1061	'Instruction' does not contain a definition for 'SequencePoint' and no extension method 'SequencePoint' accepting a first argument of type 'Instruction' could be found (are you missing a using directive or an assembly reference?)	NoFuserEx	C:\Users\home\Desktop\NoFuserEx-master\NoFuserEx\NoFuserEx\Deobfuscator\MemberCloner.cs	117	Active

Error	CS1503	Argument 1: cannot convert from 'string' to 'System.Reflection.AssemblyName'	NoFuserEx	C:\Users\home\Desktop\NoFuserEx-master\NoFuserEx\NoFuserEx\Deobfuscator\AssemblyCreator.cs	20	Active

Error	CS1061	'MethodSpec' does not contain a definition for 'ResolveMethodDef' and no extension method 'ResolveMethodDef' accepting a first argument of type 'MethodSpec' could be found (are you missing a using directive or an assembly reference?)	NoFuserEx	C:\Users\home\Desktop\NoFuserEx-master\NoFuserEx\NoFuserEx\Deobfuscator\Deobfuscators\Constants\ConstantsDeobfuscator.cs	65	Active

Error	CS1061	'MethodDef' does not contain a definition for 'HasParamDefs' and no extension method 'HasParamDefs' accepting a first argument of type 'MethodDef' could be found (are you missing a using directive or an assembly reference?)	NoFuserEx	C:\Users\home\Desktop\NoFuserEx-master\NoFuserEx\NoFuserEx\Deobfuscator\Deobfuscators\Constants\ConstantsDeobfuscator.cs	135	Active

What am I missing?

Hey!

Sorry to bother Your again.
I am trying to understand how Anti-Tampering works in ConfuserEx. It seems that it encrypts the CIL commands and decrypts them at runtime (key and calculation are inserted in the module static constructor). But i cannot fully understand how it encrypts the code.

Is there a chance You would be willing to shed a bit of light on this mystery for me?

RuntimeHelpers.PrepareMethod(cctor.MethodHandle)
NoFuserEx\Deobfuscator\Deobfuscators\AntiTamperDeobfuscator.cs : 40

Original:
Assistent für verwaltetes Debuggen "FatalExecutionEngineError" : "Die Laufzeit hat einen schwerwiegenden Fehler entdeckt. Fehleradresse: "0x85508530" in Thread "0x29f0". Fehlercode: 0x80131623. Bei diesem Fehler könnte es sich um ein Problem in der CLR oder in den unsicheren oder nicht verifizierbaren Teilen des Benutzercodes handeln. Übliche Ursachen dieses Bugs sind Marshallerfehler für COM-Interop oder PInvoke, die den Stapel beschädigen können."

It doesn't give more info, what it says that the thread threw a FatalExecutionEngineError error on this address: 0x85508530 Error code: 0x80131623
Any ideas?

I compiled it successfully and everything, but when I drag an executable that was obfuscated using ConfuserEx v1.0.0, NoFuserEx just closes and nothing happens.

Hello, I have a problem.
After deobfuscation .NET Reflector says, the koi not found.
Anyone had same problem?

TY GUYS

if the assembly has anti dump enabled the anti tamper remover doesnt work
https://gyazo.com/0703ca0cb8f3da9f224f0347fa1ab632
gets this error

The No.1 Bug was that the program wont clear and the other bug is on the old version i have error : "File Is Not a .net portable executable. Skipping...

please help me

I was trying to compile it with the dnlib.dll. but it doesnt work for me.

a Release in the release will be great

sorry for my bad english

Hi,
what else you need?

[~] Module Size: 1.9 MB
[~] CLR Version: v2.0
[~] File queue: 1/1

[~] Detected: ConfuserEx v0.6.0
        [+] Unpacked:      Module "koi".
        [+] Removed:       Anti-tamper protection.

Wyjątek nieobsłużony: System.Reflection.TargetInvocationException: Obiekt docelowy wywołania zgłosił wyjątek. ---> System.InvalidProgramException: Środowisko Common Language Runtime wykryło nieprawidłowy program.
   w ???????????????????????????????????????()
   --- Koniec śladu stosu wyjątków wewnętrznych ---
   w System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   w System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   w System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   w NoFuserEx.Deobfuscator.Deobfuscators.ResourcesDeobfuscator.Deobfuscate(AssemblyManager assemblyManager) w C:\Users\lholetzke\Documents\Visual Studio 2015\Projects\NoFuserEx\NoFuserEx\NoFuserEx\Deobfuscator\Deobfuscators\ResourcesDeobfuscator.cs:wiersz 37
   w NoFuserEx.Deobfuscator.DeobfuscatorManager.Start() w C:\Users\lholetzke\Documents\Visual Studio 2015\Projects\NoFuserEx\NoFuserEx\NoFuserEx\Deobfuscator\DeobfuscatorManager.cs:wiersz 57
   w NoFuserEx.Program.Main(String[] args) w C:\Users\lholetzke\Documents\Visual Studio 2015\Projects\NoFuserEx\NoFuserEx\NoFuserEx\Program.cs:wiersz 29