Exetools

Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   Babel-Deobfuscator (https://forum.exetools.com/showthread.php?t=20782)

CodeCracker 12-14-2023 00:51
Babel-Deobfuscator
 
1 Attachment(s)
Babel-Deobfuscator:
original link:
https://github.com/JenildoHaxhiraj/Babel-Deobfuscator
* added support for last Babel version;
* added resources decryption;

You will need to dump files with MegaDumper - detected so change file name of MegaDumper exe to random name.
You will still need to use de4dot-3.1 once after using this tools else while running unpacked program may report some method as having Invalid body.

Babel-Deobfuscator.exe is inside Babel-Deobfuscator_Src_BinInDllFolder.rar\Babel-Deobfuscator_Src\Babel-Deobfuscator\Babel-Deobfuscator\dll
Enjoy.

CodeCracker 12-15-2023 20:06
Babel-Deobfuscator - Fixed a bug
 
1 Attachment(s)
Babel-Deobfuscator:
- *new: Fixed a bug - a method had body empty (no instructions after restoring).

CodeCracker 05-14-2025 23:33
Babel-DeobfuscatorNET8
 
1 Attachment(s)
Babel-DeobfuscatorNET7- with config to run on .NET 8 is in Babel-DeobfuscatorNET7.zip\Babel-DeobfuscatorNET7\ReleaseExe
Fixed for Quadspinner Gaea 2:
https://forum.exetools.com/showthread.php?p=133132

Mendax47 05-15-2025 10:24
Quote:
Originally Posted by CodeCracker (Post 133136)
Babel-DeobfuscatorNET7- with config to run on .NET 8 is in Babel-DeobfuscatorNET7.zip\Babel-DeobfuscatorNET7\ReleaseExe
Fixed for Quadspinner Gaea 2:
https://forum.exetools.com/showthread.php?p=133132
If some assembly is directly marged in the target file then it throws exception that Could not load file or assembly 'Babel.Licensing....
Edit: Resolved...

CodeCracker 05-15-2025 16:34
Here is Babel.Licensing, Version=10.9.0.0 dumped:
https://workupload.com/file/LXu3VEetDrU

Mendax47 05-15-2025 18:40
Quote:
Originally Posted by CodeCracker (Post 133146)
Here is Babel.Licensing, Version=10.9.0.0 dumped:
https://workupload.com/file/LXu3VEetDrU
I have dumped the dll file using your dumper... after deobsucation of Gaea.dll program crashes rapidly..... however deobsucation of Gaea.Engine.dll sucessfully starts the program...

However It seems that only one patch in Gaea.Engine.dll can active the full application

CodeCracker 05-16-2025 05:05
QuadSpinner.Gaea.App.OnStartup(StartupEventArgs e)
// Token: 0x0600046A RID: 1130 RVA: 0x00036A38 File Offset: 0x00034C38
protected override void OnStartup(StartupEventArgs e)

CodeCracker 05-16-2025 23:12
Babel-DeobfuscatorNET7_Fixed2
 
1 Attachment(s)
Babel-DeobfuscatorNET7_Fixed2:
Fixed 2 errors: 1. one on control flow deobfuscation on the above:
QuadSpinner.Gaea.App.OnStartup(StartupEventArgs e)
// Token: 0x0600046A RID: 1130 RVA: 0x00036A38 File Offset: 0x00034C38
protected override void OnStartup(StartupEventArgs e)
\ControlFlow\De4Dot.cs
There was an unnecessarily
//List<Block> allBlocks = blocks.MethodBlocks.GetAllBlocks();
which is now marked with comment

2. Second error on getting Type from IntPtr (on resolve local variables).
SuperDynamicReader.cs
TypeSig ISignatureReaderHelper.ConvertRTInternalAddress(IntPtr address)

Here is the completely unpacked dll Gaea.dll:
https://workupload.com/file/jy5LcPeQUMJ

CodeCracker 01-20-2026 01:06
Babel-DeobfuscatorNET4_fixed4
 
1 Attachment(s)
Babel-DeobfuscatorNET4_fixed4:
- specially build last version of Babel; https://www.babelfor.net/sdm_downloads/babel-obfuscator-1150/
deobfuscating Babel.Licensing.dll file.
First time execute only VM Decryption so press E key on console window when asked. I got to do this is because VM Decryption stuff execute some craps.
Second time; after saving you should have a full de-obfuscated assembly.


All times are GMT +8. The time now is 20:56.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX