EazyDevirt

EazyDevirt is an open-source tool that automatically restores the original IL code from an assembly virtualized with Eazfuscator.NET.

Installation • Usage • Features • Roadmap • Support

GPLv3 License

Usage

$ EazyDevirt <assembly> [<output>] [options]
Arguments:
  <assembly>  Path to target assembly
  <output>    Path to output directory [default: ./eazydevirt-output]

Options:
  -v, --verbose <verbosity>  Level of verbosity [1: Verbose, 2: Very Verbose, 3: Very Very Verbose] [default: 0]
  --preserve-all             Preserves all metadata tokens [default: False]
  --no-verify                Don't verify labels or compute max stack for devirtualized methods [default: False]
  -kt, --keep-types          Keeps obfuscator types [default: False]
  --save-anyway              Saves output of devirtualizer even if it fails [default: False]
  --only-save-devirted       Only saves successfully devirtualized methods (This option only matters if you use the
                             save anyway option) [default: False]
  --version                  Show version information
  -?, -h, --help             Show help and usage information

Example:

$ EazyDevirt.exe test.exe -v 3 --preserve-all --save-anyway true

Notes

Don't rename any members before devirtualization, as Eazfuscator.NET resolves members using names rather than tokens.

EazyDevirt requires control flow and other protections (such as string encryption or delegate proxies) to be removed first. To remove string encryption, you can use EazFixer.

For control flow obfuscation, you can try using de4dot:

$ de4dot <assembly> --only-cflow-deob

Installation

To clone the project use:

$ git clone --recurse-submodules https://github.com/puff/EazyDevirt.git

Then you can use your favourite IDE or build from the command line:

$ dotnet restore
$ dotnet build -c Release

Features

  • Automatically identify virtual opcodes and devirtualize methods
  • Emulated binary reader using Echo

Roadmap

See the open issues for a list of proposed features (and known issues).

Support

EazyDevirt is targeted at version 2022.2 of Eazfuscator.NET. If the version you're trying this tool on is not supported, you will need to add support for it yourself. You can take a look at the differences between the branches to see what you need to change.
The old-2022 branch supports a different version of 2022.2 than the main branch. The old-2021 branch supports an unknown version from 2021.

Credits

And a thank you to all other contributors.