An open source (GPLv3) deobfuscator and unpacker for Eziriz .NET Reactor
Home Page: https://www.CodeStrikers.org
License: GNU General Public License v3.0
NETReactorSlayer is an open source (GPLv3) deobfuscator and unpacker for Eziriz .NET Reactor.
| GUI | CLI |
|---|---|
 |
 |
Get the latest stable version from GitHub releases.
Check out the Wiki for guides and information on how to use it.
Want to contribute to this project? Feel free to open a pull request.
NETReactorSlayer is licensed under GPLv3.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Sorry..i dunno a bout this
message come out when i try to DEOBFUSCATION..
WARNING: CODE VIRTUALIZATION HAS BEEN DETECTED, INCOMPLETE DEOBFUSCATION OF THE ASSEMBLY MAY RESULT.
the app when i check with debugger program..it's look like good deobfus..but wont run..
Hi friend, I have problem to unpack assembly with detect as below:
I try to use your tool, and it take no responses:
please help
i think there are nothing about restoring encrypted tokens for ldtoken opcode
they are something like :
Type.GetTypeFromHandle(\u0086\u0086\u0086\u000D\u000A\u0086\u0086\u0086\u0086\u0099\u0091.\u0086\u0086\u0086\u000D\u000A\u0086\u0086\u0086\u0087\u0089\u0089(33554439))
file: https://ufile.io/7m5ho9q2
ss:
As usual, Eziriz has made some changes in the new version of .NET Reactor (6.9.0.0). We should update .NETReactorSlayer to support the latest version of .NET Reactor.
Describe the bug
decrypt necrobit Methods failed
Target obfuscated file
Fiddler.WebUi.zip
Screenshots
OS Version:
win 10
Additional context
parameters that may be used for encryption
dotNET_Reactor.Console.exe^
-antitamp 1^
-antidebug 1^
-control_flow 1^
-flow_level 9^
-necrobit 1^
-naming stealth^
-mapping_file 1^
Banner of the tool is not properly rendered in standard cmd.exe console
eg:
ver 6.4.0 from NETReactorSlayer.CLI-net6.0-win64.zip package
[✓] 14/14 Modules loaded...
[!] Couldn't load assembly using reflaction.
[X] An unexpected error occurred during decrypting methods.
[✓] 699 Equations resolved.
[✓] Anti debugger removed.
[!] Couldn't find anti tamper method.
[!] Couldn't find any proxied call.
[X] An unexpected error occurred during decrypting strings.
[!] Couldn't find any encrypted resource.
[✓] 14 Metadata tokens deobfuscated.
[✓] 1 Booleans decrypted.
[!] Couldn't find strong name removal protection.
[✓] Restoring the actual type of fields & parameters...
[✓] 7 Calls to obfuscator types removed.
[✓] Renaming obfuscated symbols...
[✓] 297 Methods inlined.
Describe the bug
Anti tamper doesn't work correctly, whenever I try to open the deobfuscated app it crashes. I have tried running it under a debugger and apparently It crashed because of an exception named "???" and no exception message. I also tried manually removing anti tamper by following what the source code does and this produced the same effect. I believe that this anti-tamper removal method no longer works.
Target obfuscated file
I would rather not share the file. I would love to get in contact though, If I could get your Discord that would be great.
Screenshots
There isn't much to show, the correct method is removed and all the other features work correctly.
OS Version:
Windows 8 64bit
Additional context
No additional context.
Describe the bug
I notice that some Fields and Methods that are not used within the program being decompiled end up being removed. This is an issue as the same program is linked against when making extensions for said program. It is also then used to compile said extensions. As a result, when a program is finished being decompiled and someone loads an extension that uses one of the deleted fields or methods, it fails to compile.
I believe the SymbolRenamer.cs stage may be what's doing this as it happens with only that stage selected in the application (or switch set in the CLI). Any hints as to where exactly that may be would provide some help with me trying to find a fix that I could PR.
Describe the bug
after using the tool wiht default settings the produced output is having 99% of the protector functions
Target obfuscated file
attached
OS Version:
W10
Additional context
Rector verion 6.9
Expectations
no protector junk is left (or at least not hat much as for the moment)
NETReactorSlayer.CLI-netcoreapp3.1-linux64.zip
➜ unzip NETReactorSlayer.CLI-netcoreapp3.1-linux64.zip.zip
Archive: NETReactorSlayer.CLI-netcoreapp3.1-linux64.zip.zip
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
note: NETReactorSlayer.CLI-netcoreapp3.1-linux64.zip.zip may be a plain executable, not an archive
unzip: cannot find zipfile directory in one of NETReactorSlayer.CLI-netcoreapp3.1-linux64.zip.zip or
NETReactorSlayer.CLI-netcoreapp3.1-linux64.zip.zip.zip, and cannot find NETReactorSlayer.CLI-netcoreapp3.1-linux64.zip.zip.ZIP, period.
We should port from .NET Framework to .NET Core to make .NETReactorSlayer available on Linux and macOS.
Describe the bug
This tool fails to unpack native image and embedded assemblies packed by net reactor.
Target obfuscated file
Here is the file link:-
Password is 123
https://workupload.com/file/KWGwnkNsc2f
OS Version:
Windows 11 64bit
The dll is damaged possibly due to deobfuscation. There is nothing I can do for it. There is no support for obfuscated dlls.
If it works, that's just lucky; if it doesn't, you find another way to fix it by yourself.
The damaged method is XsmpMax.D
XsmpMax_2023_Slayed-bak.zip
ragDrops.DragDrop/<>c::method_0(System.Windows.Point).
Parameter "p" is used to rename properties.
The repair code is:
this.chkRename.Tag = "--rename ntmfpe";
As usual, Eziriz has made some changes in the new version of .NET Reactor (6.9.0.0). We should update .NETReactorSlayer to support the latest version of .NET Reactor.
Is it possible to save the deprotected output file nearby the input one?
for the moment the tool writes into c:\ drive which is not very convenient (and might need admin rights to do so...)
When trying to use fresh dnlib version 4.0.0 Slayer shows never ending exceptions (when working inside VS), eg:
Exception thrown: 'System.NullReferenceException' in dnlib.dll
Object reference not set to an instance of an object.
Exception thrown: 'System.NullReferenceException' in dnlib.dll
Object reference not set to an instance of an object.
Exception thrown: 'System.NullReferenceException' in dnlib.dll
Object reference not set to an instance of an object.
.....
from within VS:
this issue refs to pending PR #73
Describe the bug
After using NetReactorSlayer Executable file is not working. I also try it with PreserveAllMDToken and KeepOldMaxStack but problem still there
Target obfuscated file
Archive Password is 123
Download Link is here:-
https://workupload.com/file/Q2kgRpZY3Lv
OS Version:
Windows 11 64bit
Describe the bug
errors during work
output exe is not clean, some methods can't be even decompiled, decompiler throws exception on these...
Target obfuscated file
Screenshots
OS Version:
W10
Additional context
Started deobfuscation: 2023-05-07 13:45:16
Assembly: RosreestrXML.exe
Architecture: X86
CLI Started, PID: 8432
=====================================
[INFO] 15/15 Modules loaded...
[INFO] 6047 Methods decrypted.
[WARN] Couldn't find any equation to resolve.
[WARN] Couldn't find anti tamper method.
[WARN] Couldn't find anti debugger method.
[WARN] Couldn't find any proxied call.
[INFO] 2621 Strings decrypted.
[WARN] Couldn't find any encrypted resource.
[INFO] 35 Metadata tokens deobfuscated.
[ERROR] An unexpected error occurred during decrypting booleans. Value cannot be null.
Parameter name: key.
[INFO] 536 Calls to obfuscator types removed.
[INFO] Renaming obfuscated symbols...
[INFO] 10596 Methods inlined.
[INFO] Saved to: RosreestrXML_Slayed.exe
example of broken methods:
As usual, Eziriz has made some changes in the new version of .NET Reactor (6.9.0.0). We should update .NETReactorSlayer to support the latest version of .NET Reactor.
Release 2.0.0.0 from bin.zip
can't run x64 exe:
Win7 x64 SP1
C:\123>NetReactorSlayer-x64.exe
Unhandled Exception: System.BadImageFormatException: Could not load file or assembly 'NetReactorSlayer.Core, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. An attem
pt was made to load a program with an incorrect format.
at NetReactorSlayer_x64.Program.Main(String[] args)
There is a problem when restoring hidden method, in version 2.1 it did not happen,
same configuration to deobfuscate, in both versions (2.1 and 3.0)
Thanks
Describe the bug
using default parameters, latest release version 4.0.0.0
Target obfuscated file
https://www.sendspace.com/file/r4hb4o
Screenshots
majority of methods after deobfuscation are not decompiled throwing exception in ILspy, dnSpy
eg:
Reason:
at the method entry the IL code is like follows:
/* 209C0B0000 */ IL_0000: ldc.i4 2972
/* 2800000006 */ IL_0005: call <null>
....
OS Version:
W7x64
Describe the bug
After cleaning through Net Reactor Slayer When we Compose SMS in Software. AT every character we enter software gives error.
Target obfuscated file
https://workupload.com/file/Q2kgRpZY3Lv
Screenshots
https://ibb.co/FWXMTPk
OS Version:
Windows 11 64bit
I use the same target file ,under 2.1 , all is ok,but with 4.0 , errors occurs.
below is in 2.1
public virtual void AddContactToThreatList(Contact theContact)
{
if (this._Threats.Contains(theContact))
return;
this._Threats.Add(theContact);
}
tht's ok
below is in 4.0
public virtual void AddContactToThreatList(Contact theContact)
{
while (!this._Threats.Contains(theContact))
{
int num = 0;
if (\u003CModule\u003E\u007Bfa6f17c6\u002D332f\u002D4cdc\u002Db5a0\u002D75732f27f089\u007D.m_e65d593cc11a4827b2cafe7449027426 != 0)
goto label_3;
label_2:
this._Threats.Add(theContact);
if (\u003CModule\u003E\u007Bfa6f17c6\u002D332f\u002D4cdc\u002Db5a0\u002D75732f27f089\u007D.m_7755c96b29fa46dbb79a3a1db034ec2b == 0)
break;
num = 0;
label_3:
switch (num)
{
case 0:
return;
case 1:
goto label_2;
case 2:
continue;
default:
return;
}
}
}
Target obfuscated file
I have post the target file days ago , it's the same.
Screenshots
If applicable, add screenshots to help explain your problem.
OS Version:
win10 x64
after using the tool I see some dnr internal methods in lots of ctors, eg:
the first two calls are dot net reactor leftovers....
public Test101()
{
z8VqVd2BoDB0euGJcb.IoRGjEXTw();
hZGJKrMNSweI9iZoJp.urf8l2TrZXBjv();
base..ctor();
}
PS I see much more DNR leftover code inside assembly body, but not sure if the tool is capable of deleting that too?...
Describe the bug
GUI NOT WORKING GIVING ERROR ON RESOURCES
OS Version:
Windows 11 22H2 64bit
Video Link: -
https://workupload.com/file/wgc89H2jQyv
Exceção Sem Tratamento: System.Security.Cryptography.CryptographicException: The padding is invalid and cannot be removed.
em System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
em System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
em NETReactorSlayer.Core.Helper.De4dot.DeobUtils.AesDecrypt(Byte[] data, Byte[] key, Byte[] iv) na C:\Users\Administrator\source\repos\NETReactorSlayer\NETReactorSlayer.Core\Helper\De4dot\DeobUtils.cs:linha 96
em NETReactorSlayer.Core.Deobfuscators.ResourceDecryptor.V1.Decrypt(EmbeddedResource resource) na C:\Users\Administrator\source\repos\NETReactorSlayer\NETReactorSlayer.Core\Deobfuscators\ResourceDecryptor.cs:linha 273
em NETReactorSlayer.Core.Deobfuscators.BooleanDecryptor.Execute() na C:\Users\Administrator\source\repos\NETReactorSlayer\NETReactorSlayer.Core\Deobfuscators\BooleanDecryptor.cs:linha 68
em NETReactorSlayer.Core.Program.Main(String[] args) na C:\Users\Administrator\source\repos\NETReactorSlayer\NETReactorSlayer.Core\Program.cs:linha 62
em NETReactorSlayer.Program.Main(String[] args) na C:\Users\Administrator\source\repos\NETReactorSlayer\NETReactorSlayer.CLI\Program.cs:linha 22
Hello, when I run the cli (latest release), I am getting the exception below. (Same as well for GUI when I click to "Start Deobfuscation" button)
Unhandled Exception: System.IO.FileLoadException: Could not load file or assembly 'dnlib, Version=3.6.0.0, Culture=neutral, PublicKeyToken=50e96378b6e77999' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
at NETReactorSlayer.Core.Stages.ControlFlowDeobfuscator..ctor()
at NETReactorSlayer.Core.Options..ctor(IReadOnlyList`1 args) in D:\a\NETReactorSlayer\NETReactorSlayer\NETReactorSlayer.Core\Options.cs:line 215
at NETReactorSlayer.Core.Program.Main(String[] args) in D:\a\NETReactorSlayer\NETReactorSlayer\NETReactorSlayer.Core\Program.cs:line 41
at NETReactorSlayer.CLI.Program.Main(String[] args) in D:\a\NETReactorSlayer\NETReactorSlayer\NETReactorSlayer.CLI\Program.cs:line 22
I am not sure if there is a problem in my end but I doubt. Any help appreciated.
Some Applications are not working after using net reactor slayer giving Object reference not set to a instance of an object.
For example application like SMS Deliverer 1.39 Ultimate.
Is your feature request related to a problem? Please describe.
Can you please introduce option for DestPath. I want to integrate your tool to CAPE sandbox and that would remove some secondary code to move file for proper destination after deobfuscation
Describe the solution you'd like
some option for CLI version like --destpath would be great. Thank you
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
Additional context
Add any other context or screenshots about the feature request here.
Describe the bug
Failed to Decrypt Necrobit.
Gives Assembly Resolver Error
Target obfuscated file
((https://www.raidrive.com/download))
Screenshots
OS Version:
Windows 11 22H2 64bit
Hello! I'm trying to decrypt the file, but I get a decryptor error and virtualization detection. Please tell me if there is any solution or nothing can be done?
[INFO] 15/15 Modules loaded...
[ERROR] An unexpected error occurred during decrypting methods. Could not initialize decrypter.
[INFO] 3297 Equations resolved.
[INFO] Anti tamper removed.
[WARN] Couldn't find anti debugger method.
[WARN] Couldn't find any proxied call.
[INFO] 2501 Strings decrypted.
[INFO] Assembly resources decrypted
[INFO] 210 Metadata tokens deobfuscated.
[INFO] 3413 Calls to obfuscator types removed.
[INFO] Renaming obfuscated symbols...
[INFO] 1138 Methods inlined.
[WARN] WARNING: CODE VIRTUALIZATION HAS BEEN DETECTED, INCOMPLETE DEOBFUSCATION OF THE ASSEMBLY MAY RESULT.
[INFO] Saved to: tt_Slayed.exe
If the protected assembly has got some classes with generics the tool does not remove switch/case spaghetti
eg: public class List : IEnumerable, IEnumerable
will have left following junk and more
private bool MoveNext()
{
int num = 6;
int num4 = default(int);
List<T> list = default(List<T>);
while (true)
{
int num2 = _003C_003E1__state;
int num3 = 5;
if (smethod_0())
{
while (true)
{
switch (num3)
{
case 15:
_003Ci_003E5__2 = num4 + 1;
num3 = 14;
if (smethod_0())
{
continue;
}
goto IL_0028;
case 12:
case 14:
if (_003Ci_003E5__2 < list.Count)
{
num3 = 0;
if (smethod_1() == null)
{
continue;
}
goto IL_0122;
}
goto case 8;
case 10:
if (num2 == 0)
{
goto case 4;
}
goto case 2;
case 4:
_003C_003E1__state = -1;
num3 = 1;
if (smethod_1() == null)
{
continue;
}
goto IL_0028;
case 2:
if (num2 != 1)
{
goto case 11;
}
_003C_003E1__state = -1;
num3 = 3;
if (smethod_0())
{
continue;
}
goto IL_0028;
case 5:
list = _003C_003E4__this;
goto case 10;
case 3:
num4 = _003Ci_003E5__2;
num3 = 15;
if (smethod_0())
{
continue;
}
goto IL_0028;
case 1:
_003Ci_003E5__2 = 0;
goto case 12;
case 6:
break;
case 11:
return false;
default:
goto IL_0122;
case 9:
goto IL_013a;
case 13:
goto end_IL_0108;
case 8:
{
return false;
}
IL_0028:
num3 = num;
continue;
}
break;
}
continue;
}
goto IL_0122;
IL_013a:
_003C_003E1__state = 1;
num = 13;
break;
IL_0122:
_003C_003E2__current = list.method_1()[_003Ci_003E5__2];
goto IL_013a;
continue;
end_IL_0108:
break;
}
return true;
}
MethodDecrypter failed:
Seems it encrypted using .net reactor 6.9.0.0.
For decrypting necrobit it using DecrypterV2 it cannot fetch DecryptionKey and DecryptionIV:
Main method seems have Control Flow Obfuscation via goto:
It cannot fetch DecryptionKey and DecryptionIV, because these arrays declaration not liner, it also obfuscated:
When we tried deobfuscate this Control Flow Obfuscation code:
It replaced a little equations. And code looks better, but also contains "proxy" boolean methods:
Hi mr SycicBoy
on this target whit latest v3.0.0.0 :
https://mega.nz/file/n01l2TDJ#671mPggfXRmNU8evhFkXBPvx-emHb5aY8FSSUJ081hI
Protettore: Eziriz .NET Reactor(6.x.x.x)[By Dr.FarFar]
I'm unable to obtain a startable exe..
any idea?
Tks..
Describe the bug
Target obfuscated file
available
Screenshots
OS Version:
win7 x64
Additional context
latest release used version 4.0.0.0
Describe the bug
FILE GIVING EXCEPTION AFTER DEOBFUSCATION
Target obfuscated file
https://workupload.com/file/Kss7CaWttWa
Password is 123
OS Version:
Windows 11 22H2 64bit
Additional context
Scanner Shows that .Net Reactor 6.x and 4.8-4.9 and Dr.FarFar
The string decrypt method just like below. Tried with "de4dot xxx.exe --strtyp delegate --strtok 0600117A", but it didn't worked.
// Token: 0x0600117A RID: 4474 RVA: 0x0004E274 File Offset: 0x0004C474
public bool method_20(Class151 class151_0)
{
XmlDocument xmlDocument = new XmlDocument();
this.Save(xmlDocument);
return class151_0.method_1(xmlDocument, this.method_22(new byte[] { 236, 242, 240, 9, 250, 15, 14, 13, 254 }));
}
// Token: 0x0600117E RID: 4478 RVA: 0x0004E670 File Offset: 0x0004C870
private string method_22(byte[] byte_0)
{
byte b = 18;
byte b2 = 137;
byte[] array = new byte[byte_0.Length];
Array.Copy(byte_0, array, byte_0.Length);
int i;
for (i = 0; i < array.Length; i++)
{
byte[] array2 = array;
int num = i;
array2[num] ^= b2;
byte[] array3 = array;
int num2 = i;
array3[num2] -= b;
if (array[i] == 0)
{
break;
}
}
return Encoding.UTF8.GetString(array, 0, i);
}
can you add support for the new .net 8 version?
add is where you can deobfuscator armdot obfuscator
ArmDot
I"d like to get back to #5
by default the latest binary can't save the file as by default it is being saved to root of drive C:
eg:
__ __ _____ __ _ __ _
/\ \ \/__\/__ \ /__\ ___ __ _ ___| |_ ___ _ __ / _\ | __ _ _ _ ___ _ __
/ \/ /_\ / /\/ / \/// _ \/ _` |/ __| __/ _ \| '__| \ \| |/ _` | | | |/ _ \ '__|
_/ /\ //__ / / / _ \ __/ (_| | (__| || (_) | | _\ \ | (_| | |_| | __/ |
(_)_\ \/\__/ \/ \/ \_/\___|\__,_|\___|\__\___/|_| \__/_|\__,_|\__, |\___|_|
|___/
.NET Reactor Slayer by CS-RET
Website: www.CodeStrikers.org
Latest version on Github: https://github.com/SychicBoy/NetReactorSlayer
Version: 2.1.0.0
Supported .NET Reactor versions: (6.0) (6.2) (6.3) (6.5) (6.7) (6.8)
==========================
[DONE] Methods decrypted.
[DONE] 1105 Arithmetic equations resolved.
[WARN] Couldn't find anti tamper method.
[WARN] Couldn't find anti debugger method.
[DONE] 3392 Proxied calls removed.
[WARN] Couldn't find any hidden call.
[DONE] 430 Strings decrypted.
[WARN] Couldn't find any encrypted resource.
[WARN] Couldn't find any embedded assembly.
[DONE] 10 Tokens decrypted.
[PROMPT] Do you want to preserve all MD tokens? (Y/n): n
[PROMPT] Do you want to keep old MaxStack value? (Y/n): n
[ERROR] Failed to save file. Access to the path 'c:\test_asm.dll' is denied.
There is a PR ready that mitigates this issue...
#7
Thank you
Describe the bug
When i try to slay .net reactor 6.4 protected file and disable the renaming it ends up like that
it even look on detect it easy as protected
Target obfuscated file
Private
Screenshots
OS Version:
Windows 10
Additional context
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.