holly-hacker/EazFixer

Output may fail to run on virtualized assemblies.

holly-hacker opened this issue · 8 comments

Virtualized assemblies can have virtualized code that references the string decryptor (or other normally removed code). Once these types get removed, the virtualized code will fail to run since it cannot resolve it anymore. Related: it could be that we're changing MDTokens when we save the assembly; we shouldn't do that by default (see de4dot's --keep-tokens).

It should be easy to fix this by adding a commandline flag similar to de4dot's --keep-types.

See #12.

What is virtualized? Does de4dot devirtualize methods for old Eazfuscator versions?

To make virtualized methods, EazFuscator creates a virtual machine that executes IL or IL-like instructions and will use that to run the method. You can find more in their documentation here. As far as I know, de4dot does not devirtualize EazFuscator. However, there is eazdevirt by Saneki or my fork of it, although both are outdated by now.

Any hopes for devirtualization?

Devirtualization is a very large beast to tackle. It takes a very long time to implement in the first place, and keeping it updated is a very boring job I wouldn't wish on anyone. There is a good reason why it is the most secure protection EazFuscator has to offer. To give you an idea of how annoying updating devirtualizers is: I've already turned down hundreds of dollars just so I wouldn't have to do it.

For now, I have no plans to add devirtualization to EazFixer, and I don't think I will accept PRs adding the functionality because then I will be burdened with keeping it updated. Perhaps in the future I will make one, but I wouldn't count on it.

I am planning to invest $1k for that implementation, only for one time; no updates are required for me.

Hi, reason behind blocking please.

@DevinoPro virtual opcodes are in a giant list. EazFuscator itself is not a great obfuscator; it's just boring to make a tool. If you want a dirty method (but one that doesn't support code you cannot execute), just attach a debugger to the program and step through the method stubs and look at what it invokes.

Fixed since #15, you can now use --fix-virt or --keep-types.