Deobfuscate Stack Trace

After obfuscation, stack traces in log output show obfuscated function names, which makes tracking down issues much harder. Restoring the original stack by hand is very tedious: each name has to be looked up in the symbol mapping file (see the Symbol Obfuscation documentation), which records the mapping between original and obfuscated functions. Obfuz provides the DeobfuscateStackTrace tool to automate restoring obfuscated stacks.

DeobfuscateStackTrace Tool

DeobfuscateStackTrace is a command-line tool built on .NET 8 that runs on every platform .NET supports, including Windows, macOS, and Linux.

The source code is in DeobfuscateStackTrace-github or DeobfuscateStackTrace-gitee in the repository root directory. You can compile it yourself or download a build directly from the GitHub releases.

Command Line Parameters

Command line parameters are described as follows:

  -m, --mappingFile                     Required. mapping xml file

  -i, --input                           Required. input obfuscated log file

  -o, --output                          Required. output deobfuscated log file

  -r, --removeMethodGeneratedByObfuz    Remove methods generated by obfuscator (e.g. '$Obfuz$ProxyCall:$Obfuz$ProxyCall$Dispatch')

  --help                                Display this help screen.

  --version                             Display version information.

Usage

  • Run DeobfuscateStackTrace --help to view the help.
  • Run DeobfuscateStackTrace -m {symbol mapping file} -i {obfuscated log} -o {deobfuscated log} to restore an obfuscated stack log to the original names. -m is the symbol mapping file that ObfuzSettings.SymbolObfusSettings.SymbolMappingFile points to, -i is the obfuscated log file, and -o is the deobfuscated log file to write.

Example:

  • Windows

DeobfuscateStackTrace -m path/of/symbol-mapping.xml -i obfuscated.log -o deobfuscated.log

  • macOS or Linux

dotnet DeobfuscateStackTrace.dll -m path/of/symbol-mapping.xml -i obfuscated.log -o deobfuscated.log

Remove Functions Generated by Obfuz

By default, the restored stack includes functions generated by Obfuz, such as $Obfuz$ProxyCall:$Obfuz$ProxyCall$Dispatch$35(Object, Object, Int32). Too many of these frames can hurt readability. Specify -r or --removeMethodGeneratedByObfuz to drop the stack information for such functions from the output log.

Using the Windows command line as an example:

DeobfuscateStackTrace -m path/of/symbol-mapping.xml -i obfuscated.log -o deobfuscated.log -r

This will restore the obfuscated stack log and remove all functions generated by Obfuz.
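
Added example (not part of the Obfuz project): a POSIX shell wrapper that applies the invocations above to every *.log file in a directory, using a DeobfuscateStackTrace executable when one is on PATH and dotnet DeobfuscateStackTrace.dll otherwise. The DEOBF_DLL variable, the function names and the .deobf.log output suffix are assumptions made for this example.

```shell
#!/bin/sh
# Added example: batch-restore a directory of obfuscated logs.
# Assumptions: DEOBF_DLL (path to the DLL), the function names and the
# ".deobf.log" output suffix are not defined by Obfuz.

# Run the tool with the given arguments, choosing the launcher per platform.
run_deobf() {
    if command -v DeobfuscateStackTrace >/dev/null 2>&1; then
        DeobfuscateStackTrace "$@"
    else
        dotnet "${DEOBF_DLL:-DeobfuscateStackTrace.dll}" "$@"
    fi
}

# deobfuscate_logs MAPPING_FILE INPUT_DIR OUTPUT_DIR [-r]
# Returns 0 if every log was processed, 1 if any failed, 2 on bad arguments.
deobfuscate_logs() {
    mapping=$1; in_dir=$2; out_dir=$3; strip=${4:-}
    [ -f "$mapping" ] || { echo "mapping file not found: $mapping" >&2; return 2; }
    [ -d "$in_dir" ] || { echo "input directory not found: $in_dir" >&2; return 2; }
    case $strip in ''|-r) ;; *) echo "unknown option: $strip" >&2; return 2 ;; esac
    mkdir -p "$out_dir" || return 2

    failed=0
    for log in "$in_dir"/*.log; do
        [ -f "$log" ] || continue            # glob matched nothing
        out="$out_dir/$(basename "$log" .log).deobf.log"
        # ${strip:+-r} expands to -r only when the option was given
        run_deobf -m "$mapping" -i "$log" -o "$out" ${strip:+-r} || {
            echo "failed to deobfuscate: $log" >&2
            failed=$((failed + 1))
        }
    done
    [ "$failed" -eq 0 ]
}

# Stand-alone use: ./deobf-all.sh symbol-mapping.xml logs/ restored/ -r
if [ "$#" -ge 3 ]; then
    deobfuscate_logs "$@"
fi
```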