petikvx / MSIL-Ransom-Part-01

Source Code of MSIL Ransom
GNU General Public License v3.0

ProTips #5

Closed DartPower closed 1 year ago

DartPower commented 1 year ago

You can also use these decompilers: https://github.com/icsharpcode/ILSpy https://github.com/dnSpyEx

And this deobfuscator https://github.com/ViRb3/de4dot-cex

petikvx commented 1 year ago

Thank you. I will try. The best way will be to make an automatic extract. :)

DartPower commented 1 year ago

You can use de4dot-cex with batch/bash automation

And ILSpy (ilspycmd) https://stackoverflow.com/questions/60856709/is-there-a-way-to-do-automated-decompilation-with-ilspy

DartPower commented 1 year ago

Example for Windows.

For de4dot-cex:

```bat
rem Deobfuscate every .exe/.dll below the current directory; de4dot-cex writes <name>-cleaned.<ext> next to each input
for /r %%G in ("*.exe";"*.dll") do de4dot-cex "%%G"
```

For ilspycmd ("-cleaned" is the suffix de4dot-cex appends):

```bat
rem Decompile only the cleaned files, one C# project (-p) per assembly
for /r %%G in ("*-cleaned.exe";"*-cleaned.dll") do ilspycmd "%%G" -p -o "C:\MalwareDecompiled\%%G"
```

petikvx commented 1 year ago

Thx for the details. Which is better for you?

DartPower commented 1 year ago

PLZ test it before launching it on normal IL files (like Terraria.exe or any other known C#/VB.NET app) - this script should just work, but it needs testing.

And: just create two files and launch them. "_1_Deobfuscate.cmd" with this code:

```bat
for /r %%G in ("*.exe";"*.dll") do de4dot-cex "%%G"
```

"_2_Decompile.cmd":

```bat
for /r %%G in ("*-cleaned.exe";"*-cleaned.dll") do ilspycmd "%%G" -p -o "C:\MalwareDecompiled\%%G"
```

Launch 1 first, and after 1, launch 2.

Don't forget to change the path (C:\MalwareDecompiled) or create this folder.

I think this method is more friendly with decompiled MSIL executables and/or libs, because having many files named like "うんざりする.cs" is not a good idea 😃

petikvx commented 1 year ago

Hello, _1_Deobfuscate.cmd step is good.

But for ilspycmd I don't see this program. Only ILSpy.exe, but it does not run correctly.

DartPower commented 1 year ago

"_2_Decompile.cmd":

```bat
for /r %%G in ("*-cleaned.exe";"*-cleaned.dll") do ilspycmd "%%G" -p -o "%%G"
```

Try this.
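Added example, not from this repository or either commenter: the two .cmd files above folded into one Python script that runs the same two stages (de4dot-cex, then ilspycmd on the `*-cleaned.*` output) on Windows or Linux. It assumes `de4dot-cex` and `ilspycmd` are on PATH; the per-sample output directory and the dry-run mode are my own additions and sidestep the nested `C:\MalwareDecompiled\%%G` path from the first version.

```python
"""Two-stage MSIL pipeline from the thread: de4dot-cex, then ilspycmd.
Assumes both tools are on PATH; tool names and the output root are placeholders."""
import shutil
import subprocess
import sys
from pathlib import Path

DE4DOT = "de4dot-cex"
ILSPY = "ilspycmd"
CLEANED = "-cleaned"  # suffix de4dot appends to its deobfuscated output

def is_msil_sample(p: Path) -> bool:
    return p.suffix.lower() in {".exe", ".dll"}

def is_cleaned(p: Path) -> bool:
    return is_msil_sample(p) and p.stem.endswith(CLEANED)

def output_dir_for(sample: Path, out_root: Path) -> Path:
    # One project directory per assembly, keyed by file stem only, so ilspycmd
    # never receives a nested absolute path such as C:\out\C:\samples\x-cleaned.exe.
    return out_root / sample.stem

def plan(root: Path, out_root: Path, stage: int) -> list[list[str]]:
    # Command lines for one stage (1 = deobfuscate, 2 = decompile). Stage 2 is
    # planned only after stage 1 has run, since de4dot creates the *-cleaned.* files.
    cmds = []
    for p in sorted(root.rglob("*")):
        if stage == 1 and is_msil_sample(p) and not is_cleaned(p):
            cmds.append([DE4DOT, str(p)])
        elif stage == 2 and is_cleaned(p):
            cmds.append([ILSPY, str(p), "-p", "-o", str(output_dir_for(p, out_root))])
    return cmds

def run(root: Path, out_root: Path, dry_run: bool = True) -> int:
    # Runs both stages in order and returns the number of commands issued.
    # dry_run=True only prints the plan, for checking it on a clean system first.
    if not dry_run and any(shutil.which(t) is None for t in (DE4DOT, ILSPY)):
        sys.exit("de4dot-cex and ilspycmd must both be on PATH")
    count = 0
    for stage in (1, 2):
        for cmd in plan(root, out_root, stage):
            print(" ".join(cmd))
            if not dry_run:
                subprocess.run(cmd, check=False)
            count += 1
    return count

if __name__ == "__main__":  # usage: pipeline.py <samples_dir> <out_dir> [--run]
    a = [x for x in sys.argv[1:] if x != "--run"]
    run(Path(a[0]), Path(a[1]), dry_run="--run" not in sys.argv)
```

Run it once without `--run` to see the planned commands, then with `--run` inside the sandbox.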

DartPower commented 1 year ago

Oh, I also see you may be using Windows Sandbox. I recommend using *.wsb scripts for it.

This is my code :D

```xml
<Configuration>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>Q:\Aurora\StorageRO</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>Q:\Aurora\StorageRW</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\StorageRO</Command>
    <Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\StorageRW</Command>
  </LogonCommand>
</Configuration>
```

You can just launch it.

This example contains folders for easily transferring files from your system to the virtualized one.

petikvx commented 1 year ago

Lol I'm so stupid :) I will try

petikvx commented 1 year ago

I have to install this one: https://github.com/icsharpcode/ILSpy/tree/master/ICSharpCode.ILSpyCmd https://www.nuget.org/packages/ilspycmd/

petikvx commented 1 year ago

I'm really a noob, I think. Sorry, it's in French, but: cannot resolve 'ilspycmd (>= 0.0.0)' for 'net6.0'.

DartPower commented 1 year ago

You need this: https://dotnet.microsoft.com/en-us/download/dotnet/6.0

petikvx commented 1 year ago

I will try, but I think I already installed the dotnet 6.0 SDK.

DartPower commented 1 year ago

> I will try but already install dotnet 6.0 sdk I think.

You need the runtime :)

petikvx commented 1 year ago

Beginning of success.

petikvx commented 1 year ago

And it seems to be working on Linux :)

I just have to find the equivalent of de4dot for Linux :)

petikvx commented 1 year ago

Work finished.

petikvx commented 1 year ago

Result here: https://github.com/petikvx/test-decompile-msil

DartPower commented 1 year ago

Wow, cool 👍