DeReactor – Tool to deobfuscate .Net Reactor assembly

Yesterday, I visited the RETEAM forum and found a thread asking which obfuscator was applied to a target. Curious, I downloaded the target and tried to identify it with my tool .Net Id, and it could not identify which packer was used. The packer used for the target is .Net Reactor. My tool did not work because of a programming fault of mine. I fixed it and it works again. I also added a new signature for PE Compact. While analyzing the assembly, I found that it is not difficult to write a tool to deobfuscate the target. Therefore I started to write DeReactor to deobfuscate .Net Reactor.

As you know, the obfuscator renames all functions and variables, encrypts strings and obfuscates flow control. DeReactor will help you to obtain an assembly with easy-to-read source code.

Flow control

.Net Reactor uses a simple trick to defeat decompilation with .Net Reflector. It just adds 3 instructions at the beginning of each method so that Reflector gets confused. They are the ‘branch’, ‘pop’ and ‘load int 0’ instructions, as you can see in the figure below:

This trick is also used in many other obfuscators. They just add some useless instructions at the start of each method and then put a jump to the real entry point at the very top. This way they do not destroy or obfuscate any flow control, but the trick still prevents Reflector from decompiling. It is pretty weak against an expert reverser, but it is a good candidate to fight against script kiddies, and it is also pretty simple to implement.
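As an added illustration (not DeReactor's own code), here is a small Python routine that recognizes that three-instruction prologue at the start of a raw IL method body and strips it. It assumes the layout described above: an unconditional `br.s`/`br` that jumps exactly over a `pop` and an `ldc.i4.0`; the sample IL bytes are constructed, and the opcode values are the single-byte encodings from ECMA-335.

```python
import struct

# IL opcodes (single-byte forms, ECMA-335 partition III).
OP_BR_S = 0x2B      # br.s  <int8>   unconditional branch, short form
OP_BR = 0x38        # br    <int32>  unconditional branch, long form
OP_POP = 0x26       # pop            removes the top of the evaluation stack
OP_LDC_I4_0 = 0x16  # ldc.i4.0       pushes the constant 0

# Dead instructions the branch is assumed to skip (assumption: this order).
DEAD_BODY = bytes([OP_POP, OP_LDC_I4_0])


def strip_reactor_prologue(il: bytes) -> bytes:
    """Return the IL body without the dead prologue, or the body unchanged
    when the expected pattern is not found at offset 0."""
    if not il:
        return il
    if il[0] == OP_BR_S and len(il) >= 2:
        size = 2  # opcode + int8 offset
        target = size + struct.unpack_from("<b", il, 1)[0]
    elif il[0] == OP_BR and len(il) >= 5:
        size = 5  # opcode + int32 offset
        target = size + struct.unpack_from("<i", il, 1)[0]
    else:
        return il
    dead_end = size + len(DEAD_BODY)
    # The branch must land exactly past the two dead instructions;
    # otherwise this is an ordinary branch, not the anti-decompiler trick.
    if target != dead_end or il[size:dead_end] != DEAD_BODY:
        return il
    # Everything after the prologue is the real method body. Branch targets
    # inside it are relative, so they stay valid after the shift; absolute
    # offsets in a fat header's exception clauses would still need rebasing.
    return il[dead_end:]


if __name__ == "__main__":
    # Constructed body: br.s +2 ; pop ; ldc.i4.0 ; ldc.i4.1 ; ret
    sample = bytes.fromhex("2b02 2616 17 2a")
    print(strip_reactor_prologue(sample).hex())  # 172a  (ldc.i4.1 ; ret)
```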

String encryption

The second feature of .Net Reactor is that it encrypts all strings into an unreadable form, so that the reverser has no clue where to find what he really wants. The way .Net Reactor decrypts a string at run time is pretty simple. It just encrypts the clear text and replaces the clear text with the encrypted one, then inserts a call to the decrypt function right after this ‘ldstr’ instruction; that function decrypts the string back to its original form and hands it to the program, as the figure below shows.

There are still a lot of things to do with this tool, but I hope this beta version will help you a little so that you can analyze your assemblies more easily.

Unpack .Net Reactor 3.9.8.0

Yesterday I wrote an article about unpacking .Net Reactor 3.9.8.0. You can find it in my portal at the post How to unpack .Net Reactor. In this article I introduce a new way to unpack .Net Reactor. It is not the same as the ways which are used around the world now. I think it will help others to find other methods to unpack .Net assemblies.

While writing this article and exporting it to PDF, I found that there is a problem with my PDF converter. I write my articles in Word and use the open source program PDF Creator to convert them to PDF. In my article I use hyperlinks to the websites of the tools. Instead of showing the hyperlinks directly, I hide them under a description, and PDF Creator cannot render that. It just ignores the hyperlinks, and therefore after converting to PDF I cannot click on the description to open the hyperlinks anymore. I do not know if there is another open source PDF converter. I think PDF Creator is the best one, but it does not support indirect hyperlinks until now. That is a big disadvantage. I have a similar problem with another open source program, FileZilla. FileZilla is a popular open source FTP client, but it does not support getting the link after uploading. It is a big disadvantage that one must do it manually by copying the path and pasting the file name behind it. Sometimes I see that some popular open source software is not as good as I expect. They try to implement something which I do need and pass over all the basic functions.

And the last thing from yesterday is that, with the help of my cousin, I found one of my beloved flash animations whose name I had forgotten a long time ago. You can see it here; it is very meaningful: The interview with god.

The first news of today is that my soap came back. Whoever stole it gave it back. The way my soap came back is exactly the same as the way it went: just after one night, it is here. :))