
View Full Version : DeSmart - Deobfuscator


rongchaua
04-25-2008, 02:32 PM
Hi all,
I have just finished an obfuscator for {SmartAssembly}. I need some tests for it. You can download it here. Please login to view content.

http://rongchaua.net/tools-mainmenu-36/85-desmart-deobfuscator-for-smartassembly

I have tested it with LibX's crackme. It can restore all of the source code to readable form.
http://rongchaua.net/Web/Tmp/TestRun_patch.zip

If you have a file obfuscated with {SA} and no time to test, then upload it somewhere and give me a link. I need more files to test this tool.

@Kurapica and UFO: It would be great if you could send me a file packed with the newest version of {SA}. I cannot get {SA} to run on my machine. :D.

Regards.
rongchaua.

Kurapica
04-25-2008, 02:51 PM
This is cool shit !!

I always wanted to code this shit but I'm too lazy as you know !!

Anyway this is something I coded and used SA 3.0 to protect.

http://www.filesend.net/download.php?f=4c92b7fc1ace91a89b8b9d3ec644448e

Enjoy :D

rongchaua
04-25-2008, 04:05 PM
@Kurapica: Thanks for your file. I have tested your file with my tools. I think I should make some minor improvements.
@all: I am waiting for more files obfuscated with {SA}. :)

Kurapica
04-25-2008, 04:28 PM
This is another target for you rongchaua !

It's a DLL file not exe

Enjoy...

MOID
04-25-2008, 07:59 PM
Good: String decryption.
Renaming. I like that it has button1_Click, is that automatic?
Bad: Control flow deobfuscation
Sometimes control flow deobfuscation doesn't work and leaves obfuscated code (for instance Namespace_02.Class_02.ctor), sometimes it leaves broken code! For example Namespace_02.Class_02.Method_02 in your version:
    public static byte[] Method_02()
    {
        // This item is obfuscated and can not be translated.
        byte[] destinationArray = new byte[Field_08.Length];
        Array.Copy(Field_08, destinationArray, Field_08.Length);
        int num = 0;
        if (num >= destinationArray.Length)
        {
            return destinationArray;
        }
    }
Good version:
    public static byte[] Method_2()
    {
        byte[] destinationArray = new byte[Field_8.Length];
        Array.Copy(Field_8, destinationArray, Field_8.Length);
        for (int i = 0; i < destinationArray.Length; i++)
        {
            destinationArray[i] = (byte) (destinationArray[i] ^ 0x40);
        }
        return destinationArray;
    }

Here's my deobfuscated version of LibX's crackme, with my control flow deobfuscator and Kurapica's renamer:
http://rapidshare.com/files/110427787/my_TestRun.exe

rongchaua
04-26-2008, 06:39 PM
I have made some minor improvements. It still cannot turn all functions into readable form, but that is the current status. I did my best. :).
Regards.

rongchaua
04-30-2008, 02:58 PM
Version 1.0.0.4 is out. See link above.
Restore up to 99% source code to readable form.
Support {SA} version 1,2,3.

Kurapica
05-01-2008, 06:34 AM
Thanks for the update.

Why should I register to download !! It's annoying ???!!

would be nice if you post here or on FileSend.net

rongchaua
05-01-2008, 01:28 PM
Hi Kurapica,
I don't want that too. Please read this post to understand why I must activate Login section.

http://rongchaua.net/blog/Reverse_Engineering_violates_DMCA_Yes_it_does

Regards.

rongchaua
05-30-2008, 03:18 PM
Version 1.0.0.5 is out.
- Add Update Function.
- Use same GUI as the other.
- Fix minor bugs.

rongchaua
02-18-2009, 07:35 AM
Version 1.0.0.6 is out
- Support SA 3.2
- I don't know if it works with versions < 3.2. It would be nice if someone could share with me an assembly protected by SA 2.x
- I have tested with this file http://reteam.org/board/showthread.php?t=1386
- Some strings are still encrypted after deobfuscating. I don't know why :D.
- Link to download tool: http://rongchaua.net/tools-mainmenu-36/85-desmart-deobfuscator-for-smartassembly

Kurapica
02-18-2009, 10:28 AM
Nice tool my friend...

high6
02-21-2009, 12:28 PM
- Some strings are still encrypted after deobfuscating. I don't know why :D.

In case you missed it in the other thread.


Also would be cool if you made it options in desmart. So that you can choose the decrypt string and/or anti control flow and/or renaming.

Also something I added to my code.

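    // Returns the instruction that logically follows `ins`,
    // skipping over any unconditional branches (br / br.s).
    Instruction GetNext(Instruction ins)
    {
        ins = ins.Next;
        while (ins != null && (ins.OpCode == OpCodes.Br || ins.OpCode == OpCodes.Br_S))
        {
            // The operand of br / br.s is the branch target instruction.
            ins = ins.Operand as Instruction;
        }
        return ins;
    }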

Because control flow obfuscation is applied after string encryption so sometimes you get.

ldc 435
br somewhere
call stringdecrypt
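
The pattern high6 describes above, as an added example that is not part of the original thread or of DeSmart: a constant load is paired with the decrypt call that logically follows it, even when a `br` sits in between, and branch cycles are guarded against. The `Op`, `Ins` and `BranchFollow` types are a hypothetical toy model standing in for a real IL library, and the instruction list is constructed sample data.

```csharp
using System;
using System.Collections.Generic;

// Toy IL model (hypothetical; stands in for a real IL library's instruction type).
enum Op { LdcI4, Br, Call, Nop, Ret }

class Ins
{
    public Op Op; public object Operand; public Ins Next;
    public Ins(Op op, object operand = null) { Op = op; Operand = operand; }
}

static class BranchFollow
{
    // Logical successor: step to Next, then follow unconditional branches.
    // The visited set stops the walk if the branches form a cycle.
    public static Ins GetNext(Ins ins)
    {
        var seen = new HashSet<Ins>();
        ins = ins.Next;
        while (ins != null && ins.Op == Op.Br && seen.Add(ins))
            ins = ins.Operand as Ins;
        return ins;
    }

    // Collect the IDs of constant loads whose logical successor is the decrypt call.
    public static List<int> FindDecryptIds(IList<Ins> body, string decryptName)
    {
        var ids = new List<int>();
        foreach (var ins in body)
        {
            if (ins.Op != Op.LdcI4) continue;
            var next = GetNext(ins);
            if (next != null && next.Op == Op.Call && (next.Operand as string) == decryptName)
                ids.Add((int)ins.Operand);
        }
        return ids;
    }

    static void Main()
    {
        // Constructed sample: ldc 435; br L1; nop; L1: call stringdecrypt; ret
        var call = new Ins(Op.Call, "stringdecrypt");
        var body = new List<Ins> {
            new Ins(Op.LdcI4, 435), new Ins(Op.Br, call), new Ins(Op.Nop), call, new Ins(Op.Ret)
        };
        for (int i = 0; i + 1 < body.Count; i++) body[i].Next = body[i + 1];
        Console.WriteLine(string.Join(",", FindDecryptIds(body, "stringdecrypt")));
    }
}
```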

rongchaua
02-22-2009, 07:09 AM
Hi high6,
thanks for your help. But the problem doesn't lie in the flow control, because I fixed the flow control before decrypting strings.
It lies in the decrypt function, because this function does not work with some IDs. It works with most IDs, but not with all IDs.
I think the decrypt routine of SA has errors. However, I am not sure. And I do not intend to check that. ;).
For example: you can try your old code with this assembly http://reteam.org/board/showthread.php?t=1386 . The ID 33e8 will not be accepted although it is used in this function:

    private static bool Method_02(bool flag1)
    {
        DateTime time = DateTime.Parse("2009-02-22T00:00:00");
        if ((DateTime.Now <= time) && (DateTime.Now >= time.AddDays(-21.0)))
        {
            return true;
        }
        string name = Assembly.GetExecutingAssembly().GetName().Name;
        string message = string.Format(Class_04.Method_00(0x33e8), name, time.ToString("D"));
        if (flag1)
        {
            throw new Exception(message);
        }
        Class_02 mainForm = new Class_02(message, "{smartassembly} License Exception", "error");
        Method_00();
        Application.Run(mainForm);
        return false;
    }

high6
02-22-2009, 01:40 PM
Hm, my version decrypts all the strings fine. I checked for all references to the decrypt call and there aren't any after running mine.

Also that string is

"\'{0}\' has been built with an evaluation version of {{smartassembly}}, which has expired on {1}.\n\nYou need to purchase a license of {{smartassembly}}."

I posted my code in the other thread. Do you think it has something to do with your deobfuscating method?

jerry828
02-28-2009, 10:52 AM
Thanks, rongchaua, for this good tool

rongchaua
02-28-2009, 12:16 PM
Version 1.0.0.7 is out:
[1.0.0.7] : Bugfix in decrypting string. It works now better.

Regards.
rca.

Kurapica
02-28-2009, 02:44 PM
Well done rongchaua !! your tools are excellent.

sirp
03-02-2009, 09:04 AM
love em too, always very useful and time saving ;)

RFTO
03-10-2009, 02:09 AM
Am I the only one where this doesn't work?

Issues:
Breaks any .exe I use it on, "Error system.typeinitialization". ALL VERSIONS
Doesn't decrypt strings in a few versions
Freezes up sometimes towards the end (Seems to be fixed in 1.0.0.7 though)

It is still nice, but I thought I would bring the issues to your attention.

I don't have a specific application to give you, as these are problems that always occur.

rongchaua
03-10-2009, 08:03 AM
Breaks any .exe I use it on, "Error system.typeinitialization". ALL VERSIONS
Doesn't decrypt strings in a few versions
Freezes up sometimes towards the end (Seems to be fixed in 1.0.0.7 though)
Yes, these problems can occur because I do not have many samples to test.

I don't have a specific application to give you, as these are problems that always occur.
That makes me sad. :(. It is always better with an example. You know, it is just my hobby to write these tools. I have no motivation to find a sample which makes my tool break. :(.
Thank you for your feedback.
Regards.
rca

Slashmolder
03-13-2009, 09:22 PM
Yes, these problems can occur because I do not have many samples to test.


That makes me sad. :(. It is always better with an example. You know, it is just my hobby to write these tools. I have no motivation to find a sample which makes my tool break. :(.
Thank you for your feedback.
Regards.
rca

This program breaks it: http://rapidshare.com/files/198615947/ClubLiveLBI_1.0.rar. I don't care too much if you can but just thought I would help.

rongchaua
03-14-2009, 04:48 AM
What do you mean by "This program breaks it"? You mean the file does not run anymore after deobfuscating? Then that's right, because the file was changed but I did not re-sign the assembly. Check with the new version if it works. Please note that your sample file needs other DLLs to run.

rongchaua
04-07-2009, 10:18 AM
Homepage : http://rongchaua.net/tools-mainmenu-36/85-desmart-deobfuscator-for-smartassembly
Version : 1.0.0.9

[1.0.0.9] : Bugfix in fixing branch and handling exception.

Regards.
rca.

appodati
04-25-2009, 05:08 AM
http://rapidshare.com/files/225505732/mla_sql.dll.html

it has Phoenix Protector+ SmartAssembly.
i had OutofMemoryException.

studguy1
04-25-2009, 08:38 AM
Trying to extract Artisteer 2.0
http://www.artisteer.com/?p=downloads (54.6 MB)

Using the latest 1.0.0.9 DeSmart but the tool just crashes with System.OutofMemoryException

cyrax
06-24-2009, 11:13 PM
Any plans to update for the latest Smart Assembly release? Can supply an obfuscated exe if you want to check it out

Slashmolder
06-26-2009, 05:02 PM
I also would like to see support and have an assembly that I think is protected by the latest {sa}.

sugengnn
01-19-2010, 03:41 AM
Hi rongchaua:
I used DeSmart (V1.0.0.9) to extract a dll, but have some issues:

System.OutOfMemoryException
in System.Collections.Geneic.List.1.set_capcaity(int3 2.value)
....
here is dll
http://www.filesend.net/download.php?f=60362984ee5f198bd6d3f0f970e0374b or http://rapidshare.com/files/337605630/EntLibEC.View.rar.html

Thank you!

rami_rez
03-22-2010, 08:41 AM
Hi, rongchaua!

latest version of the subject crashes, here is the info from crash box:

---------------------------
Reverse Engineering Association
---------------------------
Exception of type 'System.OutOfMemoryException' was thrown.

at System.Collections.Generic.List`1.set_Capacity(Int32 value)

at System.Collections.Generic.List`1.EnsureCapacity(Int32 min)

at ?19?.?50?..ctor(BinaryReader ?1067?)

at ?19?.?47?..ctor(BinaryReader ?1067?, ?22? ?1093?)

at ?19?.?22?..ctor(BinaryReader ?1067?, ?34? ?1074?)

at ?19?.?34?..ctor(String ?1044?)
---------------------------
OK
---------------------------

and here is the info from Details button pressed:

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.NullReferenceException: Object reference not set to an instance of an object.
at ?1?.?7?.?471?(String ?1041?, TextBox& ?1042?)
at ?1?.?9?.?485?(Object ?1048?, EventArgs ?1049?)
at System.Windows.Forms.Control.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ButtonBase.WndProc(Message& m)
at System.Windows.Forms.Button.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


Any chance this gets fixed?
Thanks