Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ERROR] An unexpected error occurred during decrypting booleans. Value cannot be null. Parameter name: key. #69

Open
greenozon opened this issue May 7, 2023 · 1 comment
Open

[ERROR] An unexpected error occurred during decrypting booleans. Value cannot be null. Parameter name: key. #69

greenozon opened this issue May 7, 2023 · 1 comment

Comments

@greenozon
Copy link

greenozon commented May 7, 2023
edited

Describe the bug
errors during work
output exe is not clean, some methods can't be even decompiled, decompiler throws exception on these...

Target obfuscated file

input.zip

Screenshots
image

OS Version:
W10

Additional context


  Started deobfuscation: 2023-05-07 13:45:16
  Assembly: RosreestrXML.exe
  Architecture: X86
  CLI Started, PID: 8432
  =====================================

  [INFO] 15/15 Modules loaded...
  [INFO] 6047 Methods decrypted.
  [WARN] Couldn't find any equation to resolve.
  [WARN] Couldn't find anti tamper method.
  [WARN] Couldn't find anti debugger method.
  [WARN] Couldn't find any proxied call.
  [INFO] 2621 Strings decrypted.
  [WARN] Couldn't find any encrypted resource.
  [INFO] 35 Metadata tokens deobfuscated.
  [ERROR] An unexpected error occurred during decrypting booleans. Value cannot be null.
Parameter name: key.
  [INFO] 536 Calls to obfuscator types removed.
  [INFO] Renaming obfuscated symbols...
  [INFO] 10596 Methods inlined.
  [INFO] Saved to: RosreestrXML_Slayed.exe

example of broken methods:

image

Uploading image.png…
@JBou
Copy link

JBou commented Jan 28, 2024

If you change the order of the Stages

NETReactorSlayer/NETReactorSlayer.Core/Options.cs

Lines 218 to 220 in 0d0a631

new ControlFlowDeobfuscator(),
new AntiManipulationPatcher(),
new MethodInliner(),

to this order (move the MethodInliner before the ControlFlowDeobfuscator):

new MethodInliner(),
new ControlFlowDeobfuscator(),
new AntiManipulationPatcher(),

It is not throwing that error, and dnSpy is not throwing an exception. Also, there are 11824 methods inlined instead of 10596 before and more obfuscator types removed. But I don't know if it breaks other functions. In this particular case, it seems to work.

Output:

  [INFO] 6047 Methods decrypted.
  [WARN] Couldn't find any equation to resolve.
  [WARN] Couldn't find anti tamper method.
  [WARN] Couldn't find anti debugger method.
  [WARN] Couldn't find any proxied call.
  [INFO] 2621 Strings decrypted.
  [WARN] Couldn't find any encrypted resource.
  [INFO] 35 Metadata tokens deobfuscated.
  [INFO] 184 Booleans decrypted.
  [INFO] 774 Calls to obfuscator types removed.
  [INFO] 11824 Methods inlined.

As another try, using the original order of Stages, I also tried to comment out these 2 lines:

NETReactorSlayer/NETReactorSlayer.Core/Stages/ControlFlowDeobfuscator.cs

Line 38 in 0d0a631

SimpleDeobfuscator.Deobfuscate(method);

NETReactorSlayer/NETReactorSlayer.Core/Stages/ControlFlowDeobfuscator.cs

Line 40 in 0d0a631

SimpleDeobfuscator.DeobfuscateBlocks(method);

Seems that these deobfuscations corrupt the IL code if they are run before the MethodInliner Stage.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@greenozon @JBou