search

ViRb3 / de4dot-cex

📦 de4dot deobfuscator with full support for vanilla ConfuserEx
GNU General Public License v3.0
491 stars 122 forks source link

Exception while decompiling an exe #14

Open theerfan opened 4 years ago

theerfan commented 4 years ago

When I run:

de4dot-x64 Program.exe

I get:

Array dimensions exceeded supported range. Array dimensions exceeded supported range. Detected ConfuserEx v0.6.0 (G:\Blah\de4dot-cex\Debug\Program.exe) Cleaning G:\Blah\de4dot-cex\Debug\Program.exe

Unhandled Exception: System.ApplicationException: Invalid new target, it's null at de4dot.blocks.Block.ReplaceLastInstrsWithBranch(Int32 numInstrs, Block target) in G:\Blah\de4dot-cex\de4dot.blocks\Block.cs:line 139 at de4dot.blocks.Block.ReplaceBccWithBranch(Boolean isTaken) in G:\Blah\de4dot-cex\de4dot.blocks\Block.cs:line 154 at de4dot.blocks.cflow.BlockCflowDeobfuscator.de4dot.blocks.cflow.IBranchHandler.HandleNormal(Int32 stackArgs, Boolean isTaken) in G:\Blah\de4dot-cex\de4dot.blocks\cflow\BlockCflowDeobfuscator.cs:line 66 at de4dot.blocks.cflow.BranchEmulator.EmulateBranch(Int32 stackArgs, Boolean isTaken) in G:\Blah\de4dot-cex\de4dot.blocks\cflow\BranchEmulator.cs:line 82 at de4dot.blocks.cflow.BranchEmulator.EmulateBranch(Int32 stackArgs, Bool3 cond) in G:\Blah\de4dot-cex\de4dot.blocks\cflow\BranchEmulator.cs:line 78 at de4dot.blocks.cflow.BranchEmulator.Emulate_Brfalse() in G:\Blah\de4dot-cex\de4dot.blocks\cflow\BranchEmulator.cs:line 238 at de4dot.blocks.cflow.BranchEmulator.Emulate(Instruction instr) in G:\Blah\de4dot-cex\de4dot.blocks\cflow\BranchEmulator.cs:line 65 at de4dot.blocks.cflow.BlockCflowDeobfuscator.Deobfuscate(Block block) in G:\Blah\de4dot-cex\de4dot.blocks\cflow\BlockCflowDeobfuscator.cs:line 54 at de4dot.blocks.cflow.BlockDeobfuscator.Deobfuscate(List1 allBlocks) in G:\Blah\de4dot-cex\de4dot.blocks\cflow\BlockDeobfuscator.cs:line 40 at de4dot.blocks.cflow.BlocksCflowDeobfuscator.Deobfuscate(IEnumerable1 bds, List1 allBlocks) in G:\Blah\de4dot-cex\de4dot.blocks\cflow\BlocksCflowDeobfuscator.cs:line 106 at de4dot.blocks.cflow.BlocksCflowDeobfuscator.Deobfuscate() in G:\Blah\de4dot-cex\de4dot.blocks\cflow\BlocksCflowDeobfuscator.cs:line 90 at de4dot.code.ObfuscatedFile.Deobfuscate(MethodDef method, BlocksCflowDeobfuscator cflowDeobfuscator, MethodPrinter methodPrinter, Boolean isVerbose, Boolean isVV) in G:\Blah\de4dot-cex\de4dot.code\ObfuscatedFile.cs:line 640 at de4dot.code.ObfuscatedFile.DeobfuscateMethods() in G:\Blah\de4dot-cex\de4dot.code\ObfuscatedFile.cs:line 589 at de4dot.code.ObfuscatedFile.Deobfuscate() in G:\Blah\de4dot-cex\de4dot.code\ObfuscatedFile.cs:line 401 at de4dot.cui.FilesDeobfuscator.DeobfuscateAllFiles(IEnumerable1 allFiles) in G:\Blah\de4dot-cex\de4dot.cui\FilesDeobfuscator.cs:line 374 at de4dot.cui.FilesDeobfuscator.DeobfuscateAll() in G:\Blah\de4dot-cex\de4dot.cui\FilesDeobfuscator.cs:line 134 at de4dot.cui.FilesDeobfuscator.DoIt() in G:\Blah\de4dot-cex\de4dot.cui\FilesDeobfuscator.cs:line 91 at de4dot.cui.Program.Main(String[] args) in G:\Blah\de4dot-cex\de4dot.cui\Program.cs:line 118 at de4dot_x64.Program.Main(String[] args) in G:\Blah\de4dot-cex\de4dot-x64\Program.cs:line 23

I had previously checked the file with Detect It Easy to make sure it used ConfuserEx. I tried running the code via an .exe that Visual Studio compiled from the source code and via the pre-built binaries, both returned the exact same results.

ViRb3 commented 4 years ago

You would need to upload the binary that you are deobfuscating for anybody to be able to help. It might be a modified ConfuserEx version - Detect It Easy only reads the version metadata which can be faked or simply unchanged. Or it could be a bug in the deobfuscator. Unfortunately I don't have the time to check this right now, but hopefully soon™.

theerfan commented 4 years ago

Ok, thanks. :)) Here's the file: Program.zip