From Collaborative RCE Tool Library
Deobfuscation Tools
| Tool name: | Malzilla |
|---|---|
| Author: | Boban bobby Spasic |
| Website: | http://malzilla.sourceforge.net |
| Current version: | 1.2.0 |
| Last updated: | November 2, 2008 |
| Direct D/L link: | N/A |
| License type: | Free / Open Source |
| Description: | Malware hunting tool. Web pages that contain exploits often use a series of redirects and obfuscated code to make it more difficult for somebody to follow. MalZilla is a useful program for use in exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of web pages and all the HTTP headers. It gives you various decoders to try and deobfuscate JavaScript as well. |
| Also listed in: | Javascript Debuggers, Javascript Deobfuscators |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | .NET DeObfuscator |
|---|---|
| Author: | Kurapica |
| Website: | http://www.woodmann.com/forum/showthread.php?t=11810 |
| Current version: | 0.5 |
| Last updated: | June 11, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | This is a tool to deobfuscate names only in assemblies; it doesn't deobfuscate control flow. This tool is supposed to make our life easier when exploring in Reflector, so the deobfuscated assembly in most cases won't run and it's meant to be used in Reflector for analysis only. What this tool does is rename classes and other members of the assembly, like procedures and functions, into more understandable names for easier analysis. For example, it renames a class of type Form to "Class10_Form" instead of "xhfkd9oekfpklgpf", as we see in assemblies obfuscated with Xenocode or any other obfuscator. I didn't want to release it at first, but when I added type detection to the renaming process it became more useful. |
| Also listed in: | .NET Deobfuscation Tools |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | CodeDoctor |
|---|---|
| Author: | hnedka |
| Website: | N/A |
| Current version: | 0.90 |
| Last updated: | November 12, 2009 |
| Direct D/L link: | see details |
| License type: | freeware |
| Description: | CodeDoctor is a plugin for Olly and IDA. History: 11.11.2009 - 0.90 - initial public release. Its functions are listed below this table. |
| Also listed in: | IDA Extensions, OllyDbg Extensions, Resource Editors, Unpacking Tools |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |

CodeDoctor functions:

1) Deobfuscate

Select instructions in the disasm window and execute this command. It will try to clear the code of junk instructions. Example:

Original:

```
00874372 57            PUSH EDI
00874373 BF 352AAF6A   MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB          ADD EBX,EDI
00874386 5F            POP EDI
```

Deobfuscated:

```
00874372 83C3 04       ADD EBX,4
```

2) Deobfuscate - Single Step

This works like the previous command, but does one transformation at a time.

3) Move NOPs to bottom

Converts this:

```
00874396 50            PUSH EAX
00874397 90            NOP
00874398 90            NOP
00874399 52            PUSH EDX
0087439A BA 3F976B00   MOV EDX,somesoft.006B973F
```

to this:

```
00874396 50            PUSH EAX
00874397 52            PUSH EDX
00874398 BA 3F976B00   MOV EDX,somesoft.006B973F
0087439D 90            NOP
0087439E 90            NOP
```

Limitations: it breaks all jumps and calls pointing inwards.

4) Undo / Redo

Undo or redo the last operation (from one of the above functions).

5) Retrieve Jumpy function

This will statically parse instructions and follow all jumps. This is useful for situations when a program jumps here and there and here and there... When it encounters an instruction that can't be followed, it stops and copies all parsed instructions to an allocated place in memory.

Use settings to set some parameters:

* Step over calls - if set, it will step over calls, otherwise it will follow them
* Step over jccs - ditto, but for Jccs
* Deobfuscate - it will deobfuscate instructions when it encounters Jcc, RET, JMP reg/exp, CALL reg/exp; useful for multi-branch

Example:

Original:

```
00874389 /EB 05        JMP SHORT somesoft.00874390
0087438B
```
| Tool name: | DelForExp |
|---|---|
| Author: | Egbert van Nes |
| Website: | http://www.aew.wur.nl/uk/delforexp/ |
| Current version: | 2.5 |
| Last updated: | 2007 |
| Direct D/L link: | http://content.alterra.wur.nl/internet/webdocs/internet/aew/downloads/DelForEx.zip |
| License type: | freeware |
| Description: | DelForExp is a FREEWARE Delphi source code formatter that really works. It improves the indentation, spacing, capitalization and use of blank lines of Delphi source code. To do so the source code is parsed and lots of special constructs are tested. By default, the style of the Borland source code is followed closely, since this is the most widely accepted style. But formatting of Pascal code is very much a matter of taste and debate. Therefore, some alternative rules are included. DelForExp is available as a Delphi 2/3/4/5/6/7/9/2007 expert. It can optionally process the whole currently opened project. |
| Also listed in: | Code Beautifiers |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | dotNetTools Win32 |
|---|---|
| Author: | PV Logiciels |
| Website: | http://dotnetprotector.pvlog.com/Tools.aspx |
| Current version: | 1.0 |
| Last updated: | November 8, 2008 |
| Direct D/L link: | http://dotnetprotector.pvlog.com/downloads/dotNetToolsWin32.msi |
| License type: | Free |
| Description: | dotNet Tools is a freeware suite that includes dotNet Sniffer, PvLog DeObfuscator and PvLog LicenseManagerKiller. dotNet Sniffer uses the .NET profiler API to save assemblies loaded from memory. PvLog Deobfuscator is an MSIL code optimizer that makes obfuscated code more readable. LicenseManagerKiller is a tool that removes LicenseProvider attributes in the assembly. |
| Also listed in: | .NET Deobfuscation Tools, .NET Tools, .NET Unpackers |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | Lore's Source to HTML Converter |
|---|---|
| Author: | Lars Haendel |
| Website: | http://www.newty.de/lsc/index.html |
| Current version: | 3.4b |
| Last updated: | 06/01/2005 |
| Direct D/L link: | http://www.newty.de/lsc/zip/Source2HTML.exe |
| License type: | GPL |
| Description: | Lore's Source to HTML Converter is a free software tool that converts source code of arbitrary programming or markup languages into syntax-highlighted HTML. The key features are: supports arbitrary programming or markup languages (language definitions for C/C++, Java, JavaScript, Delphi, LaTeX, HTML, Ini files and BibTeX currently exist); project files to easily store options and file lists for your different projects; pre- and user-defined syntax highlighting styles; optimized output (successive elements with the same color or style are formatted together and not separately); fast on-the-fly conversion; extensive syntax highlighting like in commercial compilers or editors. Take a look at the screenshot to get an idea... Note, this tool does not actually alter source code, so it's not a code beautifier in the traditional sense. It is purely intended to generate a formatted HTML representation of code. "Arbitrary languages" means that you can define your own lexer-style keywords and their associated formatting options. This tool is extremely useful for documenting source code (e.g. in tutorials). |
| Also listed in: | Code Beautifiers |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | MFC Decorated To Undecorated |
|---|---|
| Author: | ZaiRoN |
| Website: | http://zairon.wordpress.com/2006/10/13/mfc-decorated-to-undecorated/ |
| Current version: | 1.0 |
| Last updated: | October 13, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | This is a little application I wrote some time ago, and it might come in handy when you need to convert a decorated C++ name into the undecorated version of the same name. You can convert a single name or an entire .def file; I sometimes convert mfc42.def when my preferred disassembler/debugger doesn't recognise one or more names. |
| Also listed in: | Code Beautifiers |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | PolyStyle |
|---|---|
| Author: | Matt Jones |
| Website: | http://www.polystyle.com |
| Current version: | 3.2zn |
| Last updated: | October 16, 2007 |
| Direct D/L link: | N/A |
| License type: | Shareware |
| Description: | Very nice and flexible code beautifier, for many languages. |
| Also listed in: | Code Beautifiers, Javascript Deobfuscators |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | PvLog DeObfuscator Win32 |
|---|---|
| Author: | PV Logiciels |
| Website: | http://dotnetprotector.pvlog.com/Tools.aspx |
| Current version: | 1.0 |
| Last updated: | November 8, 2008 |
| Direct D/L link: | http://dotnetprotector.pvlog.com/downloads/DeObfuscatorWin32.zip |
| License type: | Free |
| Description: | PvLog Deobfuscator is an MSIL code optimizer. One side effect of the optimizer is that it can make obfuscated code more readable. PvLog DeObfuscator can also rename the types and names of members to further improve readability. This tool does not require installation: you just need to run the executable. DeObfuscator is also available in 32- and 64-bit versions, but we recommend you use the version that corresponds to the architecture of the assembly to optimize. The assembly generated by Deobfuscator may not always run because of protective measures implemented in the assembly (protection against code modification), but should be able to load in Reflector. NOTE: the attribute that prevents ILDASM is not removed by DeObfuscator... but it could be! |
| Also listed in: | .NET Deobfuscation Tools, .NET Tools |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | pynary |
|---|---|
| Author: | c1de0x |
| Website: | http://code.google.com/p/openrce-snippets/wiki/pynary |
| Current version: | 0.0.1 |
| Last updated: | |
| Direct D/L link: | N/A |
| License type: | Open Source |
| Description: | pynary will become a powerful platform-independent framework for binary code analysis. The initial goal is the implementation of function signature matching using graph isomorphism and an extensible 'write-your-own-heuristic' model to allow tweaks for particular targets. It will also identify standard library global constants and structures where possible. Once the initial goal is achieved, a number of cool features are planned: stack frame analysis; un-inliner; exception handling parsing/analysis; 'functionally equivalent' matching; C++ template function matching; meta-data transfer between IDBs; C++ class reconstruction (with/without RTTI); and more. This project is still in its infancy, and looking for volunteers. |
| Also listed in: | Executable Diff Tools, Reverse Engineering Frameworks, Programming Libraries, Exe Analyzers, Diff Tools |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
| Tool name: | Windows Script Decoder |
|---|---|
| Author: | Mr Brownstone |
| Website: | http://www.virtualconspiracy.com/content/scrdec/intro |
| Current version: | 1.8 |
| Last updated: | April 10, 2005 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | The Windows Script Encoder (screnc.exe) is a Microsoft tool which can be used to encode your scripts (i.e. JScript, ASP pages, VBScript). Yes: encode, not encrypt. The use of this tool is to be able to prevent people from looking at, or modifying, your scripts. Microsoft recommends using the Script Encoder to obfuscate your ASP pages, so in case your server is compromised the hacker would be unable to find out how your ASP applications work. The Windows Script Decoder is a tool that I wrote which can be used to decode all scripts that have been encoded with the Windows Script Encoder. Please note that this program was originally written to demonstrate the ease of a cryptanalysis attack against a tool like the Windows Script Encoder. Nowadays, script encoding is often used to hide malicious scripting commands, and the script decoder can be very useful to uncover the original code. Do not use this tool to violate copyright. That's not what it is meant for. |
| Also listed in: | Automated Unpackers |
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) |
Subcategories
There are 3 subcategories to this category.