Output may fail to run on virtualized assemblies. #13

Closed
holly-hacker opened this issue Aug 17, 2018 · 8 comments

Comments

@holly-hacker
Owner

Virtualized assemblies can have virtualized code that references the string decryptor (or other normally removed code). Once these types get removed, the virtualized code will fail to run since it cannot resolve them anymore. Relatedly, it could be that we're changing MDTokens when we save the assembly; we shouldn't do that by default (see de4dot's --keep-tokens).

It should be easy to fix this by adding a command-line flag similar to de4dot's --keep-types.

See #12.

@CreateAndInject

What is virtualized? Does de4dot devirtualize methods for old Eazfuscator versions?

@holly-hacker
Owner Author

To make virtualized methods, EazFuscator creates a virtual machine that executes IL or IL-like instructions and will use that to run the method. You can find more in their documentation here. As far as I know, de4dot does not devirtualize EazFuscator. However, there is eazdevirt by Saneki or my fork of it, although both are outdated by now.

@ghost

ghost commented Aug 27, 2018

Any hopes for devirtualization?

@holly-hacker
Owner Author

Devirtualization is a very large beast to tackle. It takes a very long time to implement in the first place, and keeping it updated is a very boring job I wouldn't wish on anyone. There is a good reason why it is the most secure protection EazFuscator has to offer. To give you an idea of how annoying updating devirtualizers is: I've already turned down hundreds of dollars just so I wouldn't have to do it.

For now, I have no plans to add devirtualization to EazFixer, and I don't think I will accept PRs adding the functionality because then I will be burdened with keeping it updated. Perhaps in the future I will make one, but I wouldn't count on it.

@ghost

ghost commented Aug 27, 2018

I am planning to invest $1k for that implementation, one time only; no updates are required for me.

@DevinoPro

DevinoPro commented Aug 27, 2018

Hi, reason behind blocking, please.

@notsquirr3l
Contributor

@DevinoPro virtual opcodes are in a giant list. EazFuscator itself is not a great obfuscator; it's just boring to make a tool. If you want a dirty method (one that doesn't support code you cannot execute), just attach a debugger to the program, step through the method stubs and look at what it invokes.

@holly-hacker
Owner Author

Fixed since #15, you can now use --fix-virt or --keep-types.
