
eazfixer's Introduction

EazFixer

A deobfuscation tool for Eazfuscator.

Downloading

You can download the latest master build at AppVeyor. If there was no commit in the last 6 months, you will have to build it yourself. Please do not open issues asking for me to build it for you.

Description

EazFixer is a deobfuscation tool for Eazfuscator, a commercial .NET obfuscator. The lists below show which Eazfuscator protections it handles, which may be added later, and which are out of scope.

Implemented fixes:

  • String encryption
  • Resource encryption
  • Assembly embedding

Not implemented, may be added in the future:

  • Entrypoint obfuscation
  • Data virtualization

Out of scope:

  • Code virtualization (consider using EazyDevirt)
  • Symbol renaming (symbol names are either unrecoverable or encrypted. For symbol decryption in case of a known key, see EazDecode)
  • Automatic code optimization (not an anti-feature!)
  • Code control flow obfuscation (I didn't have any problems with my samples in dnSpy)
  • Assemblies merging (doesn't seem probable, especially with symbol renaming)
  • Control flow obfuscation (use de4dot)

Usage

Run it from the command line: either drag and drop the file onto the executable and let it run, or pass the input file with the --file flag.

If your assembly is protected with control-flow obfuscation, run it through de4dot with the --only-cflow-deob flag first.

  • --file path
  • --keep-types
  • --virt-fix

The flag --file selects the input file. The flag --keep-types works like the de4dot flag of the same name: it keeps the obfuscator's types and assemblies in the output instead of removing them. The flag --virt-fix keeps certain parts obfuscated so that the output still works for virtualized assemblies.

example: EazFixer.exe --file test.exe --keep-types

Building

Clone the repository and use the latest version of Visual Studio (2019, at the time of writing).

Support

EazFixer is (and will always be) targeted at the latest version of Eazfuscator. If your version is not supported, try a more universal deobfuscator like de4dot. If your version is newer than what this tool supports, create an issue only after verifying with the latest version of Eazfuscator.

Also, I will not help you use this program. Consider it for advanced users only. If you do run into a problem and are sure it is a bug, feel free to submit an issue but I cannot guarantee I will fix it.

Related projects

  • EazDecode, for decrypting encrypted symbol names in case of a known encryption key.
  • eazdevirt, a tool for devirtualizing older versions of Eazfuscator.
  • eazdevirt fork, my abandoned fork of eazdevirt, may work slightly better on newer samples.

Credits

This tool uses the following (open source) software:

  • dnlib by 0xd4d, licensed under the MIT license, for reading/writing assemblies.
  • Harmony by Andreas Pardeike, licensed under the MIT license, for patching the stacktrace which allows for reflection invocation to be used.

eazfixer's People

Contributors

holly-hacker, notsquirr3l, puffingin2d, veselv2010


eazfixer's Issues

Resolvers don't work.

I try to deobfuscate a program but I have this error:

Executing memory patches...
Initializing modules...
Processing...
Cleanup...

Applied patches:
StringFixer: Success
ResourceResolver: Failed (Init error: Could not find resolver type)
AssemblyResolver: Failed (Init error: Could not find resolver type)

Writing new assembly...
DONE
Press any key to exit...

The target program is: http://www.filedropper.com/zcrackroblox

Handle multiple embedded assemblies with the same name.

The sample from #14 has multiple LibTongue.resources.dll files, for different cultures. Right now, only the very last one gets written to disk, which is not the behavior I want.

Possible ways of handling this are:

  • Only writing the DLL with a matching culture, falling back to neutral if needed.
  • Writing all DLLs, but suffixing non-neutral assemblies with their shortened culture name (eg. en-US).
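The two options above, worked through as an added C# example that is not EazFixer's own code. The EmbeddedAssembly type, the output layout and the sample entries are constructed for this illustration. It also adds a check the situation calls for: the file names and culture tags come out of an untrusted sample, so they are validated before being turned into a path, and a collision that survives the suffixing is reported instead of the last copy silently overwriting the others.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

// Constructed for this example; EazFixer's real representation of an embedded assembly differs.
public sealed class EmbeddedAssembly
{
    public string FileName { get; }  // e.g. "LibTongue.resources.dll"
    public string Culture { get; }   // "" for the neutral assembly, "en-US" etc. for satellites
    public byte[] Data { get; }

    public EmbeddedAssembly(string fileName, string culture, byte[] data)
    {
        FileName = fileName;
        Culture = culture ?? "";
        Data = data;
    }
}

public static class EmbeddedAssemblyWriter
{
    // Names and cultures originate in the sample being unpacked, so they are only
    // accepted as a bare file name (no separators, no invalid characters) and a
    // plausible BCP-47 style culture tag before they are used to build a path.
    static readonly Regex CultureTag = new Regex("^[A-Za-z]{2,8}(-[A-Za-z0-9]{1,8})*$");

    static void Validate(EmbeddedAssembly asm)
    {
        string n = asm.FileName;
        if (string.IsNullOrEmpty(n) || n != Path.GetFileName(n) || n.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new InvalidOperationException("Refusing unsafe embedded file name: " + n);
        if (asm.Culture.Length != 0 && !CultureTag.IsMatch(asm.Culture))
            throw new InvalidOperationException("Refusing unexpected culture tag: " + asm.Culture);
    }

    // Option 2: keep every copy, suffixing non-neutral ones with their culture
    // ("LibTongue.resources.dll" + "en-US" -> "LibTongue.resources.en-US.dll").
    public static string OutputName(EmbeddedAssembly asm)
    {
        Validate(asm);
        if (asm.Culture.Length == 0) return asm.FileName;
        return Path.GetFileNameWithoutExtension(asm.FileName) + "." + asm.Culture + Path.GetExtension(asm.FileName);
    }

    // Option 1: only the copy matching the wanted culture, falling back to the neutral one.
    public static EmbeddedAssembly SelectForCulture(IEnumerable<EmbeddedAssembly> candidates, string wantedCulture)
    {
        EmbeddedAssembly neutral = null;
        foreach (var c in candidates)
        {
            if (string.Equals(c.Culture, wantedCulture, StringComparison.OrdinalIgnoreCase)) return c;
            if (c.Culture.Length == 0) neutral = c;
        }
        return neutral;
    }

    // Writes every assembly under its OutputName and refuses to overwrite: two entries
    // that still collide are reported rather than the last one silently winning.
    public static List<string> WriteAll(IEnumerable<EmbeddedAssembly> assemblies, string outputDir)
    {
        Directory.CreateDirectory(outputDir);
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var written = new List<string>();
        foreach (var asm in assemblies)
        {
            string name = OutputName(asm);
            if (!seen.Add(name))
                throw new InvalidOperationException("Duplicate embedded assembly: " + name);
            string path = Path.Combine(outputDir, name);
            File.WriteAllBytes(path, asm.Data);
            written.Add(path);
        }
        return written;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample mirroring the report: one neutral and two satellite copies of the same name.
        var sample = new[]
        {
            new EmbeddedAssembly("LibTongue.resources.dll", "",      new byte[] { 0x4D, 0x5A }),
            new EmbeddedAssembly("LibTongue.resources.dll", "en-US", new byte[] { 0x4D, 0x5A }),
            new EmbeddedAssembly("LibTongue.resources.dll", "de-DE", new byte[] { 0x4D, 0x5A }),
        };
        string outDir = Path.Combine(Path.GetTempPath(), "eazfixer-demo");
        foreach (var path in EmbeddedAssemblyWriter.WriteAll(sample, outDir))
            Console.WriteLine(path);
        var chosen = EmbeddedAssemblyWriter.SelectForCulture(sample, "fr-FR");
        Console.WriteLine(chosen.Culture.Length == 0 ? "no fr-FR copy, fell back to neutral" : "matched " + chosen.Culture);
    }
}
```

The suffix scheme is the one proposed in the issue; the .NET loader itself expects satellites in a culture-named subdirectory, so a tool that wants the unpacked output to be loadable as-is would write to outputDir/en-US/LibTongue.resources.dll instead, which is a one-line change in OutputName.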

unpacked problem

Executing memory patches...
Initializing modules...
Processing...
Cleanup...

Applied patches:
StringFixer: Success
ResourceResolver: Failed (Init error: Could not find resolver type)
AssemblyResolver: Failed (值不能为 null。
参数名: source)

Writing new assembly...
Done.
ok

build

Can you build it and put it in a release?

The output can not work.

1.zip

if (type.IsGenericType) //type is null
{
flag2 = false;
}

It seems this method is generated by eaz; your tool doesn't clean it completely.

whole code

// #=qhV51mqsmZyKWrUetPxG5f8m$h3XhMl0AIaoJwVc$D1E=
[DebuggerNonUserCode]
private MethodBase #=z8v9YWyfC6tuClV80LCgyA_1FwG3San9xrA==(int #=zrn90pR8=, #=qKwaTyl6Rv9mcRmvdxY4NXmcIEkJcl0OEF11sG53sWvk= #=zCl9$JzU=)
{
	Dictionary<int, object> dictionary = #=qhV51mqsmZyKWrUetPxG5f8m$h3XhMl0AIaoJwVc$D1E=.#=z8vSQRPg=;
	Dictionary<int, object> dictionary2;
	if (3 != 0)
	{
		dictionary2 = dictionary;
	}
	object obj = dictionary2;
	if (true)
	{
		Monitor.Enter(obj);
	}
	MethodBase result;
	try
	{
		bool flag = true;
		bool flag2;
		if (6 != 0)
		{
			flag2 = flag;
		}
		object obj2;
		if (flag2 && #=qhV51mqsmZyKWrUetPxG5f8m$h3XhMl0AIaoJwVc$D1E=.#=z8vSQRPg=.TryGetValue(#=zrn90pR8=, out obj2))
		{
			MethodBase methodBase = (MethodBase)obj2;
			if (2 != 0)
			{
				result = methodBase;
			}
		}
		else if (#=zCl9$JzU=.#=zX1wW8IsArNpN_oBDfg==() == 1)
		{
			MethodBase methodBase2 = this.#=zf2bab1g=.ResolveMethod(#=zCl9$JzU=.#=zrIrFLDNPcENt9pkCVvza8mL0m1p0());
			MethodBase methodBase3;
			if (true)
			{
				methodBase3 = methodBase2;
			}
			if (flag2)
			{
				#=qhV51mqsmZyKWrUetPxG5f8m$h3XhMl0AIaoJwVc$D1E=.#=z8vSQRPg=.Add(#=zrn90pR8=, methodBase3);
			}
			MethodBase methodBase4 = methodBase3;
			if (5 != 0)
			{
				result = methodBase4;
			}
		}
		else
		{
			#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo= _#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo= = (#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=)#=zCl9$JzU=.#=z2m1nqKAQIf_jctR6PdUesuijy4gxvv9CZIRuQFqHSCty();
			#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo= _#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2;
			if (2 != 0)
			{
				_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2 = _#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=;
			}
			if (_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zuc1ElAJDK6tNfflOZNdk01A=())
			{
				result = this.#=z3ArTbSmHWfuj5Q64DCej4Sshg_3p(_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2);
			}
			else
			{
				Type type = this.#=ziG5bIhoUvy8pBi1kvJtL67DfE0AX573nXuXvc35gLmcw(_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zDV1gSv8XgtF_MjvpkH0e08Q=().#=zrIrFLDNPcENt9pkCVvza8mL0m1p0(), false);
				Type type2 = this.#=ziG5bIhoUvy8pBi1kvJtL67DfE0AX573nXuXvc35gLmcw(_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zoVLjew9ZtCpdRsundXmEQWKvSguy().#=zrIrFLDNPcENt9pkCVvza8mL0m1p0(), true);
				Type[] array = new Type[_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zRZYXzc5RlHjvU$D1BQ==().Length];
				for (int i = 0; i < array.Length; i++)
				{
					array[i] = this.#=ziG5bIhoUvy8pBi1kvJtL67DfE0AX573nXuXvc35gLmcw(_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zRZYXzc5RlHjvU$D1BQ==()[i].#=zrIrFLDNPcENt9pkCVvza8mL0m1p0(), true);
				}
				if (type.IsGenericType)
				{
					flag2 = false;
				}
				if (_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zV$HlPelviP3L6394IwTa60IKPn0D() == ".ctor")
				{
					ConstructorInfo constructor = type.GetConstructor(BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic, null, CallingConventions.Any, array, null);
					if (constructor == null)
					{
						throw new Exception();
					}
					if (flag2)
					{
						#=qhV51mqsmZyKWrUetPxG5f8m$h3XhMl0AIaoJwVc$D1E=.#=z8vSQRPg=.Add(#=zrn90pR8=, constructor);
					}
					result = constructor;
				}
				else
				{
					BindingFlags bindingAttr = #=qhV51mqsmZyKWrUetPxG5f8m$h3XhMl0AIaoJwVc$D1E=.#=za_3ai5XgP4YmJt4xaj9EeXILLULi(_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=z_SqDH4WDUufAqV3c5AegaJxjWWggFlUHFvQ8RDw=());
					MethodBase methodBase5 = null;
					try
					{
						methodBase5 = type.GetMethod(_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zV$HlPelviP3L6394IwTa60IKPn0D(), bindingAttr, null, CallingConventions.Any, array, null);
					}
					catch (AmbiguousMatchException)
					{
						foreach (MethodInfo methodInfo in type.GetMethods(bindingAttr))
						{
							if (!(methodInfo.Name != _#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zV$HlPelviP3L6394IwTa60IKPn0D()) && methodInfo.ReturnType == type2)
							{
								ParameterInfo[] parameters = methodInfo.GetParameters();
								if (parameters.Length == array.Length)
								{
									bool flag3 = false;
									for (int k = 0; k < array.Length; k++)
									{
										if (parameters[k].ParameterType != array[k])
										{
											flag3 = true;
											break;
										}
									}
									if (!flag3)
									{
										methodBase5 = methodInfo;
										break;
									}
								}
							}
						}
					}
					if (methodBase5 == null)
					{
						throw new Exception(string.Format("Cannot bind method: {0}.{1}", type.Name, _#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zV$HlPelviP3L6394IwTa60IKPn0D()));
					}
					if (flag2)
					{
						#=qhV51mqsmZyKWrUetPxG5f8m$h3XhMl0AIaoJwVc$D1E=.#=z8vSQRPg=.Add(#=zrn90pR8=, methodBase5);
					}
					result = methodBase5;
				}
			}
		}
	}
	finally
	{
		Monitor.Exit(dictionary2);
	}
	return result;
}

Add CI

People are lazy and want precompiled builds. Seems fair enough.

AssemblyResolver component is broken for samples from latest version.

Hello,
It looks like in one of the newer Eazfuscator versions (I can't specify an exact version number, sorry!), the assembly resolver component has had a change made to it which resulted in this tool breaking.

The breaking change:
https://github.com/HoLLy-HaCKeR/EazFixer/blob/a99eca4c84cc022d8afd6c5eb152fd3b09c65462/EazFixer/Processors/AssemblyResolver.cs#L136
In the newer versions i is initialized to 1 instead of 0 in the loop. This causes an IndexOutOfRangeException to occur later in the process as the tool tries to read out of the bounds of the split array.

Picture of change: [image]

Non-breaking change:
Eazfuscator seems to have added a new f flag. Luckily it doesn't affect this tool at all.
[image]

Sample which can be used to reproduce this issue:
Sample-all.zip

String DeObfuscation

In Eazfuscator 2019.1 string decryption does not work.

I'm getting that error:

Executing memory patches ...
Wrong MethodAttributes or CallingConventions for DynamicMethod. Only "public", "static" and "standard" are supported

error prompt

Applied patches:
StringFixer: Failed (Init error: Could not find decrypter method)
ResourceResolver: Failed (Init error: Could not find resolver type)
AssemblyResolver: Failed (StringFixer is required!)

Keep MDTokens

There should be an option to keep mdtokens, without using --keep-types.

Maybe new version of Eazfuscator?

I have a file that is partly obfuscated by Eazfuscator, these are the classes that appear in dnSpy
[image]

I have never seen them called like that so maybe it's a new version of the obfuscator?

Exception error

I'm getting error given below:

Could not load file or assembly 'xxxxx, Version=1.0 Culture=neutral, PublicKeyToken=null' or one of its dependencies. Attempt to load an unverifiable executable with fixups (IAT with more than 2 sections or a TLS section.) (Exception from HRESULT: 0x80131019)

Checklist:

  • I have checked that I am dealing with an EazFuscator binary, and believe that it can't be another obfuscator such as ConfuserEx.
  • [-] I understand that an error message may mean that a certain protection was not present.
  • I can share a sample that can reproduce the bug

can't GetType

maybe I know why

Thanks

===========================================================

dnSpy shows it has the class \u0003\u0003\u001B\u0010

how to ?

Thanks

[image]
[image]

ResourceResolver and AssemblyResolver Failed (Init error: Could not find resolver type)

[image: exeinfope_6345341274]
This program is protected with Eazfuscator.NET v2020.x - 2021.3 and I am trying to deobfuscate the program.

I first use String Decryptor 2.0 to decrypt strings, and the program decrypted 123 strings + 2 methods
[image]

Then I use EazFixer.exe --file and this is the output:

Executing memory patches...
Initializing modules...
Processing...
Cleanup...

Applied patches:
StringFixer: Success
ResourceResolver: Failed (Init error: Could not find resolver type)
AssemblyResolver: Failed (Init error: Could not find resolver type)

Writing new assembly...
Done.

Am I doing something wrong? Thank you for your support.

Another weird case

This one seems to be protected with a recent version of the obfuscator.
de4dot can decrypt some of the strings but no resources or embedded assemblies at all.
EazFixer can decrypt most strings but that's it because only the StringFixer displays "Success".

I tried your fork of eazdevirt and it doesn't seem to find any traces of virtualization.

c.zip

Use proper cli parsing

Turns out #15 made a really bad cli parser. I should probably use an existing one instead of handrolling a bad one.

Use emulation

Currently we use invocation to fix strings, which can be very dangerous. Using emulation when Echo provides it would help.

Output may fail to run on virtualized assemblies.

Virtualized assemblies can have virtualized code that references the string decryptor (or other normally removed code). Once these types get removed, the virtualized code will fail to run since it cannot resolve it anymore. Relatedly, it could be that we're changing MDTokens when we save the assembly; we shouldn't do that by default (see de4dot's --keep-tokens).

It should be easy to fix this by adding a commandline flag similar to de4dot's --keep-types.

See #12.
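The token-preservation half of this issue and the earlier "Keep MDTokens" request, as an added C# example that is not EazFixer's own code. It shows how a dnlib-based tool can save a module while keeping every metadata token and heap offset as in the input, which is what de4dot's --keep-tokens does. It assumes the dnlib 3.x API names (ModuleWriterOptions, NativeModuleWriterOptions, MetadataOptions, MetadataFlags; older dnlib spells the last two MetaDataOptions/MetaDataFlags), and the --keep-tokens switch in Main is an assumed name for this demo, not an EazFixer flag.

```csharp
using System;
using dnlib.DotNet;
using dnlib.DotNet.Writer;

// Added illustration built on dnlib 3.x; not EazFixer's code.
public static class TokenPreservingSaver
{
    // With keepTokens, every RID, token and heap offset is kept as in the input,
    // so code that still refers to members by metadata token (as virtualized code
    // can) keeps resolving in the rewritten file. Without it, dnlib may renumber.
    public static ModuleWriterOptionsBase BuildOptions(ModuleDefMD module, bool keepTokens)
    {
        // Mixed-mode (non IL-only) images need the native writer so that native
        // sections, the IAT and TLS data survive the rewrite.
        ModuleWriterOptionsBase opts = module.IsILOnly
            ? (ModuleWriterOptionsBase)new ModuleWriterOptions(module)
            : new NativeModuleWriterOptions(module, optimizeImageSize: false);

        if (keepTokens)
            opts.MetadataOptions.Flags |= MetadataFlags.PreserveAll;

        // Fail loudly instead of writing a file that only partially round-tripped.
        opts.Logger = DummyLogger.ThrowModuleWriterExceptionOnErrorInstance;
        return opts;
    }

    public static void Save(ModuleDefMD module, string outputPath, bool keepTokens)
    {
        ModuleWriterOptionsBase opts = BuildOptions(module, keepTokens);
        if (opts is NativeModuleWriterOptions native)
            module.NativeWrite(outputPath, native);
        else
            module.Write(outputPath, (ModuleWriterOptions)opts);
    }

    // Usage: <input.exe> <output.exe> [--keep-tokens]   (assumed switch name for this demo)
    public static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: <input> <output> [--keep-tokens]");
            return 1;
        }
        bool keepTokens = Array.IndexOf(args, "--keep-tokens") >= 0;
        using (ModuleDefMD module = ModuleDefMD.Load(args[0]))
        {
            Save(module, args[1], keepTokens);
        }
        Console.WriteLine("written " + args[1] + (keepTokens ? " (tokens preserved)" : ""));
        return 0;
    }
}
```

PreserveAll is the broad setting; dnlib also exposes the individual PreserveTypeDefRids, PreserveMethodRids and similar flags when only some tables need their numbering kept, which produces a smaller file than preserving everything.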

Latest version 2018.2 isn't supported?

Executing memory patches...
Initializing modules...
Processing...
Cleanup...

Applied patches:
StringFixer: Failed (Exception has been thrown by the target of an invocation.)
ResourceResolver: Failed (Init error: Could not find resolver type)
AssemblyResolver: Failed (Init error: Could not find resolver type)

Writing new assembly...
Done.

how to solve?

// this can fail

Type type = ass.GetType(meth.DeclaringType.ReflectionFullName);
return type?.GetMethod(meth.Name, flags, null, args, null);

how to?

thanks

how to remove bug labels?

Unhandled Exception: System.Exception: Unable to find crypto stream TypeDef #8

Unhandled Exception: System.Exception: Unable to find crypto stream TypeDef

Unhandled Exception: System.Exception: Unable to find crypto stream TypeDef
at eazdevirt.EazModule.Initialize() in E:\xxxx\eazdevirt-master\src\eazdevirt\Core\EazModule.cs:line 86
at eazdevirt.EazModule..ctor(ModuleDefMD module, ILogger logger) in E:\xxx\eazdevirt-master\src\eazdevirt\Core\EazModule.cs:line 77
at eazdevirt.Program.TryLoadModule(String path, ILogger logger, EazModule& module) in E:\xxx\eazdevirt-master\src\eazdevirt\Program.cs:line 192
at eazdevirt.Program.DoDevirtualize(MonoOptions options) in E:\xxx\eazdevirt-master\src\eazdevirt\Program.Devirtualize.cs:line 168
at eazdevirt.Program.Main(String[] args) in E:\xxx\eazdevirt-master\src\eazdevirt\Program.cs:line 139

Issue in patch instance

Unhandled Exception: System.NotSupportedException: Wrong MethodAttributes or CallingConventions for DynamicMethod. Only public, static, standard supported
at System.Reflection.Emit.DynamicMethod.CheckConsistency(MethodAttributes attributes, CallingConventions callingConvention)
at System.Reflection.Emit.DynamicMethod.Init(String name, MethodAttributes attributes, CallingConventions callingConvention, Type returnType, Type[] signature, Type owner, Module m, Boolean skipVisibility, Boolean transparentMethod, StackCrawlMark& stackMark)
at System.Reflection.Emit.DynamicMethod..ctor(String name, MethodAttributes attributes, CallingConventions callingConvention, Type returnType, Type[] parameterTypes, Type owner, Boolean skipVisibility)
at Harmony.DynamicTools.CreateDynamicMethod(MethodBase original, String suffix)
at Harmony.MethodPatcher.CreatePatchedMethod(MethodBase original, List`1 prefixes, List`1 postfixes, List`1 transpilers)
at Harmony.PatchFunctions.UpdateWrapper(MethodBase original, PatchInfo patchInfo)
at Harmony.PatchProcessor.Patch()
at Harmony.HarmonyInstance.<PatchAll>b__6_0(Type type)
at Harmony.CollectionExtensions.Do[T](IEnumerable`1 sequence, Action`1 action)
at Harmony.HarmonyInstance.PatchAll(Assembly assembly)
at EazFixer.Harmony.Patch() in C:\test\EazFixer\EazFixer\Harmony.cs:line 13
at EazFixer.Program.Main(String[] args) in C:\test\EazFixer\EazFixer\Program.cs:line 19
