This is a tool to deobfuscate names only in Assemblies, It doesn't deobfuscate control-flow.

Kurapica, I haven't tried it. But how can you deobfuscate names? It's a one way process. You can only rename them to names that can be compiled again after being decompiled. Do you mean that?

This tool is supposed to make our life easier when exploring in Reflector, so the deobfuscated assembly in most cases won't run and it's meant to be used in Reflector for analysis only.

What this tool does is that it renames Classes and other member of assembly like Procedures and Fucntion into more understandable names for easier analysis, for example it renames a Class of type Form to "Class10_Form" instead of "xhfkd9oekfpklgpf" as we see in assemblies obfuscated with xenocode or any other obfuscator, I didn't want it to release it at first, but when I added type detection to renaming process it became more useful.

I hope it's useful for every one.

The type renaming method is a good idea.

BUT there are some serious bugs. You rename even special methods (which aren't obfuscated) like cctor, property methods (get/set) etc. These methods need their name to be intact. Otherwise after the renaming you'll have an assembly which can't run. And the decompiling process becomes even more difficult, how you can see from the images:

http://ntoskrnl.pmode.net/name_deobf.jpg

Even if considering only the decompilation process, it gets harder to understand the code when such clear names are missing, not easier.

You should fix this behaviour considering the type flags.

Thanks for the tips and I will try to fix these issues in next release.

Yes, I read that, but since it depends only on that issue, it can be fixed and assembly will be able to run.

You're welcome.

CRCETL:
http://www.woodmann.com/collaborative/tools/.NET_DeObfuscator


Hey Kurapica, thanks for all the nice tools, and welcome to the board.

If it would be in any way possible, could you just add a few extra words of description about the tools you upload (like the very nice description you gave above to Daniel)? That would make them so much more valuable for everyone I think!

Thanks for the tips... :-)

I will add more description next times.

What's new

1 - Faster algo
2 - Excludes certain members for better renaming
3 - Minor bug fixes

Bug reports are welcome

Nice. CRCETL entry updated.

Please note that you can (and are very welcome to) update the CRCETL entries for your tools yourself when you release an update, simply press the edit button at the bottom of the tool's page, enter the new info and presto, it's updated!

Hello,

What a great tool !!
Why I didn't find it before doing myself the deobfuscation of xenocode assemblies
Hmm do you manage no printable chars ? (xenocode obfuscation create a lot of non printable chars)

I'v tried it on an assembly created with xenocode and it does a great job, and déobfuscate maybe 90% of the code (not the control flow indeed)

Well thanks a ton for this tool

Wow ... :-D
I'm happy some one found it useful !!


I didn't understand what you meant by 90% because it's supposed to fully rename all members up to 100%


Thanks for the nice words

for example



I think defined ressources keep there @@#\ name

Thanks for the help Kurapica!

Thanks a lot Kurapica !

Please help
doesn't work on this sample.?
http://rapidshare.com/files/164285331/bin.rar.html ("http://rapidshare.com/files/164285331/bin.rar.html")
Why ? can you help me?
Error : Index was out range.Must be non-negative and less then the size of collection Parameter name index

There are two files :

1- HoWaveRull.dll : not an assembly and can't be deobfuscated !
2- HoWaveVGO.dll : this one is an assembly but all its names and code are clear and not obfuscated, I tried to deobfuscate but the tool failed because some items were made invalid to kill reflector and similar tools, it will be added to future updates.

Hi.

Sorry for asking this but how do you use it?

I double clicked on it and nothing happened.

Many Thanks

Worf

first make sure the file PE structure is OK then click the "..." and select the file
Select the location where the new deobfuscated file will be saved
Click the "deobfuscate" button and watch the log for errors.

that's all

Hi Kurapica.

Thank you for your reply. Just found out that the one i downloaded was Version 0.1, got Version 0.5 now

Hi Kurapica,

I tested your tool .NET Deobfuscator 0.5version it works great, just one small feature you missed.
The feature must be look like this:
* Add new checkbox witch allow exclude from renaming all names witch
are valid by regular expression: ^[a-Z] what is mean, actually as I seen nobody could rename class or function or procedure and etc with numbers or not standart symbols. So idea wood be as exclude from renaming by ReGex all names witch valid. E.g. Most obfuscators obfuscate strings as not standart simbols or use numerics strings.

Will be nice if you add this feature, then will help a lot.

Regards,
Demon

Thanks for the tip, I will definitely take into consideration in the next version.

greetz