Project Old Rod is an automated command-line utility that attempts to disassemble any .NET application protected by the KoiVM virtualiser plugin for ConfuserEx. Additionally, it tries to recompile the VM code back to .NET CIL in an attempt to recover the original code.
Project Old Rod is released under the GPLv3 license.
-
N00b users: Just drag and drop the protected executable in
OldRod
and observe how the majestic Magikarp fixes your code all by itself. Pretty nice huh? -
Advanced users: Old Rod has a lot of features! Type the following command in a terminal to get an overview of all available options and flags:
OldRod.exe --help
Some of the niceties include:
--output-directory
, which sets the output directory (who would have thought!?).--koi-stream-name
,--koi-stream-data
,--entry-type
and--constants-type
, which help the magestic Magikarp finding the data it needs.--no-pause
if you don't like pressing a key to continue at the end of it all.
The devirtualiser is powered by the following projects:
- AsmResolver: .NET inspection library .
- Rivers: Graph analysis library .
These are submodules located in the src
directory, so be sure to clone them as well before building the project.
No. It only disassembles the code and recompiles it. It will not simplify control flow, nor will it decrypt your strings, simplify arithmetic expressions, rename all symbols, decrypt resources, or anything like that. For this, other tools exist.
- ... crashes,
- ... prints errors I don't want to read,
- ... produces corrupted files.
These are features, not bugs. You can turn them off by using:
OldRod.exe <input-file> --dont-crash --no-errors --no-output-corruption
If the above does not work, please consider going to the issue tracker and file a detailed bug report, taking the following into account:
- Be aware I do this project in my little free time.
- Because of this, when filing a report it is important to narrow down the issue as much as possible to your ability.
- Issues simply stating "it doesn't work" will be ignored.
- Respect original authors of copyrighted software. Don't upload copyrighted executables protected by KoiVM. These issues will be deleted immediately.
- Look at the troubleshooting tips in the readme.
Also, be aware this is a work in progress. Sometimes the Magikarp has a tendency to randomly splash around and reach havoc in the file for unknown reasons. Little can be done here other than waiting for the beast to finally mature.
Old Rod has quite a few diagnostics built-in that might help you out:
--verbose
will print all (!) debug and full error messages to the standard output.--log-file
will produce areport.log
in the output directory containing a log that is similar to enabling--verbose
. You don't need to include--verbose
to get a verbose output in the log file.--dump-il
,--dump-cil
,--dump-cfg
and/or--dump-cfg-all
will create all kinds of dumps of intermediate steps of the devirtualisation process in the output directory.--rename-symbols
will rename most (but not all) symbols in the KoiVM runtime library to something more meaningful.--only-export 1,2,3
or--ignore-export 1,2,3
will only include or exclude exports 1, 2 and 3 respectively.--salvage
will let the devirtualiser try to recover from errors as much as possible. Note that this is a very mysterious feature, and enabling this feature might have cool side-effects and result in incorrect binaries being produced.
I thought it would be a cool project.
I noticed quite a few people using KoiVM illegitimately (e.g. for protecting malware). Also KoiVM is now open source for anyone to grab, so I thought it wouldn't hurt the original author.
Because the project is complicated.
Because KoiVM is more complicated than the average VM that is out there for .NET. Check out the docs to find out how the recompiler works.
Also I am probably not the best coder or reverse engineer.
Yes, but I am stubborn, I don't like to write countless of patterns, and I like writing compilers.
Not all instructions are always perfectly translated to CIL, and still require some of the original features of KoiVM (most notably, the flags register as the CLR does not have one). For this, the code generator might inject some code to emulate the behaviour of these features. This is put into this namespace.
In the original release of KoiVM, the plugin description mentions a Magikarp virtualising your code. In the original Pokémon games, the best way to catch a Magikarp is using an old rod.
...
Honestly, I don't know, I am probably weird...