Jump to content
Tuts 4 You

[Deobme] ConfuserEX 0.5 custom

XenocodeRCE

By XenocodeRCE
in UnPackMe (.NET)

 Share
Go to solution Solved by CodeExplorer,

Recommended Posts

XenocodeRCE

XenocodeRCE

Posted
Posted

jd6kUKq.png


 


Just a custom version of ConfuserEX 0.5


 


Nothing that special, very  humble modifications


 


I post it here in order to know what shall I improve


 


https://www.sendspace.com/file/p1fsts


 


 


  • Like 1
RDGMax

RDGMax

Posted
Posted

Nice pe header + structure .net modification


  • Like 1
XenocodeRCE

XenocodeRCE

Posted
  • Author
Posted

Alcatrazz successfully deobed this and give me hints about how I shall improve this !


 


It's time to do some research about the MSIL and clr structure ...


RDGMax

RDGMax

Posted
Posted
I already made a net obfuscator

 

But now I will make a .NET Scrambler anti decompiler, Will be called cachi chien obfuscator

  • Like 2
XenocodeRCE

XenocodeRCE

Posted
  • Author
Posted (edited)

ConfuserExFixer does the job for metadata problems!

Deobfuscated file:

https://www.sendspace.com/file/il8370

 

Constants still remains encrypted ;)

Edited by SpoonStudio
n0th!ng

n0th!ng

Posted
Posted (edited)

to fix metadata just use Universal fixer (without .NET options) next change number of streams to 9 


then pass it to de4dot


use ConfuserExSwitchKiller to deobfuscate cflow obfuscation 


then code some tool to fix constants 


 


 


looking forward to see your modded ConfuserEx 


CrackTest2_fix-cleaned.rar

Edited by n0th!ng
  • Like 4
XenocodeRCE

XenocodeRCE

Posted
  • Author
Posted

to fix metadata just use Universal fixer (without .NET options) next change number of streams to 9 

then pass it to de4dot

use ConfuserExSwitchKiller to deobfuscate cflow obfuscation 

then code some tool to fix constants 

 

 

looking forward to see your modded ConfuserEx 

 

Nicely done ! With Antitamper de4dot would have messed up the assembly so beware

 

I'm constantly improving ConfuserEX, it takes me about 4h a day, reading ECMA and so on.

 

I may post another chall at the very end of the week (Hint : clr emulation || PE32+)

  • 1 year later...
Sh4DoVV

Sh4DoVV

Posted
Posted (edited)

hi CodeCracker

how to unpack this dll ?

this file obfuscated by confuserex custom

please help me

thanks

 

Edited by Teddy Rogers
SkyProud

SkyProud

Posted
Posted (edited)

Check: ConfuserEx v1.0.0

The version number is v1.0.0

In CFF Explorer, open MetaData Streams - #Blob, and you will see that in the Ascii section.

 

CFF_Explorer1.PNG

Edited by SkyProud
Further details provided.
XenocodeRCE

XenocodeRCE

Posted
  • Author
Posted
2 hours ago, SkyProud said:

Check: ConfuserEx v1.0.0

The version number is v1.0.0

In CFF Explorer, open MetaData Streams - #Blob, and you will see that in the Ascii section.

 

CFF_Explorer1.PNG

 

wrong its v0.5, i faked the version info. Don't rely on this kind of things, go and deep-analysis the file

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...