https://github.com/holly-hacker/eazfixer
A deobfuscation tool for Eazfuscator.
https://github.com/holly-hacker/eazfixer
deobfuscation deobfuscator eazfuscator
Last synced: about 1 year ago
JSON representation
A deobfuscation tool for Eazfuscator.
- Host: GitHub
- URL: https://github.com/holly-hacker/eazfixer
- Owner: holly-hacker
- License: mit
- Created: 2017-12-30T20:32:26.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2023-06-20T18:39:57.000Z (about 3 years ago)
- Last Synced: 2025-05-07T18:14:25.569Z (about 1 year ago)
- Topics: deobfuscation, deobfuscator, eazfuscator
- Language: C#
- Size: 74.2 KB
- Stars: 388
- Watchers: 30
- Forks: 129
- Open Issues: 6
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# EazFixer [](https://ci.appveyor.com/project/HoLLy-HaCKeR/eazfixer)
A deobfuscation tool for Eazfuscator.
## Downloading
You can download the latest master build at [AppVeyor](https://ci.appveyor.com/project/HoLLy-HaCKeR/eazfixer/build/artifacts). If there was no commit in the last 6 months, you will have to build it yourself. Please do not open issues asking for me to build it for you.
## Description
EazFixer is a deobfuscation tool for [Eazfuscator](https://www.gapotchenko.com/eazfuscator.net), a commercial .NET obfuscator. For a list of features, see the list below.
### Implemented fixes:
* String encryption
* Resource encryption
* Assembly embedding
### Not implemented, may be added in the future:
* Entrypoint obfuscation
* Data virtualization
### Out of scope:
* Code virtualization (consider using [EazyDevirt](https://github.com/puff/EazyDevirt))
* Symbol renaming (symbol names are either unrecoverable or encrypted. For symbol decryption in case of a known key, see [EazDecode](https://github.com/HoLLy-HaCKeR/EazDecode))
* Automatic code optimization (not an anti-feature!)
* Code control flow obfuscation (I didn't have any problems with my samples in dnSpy)
* Assemblies merging (doesn't seem probable, especially with symbol renaming)
* Control flow obfuscation (use de4dot)
## Usage
Call from the command line or drag and drop the file on and let it run or use the command line flag `--file`.
If your assembly is protected with control-flow obfuscation, run it through [de4dot](https://github.com/0xd4d/de4dot) with the
`--only-cflow-deob` flag first.
* --file path
* --keep-types
* --virt-fix
The flag `--file` is used for the input file.
The flag `--keep-types` is similar to the de4dot flag, Keeps obfuscator types and assemblies.
The flag `--virt-fix` keeps certain parts obfuscated to stay working with [virtualized](https://help.gapotchenko.com/eazfuscator.net/30/virtualization) assemblies.
example: `EazFixer.exe --file test.exe --keep-types`
## Building
Clone the repository and use the latest version of Visual Studio (2019, at the time of writing).
## Support
EazFixer is (and will always be) targeted at the latest version of Eazfuscator. If your version is not supported, try a more universal
deobfuscator like [de4dot](https://github.com/0xd4d/de4dot). If your version is newer than what this tool supports, create an issue only
**after** verifying with the latest version of Eazfuscator.
Also, I will not help you use this program. Consider it for advanced users only. If you do run into a problem and are sure it is a bug,
feel free to submit an issue but I cannot guarantee I will fix it.
## Related projects
- [EazDecode](https://github.com/HoLLy-HaCKeR/EazDecode), for decrypting encrypted symbol names in case of a known encryption key.
- [eazdevirt](https://github.com/saneki/eazdevirt), a tool for devirtualizing older version of EazFuscator.
- [eazdevirt fork](https://github.com/HoLLy-HaCKeR/eazdevirt), my abandoned fork of eazdevirt, may work slightly better on newer samples.
## Credits
This tool uses the following (open source) software:
* [dnlib](https://github.com/0xd4d/dnlib) by [0xd4d](https://github.com/0xd4d), licensed under the MIT license, for reading/writing assemblies.
* [Harmony](https://github.com/pardeike/Harmony) by [Andreas Pardeike](https://github.com/pardeike), licensed under the MIT license, for patching the stacktrace which allows for reflection invocation to be used.