barnacleboy
commented
8 years ago symbols.map gets only generated if you use readable renaming by using the "mode" "decodable".
Closed ab-tools closed 8 years ago
barnacleboy
commented
8 years ago symbols.map gets only generated if you use readable renaming by using the "mode" "decodable".
ab-tools
commented
8 years ago Hello barnacleboy,
thanks for your comment, but that's wrong: the quite new mode "sequential" (which is not documented yet) generates a "symbols.map" file as well.
This also works fine, I mean the "symbols.map" file is generated, but as shown above not everything is renamend in a readable way.
That's the question: why this is the case?
ab-tools
commented
8 years ago I checked it once more now and found out that e. g. for the above constant private const int \u0039fA the name "\u0039fA" is not in the "symbols.map" file, but there is a name "9fA" in the file which would make sense. So it looks like there are all included in the "symbols.map" file, but some used with strange (probably unicode?) characters.
As that's really hard to decode again (e. g. when inside a stack trace) it would be great if really only readable characters could be used for renaming.
Or is there another reason why my disassmabling tool (using "dotPeek" at the moment) shows the name as "\u0039fA" instead of just "9fA" which it obviously is?
ivan-danilov
commented
8 years ago I guess that the reason is that in C# legitimate identifier can't start with digit. In ConfuserEx you can set "debug" flag, which encloses all identifiers with _, thus making it legit in C#. Perhaps this way you could confirm/reject my theory.
P.S. For obfuscated code I'd use dnSpy instead of dotPeek - it is much more robust when obfuscation did something nasty to the code, at least in my experience. Plus, it is definitely not so picky and shows identifiers starting with digits just fine without those ugly \uXXXX things.
yck1509
commented
8 years ago Hi, As mentioned by @ivan-danilov , your decompiler chose not to shown digits at the beginning of identifier. The renamed identifiers should still be readable. In your example, "\u0039" is character '9' in unicode form.
ab-tools
commented
8 years ago OK, thank you!
Unfortunately I found another strange behavior now in further testing.
I'm usung the "sequential" renaming mode that I can un-obfuscate my stack traces.
But when I look at the obfuscated source code some of the names are renamed with not readable characters for whatever reason:
As you can see most of them are just renamed to "w3" or "fFA" as expected, but others to something like "\u0038fA" which I also don't find in the "symbols.map" file. This happens to some variable, function and class names, but not to all.
What could be the reason for that?