de4dot-cex icon indicating copy to clipboard operation
de4dot-cex copied to clipboard

Published 20 hours ago • verified publisher icon ViRb3

Obfuscation artifacts remain

Open HammerBob opened this issue 5 years ago • 10 comments

de4dot-cex successfully removed most of the ConfuserEx 1.0.0 protection for me, but some artifacts remain in the code. I'm willing to pay if you are willing to improve de4dot-cex to remove these artifacts. Are you interested?

HammerBob avatar May 02 '19 10:05 HammerBob

Are you sure it is vanilla ConfuserEx (no modifications)? If yes, then please send me the file.

ViRb3 avatar May 02 '19 11:05 ViRb3

I'm sure it is vanilla ConfuserEx v1.0.0. My test program is in de4dot-dex-issue.zip.

You can download the zip https://www.zipshare.com/fileDownload/eyJhcmNoaXZlSWQiOiJhNTAxMDljYi1iY2U0LTRjZjQtYjc0OC1kMTI4MTU1ZjM0NTgiLCJlbWFpbCI6ImJvYkBwcXN5c3RlbXMuY29tIn0= from:

https://www.zipshare.com/fileDownload/eyJhcmNoaXZlSWQiOiJhNTAxMDljYi1iY2U0LTRjZjQtYjc0OC1kMTI4MTU1ZjM0NTgiLCJlbWFpbCI6ImJvYkBwcXN5c3RlbXMuY29tIn0= .

Please see de4dot-cex issue.pdf in the zip.

Thanks for looking into this.

On Thu, May 2, 2019 at 7:28 AM Victor [email protected] wrote:

Are you sure it is vanilla ConfuserEx (no modifications)? If yes, then please send me the file.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/ViRb3/de4dot-cex/issues/6#issuecomment-488638055, or mute the thread https://github.com/notifications/unsubscribe-auth/ABRVK6EB5D37KIWUSAQP2BTPTLF7NANCNFSM4HJ5IERQ .

HammerBob avatar May 02 '19 18:05 HammerBob

Thanks for the detailed description! The issue is that methods are not inlined after their proxies are resolved. I will see what I can do about that :)

ViRb3 avatar May 02 '19 18:05 ViRb3

I implemented de4dot's default MethodCallInliner. Note that inlining of instance methods has not been enabled, since I couldn't find that functionality in the test cases you sent me. Please give it a test yourself and let me know if everything is working properly: https://ci.appveyor.com/project/ViRb3/de4dot-cex/builds/24273228/artifacts

ViRb3 avatar May 03 '19 00:05 ViRb3

The issue I identified seems to be working properly now. Thanks a lot!

I'm not sure if I need "inlining of instance methods" working or not. Can you give me an example of what that looks like in the code? I still see lots of methods with names like method_N or smethod_N. I'm not sure if some of those might go away if "inlining of instance methods" was working.

I would like to move our conversation to email. Please email me at: [email protected].

On Thu, May 2, 2019 at 8:35 PM Victor [email protected] wrote:

I implemented de4dot's default MethodCallInliner. Note that inlining of instance methods has not been enabled, since I couldn't find that functionality in the test cases you sent me. Please give it a test yourself and let me know if everything is working properly: https://ci.appveyor.com/project/ViRb3/de4dot-cex/builds/24273228/artifacts

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/ViRb3/de4dot-cex/issues/6#issuecomment-488879282, or mute the thread https://github.com/notifications/unsubscribe-auth/ABRVK6DYMNMNMSXRMYMWWFTPTOCFNANCNFSM4HJ5IERQ .

HammerBob avatar May 03 '19 13:05 HammerBob

I discovered an issue where "Name" protection is not properly deobfuscated in one case.

Please refer to the PDF in:

https://www.zipshare.com/fileDownload/eyJhcmNoaXZlSWQiOiIyNzg4OTBjZS0yN2JkLTQ3ZGQtYmZiOC03YWU2MmI1MDZhMDQiLCJlbWFpbCI6ImJvYkBwcXN5c3RlbXMuY29tIn0=

On Thu, May 2, 2019 at 8:35 PM Victor [email protected] wrote:

I implemented de4dot's default MethodCallInliner. Note that inlining of instance methods has not been enabled, since I couldn't find that functionality in the test cases you sent me. Please give it a test yourself and let me know if everything is working properly: https://ci.appveyor.com/project/ViRb3/de4dot-cex/builds/24273228/artifacts

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/ViRb3/de4dot-cex/issues/6#issuecomment-488879282, or mute the thread https://github.com/notifications/unsubscribe-auth/ABRVK6DYMNMNMSXRMYMWWFTPTOCFNANCNFSM4HJ5IERQ .

HammerBob avatar May 03 '19 18:05 HammerBob

I will check this when I get back to my laptop. It should be a week or so.

ViRb3 avatar May 06 '19 21:05 ViRb3

Hello,

Are you still working on this? I also found that some artifacts remain on dotfuscator.

can you please take a look at it ?

https://mega.nz/file/E4whWYJZ#1pGSSouGy2ykfTb2iql_An1cYG3deySjo89f1o0h4CI

danyhm avatar Aug 07 '20 18:08 danyhm

Sorry, I don't think I'll have time to maintain this project in the foreseeable future.

ViRb3 avatar Aug 07 '20 18:08 ViRb3

Hi,

No, I'm not dealing with this any longer.

Bob

On Fri, Aug 7, 2020 at 2:40 PM danyhm [email protected] wrote:

Hello,

Are you still working on this? I also found that some artifacts remain on dotfuscator.

can you please take a look at it ?

https://mega.nz/file/E4whWYJZ#1pGSSouGy2ykfTb2iql_An1cYG3deySjo89f1o0h4CI

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/ViRb3/de4dot-cex/issues/6#issuecomment-670654932, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABRVK6BY7ZYEDM2FN35CMETR7RDADANCNFSM4HJ5IERQ .

HammerBob avatar Aug 07 '20 22:08 HammerBob