Hi guys,
Sorry for the English, but my Spanish is very bad.
I am trying to deobfuscate (unpack) the following app:
http://www.chevolume.com/Download.aspx
It is a .NET app and I've tried many things, but with no success. I can successfully use de4dot to rename the methods and fields and remove the delegates, but if I try to run the executable it shows the splash screen and crashes. I am not sure if I am using de4dot with the correct attributes.
The dlls are signed but at the moment I am not trying to change them.
Steps I followed:
1) Run de4dot to rename the methods: de4dot.exe --keep-names d CheVolume.exe (names are used by the delegates). Generated exe already crashes.
2) Remove delegates using DelegateKiller.
3) Try to run the resulting executable. It shows the splash screen and crashes.
I noticed that if I just open the original executable in Reflector and "save as" using Reflexil 2.0, the generated executable crashes, even if I don't change any IL instruction. I compared both EXE(s) and for some reason Reflexil makes changes to the binary.
RDG Detector says that it is obfuscated but not crypted. I appreciate any help to "unpack" or at least solve the problem with Reflexil 2.0. If I can make the saved executable generated by Reflexil work, that may be sufficient to progress with my analysis.
Thank you in advance.