Closed DartPower closed 1 year ago
Thank you. I will try. The best way will be to make an automatic extract. :)
You can use de4dot-cex with batch/bash automation
And ILSpy (ilspycmd) https://stackoverflow.com/questions/60856709/is-there-a-way-to-do-automated-decompilation-with-ilspy
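Example for Windows
For de4dot-cex
```
for /r %%G in ("*.exe";"*.dll") do de4dot-cex "%%G"
```
For ilspycmd ("-cleaned": it's after de4dot-cex)
```
rem %%G is a full path under "for /r", so use %%~nG (file name only) and create the per-file output folder first
for /r %%G in ("*-cleaned.exe";"*-cleaned.dll") do (mkdir "C:\MalwareDecompiled\%%~nG" 2>nul & ilspycmd "%%G" -p -o "C:\MalwareDecompiled\%%~nG")
```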
Thx for the details. What is better for you?
PLZ test it on normal IL files (like Terraria.exe or any other known C#/VB.NET app) before launching it - this script may just work, but it needs to be tested
And:
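Just create two files and launch them:
"_1_Deobfuscate.cmd" with this code
```
for /r %%G in ("*.exe";"*.dll") do de4dot-cex "%%G"
```
"_2_Decompile.cmd"
```
rem %%G is a full path under "for /r", so use %%~nG (file name only) and create the per-file output folder first
for /r %%G in ("*-cleaned.exe";"*-cleaned.dll") do (mkdir "C:\MalwareDecompiled\%%~nG" 2>nul & ilspycmd "%%G" -p -o "C:\MalwareDecompiled\%%~nG")
```
Launch 1 first, and after 1, launch 2.
Don't forget to change the path (C:\MalwareDecompiled) or create this folder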
I think this method is friendlier for decompiled MSIL executables and/or libs, because many files like "うんざりする.cs" are not a good idea 😃
Hello, the _1_Deobfuscate.cmd step is good.
But for ilspycmd, I don't see this program. Only ILSpy.exe, but it does not run correctly.
"_2_Decompile.cmd"
```
for /r %%G in ("*-cleaned.exe";"*-cleaned.dll") do ilspycmd "%%G" -p -o "%%G"
```
Try this
Oh, I also see you may be using Windows Sandbox. I recommend using *.wsb scripts for it
This is my code :D
```xml
<Configuration>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>Q:\Aurora\StorageRO</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>Q:\Aurora\StorageRW</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\StorageRO</Command>
    <Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\StorageRW</Command>
  </LogonCommand>
</Configuration>
```
You can just launch it
This example contains folders for easily transferring files from your system to the virtualized one
Lol I'm so stupid :) I will try
I have to install this one: https://github.com/icsharpcode/ILSpy/tree/master/ICSharpCode.ILSpyCmd https://www.nuget.org/packages/ilspycmd/
I'm really a noob, I think. Sorry, it's in French, but: cannot resolve 'ilspycmd (>= 0.0.0)' for 'net6.0'.
You need this https://dotnet.microsoft.com/en-us/download/dotnet/6.0
I will try, but I already installed the dotnet 6.0 SDK, I think.
Need runtime :)
Beginning of success
And it seems to be working on Linux :)
I just have to find an equivalent of de4dot for Linux :)
Work finished
Result here : https://github.com/petikvx/test-decompile-msil
Wow, cool 👍
You can also use these decompilers: https://github.com/icsharpcode/ILSpy https://github.com/dnSpyEx
And this deobfuscator: https://github.com/ViRb3/de4dot-cex
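
The decompile step from this thread, written for the Linux setup mentioned above, as an added example that is not code from any participant. It runs `ilspycmd` with the same `-p` and `-o` options over every `*-cleaned` file and names each output directory by the sample's content hash instead of its (possibly obfuscated or non-ASCII) file name. `OUT_ROOT`, `DRY_RUN`, `index.tsv` and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): batch-decompile de4dot output with ilspycmd.
# OUT_ROOT, DRY_RUN and all function names are assumptions of this example.
OUT_ROOT="${OUT_ROOT:-./decompiled}"

# SHA-256 of a file read from stdin, so the file name never appears in the output.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum < "$1"
    else shasum -a 256 < "$1"; fi | cut -c1-64
}

# Output directory for one assembly: named by content hash, not by file name,
# so obfuscated or non-ASCII names stay out of the tree and same-named samples
# from different folders cannot overwrite each other.
out_dir_for() {
    hash=$(sha256_of "$1" 2>/dev/null)
    [ "${#hash}" -eq 64 ] || return 1
    printf '%s/%s\n' "$OUT_ROOT" "$(printf '%s' "$hash" | cut -c1-16)"
}

# Decompile one assembly as a project (-p) into its own directory (-o).
decompile_one() {
    dir=$(out_dir_for "$1") || return 1
    mkdir -p -- "$dir" || return 1
    # index.tsv maps each hash-named directory back to the original path
    printf '%s\t%s\n' "$dir" "$1" >> "$OUT_ROOT/index.tsv"
    [ -n "$DRY_RUN" ] && return 0
    ilspycmd "$1" -p -o "$dir"
}

# Walk a tree and process every *-cleaned.exe / *-cleaned.dll left by de4dot-cex.
decompile_tree() {
    mkdir -p -- "$OUT_ROOT" || return 1
    find "$1" -type f \( -name '*-cleaned.exe' -o -name '*-cleaned.dll' \) -print |
    while IFS= read -r f; do
        decompile_one "$f" || printf 'failed: %s\n' "$f" >&2
    done
}

# Run only when a directory is given: sh decompile.sh /path/to/samples
if [ "$#" -gt 0 ]; then decompile_tree "$1"; fi
```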