From Collaborative RCE Tool Library


Deobfuscation Tools


Tool name: ExeInfo PE
Rating: 5.0 (1 vote)
Author: A.S.L.                        
Website: http://www.exeinfo.xn.pl
Current version: 0.0.4.1 with 902+35 signatures
Last updated: December 15, 2015
Direct D/L link: Locally archived copy
License type: Free
Description: Good detector for packers, compressors and compilers, plus unpack info and internal EXE tools.
Internal ripper for zip, rar, Flash swf, GFX (bmp/jpg/png/gif), cab, msi, bzip, ...
Colored disassembler, Delphi form viewer, zlib unpacker v1.2.8, .NET exe info.
Internal detector for non-executable files.
Also listed in: .NET Tools, .NET Unpackers, Compiler Identifiers, Crypto Tools, Linux Unpackers, PE EXE Signature Tools, Packer Identifiers

Tool name: Malzilla
Rating: 4.5 (2 votes)
Author: Boban bobby Spasic                        
Website: http://malzilla.sourceforge.net
Current version: 1.2.0
Last updated: November 2, 2008
Direct D/L link: http://malzilla.sourceforge.net/downloads.html
License type: Free / Open Source
Description: Malware hunting tool. Web pages that contain exploits often use a series of redirects and obfuscated code to make it more difficult for somebody to follow. MalZilla is a useful program for exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of web pages and all the HTTP headers. It also gives you various decoders to try and deobfuscate JavaScript.
Also listed in: Javascript Debuggers, Javascript Deobfuscators, Javascript Unpackers

Tool name: pynary
Rating: 1.0 (1 vote)
Author: c1de0x                        
Website: http://code.google.com/p/openrce-snippets/wiki/pynary
Current version: 0.0.1
Last updated:
Direct D/L link: N/A
License type: Open Source
Description: pynary will become a powerful platform independent framework for binary code analysis.

The initial goal is the implementation of function signature matching using graph isomorphism and an extensible 'write-your-own-heuristic' model to allow tweaks for particular targets. It will also identify standard library global constants and structures where possible.

Once the initial goal is achieved, a number of cool features are planned:

* stack frame analysis
* un-inliner
* exception handling parsing/analysis
* 'functionally equivalent' matching
* c++ template function matching
* meta-data transfer between IDBs
* c++ class reconstruction (with/without RTTI)
* ...

This project is still in its infancy, and looking for volunteers.
Also listed in: Executable Diff Tools, Reverse Engineering Frameworks, Programming Libraries, Exe Analyzers, Diff Tools

Tool name: .NET DeObfuscator
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://www.woodmann.com/forum/showthread.php?t=11810
Current version: 0.5
Last updated: June 11, 2008
Direct D/L link: Locally archived copy
License type: Free
Description: This is a tool to deobfuscate names only in assemblies; it doesn't deobfuscate control flow.

This tool is supposed to make our life easier when exploring in Reflector, so the deobfuscated assembly in most cases won't run and it's meant to be used in Reflector for analysis only.

What this tool does is rename classes and other members of an assembly, like procedures and functions, into more understandable names for easier analysis. For example, it renames a class of type Form to "Class10_Form" instead of "xhfkd9oekfpklgpf" as we see in assemblies obfuscated with Xenocode or any other obfuscator. I didn't want to release it at first, but when I added type detection to the renaming process it became more useful.
Also listed in: .NET Deobfuscation Tools

Tool name: .NET Methods Parser
Rating: 0.0 (0 votes)
Author: Kurapica                        
Website: http://portal.b-at-s.info/download.php?view.463
Current version: 0.2
Last updated: July 19, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: A simple tool to analyze the "Methods" metadata table.
It has good error and invalid-data handling code, so it will open most weird files.
Also listed in: .NET Deobfuscation Tools

Tool name: Bad Net Opcodes Finder
Rating: 0.0 (0 votes)
Author: whoknows                        
Website: http://portal.b-at-s.info/download.php?view.439
Current version: 0.6 beta
Last updated: December 18, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: A tool used to fix a nasty anti-decompiler trick. The trick is based on using invalid opcodes to make decompilation impossible with tools like Reflector.
You can use this tool to kill these invalid opcodes and see the code again in Reflector. You will find a small video which explains how to use this tool.
Also listed in: .NET Deobfuscation Tools

Tool name: CodeDoctor
Rating: 0.0 (0 votes)
Author: hnedka                        
Website: N/A
Current version: 0.90
Last updated: November 12, 2009
Direct D/L link: see details
License type: freeware
Description: CodeDoctor is a plugin for Olly and IDA.

History:
11.11.2009 - 0.90 - initial public release

________________________________________________________________________________
Functions:

1) Deobfuscate

Select instructions in disasm window and execute this command. It will try
to clear the code from junk instructions.

Example:

Original:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI

Deobfuscated:
00874372 83C3 04 ADD EBX,4

________________________________________________________

2) Deobfuscate - Single Step

This works like previous command, but does one transformation at a time
_______________________________________________________

3) Move NOPs to bottom

Converts this:

00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F


to this:

00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP

Limitations: it breaks all jumps and calls pointing inwards
________________________________________________________

4) Undo / Redo

Undo or Redo last operation (from one of the above functions)

________________________________________________________

5) Retrieve Jumpy function

This will statically parse instructions and follow all jumps. This is useful
for situations when the program jumps here and there and here and there... When
it encounters an instruction that can't be followed, it stops and copies
all parsed instructions to an allocated place in memory.

Use settings to set some parameters:
Step over calls - if set, it will step over calls, otherwise it will follow them
Step over jccs - ditto, but for Jccs
Deobfuscate - it will deobfuscate instructions when it encounters Jcc, RET,
JMP reg/exp, CALL reg/exp; useful for multi-branch code

Example:

Original:
00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B
Also listed in: IDA Extensions, OllyDbg Extensions, Resource Editors, Unpacking Tools

Tool name: de4dot
Rating: 0.0 (0 votes)
Author: 0xd4d                        
Website: https://bitbucket.org/0xd4d/de4dot/
Current version: 2.0.3
Last updated: January 12, 2013
Direct D/L link: https://bitbucket.org/0xd4d/de4dot/downloads
License type: GPLv3
Description: de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (e.g. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly.

Features:
-Inline methods. Some obfuscators move small parts of a method to another static method and call it.
-Decrypt strings statically or dynamically
-Decrypt other constants. Some obfuscators can also encrypt other constants, such as all integers, all doubles, etc.
-Decrypt methods statically or dynamically
-Remove proxy methods. Many obfuscators replace most/all call instructions with a call to a delegate. This delegate in turn calls the real method.
-Rename symbols. Even though most symbols can't be restored, it will rename them to human readable strings. Sometimes, some of the original names can be restored, though.
-Devirtualize virtualized code
-Decrypt resources. Many obfuscators have an option to encrypt .NET resources.
-Decrypt embedded files. Many obfuscators have an option to embed and possibly encrypt/compress other assemblies.
-Remove tamper detection code
-Remove anti-debug code
-Control flow deobfuscation. Many obfuscators modify the IL code so it looks like spaghetti code making it very difficult to understand the code.
-Restore class fields. Some obfuscators can move fields from one class to some other obfuscator created class.
-Convert a PE exe to a .NET exe. Some obfuscators wrap a .NET assembly inside a Win32 PE so a .NET decompiler can't read the file.
-Remove most/all junk classes added by the obfuscator.
-Fix some peverify errors. Many of the obfuscators are buggy and create unverifiable code by mistake.
-Restore the types of method parameters and fields

Supported obfuscators/packers:
Agile.NET (aka CliSecure)
Babel.NET
CodeFort
CodeVeil
CodeWall
CryptoObfuscator
DeepSea Obfuscator
Dotfuscator
.NET Reactor
Eazfuscator.NET
Goliath.NET
ILProtector
MaxtoCode
MPRESS
Rummage
Skater.NET
SmartAssembly
Spices.Net
Xenocode
Also listed in: .NET Deobfuscation Tools

Tool name: DelForExp
Rating: 0.0 (0 votes)
Author: Egbert van Nes                        
Website: http://www.aew.wur.nl/uk/delforexp/
Current version: 2.5
Last updated: 2007
Direct D/L link: http://content.alterra.wur.nl/internet/webdocs/internet/aew/downloads/DelForEx.zip
License type: freeware
Description: DelForExp is a FREEWARE Delphi source code formatter that really works.
It improves:

* the indentation
* spacing
* capitalization
* use of blank lines of Delphi source code.

To do so, the source code is parsed and lots of special constructs are tested. By default, the style of the Borland source code is followed closely, since this is the most widely accepted style. But formatting of Pascal code is very much a matter of taste and debate, so some alternative rules are included. DelForExp is available as a Delphi 2/3/4/5/6/7/9/2007 expert. It can optionally process the whole currently opened project.
Also listed in: Code Beautifiers

Tool name: dotNetTools Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 1.0
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/dotNetToolsWin32.msi
License type: Free
Description: dotNet Tools is a freeware suite that includes dotNet Sniffer, PvLog DeObfuscator and PvLog LicenseManagerKiller. dotNet Sniffer uses the .NET profiler API to save assemblies loaded from memory. PvLog DeObfuscator is an MSIL code optimizer that makes obfuscated code more readable. LicenseManagerKiller is a tool that removes LicenseProvider attributes from the assembly.
Also listed in: .NET Deobfuscation Tools, .NET Tools, .NET Unpackers

Tool name: GCBE (Control Flow Graph Creation And Build Engine)
Rating: 0.0 (0 votes)
Author: Indy                        
Website: http://indy-vx.narod.ru
Current version:
Last updated: February 19, 2011
Direct D/L link: Locally archived copy
License type: Free
Description: GCBE (Control Flow Graph Creation And Build Engine) is the base engine for x86 code morphing. It creates and builds the control flow graph, which allows very complex graph-related problems to be solved.
Also listed in: Control Flow Analyzers

Tool name: jsunpack
Rating: 0.0 (0 votes)
Author:                         
Website: http://jsunpack.jeek.org
Current version: 0.3.2c
Last updated: June 2, 2010
Direct D/L link: N/A
License type: Free / Open Source
Description: A Generic JavaScript Unpacker.

jsunpack emulates browser functionality when visiting a URL. Its purpose is to detect exploits that target browser and browser plug-in vulnerabilities.

It accepts many different types of input:

* PDF files - samples/sample-pdf.file
* Packet Captures - samples/sample-http-exploit.pcap
* HTML files
* JavaScript files
* SWF files
Also listed in: Javascript Deobfuscators, Javascript Unpackers

Tool name: Lore's Source to HTML Converter
Rating: 0.0 (0 votes)
Author: Lars Haendel                        
Website: http://www.newty.de/lsc/index.html
Current version: 3.4b
Last updated: 06/01/2005
Direct D/L link: http://www.newty.de/lsc/zip/Source2HTML.exe
License type: GPL
Description: Lore's Source to HTML Converter is a free software tool that converts source code of arbitrary programming or markup languages into syntax-highlighted HTML. The key features are:

* Supports arbitrary programming or markup languages. At present, language definitions for C/C++, Java, JavaScript, Delphi, LaTeX, HTML, INI files and BibTeX exist.
* Project files to easily store options and file lists for your different projects
* Pre- and user defined syntax highlighting styles
* Optimized output: Successive elements with the same color or style are formatted together and not separately
* Fast on the fly conversion
* Extensive syntax highlighting like in commercial compilers or editors. Take a look at the screenshot to get an idea ...


Note: this tool does not actually alter source code, so it's not a code beautifier in the traditional sense. It is purely intended to generate a formatted HTML representation of code. "Arbitrary languages" means that you can define your own lexer-style keywords and their associated formatting options. This tool is extremely useful for documenting source code (e.g. in tutorials).
Also listed in: Code Beautifiers

Tool name: MFC Decorated To Undecorated
Rating: 0.0 (0 votes)
Author: ZaiRoN                        
Website: http://zairon.wordpress.com/2006/10/13/mfc-decorated-to-undecorated/
Current version: 1.0
Last updated: October 13, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: This is a little application I wrote some time ago and it might come in handy when you need to convert a decorated C++ name into the undecorated version of the same name. You can convert a single name or an entire .def file; I sometimes convert mfc42.def when my preferred disassembler/debugger doesn't recognise one or more names.
Also listed in: Code Beautifiers

Tool name: PolyStyle
Rating: 0.0 (0 votes)
Author: Matt Jones                        
Website: http://www.polystyle.com
Current version: 3.2zn
Last updated: October 16, 2007
Direct D/L link: N/A
License type: Shareware
Description: Very nice and flexible code beautifier, for many languages.
Also listed in: Code Beautifiers, Javascript Deobfuscators

Tool name: PvLog DeObfuscator Win32
Rating: 0.0 (0 votes)
Author: PV Logiciels                        
Website: http://dotnetprotector.pvlog.com/Tools.aspx
Current version: 1.0
Last updated: November 8, 2008
Direct D/L link: http://dotnetprotector.pvlog.com/downloads/DeObfuscatorWin32.zip
License type: Free
Description: PvLog DeObfuscator is an MSIL code optimizer. One side effect of the optimizer is that it can make obfuscated code more readable. PvLog DeObfuscator can also rename the types and names of members to further improve readability. This tool does not require installation: you just need to run the executable. DeObfuscator is also available in 32- and 64-bit versions, and we recommend you use the version that corresponds to the architecture of the assembly to optimize. The assembly generated by DeObfuscator may not always run because of protective measures implemented in the assembly (protection against code modification), but it should be able to load in Reflector. NOTE: the attribute that prevents ILDASM is not removed by DeObfuscator... but it could be!
Also listed in: .NET Deobfuscation Tools, .NET Tools

Tool name: Windows Script Decoder
Rating: 0.0 (0 votes)
Author: Mr Brownstone                        
Website: http://www.virtualconspiracy.com/content/scrdec/intro
Current version: 1.8
Last updated: April 10, 2005
Direct D/L link: Locally archived copy
License type: Free / Open Source
Description: The Windows Script Encoder (screnc.exe) is a Microsoft tool which can be used to encode your scripts (i.e. JScript, ASP pages, VBScript). Yes: encode, not encrypt. The purpose of this tool is to prevent people from looking at, or modifying, your scripts. Microsoft recommends using the Script Encoder to obfuscate your ASP pages, so that in case your server is compromised the attacker would be unable to find out how your ASP applications work.

The Windows Script Decoder is a tool that I wrote which can be used to decode all scripts that have been encoded with the Windows Script Encoder.

Please note that this program was originally written to demonstrate the ease of a cryptanalysis attack against a tool like the Windows Script Encoder. Nowadays, script encoding is often used to hide malicious scripting commands, and the script decoder can be very useful to uncover the original code. Do not use this tool to violate copyright. That's not what it is meant for.
Also listed in: Automated Unpackers