search

puff / EazyDevirt

A tool for automatically reconstructing IL code from an assembly virtualized with Eazfuscator.NET
GNU General Public License v3.0
148 stars 33 forks source link

eaz Engine #21

Closed chinasmu closed 5 months ago

chinasmu commented 5 months ago

It looks like eaz will decrypt part of the real VM Engine with Real Names. Check it here: image image image image image I think it will be very helpful to handle OpCodeMapping stage.

puff commented 5 months ago

I don't think it would be reliable to use for OpCodeMapping because I have never seen these names in a real sample.

chinasmu commented 5 months ago

I don't think it would be reliable to use for OpCodeMapping because I have never seen these names in a real sample.

Yes, all above just exist in Eazfuscator.NET when it starting to vm a program. Not in a sample. `<?xml version="1.0" encoding="utf-8"?>

Yezo.VM.Execution Yezo.VM.Execution.dll Yezo.VM.Core.Instructions.VMGrammar <Eazfuscator CI>.a.h Add Q Add_Ovf g Add_Ovf_Un w And S Arglist I Beq K Bge L Bge_Un e Bgt m Bgt_Un z Ble c Ble_Un C Blt Z Blt_Un i Bne_Un j Box U Br k Break V Brfalse n Brtrue h Call o Calli P Callvirt G Castclass a Ceq x Cgt E Cgt_Un q Ckfinite f Clt F Clt_Un X Constrained T Conv_I M Conv_I1 W Conv_I2 A Conv_I4 l Conv_I8 Y Conv_Ovf_I r Conv_Ovf_I_Un y Conv_Ovf_I1 d Conv_Ovf_I1_Un N Conv_Ovf_I2 D Conv_Ovf_I2_Un t Conv_Ovf_I4 u Conv_Ovf_I4_Un J Conv_Ovf_I8 s Conv_Ovf_I8_Un b Conv_Ovf_U v Conv_Ovf_U_Un O Conv_Ovf_U1 B Conv_Ovf_U1_Un p Conv_Ovf_U2 R Conv_Ovf_U2_Un H Conv_Ovf_U4 Qd Conv_Ovf_U4_Un gd Conv_Ovf_U8 wd Conv_Ovf_U8_Un Sd Conv_R_Un Id Conv_R4 Kd Conv_R8 Ld Conv_U ed Conv_U1 md Conv_U2 zd Conv_U4 cd Conv_U8 Cd Cpblk Zd Cpobj id Div jd Div_Un Ud Dup kd Endfilter Vd Endfinally nd Initblk hd Initobj od Isinst Pd Jmp Gd Ldarg ad Ldarg_0 xd Ldarg_1 Ed Ldarg_2 qd Ldarg_3 fd Ldarg_S Fd Ldarga Xd Ldarga_S Td Ldc_I4 Md Ldc_I4_0 Wd Ldc_I4_1 Ad Ldc_I4_2 ld Ldc_I4_3 Yd Ldc_I4_4 rd Ldc_I4_5 yd Ldc_I4_6 dd Ldc_I4_7 Nd Ldc_I4_8 Dd Ldc_I4_M1 td Ldc_I4_S ud Ldc_I8 Jd Ldc_R4 sd Ldc_R8 bd Ldelem vd Ldelem_I Od Ldelem_I1 Bd Ldelem_I2 pd Ldelem_I4 Rd Ldelem_I8 Hd Ldelem_R4 Qy Ldelem_R8 gy Ldelem_Ref wy Ldelem_U1 Sy Ldelem_U2 Iy Ldelem_U4 Ky Ldelema Ly Ldfld ey Ldflda my Ldftn zy Ldind_I cy Ldind_I1 Cy Ldind_I2 Zy Ldind_I4 iy Ldind_I8 jy Ldind_R4 Uy Ldind_R8 ky Ldind_Ref Vy Ldind_U1 ny Ldind_U2 hy Ldind_U4 oy Ldlen Py Ldloc Gy Ldloc_0 ay Ldloc_1 xy Ldloc_2 Ey Ldloc_3 qy Ldloc_S fy Ldloca Fy Ldloca_S Xy Ldnull Ty Ldobj My Ldsfld Wy Ldsflda Ay Ldstr ly Ldtoken Yy Ldvirtftn ry Leave yy Localloc dy Mkrefany Ny Mul Dy Mul_Ovf ty Mul_Ovf_Un uy Neg Jy Newarr sy Newobj by Nop vy Not Oy Or By Pop py Prefix1 Ry Prefix2 Hy Prefix3 Q4 Prefix4 g4 Prefix5 w4 Prefix6 S4 Prefix7 I4 Prefixref K4 Readonly L4 Refanytype e4 Refanyval m4 Rem z4 Rem_Un c4 Ret C4 Rethrow Z4 Shl i4 Shr j4 Shr_Un U4 Sizeof k4 Starg V4 Starg_S n4 Stelem h4 Stelem_I o4 Stelem_I1 P4 Stelem_I2 G4 Stelem_I4 a4 Stelem_I8 x4 Stelem_R4 E4 Stelem_R8 q4 Stelem_Ref f4 Stfld F4 Stind_I X4 Stind_I1 T4 Stind_I2 M4 Stind_I4 W4 Stind_I8 A4 Stind_R4 l4 Stind_R8 Y4 Stind_Ref r4 Stloc y4 Stloc_0 d4 Stloc_1 N4 Stloc_2 D4 Stloc_3 t4 Stloc_S u4 Stobj J4 Stsfld s4 Sub b4 Sub_Ovf v4 Sub_Ovf_Un O4 Switch B4 Tailcall p4 Throw R4 Unaligned H4 Unbox Qv Unbox_Any gv Volatile wv Xor Sv IntCall Iv HEBeginRegion Kv HEEndRegion Lv Yezo.VM.Execution.Security.Cryptography.BranchingEncryptionHelper <Eazfuscator CI>.a.gy GetModulus N1JQ434P6f0GlqIKzI1y3 Ceq cunk7hubdIoOZwDqhQTwn4g15PfQZl DecryptData eHm836x1sWMAaDSZm2ZBJL6X0 Yezo.VM.Execution.Security.Cryptography.CryptoStreamHelper <Eazfuscator CI>.a.Sy CreateReadableStream UUqOHGwdobVM1ycYYlKu Yezo.VM.Execution.VirtualMachine <Eazfuscator CI>.a.Ly GetCodeCryptoSalt iCvsJKE2CdOn8BtHKQ GetMethodLabelCryptoSalt nKr5MDBUHD6hHe MakeDispatchTable urXa5w3QQDYhuZiIwMX ExecuteInstructionsCore gcfjaVjV9lqrQekNX IsTransparentProxy JHVHTGCOsFAb6qcGmn PreserveStackTrace ItzWUGQ34cxhBtUUyuXRhX968v ThrowException dJVJqlmGyjM4NODlQup Run kMrmLvmPKWbzWMhQ8lG541YpA RunF2 ixwqYE2FAAvE RunF3 TxHRMfi91LsUevdef AptcaLevel2 Q IsSecurityIssuePossible g ` I will try to find more to reasearch.
puff commented 5 months ago

I see what you mean. It could be useful when updating the tool to different versions of Eazfuscator. Thank you for the share, however, this project will remain targeted at 2022.2.

chinasmu commented 4 months ago

Tested with ver.2024.1 and working fine.