|
1 | | -# NetReactorSlayer |
2 | | - |
3 | | -An open source (GPLv3) deobfuscator for [Eziriz .NET Reactor](https://www.eziriz.com/reactor_download.htm) |
4 | | - |
5 | | -# Preview: |
6 | | - |
7 | | - |
8 | | -# Currently Supported .NET Reactor Versions: |
9 | | -- From 6.0.0.0 To 6.8.0.0 |
10 | | - |
11 | | -# Features: |
12 | | -- Clean Control Flow |
13 | | -- Restore Hidden Calls |
14 | | -- Remove Proxy Calls |
15 | | -- Decrypt Strings |
16 | | -- Remove Anti Tamper |
17 | | -- Remove Anti Debugger |
18 | | -- Decrypt Resources |
19 | | -- Dump Embedded Assemblies |
20 | | -- Decrypt Methods (NecroBit) |
21 | | -- Unpack Native |
22 | | -- Decrypt Tokens |
23 | | - |
24 | | -# Usage: |
| 1 | +<img src="https://user-images.githubusercontent.com/53654076/161832792-a48d4bdd-6d5b-43fd-97fe-5962d7f25be4.png#gh-dark-mode-only" width="1000"> |
| 2 | +<img src="https://user-images.githubusercontent.com/53654076/161837192-25e10462-31a4-451b-b819-7cbe1b8c8c8c.png#gh-light-mode-only" width="1000"> |
| 3 | + |
| 4 | +# NetReactorSlayer <br />      |
| 5 | + |
| 6 | +**NetReactorSlayer** is an open source (GPLv3) deobfuscator for [Eziriz .NET Reactor](https://www.eziriz.com/reactor_download.htm) |
| 7 | + |
| 8 | +<h1 align="center">Preview</h1> |
| 9 | + |
| 10 | +GUI | CLI |
| 11 | +:-------------------------:|:-------------------------: |
| 12 | +<img src="https://user-images.githubusercontent.com/53654076/161821769-20cb6d1a-9530-4b95-9f23-718f086d81e5.png" width="700"> | <img src="https://user-images.githubusercontent.com/53654076/161823035-1b4df4db-2d2b-439b-8fd4-90e79a579534.png" width="700"> |
| 13 | + |
| 14 | +<br /> |
| 15 | + |
| 16 | +### Features & Commands: |
| 17 | + |
| 18 | +| Description | Command | Default Value | |
| 19 | +| ------ | ------ | ------ | |
| 20 | +| Decrypt Methods (NecroBit) | `--decrypt-method` `<BOOL>` | True | |
| 21 | +| Deobfuscate Control Flow | `--deobfuscate-cflow` `<BOOL>` | True | |
| 22 | +| Decrypt Hidden Calls | `--decrypt-hidden-calls` `<BOOL>` | True | |
| 23 | +| Remove Reference Proxies | `--remove-ref-proxies` `<BOOL>` | True | |
| 24 | +| Decrypt Strings | `--decrypt-strings` `<BOOL>` | True | |
| 25 | +| Remove Anti Tamper & Anti Debug | `--anti-tamper` `<BOOL>` | True | |
| 26 | +| Decrypt Assembly Resources | `--decrypt-resources` `<BOOL>` | True | |
| 27 | +| Dump Embedded Assemblies | `--dump-assemblies` `<BOOL>` | True | |
| 28 | +| Dump Assemblies That Embedded By Costura.Fody | `--dump-costura-assemblies` `<BOOL>` | True | |
| 29 | +| Decrypt Tokens | `--decrypt-tokens` `<BOOL>` | True | |
| 30 | +| Unpack Original Assembly From Native Image | | | |
| 31 | +| Close CLI immediately after finish deobfuscation | `--no-pause` `<BOOL>` | False | |
| 32 | +| Preserve All MD Tokens | `--preserve-all` `<BOOL>` | False | |
| 33 | +| Keep Old Max Stack Value | `--keep-stack` `<BOOL>` | False | |
| 34 | +| Cleanup obfuscator leftovers | `-cleanup` `<BOOL>` | True | |
| 35 | + |
| 36 | +### Usage: |
25 | 37 | Just drag and drop target obfuscated assembly on it. |
26 | 38 |
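Review bot: In the new Features & Commands table, `-cleanup` is written with a single dash while every other option uses `--`, and the "Unpack Original Assembly From Native Image" row has empty Command and Default Value cells. Make the flag spelling match what the CLI actually parses, and either fill in that row or say how the feature is controlled. This part of the change also drops the "Currently Supported .NET Reactor Versions" line (6.0.0.0 to 6.8.0.0) with no replacement, so a reader can no longer tell which protector versions the tool targets; consider keeping it. The unchanged Usage line still only describes drag and drop, so one example of passing a `<BOOL>` value on the command line would document the new syntax.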
|
27 | | -# Optional commands: |
28 | | -``` |
29 | | ---no-necrobit Don't decrypt methods (NecroBit). |
30 | | ---no-anti-tamper Don't remove anti tamper. |
31 | | ---no-anti-debug Don't remove anti debugger. |
32 | | ---no-hide-call Don't restore hidden calls. |
33 | | ---no-str Don't decrypt strings. |
34 | | ---no-rsrc Don't decrypt assembly resources. |
35 | | ---no-deob Don't deobfuscate methods. |
36 | | ---no-arithmetic Don't resolve arithmetic equations. |
37 | | ---no-proxy-call Don't clean proxied calls. |
38 | | ---no-dump Don't dump embedded assemblies. |
39 | | ---no-remove Don't remove obfuscator methods, resources, etc... |
40 | | ---no-decrypt-token Don't decrypt tokens. |
41 | | -``` |
42 | | -# Known Issues: |
43 | | -- ### Strings are still encrypted after deobfuscation: |
44 | | -In some targets string decryptor method is virtualized, that's why NetReactorSlayer can't decrypt strings. |
45 | | -### How to know is string decryptor method is virtualized or not: |
46 | | -The normal string decryptor method should looks like this: |
47 | | - |
48 | | -And the virtualized string decryptor method should looks like one of below images: |
49 | | - |
50 | | - |
51 | | - |
52 | | - |
53 | | -- ### Control Flow Deobfuscator Not Working / Control Flow Deobfuscator Deleted Most OpCodes: |
54 | | -.NET Reactor 6.7 or above use some arithmetic equations to apply control flow: |
55 | | - |
56 | | -if you click on the class of field, You'll see one of class methods define the fields value on runtime: |
57 | | - |
58 | | -NetReactorSlayer get that fields value to deobfuscate control flow, but in some targets this method is virtualized and the method goanna looks like one of below images: |
59 | | - |
60 | | - |
61 | | - |
62 | | -That's why NetReactorSlayer get's failed to clean controlflow because it's don't have a feature yet to devirtualize virtualized methods. |
63 | | - |
64 | | -- ### Target file not working after deobfuscation: |
65 | | -- Try to save deobfuscated file with Preserve all MD tokens & Keep old MaxStack options: |
66 | | - |
67 | | - |
68 | | -# Note: |
69 | | -Its free, but there is no support for it, I'll keep updating it for latest .NET Reactor version as I can. |
70 | | - |
71 | | -# Credits: |
| 39 | +### Known Issues: |
| 40 | +- If target assembly not working after deobfuscation try using `--preserve-all` and/or `--keep-stack` command(s). |
| 41 | + |
| 42 | +- Since **NETReactorSlayer** does not yet have the ability to de-virtualize virtualized functions, if the target protected assembly contains virtualized functions, NETReactorSlayer may fail to de-obfuscate some protections such as string encryption and control flow. |
| 43 | + |
| 44 | +<details> |
| 45 | + <summary><b>➡️Click to see </b>few example of comparing virtualized functions with normal functions</summary> |
| 46 | + |
| 47 | +Normal | Virtualized |
| 48 | +:-------------------------:|:-------------------------: |
| 49 | +<img src="https://user-images.githubusercontent.com/53654076/144697746-85e928dd-ad5c-412a-a56c-6b96b3d79df8.png" width="600"> | <img src="https://user-images.githubusercontent.com/53654076/144697815-dcf2cda4-90f5-4225-8e64-e9b19d9a11b8.png" width="300"><br />Or<br /><img src="https://user-images.githubusercontent.com/53654076/144697787-4b7adc2f-4dde-49ef-9949-4459d6efb10c.png" width="300"> |
| 50 | + |
| 51 | +Normal | Virtualized |
| 52 | +:-------------------------:|:-------------------------: |
| 53 | +<img src="https://user-images.githubusercontent.com/53654076/144697246-cc975888-64ad-4371-96d8-af402bf0f8ed.png" width="600"> | <img src="https://user-images.githubusercontent.com/53654076/144697407-afcf26b2-2d95-4143-8e94-b10b84634174.png" width="300"><br />Or<br /><img src="https://user-images.githubusercontent.com/53654076/144697662-3b6d575c-b989-4efa-979d-fa6c4d6d38a2.png" width="300"> |
| 54 | +</details><br /> |
| 55 | + |
| 56 | +### Contribution: |
| 57 | +Want to contribute to this project? Feel free to open a [pull request](https://github.com/SychicBoy/NETReactorSlayer/pulls). |
| 58 | + |
| 59 | +### License: |
| 60 | +**NETReactorSlayer** is licensed under [GPLv3](https://www.gnu.org/licenses/gpl-3.0.en.html). |
| 61 | + |
| 62 | +### Credits: |
72 | 63 | - [dnlib](https://github.com/0xd4d/dnlib) |
73 | 64 | - [de4dot.blocks](https://github.com/de4dot/de4dot/tree/master/de4dot.blocks) |
74 | 65 | - [Harmony](https://github.com/pardeike/Harmony) |
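Review bot: The removed "Optional commands" block was the only record of the old `--no-*` switches, and the new table has no counterpart for `--no-arithmetic` and appears to fold `--no-anti-tamper` and `--no-anti-debug` into the single `--anti-tamper`. Add a short note that the option syntax changed and what happened to those switches, since scripts using the old names may need updating. In the new Known Issues text the name is spelled `NETReactorSlayer` while the heading and intro use `NetReactorSlayer`; pick one spelling. The phrases "If target assembly not working" and "few example of comparing" need a grammar pass. The two Normal/Virtualized tables inside `<details>` carry no caption or alt text, whereas the removed text said which pair showed the string decryptor and which the control flow field initializer; keep that distinction so an analyst can tell why strings or control flow were left untouched in the output.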