Leaderboard

It's that time of the year again. It seems we're starting September 26 8PM EST again with a return to Web3 and YARA as well. Four weeks instead of six this year... I wonder what the reason for this is. 🤔 https://flare-on.com/

just DO it :) © any action

The tool was designed for obfuscated code, not for handling standard code with external calls (iat, etc.). So, when splitting blocks, an address will likely be invalid. There's nothing stopping you from implementing and adding new features to the code. procedure TCFG_Analysis.SplitBlock( split_addr: UInt64); (* Split basic block @ split_addr and create a new basic_blocks[] entry. *) var bb_head,orig_head : UInt64; instr : TCfGIns; tmpIns : TIns; begin OutDbg( Format('>Function:SplitBlock - Entry splitting @ [%08x] ',[split_addr])); if Fbasic_blocks.ContainsKey(split_addr) then Exit; bb_head := split_addr; orig_head := DFSBBSearchHead(split_addr); if orig_head = 0 then begin OutDbg(Format('>Function:SplitBlock - Failed @ [%08x]: orig_head=None ',[split_addr])); // raise Exception.Create('SplitBlock: orig_head not found'); end; OutDbg(Format('>Function:SplitBlock - Got orig_head [%08x] ',[orig_head])); // Create new BBlock Fbasic_blocks.Add(bb_head,[]) ; if Length(Fbasic_blocks[orig_head]) > 0 then begin tmpIns:= Fbasic_blocks[orig_head]; instr := tmpIns[ High(Fbasic_blocks[orig_head]) ]; SetLength(tmpIns, Length(Fbasic_blocks[orig_head])-1); Fbasic_blocks[orig_head] := tmpIns; end else Exit; while True do begin tmpIns:= Fbasic_blocks[orig_head]; Insert(instr,tmpIns,0 ); Fbasic_blocks[orig_head] := tmpIns; if instr.OriginEA = bb_head then break ; tmpIns:= Fbasic_blocks[orig_head]; instr := tmpIns[ High(Fbasic_blocks[orig_head]) ]; SetLength(tmpIns, Length(Fbasic_blocks[orig_head])-1); Fbasic_blocks[orig_head] := tmpIns; end; OutDbg(Format('>>Function:SplitBlock - Split @ [%08x]; original @ [%08x]',[split_addr,orig_head])); end;

@jackyjask I was meant to post this a few days ago, if you have not already noticed, IPS moved the "Code Block", to menu... Ted.

1.dump 2.fix dump 3.ConfuserEx-Unpacker-v2.0 &Constants Decrypter 4.de4dot ConfuserEx-Unpacker-v2.0 prompts an error [$] Loading Module... [$] Loading References... [$] Detected: Confuser.Core 1.6.0+447341964f [$] Anti Tamper Detected [$] Anti Tamper Removed Successfully [$] Cleaned Control Flow on 272 Methods [$] Fixed proxy calls: 6749 [$] Removed proxy methods: 944 [$] Cleaned Control Flow on 2 Methods [$] Cleaned Control Flow on 2 Methods [$] Patched 5 Anti Invokes [$] Cleaned Control Flow on 2 Methods Error: Could not load file or assembly 'DEMO123456, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'. This assembly was compiled for a different processor. at System.Reflection.RuntimeAssembly.nLoadImage(Byte[] rawAssembly, Byte[] rawSymbolStore, Evidence evidence, StackCrawlMark& stackMark, Boolean fIntrospection, Boolean fSkipIntegrityCheck, SecurityContextSource securityContextSource) at System.Reflection.Assembly.Load(Byte[] rawAssembly) at Unpacker.Core.Deobfuscators.Resource.ResourceDeobfuscator.Deobfuscate(UnpackerContext context) in D:\Documents\Visual Studio 2017\Projects\GitHub\ConfuserEx-Unpacker\Unpacker.Core\Deobfuscators\Resource\ResourceDeobfuscator.cs:line 40 at Unpacker.Core.UnpackerEngine.Run(UnpackerParameters parameters) in D:\Documents\Visual Studio 2017\Projects\GitHub\ConfuserEx-Unpacker\Unpacker.Core\UnpackerEngine.cs:line 38 Error: Object reference not set to an instance of an object. at Unpacker.Core.Utils.FindInstructionsNumber(MethodDef method, OpCode opCode, Object operand) in D:\Documents\Visual Studio 2017\Projects\GitHub\ConfuserEx-Unpacker\Unpacker.Core\Helpers\Utils.cs:line 33 at Unpacker.Core.Deobfuscators.AntiDebugDeobfuscator.Deobfuscate(UnpackerContext context) in D:\Documents\Visual Studio 2017\Projects\GitHub\ConfuserEx-Unpacker\Unpacker.Core\Deobfuscators\AntiDebugDeobfuscator.cs:line 18 at Unpacker.Core.UnpackerEngine.Run(UnpackerParameters parameters) in D:\Documents\Visual Studio 2017\Projects\GitHub\ConfuserEx-Unpacker\Unpacker.Core\UnpackerEngine.cs:line 38 [$] Removed 1 Attributes [$] Cleaning unused methods... [$] Writing Module... [$] Saving Module...

if anyone has access to the courses, please upload!!

.

just DO it :) © any action @Nooboy my methode = noob methode😅 unpackin-fujifuscater_VGNDlJbp.mp4

just dump it & fix dump.

@root you have lots of sample *.asm files inside the "\D_CodeGen\Test file" are those the sample obfuscated pieces that noe has to compile/build into PE binary so that the tool/lib could gracefully "eat" it or there is another way to feed .asm files directly into the lib?

There is no gchandle.free in the Confuser.Core 1.6.0+447341964f module. How to deal with it?

I fully agree but the question was about this - why? >EListError: Item not found

there is nothing to deobfuscate in that code, the list remains empty text:0000000000400250 .text:0000000000400250 ; =============== S U B R O U T I N E ======================================= .text:0000000000400250 .text:0000000000400250 ; Attributes: bp-based frame .text:0000000000400250 .text:0000000000400250 public start .text:0000000000400250 start proc near ; DATA XREF: HEADER:00000000004000B0↑o .text:0000000000400250 .text:0000000000400250 var_20 = qword ptr -20h .text:0000000000400250 .text:0000000000400250 enter 40h, 0 .text:0000000000400254 and [rsp+40h+var_20], 0 .text:000000000040025A mov ecx, offset __ImageBase ; hInstance .text:000000000040025F mov edx, 64h ; 'd' ; lpTemplateName .text:0000000000400264 xor r8d, r8d ; hWndParent .text:0000000000400267 lea r9, DialogFunc ; lpDialogFunc .text:000000000040026E call cs:DialogBoxParamA .text:0000000000400274 xor ecx, ecx .text:0000000000400276 call cs:RtlExitUserProcess .text:0000000000400276 start endp ; sp-analysis failed .text:0000000000400276 .text:000000000040027C .text:000000000040027C ; =============== S U B R O U T I N E ======================================= .text:000000000040027C .text:000000000040027C ; Attributes: bp-based frame .text:000000000040027C .text:000000000040027C ; INT_PTR __stdcall DialogFunc(HWND, UINT, WPARAM, LPARAM) .text:000000000040027C DialogFunc proc near ; DATA XREF: start+17↑o .text:000000000040027C .text:000000000040027C format = dword ptr -80h .text:000000000040027C h = qword ptr -5Ch .text:000000000040027C ho = qword ptr -54h .text:000000000040027C Paint = tagPAINTSTRUCT ptr -48h .text:000000000040027C hWnd = qword ptr 10h .text:000000000040027C .text:000000000040027C enter 0A0h, 0 .text:0000000000400280 mov [rbp+hWnd], rcx .text:0000000000400284 cmp edx, 110h .text:000000000040028A jz short loc_4002E5 .text:000000000040028C cmp edx, 111h .text:0000000000400292 jz loc_400654 .text:0000000000400298 cmp edx, 10h .text:000000000040029B jz loc_40065A .text:00000000004002A1 cmp edx, 113h .text:00000000004002A7 jz loc_4003C2 .text:00000000004002AD cmp edx, 0Fh .text:00000000004002B0 jz loc_4004BC .text:00000000004002B6 cmp edx, 201h .text:00000000004002BC jnz loc_40067C .text:00000000004002C2 call cs:ReleaseCapture .text:00000000004002C8 mov rcx, [rbp+hWnd] ; hWnd .text:00000000004002CC mov edx, 112h ; Msg .text:00000000004002D1 mov r8d, 0F012h ; wParam .text:00000000004002D7 xor r9d, r9d ; lParam .text:00000000004002DA call cs:SendMessageA .text:00000000004002E0 jmp loc_40067C .text:00000000004002E5 ; --------------------------------------------------------------------------- .text:00000000004002E5 .text:00000000004002E5 loc_4002E5: ; CODE XREF: DialogFunc+E↑j .text:00000000004002E5 call cs:GetTickCount .text:00000000004002EB mov cs:dword_400800, eax .text:00000000004002F1 push offset pszFaceName ; pszFaceName .text:00000000004002F6 push 1 ; iPitchAndFamily .text:00000000004002F8 push 2 ; iQuality .text:00000000004002FA push 0 ; iClipPrecision .text:00000000004002FC push 6 ; iOutPrecision .text:00000000004002FE push 0 ; iCharSet .text:0000000000400300 push 0 ; bStrikeOut .text:0000000000400302 push 0 ; bUnderline .text:0000000000400304 push 0 ; bItalic .text:0000000000400306 push 2BCh ; cWeight .text:000000000040030B sub esp, 20h .text:000000000040030E mov ecx, 50h ; 'P' ; cHeight .text:0000000000400313 mov edx, 19h ; cWidth .text:0000000000400318 xor r8d, r8d ; cEscapement .text:000000000040031B xor r9d, r9d ; cOrientation .text:000000000040031E call cs:CreateFontA .text:0000000000400324 mov cs:h, rax .text:000000000040032B mov ecx, 40h ; '@' ; uFlags .text:0000000000400330 mov edx, 400h ; dwBytes .text:0000000000400335 call cs:GlobalAlloc .text:000000000040033B mov cs:qword_4007F8, rax .text:0000000000400342 mov edi, eax .text:0000000000400344 mov ecx, 40h ; '@'

1st issue on sample masm binary - (400250 = EP VA) c:\CodeDeob-main\Win32\Debug\123>Deob1.exe fire.exe $400250 CodeDeob cli demo util v0.1 (c) 2025 by jj EListError: Item not found fire.zip

btw any documentation for the lib ?

The course is free until end of July 4, 2024. https://www.udemy.com/course/reversing-software-protection/?couponCode=JULY2_FREE Personally, I think Paul Chin courses are total crap, but apparently some people still want to watch them. So...

For this package, I did it. Winlicense 3.1.3 Test x64.zip However, @boot I couldn't do it for this package. give me your hand please. Many thanks in advance. Regards. sean.

Dunno, check your system - works well here in a freshly installed Windows 10.

Best days of programming before all this Java and Android chaos