Hello !

I’m sometimes scrolling youtube videos about RE and I notice most of them are only 2-3 minuts longs. They are only showing how to use freshly-made tool to remove X protector.

That’s quite sad because it gives bad habits to some unexperienced people which will call themselves « reverser » because they’re able to use de4dot and then confuserex-Unpacker and then XX-unpacker and so on…

On the other hand, I see lots of people which want to learn but who can’t find good resources. So, I don’t call me an experienced reverser but anyway, I’ll give you my advices to learn RE.

I’ll share here my useful resources as soon as I’ll get back my old hdd with all my RE tuts/resources/…

The most important word here is : HOW? How does de4dot works, how does confuserex encrypt an assembly, how do VMP virtualize methods, how does dnspy decompile assemblies. These examples are very hard one to begin with but these are only examples…

But, before that, a required skill is being able to code. You can’t understand how deobfuscation works if you can’t read them…

After that, you have to understand how does memory works. What is CIL, how the c# code is converted to machine-understandable code, what is the stack, how does a .net exe is made, what are opcode, … For that, I recommend you the book ECMA-355 (https://www.ecma-international.org/publications/standards/Ecma-355.htm). There’s also some books that you may find on the net like « The fundamental of CIL » by Washi and 766F6964 (I can’t give a link to avoid warez but it’s available on RTN) and « Kurapica .Net Reversing TIPS » (Available on tuts4you). You can find also some others books by yourself… Also, I also advice you to read old tutorials from 2005-2010. It was the period were de4dot, dnSpy and the others didn’t exist. They’re sometimes better if the person explain what he’s doing (I really love Kurapica papers that you can find. I don’t have a link here ) Tuts4you collection has also good content : https://forum.tuts4you.com/files/file/1865-tuts-4-you-collection-2011/ )

Okay, so now, you have some basic in Memory and in .net structure, let’s try to analyse some protector. Don’t begin with Appfuscator, Agile .net or even Confuserex. Begin with the most basic one : Phoenix Protector, Yano, Dotwall. Then, if you’re done with these one, try confuserex, appfuscator, agile.net. Look for analysis of other people. You can find some of them here ! To make an analysis, grab the protector and apply protection 1 by 1, then stack protections and look for the difference. If there’s something you don’t understand such as what is a calli, what is a delegate, go on MSDN or google it, there’s thousands resource waiting for you !

Next step if to start making you own deobfuscator. Like for the previous tips, start with the same one. Build a string decryptor for yano, a string decryptor for Dotwall. Then you can make a static string decryptor for confuser(ex). After, you can learn how control flow works to resolve it. You can look how a delegate is resolve and you can make a method restorer. Finally, look for protectors which use jit hook protection, (see this : https://ubbecode.wordpress.com/2014/05/12/how-does-sjithook-work/ ) and look at some VM protector (begin with some basical like .net reactor, MemeVM).

All that is not makable in 1 day. It tooks years to master reverse engineering. But please, read articles, deobfuscator sources, debug obfuscated exe, … The goal is to understand EVERY step that you mean, each line of code that you read. Why is this done and What does it ?

I give you 2 blogs that can be useful for you, there’re not the only I know but these are the first 2 coming in my mind.

UbbeLoL blog : https://ubbecode.wordpress.com/

Kao blog : https://lifeinhex.com/

Then, some board like tuts4you, RTN are the best place to learn !

Finally, here’s a list of obfuscator and deobfuscator. A lot of them are open source so take a look at them !

Deobfuscators : https://github.com/NotPrab/.NET-Deobfuscator

Obfuscators : https://github.com/NotPrab/.NET-Obfuscator

Learning RE today is much more easier than before. There’re lots of papers, videos, articles so take times to read them to improve your skills !