de4dot plugin update new version 2.0.1 out
Updated support for most obfuscators. The rest will be supported later.
de4dot is now using dnlib instead of Mono.Cecil since Mono.Cecil can't handle obfuscated files
Mixed mode (eg. C++/CLI) assemblies are now supported
dnlib is much more stable so if you can execute an assembly, dnlib can load and save it
Preserving the important metadata tokens is now possible 100% of the time. The old hack I used with Mono.Cecil worked most of the time, but only for the "def" tables.
Junk at the end of #Blob signatures can now be saved (--preserve-sig-data)
You can now disable renaming certain things. Eg., when deobfuscating Confuser protected assemblies, try --keep-names d (keep delegate field names, but rename everything else)
--keep-types no longer preserves MD tokens.
New command line options: --keep-names, --dont-create-params, --preserve-tokens, --preserve-table, --preserve-strings, --preserve-us, --preserve-blob, --preserve-sig-data
The actual Win32 resources (not the whole .rsrc) section is copied to the output. Mono.Cecil copied the whole section.
When decrypting methods dynamically, the target's CLR version and CPU architecture is loaded instead of always defaulting to latest CLR version.
We have updated the de4dot plugin for JustDecompile. Please give it a try and let us know what you think.
use dnlib is a library that can read, write and create .NET assemblies and modules.
It was written for de4dot which must have a rock solid assembly reader and writer library since it has to deal with heavily obfuscated assemblies with invalid metadata. If the CLR can load the assembly, dnlib must be able to read it and save it.
Supports reading, writing and creating .NET assemblies/modules targeting any .NET framework (eg. desktop, Silverlight, Windows Phone, etc).
Supports reading and writing mixed mode assemblies (eg. C++/CLI)
Can read and write non-ECMA compatible .NET assemblies that MS' CLR can load and execute
Very stable and can handle obfuscated assemblies that crash other similar libraries.
High and low level access to the metadata
Output size of non-obfuscated assemblies is usually smaller than the original assembly
Metadata tokens and heaps can be preserved when saving an assembly
Assembly reader has hooks for decrypting methods and strings
Assembly writer has hooks for various writer events
Easy to port code from Mono.Cecil to dnlib
Add/delete Win32 resource blobs
Saved assemblies can be strong name signed and enhanced strong name signed