de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (eg. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly.

Features

Here's a pseudo random list of the things it will do depending on what obfuscator was used to obfuscate an assembly:

Inline methods. Some obfuscators move small parts of a method to another static method and calls it.
Decrypt strings statically or dynamically
Decrypt other constants. Some obfuscators can also encrypt other constants, such as all integers, all doubles, etc.
Decrypt methods statically or dynamically
Remove proxy methods. Many obfuscators replace most/all call instructions with a call to a delegate. This delegate in turn calls the real method.
Rename symbols. Even though most symbols can't be restored, it will rename them to human readable strings. Sometimes, some of the original names can be restored, though.
Devirtualize virtualized code
Decrypt resources. Many obfuscators have an option to encrypt .NET resources.
Decrypt embedded files. Many obfuscators have an option to embed and possibly encrypt/compress other assemblies.
Remove tamper detection code
Remove anti-debug code
Control flow deobfuscation. Many obfuscators modify the IL code so it looks like spaghetti code making it very difficult to understand the code.
Restore class fields. Some obfuscators can move fields from one class to some other obfuscator created class.
Convert a PE exe to a .NET exe. Some obfuscators wrap a .NET assembly inside a Win32 PE so a .NET decompiler can't read the file.
Removes most/all junk classes added by the obfuscator.
Fixes some peverify errors. Many of the obfuscators are buggy and create unverifiable code by mistake.
Restore the types of method parameters and fields

Supported obfuscators/packers

Agile.NET (aka CliSecure)
Babel.NET
CodeFort
CodeVeil
CodeWall
CryptoObfuscator
DeepSea Obfuscator
Dotfuscator
.NET Reactor
Eazfuscator.NET
Goliath.NET
ILProtector
MaxtoCode
MPRESS
Rummage
Skater.NET
SmartAssembly
Spices.Net
Xenocode

Some of the above obfuscators are rarely used (eg. Goliath.NET), so they have had much less testing. Help me out by reporting bugs or problems you find. Warning

Sometimes the obfuscated assembly and all its dependencies are loaded into memory for execution. Use a safe sandbox environment if you suspect the assembly or assemblies to be malware.

Even if the current version of de4dot doesn't load a certain assembly into memory for execution, a future version might.

Title	Content
Title	de4dot .NET deobfuscator & unpacker
Version	latest version
Author	0xd4d
Author website	https://github.com/0xd4d/de4dot
Description	de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (eg. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly. Features Here's a pseudo random list of the things it will do depending on what obfuscator was used to obfuscate an assembly: Inline methods. Some obfuscators move small parts of a method to another static method and calls it. Decrypt strings statically or dynamically Decrypt other constants. Some obfuscators can also encrypt other constants, such as all integers, all doubles, etc. Decrypt methods statically or dynamically Remove proxy methods. Many obfuscators replace most/all call instructions with a call to a delegate. This delegate in turn calls the real method. Rename symbols. Even though most symbols can't be restored, it will rename them to human readable strings. Sometimes, some of the original names can be restored, though. Devirtualize virtualized code Decrypt resources. Many obfuscators have an option to encrypt .NET resources. Decrypt embedded files. Many obfuscators have an option to embed and possibly encrypt/compress other assemblies. Remove tamper detection code Remove anti-debug code Control flow deobfuscation. Many obfuscators modify the IL code so it looks like spaghetti code making it very difficult to understand the code. Restore class fields. Some obfuscators can move fields from one class to some other obfuscator created class. Convert a PE exe to a .NET exe. Some obfuscators wrap a .NET assembly inside a Win32 PE so a .NET decompiler can't read the file. Removes most/all junk classes added by the obfuscator. Fixes some peverify errors. Many of the obfuscators are buggy and create unverifiable code by mistake. Restore the types of method parameters and fields Supported obfuscators/packers `Agile.NET (aka CliSecure) Babel.NET CodeFort CodeVeil CodeWall CryptoObfuscator DeepSea Obfuscator Dotfuscator .NET Reactor Eazfuscator.NET Goliath.NET ILProtector MaxtoCode MPRESS Rummage Skater.NET SmartAssembly Spices.Net Xenocode` Some of the above obfuscators are rarely used (eg. Goliath.NET), so they have had much less testing. Help me out by reporting bugs or problems you find. Warning Sometimes the obfuscated assembly and all its dependencies are loaded into memory for execution. Use a safe sandbox environment if you suspect the assembly or assemblies to be malware. Even if the current version of de4dot doesn't load a certain assembly into memory for execution, a future version might.
View:	18050
Publish time	5 years ago 2018-08-26 19:05:51
Download	de4dot.zip [Size: 950.26 KB ] [Downloads: 7,972 ]
AcTioN	[ Abuse / Report ]

#webscene

de4dot .NET deobfuscator & unpacker