Skip to content

A tool for automatically reconstructing IL code from an assembly virtualized with Eazfuscator.NET

License

Notifications You must be signed in to change notification settings

puff/EazyDevirt

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

EazyDevirt

EazyDevirt is an open-source tool that automatically restores the original IL code from an assembly virtualized with Eazfuscator.NET.

InstallationUsageFeaturesRoadmapSupport

forthebadge

GPLv3 License

Usage

$ EazyDevirt <assembly> [<output>] [options]
Arguments:
  <assembly>  Path to target assembly
  <output>    Path to output directory [default: ./eazydevirt-output]

Options:
  -v, --verbose <verbosity>  Level of verbosity [1: Verbose, 2: Very Verbose, 3: Very Very Verbose] [default: 0]
  --preserve-all             Preserves all metadata tokens [default: False]
  --no-verify                Don't verify labels or compute max stack for devirtualized methods [default: False]
  -kt, --keep-types          Keeps obfuscator types [default: False]
  --save-anyway              Saves output of devirtualizer even if it fails [default: False]
  --only-save-devirted       Only saves successfully devirtualized methods (This option only matters if you use the
                             save anyway option) [default: False]
  --version                  Show version information
  -?, -h, --help             Show help and usage information

Example:

$ EazyDevirt.exe test.exe -v 3 --preserve-all --save-anyway true

Notes

Don't rename any members before devirtualization, as Eazfuscator.NET resolves members using names rather than tokens.

EazyDevirt requires control flow and other protections (such as string encryption or delegate proxies) to be removed first. To remove string encryption, you can use EazFixer.

For control flow obfuscation, you can try using de4dot:

$ de4dot <assembly> --only-cflow-deob

Installation

To clone the project use:

$ git clone --recurse-submodules https://github.com/puff/EazyDevirt.git

Then you can use your favourite IDE or build from the command line:

$ dotnet restore
$ dotnet build -c Release

Features

  • Automatically identify virtual opcodes and devirtualize methods
  • Emulated binary reader using Echo

Roadmap

See the open issues for a list of proposed features (and known issues).

Support

EazyDevirt is targeted at version 2022.2 of Eazfuscator.NET. If the version you're trying this tool on is not supported, you will need to add support for it yourself. You can take a look at the differences between the branches to see what you need to change.
The old-2022 branch supports a different version of 2022.2 than the main branch. The old-2021 branch supports an unknown version from 2021.

Credits

And a thank you, to all other contributors.

About

A tool for automatically reconstructing IL code from an assembly virtualized with Eazfuscator.NET

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages