holly-hacker / eazfixer Goto Github PK
View Code? Open in Web Editor NEWA deobfuscation tool for Eazfuscator.
License: MIT License
A deobfuscation tool for Eazfuscator.
License: MIT License
People are lazy and want precompiled builds. Seems fair enough.
I'm getting error given below:
Could not load file or assembly 'xxxxx, Version=1.0 Culture=neutral, PublicKeyToken=null' or one of its dependencies. Attempt to load an unverifiable executable with fixups (IAT with more than 2 sections or a TLS section.) (Exception from HRESULT: 0x80131019)
Checklist:
The sample from #14 has multiple LibTongue.resources.dll
files, for different cultures. Right now, only the very last one gets written to disk, which is not the behavior I want.
Possible ways of handling this are:
Executing memory patches...
Initializing modules...
Processing...
Cleanup...
Applied patches:
StringFixer: Failed (Exception has been thrown by the target of an invocation.)
ResourceResolver: Failed (Init error: Could not find resolver type)
AssemblyResolver: Failed (Init error: Could not find resolver type)
Writing new assembly...
Done.
Is the dnlib folder supposed to be empty??
This one seems to be protected with a recent version of the obfuscator.
de4dot can decrypt some of the strings but no resources or embedded assemblies at all.
EazFixer can decrypt most strings but that's it because only the StringFixer displays "Success".
I tried your fork of eazdevirt and it doesn't seem to find any traces of virtualizationr.
Virtualized assemblies can have virtualized code that references the string decryptor (or other normally removed code). Once these types get removed, the virtualized code will fail to run since it cannot resolve it anymore. Related, it could be that we're changing MDTokens when we save the assembly, we shouldn't do that by default (see de4dot's --keep-tokens).
It should be easy to fix this by adding a commandline flag similar to de4dot's --keep-types.
See #12.
The error is on Line 67 in AssemblyResolver.cs
Good, I try to pass the program an obfuscated dll, but it does not work, it is contemplated the defocusing of dll.
Hello,
It looks like in one of the newer Eazfuscator versions (I can't specify a exact version number, sorry!), the assembly resolver component has had a change made to it which resulted in this tool breaking.
The breaking change:
https://github.com/HoLLy-HaCKeR/EazFixer/blob/a99eca4c84cc022d8afd6c5eb152fd3b09c65462/EazFixer/Processors/AssemblyResolver.cs#L136
In the newer versions i
is initialized to 1
instead of 0
in the loop. This causes a IndexOutOfRangeException
to occur later in the process as the tool tries to read out of the bounds of the split
array.
Non-breaking change:
Eazfuscator seems to have added a new f
flag. Luckily it doesn't affect this tool at all.
Sample which can be used to reproduce this issue:
Sample-all.zip
Currently we use invocation to fix strings, which can be very dangerous. Using emulation when Echo provides it would help.
Turns out #15 made a really bad cli parser. I should probably use an existing one instead of handrolling a bad one.
In Eazfsucator 2019.1 String decryption does not works.
I'm getting that error:
Executing memory patches ...
Wrong MethodAttributes or CallingConventions for DynamicMethod. Only "public", "static" and "standard" are supported
Eaz does not currently use very strong control flow obfuscation, but once they do it may be useful to use Echo to resolve stack dependencies for the string decrypter method.
Currently, running on a file without any options requires using the --file /path/to/file
flag. Removing the need for --file
will also allow drag-and-drop to work again.
I try to deobfuscate a program but i have this error:
Executing memory patches...
Initializing modules...
Processing...
Cleanup...
Applied patches:
StringFixer: Success
ResourceResolver: Failed (Init error: Could not find resolver type)
AssemblyResolver: Failed (Init error: Could not find resolver type)
Writing new assembly...
DONE
Press any key to exit...
The target program is: http://www.filedropper.com/zcrackroblox
Unhandled Exception: System.NotSupportedException: Wrong MethodAttributes or CallingConventions for DynamicMethod. Only public, static, standard supported
at System.Reflection.Emit.DynamicMethod.CheckConsistency(MethodAttributes attributes, CallingConventions callingConvention)
at System.Reflection.Emit.DynamicMethod.Init(String name, MethodAttributes attributes, CallingConventions callingConvention, Type returnType, Type[] signature, Type owner, Module m, Boolean skipVisibility, Boolean transparentMethod, StackCrawlMark& stackMark)
at System.Reflection.Emit.DynamicMethod..ctor(String name, MethodAttributes attributes, CallingConventions callingConvention, Type returnType, Type[] parameterTypes, Type owner, Boolean skipVisibility)
at Harmony.DynamicTools.CreateDynamicMethod(MethodBase original, String suffix)
at Harmony.MethodPatcher.CreatePatchedMethod(MethodBase original, List1 prefixes, List
1 postfixes, List1 transpilers) at Harmony.PatchFunctions.UpdateWrapper(MethodBase original, PatchInfo patchInfo) at Harmony.PatchProcessor.Patch() at Harmony.HarmonyInstance.<PatchAll>b__6_0(Type type) at Harmony.CollectionExtensions.Do[T](IEnumerable
1 sequence, Action`1 action)
at Harmony.HarmonyInstance.PatchAll(Assembly assembly)
at EazFixer.Harmony.Patch() in C:\test\EazFixer\EazFixer\Harmony.cs:line 13
at EazFixer.Program.Main(String[] args) in C:\test\EazFixer\EazFixer\Program.cs:line 19
Virtualization obfuscation
Can you add releases?
Applied patches:
StringFixer: Failed (Init error: Could not find decrypter method)
ResourceResolver: Failed (Init error: Could not find resolver type)
AssemblyResolver: Failed (StringFixer is required!)
Entrypoint obfuscation
https://gyazo.com/63d065da67bca62356680c4301e94d56
I'm not sure what causes this bug, but the methods are defined.
Unhandled Exception: System.Exception: Unable to find crypto stream TypeDef
Unhandled Exception: System.Exception: Unable to find crypto stream TypeDef
at eazdevirt.EazModule.Initialize() in E:\xxxx\eazdevirt-master\src\eazdevirt\Core\EazModule.cs:line 86
at eazdevirt.EazModule..ctor(ModuleDefMD module, ILogger logger) in E:\xxx\eazdevirt-master\src\eazdevirt\Core\EazModule.cs:line 77
at eazdevirt.Program.TryLoadModule(String path, ILogger logger, EazModule& module) in E:\xxx\eazdevirt-master\src\eazdevirt\Program.cs:line 192
at eazdevirt.Program.DoDevirtualize(MonoOptions options) in E:\xxx\eazdevirt-master\src\eazdevirt\Program.Devirtualize.cs:line 168
at eazdevirt.Program.Main(String[] args) in E:\xxx\eazdevirt-master\src\eazdevirt\Program.cs:line 139
if (type.IsGenericType) //type is null
{
flag2 = false;
}
It seems this method is generated by eaz, your tool doesn't clean completely
whole code
// #=qhV51mqsmZyKWrUetPxG5f8m$h3XhMl0AIaoJwVc$D1E=
[DebuggerNonUserCode]
private MethodBase #=z8v9YWyfC6tuClV80LCgyA_1FwG3San9xrA==(int #=zrn90pR8=, #=qKwaTyl6Rv9mcRmvdxY4NXmcIEkJcl0OEF11sG53sWvk= #=zCl9$JzU=)
{
Dictionary<int, object> dictionary = #=qhV51mqsmZyKWrUetPxG5f8m$h3XhMl0AIaoJwVc$D1E=.#=z8vSQRPg=;
Dictionary<int, object> dictionary2;
if (3 != 0)
{
dictionary2 = dictionary;
}
object obj = dictionary2;
if (true)
{
Monitor.Enter(obj);
}
MethodBase result;
try
{
bool flag = true;
bool flag2;
if (6 != 0)
{
flag2 = flag;
}
object obj2;
if (flag2 && #=qhV51mqsmZyKWrUetPxG5f8m$h3XhMl0AIaoJwVc$D1E=.#=z8vSQRPg=.TryGetValue(#=zrn90pR8=, out obj2))
{
MethodBase methodBase = (MethodBase)obj2;
if (2 != 0)
{
result = methodBase;
}
}
else if (#=zCl9$JzU=.#=zX1wW8IsArNpN_oBDfg==() == 1)
{
MethodBase methodBase2 = this.#=zf2bab1g=.ResolveMethod(#=zCl9$JzU=.#=zrIrFLDNPcENt9pkCVvza8mL0m1p0());
MethodBase methodBase3;
if (true)
{
methodBase3 = methodBase2;
}
if (flag2)
{
#=qhV51mqsmZyKWrUetPxG5f8m$h3XhMl0AIaoJwVc$D1E=.#=z8vSQRPg=.Add(#=zrn90pR8=, methodBase3);
}
MethodBase methodBase4 = methodBase3;
if (5 != 0)
{
result = methodBase4;
}
}
else
{
#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo= _#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo= = (#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=)#=zCl9$JzU=.#=z2m1nqKAQIf_jctR6PdUesuijy4gxvv9CZIRuQFqHSCty();
#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo= _#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2;
if (2 != 0)
{
_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2 = _#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=;
}
if (_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zuc1ElAJDK6tNfflOZNdk01A=())
{
result = this.#=z3ArTbSmHWfuj5Q64DCej4Sshg_3p(_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2);
}
else
{
Type type = this.#=ziG5bIhoUvy8pBi1kvJtL67DfE0AX573nXuXvc35gLmcw(_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zDV1gSv8XgtF_MjvpkH0e08Q=().#=zrIrFLDNPcENt9pkCVvza8mL0m1p0(), false);
Type type2 = this.#=ziG5bIhoUvy8pBi1kvJtL67DfE0AX573nXuXvc35gLmcw(_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zoVLjew9ZtCpdRsundXmEQWKvSguy().#=zrIrFLDNPcENt9pkCVvza8mL0m1p0(), true);
Type[] array = new Type[_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zRZYXzc5RlHjvU$D1BQ==().Length];
for (int i = 0; i < array.Length; i++)
{
array[i] = this.#=ziG5bIhoUvy8pBi1kvJtL67DfE0AX573nXuXvc35gLmcw(_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zRZYXzc5RlHjvU$D1BQ==()[i].#=zrIrFLDNPcENt9pkCVvza8mL0m1p0(), true);
}
if (type.IsGenericType)
{
flag2 = false;
}
if (_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zV$HlPelviP3L6394IwTa60IKPn0D() == ".ctor")
{
ConstructorInfo constructor = type.GetConstructor(BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic, null, CallingConventions.Any, array, null);
if (constructor == null)
{
throw new Exception();
}
if (flag2)
{
#=qhV51mqsmZyKWrUetPxG5f8m$h3XhMl0AIaoJwVc$D1E=.#=z8vSQRPg=.Add(#=zrn90pR8=, constructor);
}
result = constructor;
}
else
{
BindingFlags bindingAttr = #=qhV51mqsmZyKWrUetPxG5f8m$h3XhMl0AIaoJwVc$D1E=.#=za_3ai5XgP4YmJt4xaj9EeXILLULi(_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=z_SqDH4WDUufAqV3c5AegaJxjWWggFlUHFvQ8RDw=());
MethodBase methodBase5 = null;
try
{
methodBase5 = type.GetMethod(_#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zV$HlPelviP3L6394IwTa60IKPn0D(), bindingAttr, null, CallingConventions.Any, array, null);
}
catch (AmbiguousMatchException)
{
foreach (MethodInfo methodInfo in type.GetMethods(bindingAttr))
{
if (!(methodInfo.Name != _#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zV$HlPelviP3L6394IwTa60IKPn0D()) && methodInfo.ReturnType == type2)
{
ParameterInfo[] parameters = methodInfo.GetParameters();
if (parameters.Length == array.Length)
{
bool flag3 = false;
for (int k = 0; k < array.Length; k++)
{
if (parameters[k].ParameterType != array[k])
{
flag3 = true;
break;
}
}
if (!flag3)
{
methodBase5 = methodInfo;
break;
}
}
}
}
}
if (methodBase5 == null)
{
throw new Exception(string.Format("Cannot bind method: {0}.{1}", type.Name, _#=q0p7SnAY3GqJTIa5Cdjeux8Ehu4Rhzu_baBrMQqvVcNo=2.#=zV$HlPelviP3L6394IwTa60IKPn0D()));
}
if (flag2)
{
#=qhV51mqsmZyKWrUetPxG5f8m$h3XhMl0AIaoJwVc$D1E=.#=z8vSQRPg=.Add(#=zrn90pR8=, methodBase5);
}
result = methodBase5;
}
}
}
}
finally
{
Monitor.Exit(dictionary2);
}
return result;
}
Hi,
I see you made improvement for eazdevirt https://github.com/HoLLy-HaCKeR/eazdevirt now I want to try to make it compatible with latest eaz, do you have sample unpackme that compatible with your modified eazdevirt?
This program is protected with Eazfuscator.NET v2020.x - 2021.3 and I am trying to deobfuscate the program.
I first use String Decryptor 2.0 to decrypt strings, and the program decrypted 123 strings + 2 methods
Then I use EazFixer.exe --file
and this is the output:
Executing memory patches...
Initializing modules...
Processing...
Cleanup...
Applied patches:
StringFixer: Success
ResourceResolver: Failed (Init error: Could not find resolver type)
AssemblyResolver: Failed (Init error: Could not find resolver type)
Writing new assembly...
Done.
Am I doing something wrong? Thank you for your support.
// this can fail
Type type = ass.GetType(meth.DeclaringType.ReflectionFullName);
return type?.GetMethod(meth.Name, flags, null, args, null);
how to?
thanks
how to remove bug labels?
unfortunately doesn't work for this .this program apparently obfuscating with latest version
There should be an option to keep mdtokens, without using --keep-types.
you can build it and put it in realese?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.