holly-hacker / EazFixer

A deobfuscation tool for Eazfuscator.
MIT License

Output may fail to run on virtualized assemblies. #13

Closed holly-hacker closed 6 years ago

holly-hacker commented 6 years ago

Virtualized assemblies can have virtualized code that references the string decryptor (or other normally removed code). Once these types get removed, the virtualized code will fail to run since it cannot resolve it anymore. Related, it could be that we're changing MDTokens when we save the assembly, we shouldn't do that by default (see de4dot's --keep-tokens).

It should be easy to fix this by adding a commandline flag similar to de4dot's --keep-types.

See #12.
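As an added illustration of the two safeguards this issue asks for (not EazFixer's own code), the snippet below shows, with dnlib 3.x naming, how a cleanup step would skip removing a helper type when a keep-types flag is set and how saving with `MetadataFlags.PreserveAll` keeps existing MDTokens, mirroring de4dot's `--keep-tokens`. The flag names, `RemoveHelperType`, `Save`, and the `StringDecryptorPlaceholder` type name are assumptions made for the example.

```csharp
using System;
using dnlib.DotNet;
using dnlib.DotNet.Writer;

static class KeepTypesExample
{
    // Hypothetical flags mirroring de4dot's --keep-tokens / --keep-types.
    public static bool KeepTokens = true;   // default on: a VM may resolve members by MDToken
    public static bool KeepTypes = false;   // keep inlined helper types such as the string decryptor

    // 'helperType' is a type the deobfuscator has already inlined away from normal IL.
    // Virtualized method bodies can still resolve it at run time, so removing it
    // silently breaks those methods; only remove it when the user did not ask to keep it.
    public static void RemoveHelperType(ModuleDef module, TypeDef helperType)
    {
        if (KeepTypes)
        {
            Console.WriteLine($"Keeping {helperType.FullName}: virtualized code may still reference it");
            return;
        }
        module.Types.Remove(helperType);
    }

    public static void Save(ModuleDefMD module, string outputPath)
    {
        var writerOptions = new ModuleWriterOptions(module);
        if (KeepTokens)
        {
            // Preserve every existing MDToken/RID so that references encoded outside the
            // regular metadata (for example a VM's serialized method bodies) still
            // resolve after the assembly has been rewritten.
            writerOptions.MetadataOptions.Flags |= MetadataFlags.PreserveAll;
        }
        module.Write(outputPath, writerOptions);
    }

    static void Main(string[] args)
    {
        // Usage: KeepTypesExample <input.dll> <output.dll>
        ModuleDefMD module = ModuleDefMD.Load(args[0]);

        // Constructed lookup: in a real tool the helper type comes from the deobfuscator's analysis.
        TypeDef helper = module.Find("StringDecryptorPlaceholder", false);
        if (helper != null)
            RemoveHelperType(module, helper);

        Save(module, args[1]);
    }
}
```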

CreateAndInject commented 6 years ago

What is virtualized? Does de4dot devirtualize methods for old Eazfuscator versions?

holly-hacker commented 6 years ago

To make virtualized methods, EazFuscator creates a virtual machine that executes IL or IL-like instructions and will use that to run the method. You can find more on their documentation here. As far as I know, de4dot does not devirtualize EazFuscator. However, there is eazdevirt by Saneki or my fork of it, although both are outdated by now.

ghost commented 6 years ago

Any hopes for devirtualization?

holly-hacker commented 6 years ago

Devirtualization is a very large beast to tackle. It takes a very long time to implement in the first place, and keeping it updated is a very boring job I wouldn't wish on anyone. There is a good reason why it is the most secure protection EazFuscator has to offer. To give you an idea on how annoying updating devirtualizers is: I've already turned down hundreds of dollars just so I wouldn't have to do it.

For now, I have no plans to add devirtualization to EazFixer, and I don't think I will accept PRs adding the functionality because then I will be burdened with keeping it updated. Perhaps in the future I will make one, but I wouldn't count on it.

ghost commented 6 years ago

I am planning to invest $1k for that implementation, only one time; no updates are required for me.

DevinoPro commented 6 years ago

Hi, reason behind blocking please.

notsquirr3l commented 6 years ago

@DevinoPro virtual opcodes are in a giant list, EazFuscator itself is not a great obfuscator, it's just boring to make a tool. If you want a dirty method that doesn't support code you cannot execute, just attach a debugger to the program and step through method stubs and look at what it invokes.

holly-hacker commented 6 years ago

Fixed since #15, you can now use --fix-virt or --keep-types.