DotFuckScator v1.0


LibX
09-12-2008, 10:54 AM
DotFuckScator is a reverse engineering tool used to remove string encryption
from dotfuscator protected files.

If the original file was strong name signed, DotFuckScator will create a new keypair
and re-sign the file with this pair. Be careful, since files depending on this file will
need to be edited manually to support the new strong name signature.
You can use RE-Sign for this and the editor of your choice.

Also, if you would like the file re-signed with a specific key, place your key in the same
folder as the file you are about to process and rename it to DotFuckScator.snk;
DotFuckScator will then use this key for the re-sign process.

http://www.reteam.org/tools/ts35.gif

Check the reteam.org tool page for the download link

UFO-Pu55y
09-13-2008, 05:19 AM
lool ! nice work again.
I especially like the name of this tool :D
and I'm sure 'they' will love it as well :p

high6
09-19-2008, 02:28 PM
LibX, can you update this to work with the latest dotfuscator? Or do you know how the newest encryption works?

Because with my own tool and this I get a ton of half decrypted strings.

I have the encrypted string.

\uf285\uf087\ufe89\ud98b\ufd8d\uf58f\ue091

which decodes to

txtuser

but my tool and yours decodes it as

txt癳ser

I think it has something to do with the flag at the end of the user string. Because if you change the flag from 1 to 0 it causes the program to decrypt to that too.

LibX
09-22-2008, 09:25 AM
I think it has something to do with the flag at the end of the user string. Because if you change the flag from 1 to 0 it causes the program to decrypt to that too.

I see the problem, but I am not sure what you're trying to tell me in the last part. Could you explain this please?

LibX
09-22-2008, 11:12 AM
OK, check the latest release of DotFuckScator; it's fixed.
Thanks for the bug report :)

Regards
LibX // RETeam

high6
09-23-2008, 05:07 PM
OK, check the latest release of DotFuckScator; it's fixed.
Thanks for the bug report :)

Regards
LibX // RETeam

How did you fix it? I am curious as to how you did it; I can't figure it out.

Edit:

Hmm it gives me a

"Object reference not set to an instance of an object"

when I tried it.

Evilcry
09-25-2008, 02:23 AM
Great Work mate :)

LibX
09-26-2008, 04:51 AM
How did you fix it? I am curious as to how you did it; I can't figure it out.

Edit:

Hmm it gives me a

"Object reference not set to an instance of an object"

when I tried it.

Did you get this error when you started DotFuckScator or when you tried to process a protected file?
Could you please put a copy of the file you have problems with online?

Regards
LibX

high6
09-27-2008, 07:50 PM
Did you get this error when you started DotFuckScator or when you tried to process a protected file?
Could you please put a copy of the file you have problems with online?

Regards
LibX

It happened when processing the protected file.

Here is the file.

http://rapidshare.com/files/140017644/ICHC_v0.7.zip.html

LibX
10-01-2008, 08:58 AM
Download the latest version please; this one should process the file just fine (v1.2).

Thanks for the bug report :)

Regards
LibX

high6
10-02-2008, 09:57 AM
thanks.

Also what was wrong with the original decryption?

Edit:

When I try to run it, it crashes and gives me an invalid program exception.

ender
10-06-2008, 03:12 AM
Hey LibX. I've been trying to get up to speed on .net reversing, so first off, I just wanted to say I really appreciate all the stuff you guys have put together here at the RET board. It's really helped.

That being said :p ... in case it helps you work any kinks out of the tool, I just wanted to let you know that I tried running dotfuckscator against a dotobfuscated binary the other day, and while being able to see the (mostly) decoded strings in the disassembler was great, I found that in any given class, many strings weren't fully decoded and still had several chars that were still in the '\u####' format.

If you wanted to take a look, the program I was messing around with was "Video Thumbnails Maker by Scorp". You can grab it here: http://www.suu-design.com/downloads.html.

Just as a quick disclaimer, the app is already free/donationware, and I was only using it as something to practice on.

Anyway, thanks again for the great tool, and if you happen to find any time to figure out why some strings are only being partially decoded, would love to hear back from you.

LibX
10-06-2008, 08:26 AM
thanks.

Also what was wrong with the original decryption?

Edit:

When I try to run it, it crashes and gives me an invalid program exception.

Well, since you're the only one I know of with this problem, I think there is something wrong with your system's configuration :confused:
I have tested this tool on Vista x86/64 / Windows 2008 Server 64 / Windows XP x86/64 and Windows 2003 x86 and it's all working just fine.
Do you have .NET Framework 2.0 with the latest service pack installed?

Gr
LibX

LibX
10-06-2008, 08:28 AM
Hey LibX. I've been trying to get up to speed on .net reversing, so first off, I just wanted to say I really appreciate all the stuff you guys have put together here at the RET board. It's really helped.

That being said :p ... in case it helps you work any kinks out of the tool, I just wanted to let you know that I tried running dotfuckscator against a dotobfuscated binary the other day, and while being able to see the (mostly) decoded strings in the disassembler was great, I found that in any given class, many strings weren't fully decoded and still had several chars that were still in the '\u####' format.

If you wanted to take a look, the program I was messing around with was "Video Thumbnails Maker by Scorp". You can grab it here: http://www.suu-design.com/downloads.html.

Just as a quick disclaimer, the app is already free/donationware, and I was only using it as something to practice on.

Anyway, thanks again for the great tool, and if you happen to find any time to figure out why some strings are only being partially decoded, would love to hear back from you.

Thanks for the bug report, ender, I'll take a look at this file :)
And happy to hear you find the tools useful :)

regards
LibX

LibX
10-06-2008, 08:36 AM
Well, since you're the only one I know of with this problem, I think there is something wrong with your system's configuration :confused:
I have tested this tool on Vista x86/64 / Windows 2008 Server 64 / Windows XP x86/64 and Windows 2003 x86 and it's all working just fine.
Do you have .NET Framework 2.0 with the latest service pack installed?

Gr
LibX

OK lol, I just checked it out and I found that some strings from this application are for different languages; one of them is Russian, so that explains the \uxxx stuff ;)
So everything is decrypted just fine; you just can't display the Russian characters on your Windows, I think (they do show here because I have virtually all codepages installed).
Anyway, if you find other bugs, lemme know.

Regards
LibX

LibX
10-06-2008, 03:03 PM
thanks.

Also what was wrong with the original decryption?

Edit:

When I try to run it, it crashes and gives me an invalid program exception.

Sorry, I didn't respond to this yet. Well, the problem is the string reading function from Mono Cecil and not the decryption process itself.
Cecil uses Encoding.Unicode.GetString against a byte array, but in some cases the result from this function isn't correct.
I fixed it with my own function that reads the string as raw bytes first, then converts all of them to chars and creates a new string out of this, which I then decrypt to get the proper result.

Hope this helps

Regards
LibX
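
The failure LibX describes, reproduced on the encrypted sample high6 posted earlier in the thread (an added example, not code from DotFuckScator, Cecil or any poster). It is Python standing in for the .NET calls; the key schedule and start byte 0x85 are assumptions inferred from that one sample, under which the clean plaintext comes out as "txtUser".

```python
import struct

# Code units of the encrypted sample posted in the thread.
SAMPLE = [0xF285, 0xF087, 0xFE89, 0xD98B, 0xFD8D, 0xF58F, 0xE091]
SAMPLE_BYTES = struct.pack("<%dH" % len(SAMPLE), *SAMPLE)  # stored as UTF-16LE
# Assumption: starting key byte, inferred from this one sample only.
START_KEY = 0x85


def raw_units(data: bytes) -> list:
    """Read every two bytes as one UTF-16 code unit, with no validation."""
    return list(struct.unpack("<%dH" % (len(data) // 2), data))


def validated_units(data: bytes) -> list:
    """Read through a validating UTF-16LE decoder.

    Unpaired surrogates become U+FFFD, which is also what .NET's
    Encoding.Unicode.GetString does by default.
    """
    text = data.decode("utf-16-le", errors="replace")
    return raw_units(text.encode("utf-16-le"))


def decrypt(units, key=START_KEY) -> str:
    """Assumed scheme: XOR each byte with an incrementing key, swap bytes."""
    out = []
    for unit in units:
        high = (unit & 0xFF) ^ (key & 0xFF)
        low = (unit >> 8) ^ ((key + 1) & 0xFF)
        key += 2
        out.append(chr((high << 8) | low))
    return "".join(out)


def damaged_positions(data: bytes) -> list:
    """Indexes where validation changed a code unit before decryption."""
    pairs = zip(raw_units(data), validated_units(data))
    return [i for i, (raw, checked) in enumerate(pairs) if raw != checked]


if __name__ == "__main__":
    print(decrypt(raw_units(SAMPLE_BYTES)))        # raw read
    print(decrypt(validated_units(SAMPLE_BYTES)))  # validating read
    print(damaged_positions(SAMPLE_BYTES))
```

The encrypted unit 0xD98B is an unpaired high surrogate, so the validating read swaps it for U+FFFD before decryption and only that one character comes out wrong.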

ender
10-07-2008, 01:16 AM
OK lol, I just checked it out and I found that some strings from this application are for different languages; one of them is Russian, so that explains the \uxxx stuff ;)
So everything is decrypted just fine; you just can't display the Russian characters on your Windows, I think (they do show here because I have virtually all codepages installed).
Anyway, if you find other bugs, lemme know.

Regards
LibX

Hey LibX, I just wanted to double check, but was this response intended only for high6, or did you think my problem was also related to the inclusion of strings in various languages.

As a quick side note (while I am aware the prog I am looking into has strings encoded from different languages) the "half decrypted" strings I was talking about were all in English (in some cases the "space" character wasn't decoded, or a miscellaneous letter wasn't decoded from the middle of the application title for instance, but the letters before and after were).

Anyway, thanks for your quick response, and just ignore this if your previous response didn't have anything to do with me.

LibX
10-07-2008, 06:57 AM
Hey LibX, I just wanted to double check, but was this response intended only for high6, or did you think my problem was also related to the inclusion of strings in various languages.

As a quick side note (while I am aware the prog I am looking into has strings encoded from different languages) the "half decrypted" strings I was talking about were all in English (in some cases the "space" character wasn't decoded, or a miscellaneous letter wasn't decoded from the middle of the application title for instance, but the letters before and after were).

Anyway, thanks for your quick response, and just ignore this if your previous response didn't have anything to do with me.

That reply was for another problem ;)
But are you sure you are running the latest version of DotFuckScator? I made a dump here of all strings that are decrypted and all strings are perfectly fine here :S
The latest version is v1.2; the title bar of the form should show this.

If it's still not working, please post a screenshot of the problem.

regards
LibX

LibX
10-07-2008, 07:19 AM
Anyway, just released v1.3; the output will also be able to run now. Fixed a royal fuckup ;x

ender
10-07-2008, 08:05 AM
Anyway, just released v1.3; the output will also be able to run now. Fixed a royal fuckup ;x

I was running v1.2 (which was the latest version at the time). I even redownloaded it and ran it against a fresh install of the app I was looking into before I posted (to make sure I'm not just talking out of my ass), but I got the same results (with not all strings being fully decoded).

I just tried v1.3 however, and whatever you changed fixed the problem, so thanks :D . Mind if I ask what the "royal fuckup" was?

LibX
10-07-2008, 09:28 AM
I was running v1.2 (which was the latest version at the time). I even redownloaded it and ran it against a fresh install of the app I was looking into before I posted (to make sure I'm not just talking out of my ass), but I got the same results (with not all strings being fully decoded).

I just tried v1.3 however, and whatever you changed fixed the problem, so thanks :D . Mind if I ask what the "royal fuckup" was?

Well, I don't know how it fixed the problem since I didn't change a single byte of code in the string decrypt function.. :S
But I forgot to fix a for loop that replaced the call to the string decrypt function with nops.
Now it's working :)

Regards
LibX

high6
10-10-2008, 09:13 PM
just downloaded 1.3 and it didn't break the app this time.

Thanks :D

ender
01-30-2009, 05:56 AM
Haven't really had much time to try my hand at reversing anything since the last time I posted on this board. That said, I wanted to see if I could make a proper keygen for a particular app, and when I ran your dotFuckScator tool it decrypted most of the strings in the program, but there were several that were most definitely not decrypted. All the sections that weren't decrypted tended to be longer sections of text. I'm not sure if this has something to do with how your string "finding" routine works, but the only other thing I noticed is that bits and pieces of the string (usually at the very beginning of the string, but in one case at the very end of the string) did get decrypted.

The particular program in question is a freeware app (the same one I had previously tried to reverse). It's called "Video Thumbnails Maker" by Scorp. I'm only mentioning the app in case you thought you might be able to debug the program or had any ideas why it might not be decrypting some strings.

In particular, if you run the app through dotFuckScator and look in the main "m" class using reflector or somesuch, and scroll about halfway down the decompiled IL, you'll see a bunch of non-decrypted strings.

Thanks once again for the great tool and also for any help you might be able to give. If you have any idea what might be the prob, hope to hear back from you.