EazyDevirt is an open-source tool that automatically restores the original IL code from an assembly virtualized with Eazfuscator.NET.
Installation • Usage • Features • Roadmap • Support
$ EazyDevirt <assembly> [<output>] [options]
Arguments:
<assembly> Path to target assembly
<output> Path to output directory [default: ./eazydevirt-output]
Options:
-v, --verbose <verbosity> Level of verbosity [1: Verbose, 2: Very Verbose, 3: Very Very Verbose] [default: 0]
--preserve-all Preserves all metadata tokens [default: False]
--no-verify Don't verify labels or compute max stack for devirtualized methods [default: False]
-kt, --keep-types Keeps obfuscator types [default: False]
--save-anyway Saves output of devirtualizer even if it fails [default: False]
--only-save-devirted Only saves successfully devirtualized methods (This option only matters if you use the
save anyway option) [default: False]
--version Show version information
-?, -h, --help Show help and usage information
$ EazyDevirt.exe test.exe -v 3 --preserve-all --save-anyway true
Don't rename any members before devirtualization, as Eazfuscator.NET resolves members using names rather than tokens.
EazyDevirt requires control flow and other protections (such as string encryption or delegate proxies) to be removed first. To remove string encryption, you can use EazFixer.
For control flow obfuscation, you can try using de4dot:
$ de4dot <assembly> --only-cflow-deob
To clone the project use:
$ git clone --recurse-submodules https://github.com/puff/EazyDevirt.git
Then you can use your favourite IDE or build from the command line:
$ dotnet restore
$ dotnet build -c Release
- Automatically identify virtual opcodes and devirtualize methods
- Emulated binary reader using Echo
See the open issues for a list of proposed features (and known issues).
EazyDevirt is targeted at version 2022.2 of Eazfuscator.NET.
If the version you're trying this tool on is not supported, you will need to add support for it yourself. You can take a look at the differences between the branches to see what you need to change.
The old-2022 branch supports a different version of 2022.2 than the main branch. The old-2021 branch supports an unknown version from 2021.
- void-stack for the many contributions.
- saneki for the eazdevirt project.
- TobitoFatitoRE for the HexDevirt project.
- Washi1337 for the AsmResolver and Echo libraries.
And a thank you, to all other contributors.