eazdevirt
eazdevirt is an open source (GPLv3) toolkit for inspecting and devirtualizing executables that have been protected with Eazfuscator.NET's virtualization feature.
eazdevirt uses dnlib, which is included as a git submodule, to read and write assemblies.
Features
- Identify all methods (stubs) which have been virtualized
- Devirtualize methods for which all virtual opcodes are understood
- Inject method attributes to make identifying devirtualized methods easier
- Extract the embedded resource file containing virtualization info
- List all virtual opcodes and indicate which are identified
Common Issues / Solutions
Resolution of Types, Methods, etc.
Because of how Eazfuscator.NET's virtual machine works, resolving some types and methods requires that their names and MDTokens be exactly as expected (more specifically, that they match what is recorded in the embedded resource file). This means that running de4dot against an executable with its default options (which rename symbols and may reassign metadata tokens) before attempting to devirtualize it can cause certain types/methods to no longer resolve.
However, eazdevirt also requires (in most cases) that the program's control flow already be deobfuscated. Otherwise it might not detect certain virtual opcodes, and in some cases it might not work at all.
One way around this is to run de4dot twice: first with renaming and token changes disabled so that eazdevirt can still resolve everything, then again on the devirtualized output with the default options:
de4dot --dont-rename --keep-types --preserve-tokens MyAssembly.exe
eazdevirt -d MyAssembly-cleaned.exe
de4dot MyAssembly-cleaned-devirtualized.exe
This leaves the final result as MyAssembly-cleaned-devirtualized-cleaned.exe.
If de4dot is having trouble decrypting strings, try appending --strtyp none after the input filename in both de4dot invocations:
de4dot --dont-rename --keep-types --preserve-tokens MyAssembly.exe --strtyp none
...
de4dot MyAssembly-cleaned-devirtualized.exe --strtyp none
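The following shell script is an added example and is not part of eazdevirt or de4dot. It chains the three steps above, derives each intermediate filename the way the README shows them, checks that every expected output actually exists before moving on, and lets you append --strtyp none to both de4dot runs by setting STRTYP=none in the environment. It assumes (my assumptions, not the project's) that de4dot and eazdevirt are on the PATH (or wrapped by a launcher script of the same name) and that each tool writes its output beside its input using the -cleaned / -devirtualized suffixes.

```shell
#!/bin/sh
# Added example (not eazdevirt's own code): automate the two-pass de4dot
# workflow around eazdevirt and verify each intermediate artifact exists.
# Assumptions: de4dot and eazdevirt are runnable by name from the PATH,
# and each tool writes "<input>-cleaned" / "<input>-devirtualized" beside
# its input, as in the README examples.
set -eu

# Derive "<base>-<suffix>.<ext>" from "<base>.<ext>", matching the names the
# README shows (MyAssembly.exe -> MyAssembly-cleaned.exe).
stage_name() {
    input=$1
    suffix=$2
    base=${input%.*}
    ext=${input##*.}
    printf '%s-%s.%s\n' "$base" "$suffix" "$ext"
}

# Run de4dot with the given arguments. Set STRTYP=none in the environment to
# append "--strtyp none" after the input filename when string decryption fails.
run_de4dot() {
    if [ -n "${STRTYP:-}" ]; then
        de4dot "$@" --strtyp "$STRTYP"
    else
        de4dot "$@"
    fi
}

# Abort early if a tool silently produced nothing; the next stage would
# otherwise fail with a far less obvious error.
require_file() {
    [ -f "$1" ] || { echo "expected output missing: $1" >&2; exit 1; }
}

devirt_pipeline() {
    input=$1
    cleaned=$(stage_name "$input" cleaned)
    devirt=$(stage_name "$cleaned" devirtualized)
    final=$(stage_name "$devirt" cleaned)

    # 1. Deobfuscate control flow but keep names and metadata tokens so that
    #    eazdevirt can still resolve types/methods against the embedded resource.
    run_de4dot --dont-rename --keep-types --preserve-tokens "$input"
    require_file "$cleaned"

    # 2. Devirtualize the cleaned assembly.
    eazdevirt -d "$cleaned"
    require_file "$devirt"

    # 3. Full de4dot pass (renaming etc.) now that tokens no longer matter.
    run_de4dot "$devirt"
    require_file "$final"
    echo "$final"
}

if [ $# -eq 1 ]; then
    devirt_pipeline "$1"
fi
```

Usage: `sh devirt.sh MyAssembly.exe`, or `STRTYP=none sh devirt.sh MyAssembly.exe` when de4dot cannot decrypt strings. The script prints the path of the final artifact (MyAssembly-cleaned-devirtualized-cleaned.exe) on success.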
Building
Mono
To build with Mono (fetch the dnlib submodule first, then build the solution):
git submodule update --init
xbuild eazdevirt.sln
Newer Mono releases ship msbuild and deprecate xbuild; on those, msbuild eazdevirt.sln can be used in place of the xbuild command.
MSVS
On a Windows machine with MSVS installed, opening the solution file and building in Visual Studio should be sufficient (after updating the submodule as shown above). Alternatively, from a command prompt where msbuild is on the PATH:
msbuild eazdevirt.sln