Tuts 4 You

[UnpackMe]UnpackMe - Multi Packer


CodeNatif

boxed app...


PE: protector: Confuser(1.X)[-]


PE: protector: DNGuard(-)[-]


PE: protector: Dotfuscator(-)[-]


PE: protector: Goliath(-)[-]


PE: library: .NET(v4.0.30319)[-]


PE: linker: Microsoft Linker(8.0)[EXE32]


 


:pray:



Yep.

BoxedApp packer

DNGuard
ConfuserEx v0.4.0
ConfuserEx v0.3.0-custom
ObfuscatedByGoliath
Protected By Ben Mhenni.dll

 

That's what I have extracted from the exe.

Since it is Framework 4.5, I can't do much on XP, just remove the first layer.

IMHO it is just a silly way to protect an exe.


We are in the role of rats who speed on the wheel again.

The user tests on us various ways of protecting his tools or maybe worse....


  • Like 1

Hadits follower

anyway user and pass :



  if (!(Class38.WindowsFormsApplication11.exe(-1636090519, "UnpackMeChallenge") & Class38.WindowsFormsApplication11.exe(this.WindowsFormsApplication11.exe.Text, "ProtectedLogin")) || true)
   {
       goto Label_0127;
   }
Label_010C:
   MessageBox.Show("Good Job !");
Label_0117:
   MessageBox.Show("Fail");
Label_0127:
   switch ((0x28cef1b2 ^ 0x28cef1b3))
   {
       case 0:
       case 2:
       case 3:
       case 4:
           goto Label_0117;
 
       case 5:
           goto Label_0127;
 
       case 6:
           goto Label_010C;
   }
}

Username : ProtectedLogin


Password : UnpackMeChallenge


Edited by Death
  • Like 4

Hadits follower

Edited fixed

br.s for else

Just drink and feel alone and bored just do this by hand

100% completed Unpacked [2 hours] passed from boredom .

Just enjoy your challenge #10000

cause I see you every day make a challenge with a lot of useless obfuscators .

Your main exe size may be under kb, but click pack + obfuscate + native makes your little exe size 2 MB .

20 bytes to 2 MB [ By useless obc and packer ]

well here it is 1 line code

JmiW8pJ.jpg

T H I S   I S   M A Y B E   M Y   L A S T   P E R F O R M A N C E in your unpackme

attached


WindowsFormsApplication11-cleaned_UnpackeD2_Fixed.zip

Edited by Death
  • Like 2

The user wants to do some bad things and to implement a foolproof protection.

That is why he put it here, to make us rats spinning the wheel.

I think that kind of challenge is just trash.


  • Like 1

Hadits follower

anyway we can learn something from here

cflow encrypted by junk non reference with int null + [Lot junk non ref] .

So I see Reflector is a deobfuscator for it [not ILSpy]

cause we see obfuscated

decompile ILSpy 2



private void method_1()
{
   ComponentResourceManager componentResourceManager = new ComponentResourceManager(typeof(GForm0));
   this.button_0 = new Button();
   this.textBox_0 = new TextBox();
   this.textBox_1 = new TextBox();
   this.pictureBox_0 = new PictureBox();
   ISupportInitialize BeginInit() = this.pictureBox_0;
   base.SuspendLayout();
   Control arg_A9_0 = this.button_0;
   //GForm0.int_0 = 2136656571;
   arg_A9_0.Location = new Point(135, 48);
   <Module>.object_3 = null;
   <Module>.int_7 = -1852116043;
   this.button_0.Name = "button1";
   Control arg_103_0 = this.button_0;
   <Module>.object_6 = componentResourceManager;
   int arg_FE_0 = 133;
   int arg_FE_1 = 23;
   <Module>.int_3 = -1410905245;
   object arg_F9_0 = componentResourceManager;
   <Module>.int_2 = 1845842485;
   <Module>.object_2 = arg_F9_0;
   arg_103_0.Size = new Size(arg_FE_0, arg_FE_1);
   this.button_0.TabIndex = 0;
   this.button_0.Text = "Login";
   <Module>.object_1 = null;
   ButtonBase arg_149_0 = this.button_0;
   bool arg_149_1 = true;
   GForm0.object_0 = componentResourceManager;
   <Module>.int_0 = 1057425350;
   arg_149_0.UseVisualStyleBackColor = arg_149_1;
   <Module>.object_6 = null;
   Control arg_176_0 = this.button_0;
   GForm0.object_0 = "502a9eda-92ad-40ce-a4ca-8422897be2bb981bff38-7df7-4cf6-ba23-c6d38d807d6ecf7fd485-35af-";
   <Module>.object_3 = null;
   arg_176_0.Click += new EventHandler(this.method_0);
   Control arg_1A4_0 = this.textBox_0;
   int arg_19F_0 = 204;
   <Module>.int_0 = -1411494653;
   int arg_19F_1 = 22;
   <Module>.int_0 = 1308380089;
   arg_1A4_0.Location = new Point(arg_19F_0, arg_19F_1);
   this.textBox_0.Name = "textBox1";
   Control arg_1F6_0 = this.textBox_0;
   <Module>.int_2 = 1657774894;
   int arg_1DD_0 = 100;
   int arg_1DD_1 = 20;
   <Module>.int_4 = -1557401652;
   Size arg_1F6_1 = new Size(arg_1DD_0, arg_1DD_1);
   <Module>.int_7 = 744302617;
   <Module>.int_6 = 1203310366;
   arg_1F6_0.Size = arg_1F6_1;
   GClass0.object_1 = componentResourceManager;
   this.textBox_0.TabIndex = 1;
   this.textBox_1.Location = new Point(98, 22);
   this.textBox_1.Name = "textBox2";
   GForm0.int_0 = -2051646939;
   this.textBox_1.Size = new Size(100, 20);
   Control arg_274_0 = this.textBox_1;
   int arg_274_1 = 1;
   GForm0.object_0 = "a3fe5bec-6707-4087-8a36-3cf33fad326bfd";
   arg_274_0.TabIndex = arg_274_1;
   PictureBox arg_295_0 = this.pictureBox_0;
   ResourceManager arg_28B_0 = componentResourceManager;
   <Module>.object_0 = componentResourceManager;
   arg_295_0.Image = (Image)arg_28B_0.GetObject("pictureBox1.Image");
   object arg_2AE_0 = 1876936332;
   <Module>.int_5 = -1040838703;
   GClass0.object_1 = arg_2AE_0;
   this.pictureBox_0.Location = new Point(32, 77);
   Control arg_2DE_0 = this.pictureBox_0;
   string arg_2DE_1 = "pictureBox1";
   GForm0.object_0 = componentResourceManager;
   arg_2DE_0.Name = arg_2DE_1;
   this.pictureBox_0.Size = new Size(374, 66);
   <Module>.object_3 = null;
   GForm0.int_0 = -1978466511;
   this.pictureBox_0.TabIndex = 2;
   <Module>.object_4 = 1957620381;
   this.pictureBox_0.TabStop = false;
   <Module>.int_5 = -1932913121;
   <Module>.int_8 = 2097519326;
   float arg_36B_0 = 6f;
   <Module>.object_0 = null;
   GForm0.object_0 = "821c82af-1da0-44a7-8898-f9f35ba00f15fca2528e-bf73-4";
   base.AutoScaleDimensions = new SizeF(arg_36B_0, 13f);
   base.AutoScaleMode = AutoScaleMode.Font;
   object arg_38B_0 = componentResourceManager;
   <Module>.int_7 = -1950879357;
   <Module>.object_2 = arg_38B_0;
   <Module>.object_0 = componentResourceManager;
   base.ClientSize = new Size(440, 159);
   <Module>.int_0 = 1503776956;
   <Module>.object_6 = componentResourceManager;
   GClass0.object_1 = null;
   base.Controls.Add(this.pictureBox_0);
   <Module>.object_6 = null;
   Control.ControlCollection arg_403_0 = base.Controls;
   object arg_3E9_0 = componentResourceManager;
   <Module>.int_8 = 1809257038;
   GClass0.object_0 = arg_3E9_0;
   Control arg_403_1 = this.textBox_1;
   GClass0.object_1 = 1952428595;
   arg_403_0.Add(arg_403_1);
   <Module>.int_0 = -563903361;
   Control.ControlCollection arg_428_0 = base.Controls;
   <Module>.int_2 = -1529522494;
   arg_428_0.Add(this.textBox_0);
   <Module>.object_4 = 1818084011;
   base.Controls.Add(this.button_0);
   base.Name = "Form1";
   <Module>.int_2 = 1987339265;
   this.Text = "UnpackMe Challenge !! ~";
   <Module>.object_0 = null;
   ((ISupportInitialize)this.pictureBox_0).EndInit();
   base.ResumeLayout(false);
   int arg_4A2_0 = 796469985;
   <Module>.int_6 = 1335196033;
   <Module>.int_8 = -1051365525;
   <Module>.int_4 = arg_4A2_0;
   GForm0.int_0 = -1980982856;
   base.PerformLayout();
   <Module>.object_5 = componentResourceManager;
   GClass0.object_0 = componentResourceManager;
}

 

Deobfuscated decompile by Reflector

Io0k5Ps.jpg

it's not calculated code, it's non ref junk code

which Reflector can deobfuscate .

Our codecracker can create a static junk resolver for it, I think, for people who need it and want to rip code

WindowsFormsApplication11_Rebuild.zip

Edited by Death
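
An added example, not code from the thread or from any tool named in it: a text-level pass over decompiler output like the ILSpy listing above that drops stores to static fields nothing ever reads, then the temporaries those stores leave unused. The sample lines are constructed in the style of the listing; `Settings.TabBase`, `Log.Last` and `Helper.Compute` are hypothetical names, and treating `<Module>` or a capitalised type name as a static owner is an assumption.

```python
import re

# Constructed sample in the style of the ILSpy listing (not the full method).
# Settings.TabBase, Log.Last and Helper.Compute are hypothetical names.
SAMPLE = """\
Control arg_A9_0 = this.button_0;
arg_A9_0.Location = new Point(135, 48);
<Module>.object_3 = null;
<Module>.int_7 = -1852116043;
this.button_0.Name = "button1";
object arg_F9_0 = componentResourceManager;
<Module>.int_2 = 1845842485;
<Module>.object_2 = arg_F9_0;
GForm0.object_0 = "a3fe5bec-6707-4087-8a36-3cf33fad326bfd";
Settings.TabBase = 1;
this.textBox_0.TabIndex = Settings.TabBase;
Log.Last = Helper.Compute();
base.PerformLayout();
"""

# Assumption: a static owner is <Module> or a capitalised type name.
STATIC_STORE = re.compile(r"^\s*((?:<Module>|[A-Z]\w*)\.\w+) = (.+);$")
# "Type name = value;" declares a decompiler temporary such as arg_F9_0.
LOCAL_DECL = re.compile(r"^\s*[\w.<>\[\]]+ (\w+) = (.+);$")

def count_reads(name, lines, pattern):
    """Count uses of name, ignoring the left-hand side of its own stores."""
    total = 0
    for line in lines:
        m = pattern.match(line)
        text = m.group(2) if m and m.group(1) == name else line
        total += len(re.findall(r"(?<![\w.>])" + re.escape(name) + r"(?!\w)", text))
    return total

def strip_junk(source):
    """Drop write-only static stores, then temporaries left unused, to a fixpoint."""
    lines = [l for l in source.splitlines() if l.strip()]
    changed = True
    while changed:
        changed = False
        for pattern in (STATIC_STORE, LOCAL_DECL):
            for line in list(lines):
                m = pattern.match(line)
                # A right-hand side containing a call may have side effects: keep it.
                if m and "(" not in m.group(2) and count_reads(m.group(1), lines, pattern) == 0:
                    lines.remove(line)
                    changed = True
    return lines

if __name__ == "__main__":
    print("\n".join(strip_junk(SAMPLE)))
```

On the sample, 7 of the 13 statements survive: every `<Module>` and `GForm0` store goes, the store that is read later and the one whose value comes from a call stay.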

Hadits follower

@ghostfish

today maybe I am ok  :)

@GIV

yes I see. But I still post because I see Appfuscator, which all people like to use because it never makes the exe crash, and DNG and Crypto are also the same, they won't crash after multi obfuscation .



GForm0.object_0 = "Foolish";

Edited by Death
  • Like 2
