search

SychicBoy / NETReactorSlayer

An open source (GPLv3) deobfuscator and unpacker for Eziriz .NET Reactor
https://www.CodeStrikers.org
GNU General Public License v3.0
965 stars 227 forks source link

[ERROR] An unexpected error occurred during decrypting booleans. Value cannot be null. Parameter name: key. #69

Open greenozon opened 1 year ago

greenozon commented 1 year ago

Describe the bug errors during work output exe is not clean, some methods can't be even decompiled, decompiler throws exception on these...

Target obfuscated file

input.zip

Screenshots image

OS Version: W10

Additional context


  Started deobfuscation: 2023-05-07 13:45:16
  Assembly: RosreestrXML.exe
  Architecture: X86
  CLI Started, PID: 8432
  =====================================

  [INFO] 15/15 Modules loaded...
  [INFO] 6047 Methods decrypted.
  [WARN] Couldn't find any equation to resolve.
  [WARN] Couldn't find anti tamper method.
  [WARN] Couldn't find anti debugger method.
  [WARN] Couldn't find any proxied call.
  [INFO] 2621 Strings decrypted.
  [WARN] Couldn't find any encrypted resource.
  [INFO] 35 Metadata tokens deobfuscated.
  [ERROR] An unexpected error occurred during decrypting booleans. Value cannot be null.
Parameter name: key.
  [INFO] 536 Calls to obfuscator types removed.
  [INFO] Renaming obfuscated symbols...
  [INFO] 10596 Methods inlined.
  [INFO] Saved to: RosreestrXML_Slayed.exe

example of broken methods:

image

![Uploading image.png…]()

JBou commented 10 months ago

If you change the order of the Stages https://github.com/SychicBoy/NETReactorSlayer/blob/0d0a631124e8871f1e69c68be342db6fa45cf37d/NETReactorSlayer.Core/Options.cs#L218-L220 to this order (move the MethodInliner before the ControlFlowDeobfuscator):

new MethodInliner(),
new ControlFlowDeobfuscator(),
new AntiManipulationPatcher(),

It is not throwing that error, and dnSpy is not throwing an exception. Also, there are 11824 methods inlined instead of 10596 before and more obfuscator types removed. But I don't know if it breaks other functions. In this particular case, it seems to work.

Output:

  [INFO] 6047 Methods decrypted.
  [WARN] Couldn't find any equation to resolve.
  [WARN] Couldn't find anti tamper method.
  [WARN] Couldn't find anti debugger method.
  [WARN] Couldn't find any proxied call.
  [INFO] 2621 Strings decrypted.
  [WARN] Couldn't find any encrypted resource.
  [INFO] 35 Metadata tokens deobfuscated.
  [INFO] 184 Booleans decrypted.
  [INFO] 774 Calls to obfuscator types removed.
  [INFO] 11824 Methods inlined.

As another try, using the original order of Stages, I also tried to comment out these 2 lines: https://github.com/SychicBoy/NETReactorSlayer/blob/0d0a631124e8871f1e69c68be342db6fa45cf37d/NETReactorSlayer.Core/Stages/ControlFlowDeobfuscator.cs#L38 https://github.com/SychicBoy/NETReactorSlayer/blob/0d0a631124e8871f1e69c68be342db6fa45cf37d/NETReactorSlayer.Core/Stages/ControlFlowDeobfuscator.cs#L40 Seems that these deobfuscations corrupt the IL code if they are run before the MethodInliner Stage.