
 eXeL@B —› WorldWide —› Sphinx iQ -

Rank: 0.6 (guest)
Activity: 0=0
Status: Member

Created: 21 January 2012 22:23 · #1

Hello everyone,

I am trying to reverse engineer the demo version of an English/French survey software called S*phinx iQ (http://www.s*phinxsurvey.com/) [remove stars]. This software costs EUR 2,000...

The software is developed with .NET and I successfully opened the main executable in .NET Reflector. Most of the content (namespaces, classes, methods) is readable but an important part is also obfuscated. Indeed, all the function/method calls from inside these readable functions/methods refer to "internal delegates" in a namespace labeled "A". All these delegates have random 32-character names (ex: c62c2a6bc720de02e0a392a51102c40b9) and always contain a "friend function/method" containing only a function/method call to a "friend field/variable" in the same delegate.

Example:

In the readable part of the code, you can find something like this:

Code:
  if (c62c2a6bc720de02e0a392a51102c40b9.ce656513e27ae33feda0f91f8761bcc94(list, num) <= 0)


which refers to "A.c62c2a6bc720de02e0a392a51102c40b9.ce656513e27ae33feda0f91f8761bcc94()".

In "A", we can find:

Code:
  internal delegate void c62c2a6bc720de02e0a392a51102c40b9(object, int);


which contains:

Code:
  public static void ce656513e27ae33feda0f91f8761bcc94(object obj1, int num1)
  {
      c7fe89751fb8f8db9dad70aa322d12984(obj1, num1);
  }


which calls:

Code:
  protected internal static c62c2a6bc720de02e0a392a51102c40b9 c7fe89751fb8f8db9dad70aa322d12984;


I am looking for a clue on how to deobfuscate this mess. I tried SAE and a lot of different disassemblers but they all see the same mess.

Full demo version can be downloaded here (remove stars):
http://info.les*phinx.eu/telechargement/SetupS*phinxIQ.exe
Main executable here [remove stars]:
http://www.mediafire*.com/?kpx9ygigqqed565

Thanks a lot,

BinaryReporter



Rank: 81.0 (regular), 88thx
Activity: 0.070.02
Status: Member

Created: 22 January 2012 00:42 · Edited by: uncleua · #2

binaryreporter

Try this - --> Link <--

Copy all files on to the work folder and run exe...

I am looking for a clue on how to deobfuscate this mess.

https://github.com/0xd4d/de4dot



Rank: 0.6 (guest)
Activity: 0=0
Status: Member

Created: 23 January 2012 04:02 · #3

Thanks a lot, uncleua. I managed to get most of the assemblies out of the main executable by myself, then I saw your post. So, I switched to de4dot and I got what I was searching for.


This topic is closed. No further replies are accepted.