• .Net脱壳工具 de4dot参数说明/简易教程


    de4dot  /? 帮助原文

     使用方法

    de4dot "d:xx.exe" -p xc 
    
    -p xc  指定壳类型 , 这里是xc,表示Xenocode壳.
    这样会在exe的相同目录生成一个 xx_cleaned.exe 的文件, 拖进ILSpy什么的去看代码吧.
    要指定输出路径请使用 -o "d:outputxx.exe"

    一般选对壳了大部分都可以脱掉,脱不掉的首先尝试使用最新版的de4dot, 脱完之后一部分类/方法名会恢复, 另一部分会变成Class123,、method_123之类的, ,不过总比那些都显示不出来的字符可强多了,简单修改一下即可编译了。 突然想到有没有人搞个de4dot GUI工具呢?

    放俩图对比一下:

    de4dot v3.1.41592.3405 Copyright (C) 2011-2014 de4dot@gmail.com
    Latest version and source code: https://bitbucket.org/0xd4d/de4dot
    
    Some of the advanced options may be incompatible, causing a nice exception.
    With great power comes great responsibility.
    
    de4dot <options> <file options>
    Options:
      -r DIR           Scan for .NET files in all subdirs
      -ro DIR          Output base dir for recursively found files
      -ru              Skip recursively found files with unsupported obfuscator
      -d               Detect obfuscators and exit
      --asm-path PATH  Add an assembly search path
      --dont-rename    Don't rename classes, methods, etc.
      --keep-names FLAGS
                       Don't rename n(amespaces), t(ypes), p(rops), e(vents), f(ields), m(ethods), a(rgs), g(enericparams), d(elegate fields). Can be combined, eg. efm
      --dont-create-params
                       Don't create method params when renaming
      --dont-restore-props
                       Don't restore properties/events
      --default-strtyp TYPE
                       Default string decrypter type
      --default-strtok METHOD
                       Default string decrypter method token or [type::][name][(args,...)]
      --no-cflow-deob  No control flow deobfuscation (NOT recommended)
      --load-new-process
                       Load executed assemblies into a new process
      --keep-types     Keep obfuscator types, fields, methods
      --preserve-tokens
                       Preserve important tokens, #US, #Blob, extra sig data
      --preserve-table FLAGS
                       Preserve rids in table: tr (TypeRef), td (TypeDef), fd (Field), md (Method), pd (Param), mr (MemberRef), s (StandAloneSig), ed (Event), pr (Property), ts (TypeSpec), ms (MethodSpec), all (all previous tables). Use - to disable (eg. all,-pd). Can be combined: ed,fd,md
      --preserve-strings
                       Preserve #Strings heap offsets
      --preserve-us    Preserve #US heap offsets
      --preserve-blob  Preserve #Blob heap offsets
      --preserve-sig-data
                       Preserve extra data at the end of signatures
      --one-file       Deobfuscate one file at a time
      -v               Verbose
      -vv              Very verbose
      -h               Show this help message
      --help           Same as -h
    
    File options:
      -f FILE          Name of .NET file
      -o FILE          Name of output file
      -p TYPE          Obfuscator type (see below)
      --strtyp TYPE    String decrypter type
      --strtok METHOD  String decrypter method token or [type::][name][(args,...)]
    
    Deobfuscator options:
    Type un (Unknown)
      --un-name REGEX  Valid name regex pattern (^[a-zA-Z_<{$][a-zA-Z_0-9<>{}$.`-]*$)
    
    Type an (Agile.NET)
      --an-name REGEX  Valid name regex pattern (^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
      --an-methods BOOL
                       Decrypt methods (True)
      --an-rsrc BOOL   Decrypt resources (True)
      --an-stack BOOL  Remove all StackFrameHelper code (True)
      --an-vm BOOL     Restore VM code (True)
      --an-initlocals BOOL
                       Set initlocals in method header (True)
    
    Type bl (Babel .NET)
      --bl-name REGEX  Valid name regex pattern (^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
      --bl-inline BOOL Inline short methods (True)
      --bl-remove-inlined BOOL
                       Remove inlined methods (True)
      --bl-methods BOOL
                       Decrypt methods (True)
      --bl-rsrc BOOL   Decrypt resources (True)
      --bl-consts BOOL Decrypt constants and arrays (True)
      --bl-embedded BOOL
                       Dump embedded assemblies (True)
    
    Type cf (CodeFort)
      --cf-name REGEX  Valid name regex pattern (!^[a-zA-Z]{1,3}$&!^[_<>{}$.`-]$&^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
      --cf-embedded BOOL
                       Dump embedded assemblies (True)
    
    Type cv (CodeVeil)
      --cv-name REGEX  Valid name regex pattern (!^[A-Za-z]{1,2}$&^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
    
    Type cw (CodeWall)
      --cw-name REGEX  Valid name regex pattern (!^[0-9A-F]{32}$&!^[_<>{}$.`-]$&^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
      --cw-embedded BOOL
                       Dump embedded assemblies (True)
      --cw-decrypt-main BOOL
                       Decrypt main embedded assembly (True)
    
    Type co (Crypto Obfuscator)
      --co-name REGEX  Valid name regex pattern (!^(get_|set_|add_|remove_)?[A-Z]{1,3}(?:`d+)?$&!^(get_|set_|add_|remove_)?c[0-9a-f]{32}(?:`d+)?$&^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
      --co-tamper BOOL Remove tamper protection code (True)
      --co-consts BOOL Decrypt constants (True)
      --co-inline BOOL Inline short methods (True)
      --co-ldnull BOOL Restore ldnull instructions (True)
    
    Type ds (DeepSea)
      --ds-name REGEX  Valid name regex pattern (^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
      --ds-inline BOOL Inline short methods (True)
      --ds-remove-inlined BOOL
                       Remove inlined methods (True)
      --ds-rsrc BOOL   Decrypt resources (True)
      --ds-embedded BOOL
                       Dump embedded assemblies (True)
      --ds-fields BOOL Restore fields (True)
      --ds-keys BOOL   Rename resource keys (True)
      --ds-casts BOOL  Deobfuscate casts (True)
    
    Type df (Dotfuscator)
      --df-name REGEX  Valid name regex pattern (!^(?:eval_)?[a-z][a-z0-9]{0,2}$&!^A_[0-9]+$&^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
    
    Type dr3 (.NET Reactor)
      --dr3-name REGEX Valid name regex pattern (^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
      --dr3-types BOOL Restore types (object -> real type) (True)
      --dr3-inline BOOL
                       Inline short methods (True)
      --dr3-remove-inlined BOOL
                       Remove inlined methods (True)
      --dr3-ns1 BOOL   Clear namespace if there's only one class in it (True)
      --dr3-sn BOOL    Remove anti strong name code (True)
    
    Type dr4 (.NET Reactor)
      --dr4-name REGEX Valid name regex pattern (^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
      --dr4-methods BOOL
                       Decrypt methods (True)
      --dr4-bools BOOL Decrypt booleans (True)
      --dr4-types BOOL Restore types (object -> real type) (True)
      --dr4-inline BOOL
                       Inline short methods (True)
      --dr4-remove-inlined BOOL
                       Remove inlined methods (True)
      --dr4-embedded BOOL
                       Dump embedded assemblies (True)
      --dr4-rsrc BOOL  Decrypt resources (True)
      --dr4-ns1 BOOL   Clear namespace if there's only one class in it (True)
      --dr4-sn BOOL    Remove anti strong name code (True)
      --dr4-sname BOOL Rename short names (False)
    
    Type ef (Eazfuscator.NET)
      --ef-name REGEX  Valid name regex pattern (!^[a-zA-Z]$&!^#=&!^dje_.+_ejd$&^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
    
    Type go (Goliath.NET)
      --go-name REGEX  Valid name regex pattern (!^[A-Za-z]{1,2}(?:`d+)?$&^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
      --go-inline BOOL Inline short methods (True)
      --go-remove-inlined BOOL
                       Remove inlined methods (True)
      --go-locals BOOL Restore locals (True)
      --go-ints BOOL   Decrypt integers (True)
      --go-arrays BOOL Decrypt arrays (True)
      --go-sn BOOL     Remove anti strong name code (True)
    
    Type il (ILProtector)
      --il-name REGEX  Valid name regex pattern (^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
    
    Type mc (MaxtoCode)
      --mc-name REGEX  Valid name regex pattern (!^[oO01l]+$&!^[A-F0-9]{20,}$&^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
      --mc-cp INT      String code page (936)
    
    Type mp (MPRESS)
      --mp-name REGEX  Valid name regex pattern (^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
    
    Type rm (Rummage)
      --rm-name REGEX  Valid name regex pattern (!.)
    
    Type sk (Skater .NET)
      --sk-name REGEX  Valid name regex pattern (!`[^0-9]+&^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
    
    Type sa (SmartAssembly)
      --sa-name REGEX  Valid name regex pattern (^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
      --sa-error BOOL  Remove automated error reporting code (True)
      --sa-tamper BOOL Remove tamper protection code (True)
      --sa-memory BOOL Remove memory manager code (True)
    
    Type sn (Spices.Net)
      --sn-name REGEX  Valid name regex pattern (!^[a-zA-Z0-9]{1,2}$&^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
      --sn-inline BOOL Inline short methods (True)
      --sn-remove-inlined BOOL
                       Remove inlined methods (True)
      --sn-ns1 BOOL    Clear namespace if there's only one class in it (True)
      --sn-rsrc BOOL   Restore resource names (True)
    
    Type xc (Xenocode)
      --xc-name REGEX  Valid name regex pattern (!^[oO01l]{4,}$&!^(get_|set_|add_|remove_|_)?[x_][a-f0-9]{16,}$&^[u2E80-u9FFFa-zA-Z_<{$][u2E80-u9FFFa-zA-Z_0-9<>{}$.`-]*$)
    
    String decrypter types
      none             Don't decrypt strings
      default          Use default string decrypter type (usually static)
      static           Use static string decrypter if available
      delegate         Use a delegate to call the real string decrypter
      emulate          Call real string decrypter and emulate certain instructions
    
    Multiple regexes can be used if separated by '&'.
    Use '!' if you want to invert the regex. Example: !^[a-zd]{1,2}$&!^[A-Z]_d+$&^[w.]+$
    
    Examples:
    de4dot -r c:myfiles -ro c:myoutput
    de4dot file1 file2 file3
    de4dot file1 -f file2 -o file2.out -f file3 -o file3.out
    de4dot file1 --strtyp delegate --strtok 06000123
    ERROR: 
    ERROR: 
    ERROR: ERROR: File "/?" does not exist.
    ERROR: 

    支持的混淆器种类(从github复制来的)

    • Agile.NET (aka CliSecure)
    • Babel.NET
    • CodeFort
    • CodeVeil
    • CodeWall
    • CryptoObfuscator
    • DeepSea Obfuscator
    • Dotfuscator
    • .NET Reactor
    • Eazfuscator.NET
    • Goliath.NET
    • ILProtector
    • MaxtoCode
    • MPRESS
    • Rummage
    • Skater.NET
    • SmartAssembly
    • Spices.Net
    • Xenocode

     下载地址: http://pan.baidu.com/s/1hqvcNkS

     github : https://github.com/0xd4d/de4dot

  • 相关阅读:
    贝叶斯公式由浅入深大讲解—AI基础算法入门
    再谈前端HTML模板技术
    再谈angularJS数据绑定机制及背后原理—angularJS常见问题总结
    mac版chrome升级到Version 65.0.3325.18后无法打开百度bing搜狗
    图说js中的this——深入理解javascript中this指针
    web app响应式字体设置!rem之我见
    【2020-04-18】 加班
    【2020-04-06】汇郡海下的沉思
    【2020-03-28】Dubbo源码杂谈
    【2020-03-21】Dubbo本地环境搭建-实现服务注册和消费
  • 原文地址:https://www.cnblogs.com/adinet/p/7425604.html
Copyright © 2020-2023  润新知