Home

Awesome

eazdevirt

eazdevirt is an open source (GPLv3) toolkit for inspecting and devirtualizing executables that have been protected with Eazfuscator.NET's virtualization feature.

eazdevirt uses dnlib to read and write assemblies, which is included as a submodule.

Features

Common Issues / Solutions

Resolution of Types, Methods, etc.

Because of how Eazfuscator.NET's virtual machine works, resolving some types and methods requires that their names and MDTokens be as expected (more specifically, to match what is found in the embedded resource file). This means that running de4dot against an executable with the default options before attempting to devirtualize said executable might cause certain types/methods to not resolve correctly.

However, eazdevirt also requires (in most cases) the control flow of the program to be deobfuscated. Otherwise it might not detect certain virtual opcodes, and in some cases it might not work at all.

One way around this is the following:

de4dot --dont-rename --keep-types --preserve-tokens MyAssembly.exe
eazdevirt -d MyAssembly-cleaned.exe
de4dot MyAssembly-cleaned-devirtualized.exe

... leaving the result as MyAssembly-cleaned-devirtualized-cleaned.exe

If de4dot is having trouble decrypting strings, try appending --strtyp none after the input filename:

de4dot --dont-rename --keep-types --preserve-tokens MyAssembly.exe --strtyp none
...
de4dot MyAssembly-cleaned-devirtualized.exe --strtyp none

Building

Mono

To build with Mono:

git submodule update --init
xbuild eazdevirt.sln

MSVS

On a Windows machine with MSVS installed, opening the solution file and building in Visual Studio should be sufficient (after updating the submodule as shown above).

msbuild eazdevirt.sln should also work.

Special Thanks