An open source (GPLv3) deobfuscator for Eziriz .NET Reactor
- From 6.0.0.0 To 6.8.0.0
- Clean Control Flow
- Restore Hidden Calls
- Remove Proxy Calls
- Decrypt Strings
- Remove Anti Tamper
- Remove Anti Debugger
- Decrypt Resources
- Dump Embedded Assemblies
- Decrypt Methods (NecroBit)
- Unpack Native
- Decrypt Tokens
Just drag and drop target obfuscated assembly on it.
--no-necrobit Don't decrypt methods (NecroBit).
--no-anti-tamper Don't remove anti tamper.
--no-anti-debug Don't remove anti debugger.
--no-hide-call Don't restore hidden calls.
--no-str Don't decrypt strings.
--no-rsrc Don't decrypt assembly resources.
--no-deob Don't deobfuscate methods.
--no-arithmetic Don't resolve arithmetic equations.
--no-proxy-call Don't clean proxied calls.
--no-dump Don't dump embedded assemblies.
--no-remove Don't remove obfuscator methods, resources, etc...
--no-decrypt-token Don't decrypt tokens.
In some targets string decryptor method is virtualized, that's why NetReactorSlayer can't decrypt strings.
The normal string decryptor method should looks like this:
And the virtualized string decryptor method should looks like one of below images:
.NET Reactor 6.7 or above use some arithmetic equations to apply control flow:
if you click on the class of field, You'll see one of class methods define the fields value on runtime:
NetReactorSlayer get that fields value to deobfuscate control flow, but in some targets this method is virtualized and the method goanna looks like one of below images:
That's why NetReactorSlayer get's failed to clean controlflow because it's don't have a feature yet to devirtualize virtualized methods.
- Try to save deobfuscated file with Preserve all MD tokens & Keep old MaxStack options:
Its free, but there is no support for it, I'll keep updating it for latest .NET Reactor version as I can.