DeReactor – Tool to deobfuscate .Net Reactor assembly

Yesterday, I visited forum of RETEAM and found a thread asking which obfuscator is applied on the target. So curious, I downloaded the target and try to identify with my tool .Net Id and he could not identify which packer was used. The packer used for the target is .Net Reactor. My tool does not work becauseĀ  of my programming fault. I fixed it and it works again. I already added a new signature for PE Compact. During analyzing the assembly, I found that it is not difficult to write a tool to deobfuscate the target. Therefore I started to write DeReactor to deobfuscate .Net Reactor.

As you know, the obfuscator obfuscate all of functions, variable’s name, encrypt string and flow control. DeReactor will help you to achieve an assembly with easy-to-read source code.

Flow control

.Net Reactor uses a simple tip to anti-decompile with .Net Reflector. He just added 3 instructions before each method so that Reflector confuses. They areĀ  ‘branch’, ‘pop’ and ‘load int 0’ instructions as you can see in the figure below:

This trick is also used in many other obfuscators. They just add some useless instructions in the header of each method and then put jump command to entry point at the top. With this way, they did not destroy or obfuscate any flow control but this trick can prevent Reflector from decompiling. This trick is pretty weak against an expert reverser but it is a good candidate to fight against script kiddie. It is also pretty simple to implement.

Encrypt string

The second feature of .Net Reactor is that it will encrypt all of string into a unreadable form so that the reverser has no clue to find which he really wants. The way.Net Reactor works to decrypt the string during executing is pretty simple. He just encrypt the clear text and replace the clear text with encrypted one. Then inserted the decrypt function below this ‘ldstr’ instruction and this function will decrypt the string to original form and gives it back to the program as the figure below.

There are still a lot of things to do with this tool. But I hope in this beta version it will help you a little so that you can analyze your assembly easier.

10 thoughts on “DeReactor – Tool to deobfuscate .Net Reactor assembly”

  1. Doesn’t work at all with my .NET Reactor 4.0 protected files!! New string encryption, code encryption, control flow…. etc. If I enable control flow (level 1-9) much more is done than simply add 3 intructions. Removing 3 instructions doesn’t deflow the assemblies!

  2. What really is the purpose of this reverse engineering work? Why go out of your way to decompile someone’s software, and then turn around and publish your findings to the general public? Are you trying to show us that you can do it, or you have a higher purpose? I am sure their EULA will clearly state that you are not allowed to decompile their product.

  3. @johnd:
    I have no purpose when doing this reverse engineering. I just want to find out how the obfuscator works and I write my own deobfuscator for fun.
    I would like to remind you that I HAVE NEVER DECOMPILED ANY COMMERCIAL SOFTWARE, WRITTEN ANYTHING TO SHOW THAT I WAS DECOMPILING ANY COMMERCIAL SOFTWARE OR USED MY TOOL TO CRACK ANY COMMERCIAL SOFTWARE. I reversed MY OWN SOFTWARE.
    What do you mean with “show us”? Who are you? I do not even know who you are. How can I be trying to show you what I am doing. Reverse engineering is my hobby. When nobody uses my tool, I will continue my work. I make my tool for myself, for my hobby, not for anyone, not for showing anything.
    It’s for me always completely clear that I am not allowed to reverse a defined software without their permission. Anyway thank you for your reminding.
    At last, I don’t want to discuss this problem again. Believe me a war will be broken if we continue. Instead of scaring me with a lot of laws, you can go to Red Gate website and bring them to court because they made a so good decompiler. Without .Net Reflector all .net software will be safe against crackers.
    Regards.

  4. I tested .Net Reactor and found it buggy enough to decide not spend more time with it. Contacted support and no answer.
    Biggest issue found is:
    * The licensing schema does not work when you have a 64-bit OS.

  5. Hi, i have a .net program (c#) it was obfuscated with dot fuscator, but i can’t deobfuscate it’s symbols there are symbols like in chineese and more not showable how can i deobfuscate them?

Leave a Reply

Your email address will not be published. Required fields are marked *