de4dot

Deobfuscator for .NET

Description
de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (eg. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly.

Features
Here's a pseudo random list of the things it will do depending on what obfuscator was used to obfuscate an assembly:
Inline methods. Some obfuscators move small parts of a method to another static method and calls it.

• Decrypt strings statically or dynamically
• Decrypt other constants. Some obfuscators can also encrypt other constants, such as all integers, all doubles, etc.
• Decrypt methods statically or dynamically
• Remove proxy methods. Many obfuscators replace most/all call instructions with a call to a delegate. This delegate in turn calls the real method.
• Rename symbols. Even though most symbols can't be restored, it will rename them to human readable strings. Sometimes, some of the original names can be restored, though.
• Devirtualize virtualized code
• Decrypt resources. Many obfuscators have an option to encrypt .NET resources.
• Decrypt embedded files. Many obfuscators have an option to embed and possibly encrypt/compress other assemblies.
• Remove tamper detection code
• Remove anti-debug code
• Control flow deobfuscation. Many obfuscators modify the IL code so it looks like spaghetti code making it very difficult to understand the code.
• Restore class fields. Some obfuscators can move fields from one class to some other obfuscator created class.
• Convert a PE exe to a .NET exe. Some obfuscators wrap a .NET assembly inside a Win32 PE so a .NET decompiler can't read the file.
• Removes most/all junk classes added by the obfuscator.
• Fixes some peverify errors. Many of the obfuscators are buggy and create unverifiable code by mistake.
• Restore the types of method parameters and fields

Supported obfuscators/packers

• Agile.NET (aka CliSecure)
• Babel.NET
• CodeFort
• CodeVeil
• CodeWall
• CryptoObfuscator
• DeepSea Obfuscator
• Dotfuscator
• .NET Reactor
• Eazfuscator.NET
• Goliath.NET
• ILProtector
• MaxtoCode
• MPRESS
• Rummage
• Skater.NET
• SmartAssembly
• Spices.Net
• Xenocode

How to use de4dot

Easy: Drag and drop the file(s) onto de4dot.exe and wait a few seconds.

Advanced: Start de4dot without any arguments and it will show all options.

Download

Please login or register to see this link.

UPDATED: June 19, 2016

This is my seconds .PDF guide including 

the software to reverse, and the tools "Detect It Easy" and "Exe2Aut" - Dnspy required !

- Im covering .Net reversing again, and dumping files also decompiling autoIT files.

Download = 

Please login or register to see this link.

since ill move away a bit from the scene and focus on other project for some time until now i thought about releasing some tools i collected / gathered in the time i did reversing. 

This is a screenshot of the tools folder :

Of course any experienced person in the game already have these or 90% of them on their drive but this may become a starter package for new guys.

Tell me what you think!

I dont know if i am allowed to post the complete collection here without providing any Virus Total links as you wont think i would upload every tool to VirusTotal dont you

Maybe you even want only some parts of it 

EDIT : Yes i know everybody wants that @Adolan OllyDbg

EDIT2 : Download (MEGA) 

Please login or register to see this link.

Download via MEGA : 

Please login or register to see this link.

Original one part download from tuts4you : 

Please login or register to see this link.

password is "tuts4you" without the " . 

Please login or register to see this link.

In this guide i show how to remove STEAM protection and modding the window title to display any text you want to . 

Anyways, here is the .PDF :

(a like or comment would be nice since this is free and took me quite some time)

- Download .PDF = 

Please login or register to see this link.

Virustotal Link for the PDF = 

Please login or register to see this link.

If you have questions you are free to ask

as i really wanted to use this software but got slowed down to hell with its Free Version download speed limit.

So i did some research and cracked it for my own purposes.. well here is what ive done.

1. The target is the DriverEasy Core dll lib inside the installation folder. The assembly is protected with DotFuscator or some other obfuscator i dont remember.

You can easily fire up DnSpy and load it into it. The obfuscation is not that hard to understand.

2. Use DnSpy to decompile the Class inside the dll called "EasyWare.Driver.Core.Register"

3. Inside the class is a get set function for a string called "Key" . you can find it directly in the License subclass.

4. This is the get set function :

public string Key
{
    // Token: 0x06000349 RID: 841 RVA: 0x00015C73 File Offset: 0x00013E73
    get
    {
        return this.b;
    }
    // Token: 0x0600034A RID: 842 RVA: 0x00015C7B File Offset: 0x00013E7B
    set
    {
        this.b = value;
    }
}

There in the get i edited the IL Code to just return a string that holds my personal key string.

Here is how the get looked before (original)

This is how i assembled it .

This will result in : 

public string Key
{
    // Token: 0x06000349 RID: 841 RVA: 0x00015C73 File Offset: 0x00013E73
    get
    {
        this;
        return "sandaasu lel";
    }
    // Token: 0x0600034A RID: 842 RVA: 0x00015C7B File Offset: 0x00013E7B
    set
    {
        this.b = value;
    }
}

You have to delete the IL Instruction above to get rid of the "this;".

Next thing to do is in the bool "Valid" :

public bool Valid
{
    // Token: 0x0600034C RID: 844 RVA: 0x00015CD4 File Offset: 0x00013ED4
    get
    {
        StringBuilder stringBuilder = new StringBuilder();
        stringBuilder.AppendLine("Please read below text before you change the code:");
        stringBuilder.AppendLine("");
        stringBuilder.AppendLine("We are appreciate your work, you are the HERO let more user enjoy the advance features,");
        stringBuilder.AppendLine("however due to the very expensive bandwidth cost,");
        stringBuilder.AppendLine("we still need to selling our service in order to cover the server fee,");
        stringBuilder.AppendLine("otherwise we may need to shutdown our business.");
        stringBuilder.AppendLine("");
        stringBuilder.AppendLine("So we just change the \"Professional Vx.xx.x\" to \"Professional (Speed Limited) Vx.xx.x\", without other limitiation,");
        stringBuilder.AppendLine("please do not remove this remind, otherwise there is another encryption & decryption war.");
        stringBuilder.AppendLine("");
        stringBuilder.AppendLine("We are more prefer to invest more manpower to improve our product, instead of encryption. Thanks a lot.");
        return this.c;
    }
    // Token: 0x0600034D RID: 845 RVA: 0x00015D71 File Offset: 0x00013F71
    set
    {
        this.c = value;
    }
}

Just use the IL Editor agin to assemble the code to : 

public bool Valid
{
    // Token: 0x06000356 RID: 854 RVA: 0x00015F3C File Offset: 0x0001413C
    get
    {
        return true;
    }
    // Token: 0x06000357 RID: 855 RVA: 0x00015FD9 File Offset: 0x000141D9
    set
    {
        this.c = value;
    }
}

This will return a simple TRUE to the software when it asks the lib if the license is valid .

The license.dat is located at your AppData Roaming folder. Subfolder EasyWare.

The last step is to save the modified / patched .DLL.

Just use DnSpy's menustrip File-> Save Module Dialogue for that. Paste your cracked dll in the installation folder and you have unlimited PRO usage.

Hope this was helpfull

UPX is mostly used for native executables or library files, where you can choose various packing options such as BRUTE or BEST etc.

Once a file was packed with UPX , UPX will write a Header into the file . Tools like PEiD or Protection ID detect that and notify you that this file was UPX Packed.

Then you can easily use "-d" on the UPX.exe to DECOMPRESS / UNPACK the packed file back to its "original" state BUT (!) there is some trick to prevent some noobs from doing that with your file! 

You can HEX edit that UPX header and just Hex edit the informations out . Resave the file and here you got a UPX Packed file that cannot be unpacked with the upx.exe anymore easily . 

i know two ways of how to unpack the file again even with this trick :

- PE Explorer UPX Plugin ( Automatically unpacks the file even with hexed header)

- Manual Unpacking (Requires time , brain and knowledge. Or a youtube video)

Hope that helps

Link download soft: 

Please login or register to see this link.

TKS

Anyone please help me i am having an issue with de4dot, I have a file name server.exe which is obfuscated with crypto .net,

when i try to unpack it or deobfuscate it by using de4dot, everything goes right till the end but I get no file saved as cleaned,

it detects the type of obfuscator is crypto, then it says cleaning the file and then says renaming all obfuscated symbols

at last it says saving the file as server-cleaned.exe. then the program says press any key to exit..

and the problem starts here even though it says saving unpacked /deobfuscated file, I get no unpacked file at the end of process,

I see nothing saved there, what is wrong i am not understanding, please help me i am noob..

for now 

i need to learn about cracker bot

but i think have a some problem

and it's better if anyone have a smartbot cracked file old vesion

better is have guide for me 

ty for your time

sorry for my english

i'm currently Working on Anthraxbot but i keep having troubles with it

i got pass the login check (i think) now theres a force update being called whens there no update 

if anybody wanna helps that would be amazing if anybody needs anthraxbot.exe i can do that too

im new to this im actually a ios hacker but wanted to take a step up

like i said any help would be awesome

With out further ado, here is a link to Critical Error's guide, He runs a great forum, and props to him.

Please login or register to see this link.

If you are looking for software to crack/patch/keygen/unpack and so on, I recently found these websites that provide great challenges, from beginner to the most advanced reverser.

Here are the websites:

• Please login or register to see this link.

• Please login or register to see this link.

They are all available in English.

I started some days ago with W3Challs. I've done 6/8 in Cracking and 6/17 in Hacking. If you have questions about the challenges proposed, I can help you with ones I already completed.

If anyone also knows websites like that, I can add it in the list.

Cheers

I use all of them personally, so im 99.9995% sure that they are all clean. The ones that are open source/free are from source.

This collection is the small one that is just my CTF tool kit, Just the basics. I may post another one with a larger collection of things, probably will include a lot more public tools and plugins (Search and Destory's Olly Cfg, UnConfuser/Ex, ida plugins, books, crackmes, links and so on.)

The bot i am trying to crack is "UltimateBot" which is a player buying bot for Fifa15.

It is written in C#

It uses ILProtector

De4dot throws up 4 errors when i try to run it with "dont-rename" and when reflector+reflexil compile a patch it fails to open.

It asks for license validation and connects to the server for its validation on start up.

Modifying the Host file causes bot to notice its mentioned in the file and fails to validate.

I have failed at spoofing a server response using Fiddler.

I would be very greatful if somebody who has a lot better grasp of cracking can help me or crack it for me.

File can be downloaded at

Please login or register to see this link.
 

For some background I have a intermediate ( of what I have been told by professors in my cs courses ) understanding of java and c#. I am currently learning c++ which is very similar in some ways to the previous two. Botting has been something that actually brought me into the wonderful world of computers and programming. I just could never figure out how to get started in the right direction being a person that learns from interactions with teachers and practice ( you gotta know what to practice sadly hahah).

Sorry for the horrible formatting, haven't been on a forums in ages and normally don't post anything of such length.  

IDA 6.5 (Recently leaked.)

 - Main program: 

Please login or register to see this link.

 - Plugins (HexRays decompiler etc.): 

Please login or register to see this link.

The 6.5 leak is a minor improvement to the previous leaks but it does not really offer much that can't be done with the previous known leaks. This is just a recent leak that some may find useful after being stuck with the older version(s) or demo for so long.

There are a lot of scrips and plugins for IDA on various scene / team websites, I encourage you to take a look for them. A lot of them can come in handy when working with various packers / protectors, as well as rebuilding information from vtables etc.

OllyDbg

 - v1: 

Please login or register to see this link.

 - v2: 

Please login or register to see this link.

OllyDbg is a debugger that is HIGHLY extendable via plugins. There are various sites that you can obtain popular plugins from. I will not give direct links as I do not want to break the advertisement rule, but search for sites like Tuts4You.

PEiD (Protection Detector)

 - v0.95: 

Please login or register to see this link.

PEiD is one of the oldest and well known protection detectors. However it has been long since discontinued. It is also another application that is highly extendable via plugins. You are recommended to locate them as well. Also, PEiD can load external user databases for detection patterns. It is recommended you find an updated pattern database as the internal one is for older protectors.

.NET Decompilers

 - ILSpy: 

Please login or register to see this link.

 - dotPeek: 

Please login or register to see this link.

Please login or register to see this link.

Now i don't know the original key and if i use the first option with verification skipping, it gives me a failed message. Is there a way to find the original key?

Thanks in advance.

"

I have been using BotExploit for D3 for quite a while as a registered user, however now I would like to try and crack it so I do not have to keep on purchasing the subscription.

I read somewhere that it is easy to crack, but could not find any more info on it or how to do it.

I prefer this bot to DB as it was one of the only bots to not get a single ban on the last ban wave that Blizzard did (I was using the bot at the time it hit and no ban).

So,  if any experts have any ideas on how I would do this or what approach to use to crack this I would love to hear any advice or suggestions.

I have never cracked programs before, so in that respect I am a noob, but I am fairly familiar with computers and have some basic programming experience.

Thanks for any advice!

Here is a link to their site:

Please login or register to see this link.

 I have bought 2 controllers (BOB) MK1 and installed the cncusb controller software from this link

Please login or register to see this link.

but when i connect the BOB to the pc the software show a license activation window that ask for registration key (related to bob serial) to activate the software or it is will work as evaluation version with 25 gcode lines to do only.

 its so expensive : 69 euro per each BOB !!!! 

 Can u help with this software so i can using it with these BOBs? 

Thanks all  

Here's my log

[19:16:23.593 N] Honorbuddy v2.5.13765.784 started.