[CrackMe] ConfuserEX

[CodeNatif]

 

Only obfuscated with ConfuserEX.

 

The objective is to unpack and crack the file.

CrackMe - ConfuserEX.rar

Edited May 4, 2015 by CodeNatif

[Smoke]

Cracked

Crack Me_cracked.zip

[XenocodeRCE]

Can't managed to deob string only because your file is using FW 4.5/4.5.1 and CC tools is compiled under 3.5/4.0

 

Only have to patch the simple if statement

 

 

 

Nothing has been modded, you added fake watermark but it's useless since we can use de4dot argument to force unknown

[CodeNatif]

Can't managed to deob string only because your file is using FW 4.5/4.5.1 and CC tools is compiled under 3.5/4.0

 

Only have to patch the simple if statement

 

 

 

Nothing has been modded, you added fake watermark but it's useless since we can use de4dot argument to force unknown

Can you post your cracked file ?

[CodeExplorer]

System.IO.FileLoadException: Could not load file or assembly 'Crack Me, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. Operation is not supported. (Exception from HRESULT: 0x80131515)

File name: 'Crack Me, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' ---> System.NotSupportedException: An attempt was made to load an assembly from a network location which would have caused the assembly to be sandboxed in previous versions of the .NET Framework. This release of the .NET Framework does not enable CAS policy by default, so this load may be dangerous. If this load is not intended to sandbox the assembly, please enable the loadFromRemoteSources switch. See http://go.microsoft.com/fwlink/?LinkId=155569for more information.

   at System.Reflection.RuntimeAssembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, RuntimeAssembly locationHint, StackCrawlMark& stackMark, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)

   at System.Reflection.RuntimeAssembly.nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, RuntimeAssembly locationHint, StackCrawlMark& stackMark, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)

   at System.Reflection.RuntimeAssembly.InternalLoadAssemblyName(AssemblyName assemblyRef, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection, Boolean suppressSecurityChecks)

   at System.Reflection.Assembly.Load(AssemblyName assemblyRef)

   at Confuser_Methods_Decryptor.MainForm.Button2Click(Object sender, EventArgs e) in d:\ConvertedTo45\ConfuserExMethodsDecryptor\ConfuserExMethodsDecryptor\MainForm.cs:line 173

Here is how to fix the error:

http://blogs.msdn.com/b/drew/archive/2009/12/24/xunit-and-td-net-fixing-the-attempt-was-made-to-load-an-assembly-from-a-network-location-problem.aspx

 

But it comes the second error:

System.IO.FileLoadException: Could not load file or assembly 'Crack Me, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. Attempt to load an unverifiable executable with fixups (IAT with more than 2 sections or a TLS section.) (Exception from HRESULT: 0x80131019)

If I mark "IL only" from ".NET Directory" it will crush.

[CodeExplorer]

It uses native code (x32 native predicates) so it is a little bit tricky to change the assembly,

only works with dnlib.

You must also dump the assembly with resources and attach resources.

Unpacked file here:

http://www45.zippyshare.com/v/tIfLjsda/file.html

[XenocodeRCE]

It uses native code (x32 native predicates) so it is a little bit tricky to change the assembly,

only works with dnlib.

You must also dump the assembly with resources and attach resources.

Unpacked file here:

http://www45.zippyshare.com/v/tIfLjsda/file.html

 

You can get ride of x86 predicates easily (more or less) thanks to UbbeLoL and its paper. He also gave a nice snippet about how you could emulate the methods using BeaEngine and dnlib : https://github.com/UbbeLoL/ConfuserDeobfuscator/tree/x86emu/ConfuserDeobfuscator/ConfuserDeobfuscator/Engine/Routines/Ex/x86

 

But as proven / stated before, removing cflow is not really necessary if the purpose is only cracking this file

[Hadits follower]

cflow can't decrypt of new confuser . pass : -115661398

 

here is my unpack

Crack Me_Unpacked.zip

Crack Me_Cracked.zip

Edited May 7, 2015 by Death

[CodeExplorer]

For x86 ctrl flow predicate use the new tool ConfuserExPredicateKiller:

http://www36.zippyshare.com/v/JUESkgCD/file.html

Cflow deobfuscated here:

http://www20.zippyshare.com/v/1mA7P4N3/file.html

Strings and constants still left to be decrypted.

[CodeExplorer]

Strings decrypted:

http://www78.zippyshare.com/v/BjhnIMe8/file.html

Finally completed now!

[cipsi]

On 5/5/2015 at 9:28 PM, CodeExplorer said:

Here is how to fix the error:

http://blogs.msdn.com/b/drew/archive/2009/12/24/xunit-and-td-net-fixing-the-attempt-was-made-to-load-an-assembly-from-a-network-location-problem.aspx

 

But it comes the second error:

System.IO.FileLoadException: Could not load file or assembly 'Crack Me, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. Attempt to load an unverifiable executable with fixups (IAT with more than 2 sections or a TLS section.) (Exception from HRESULT: 0x80131019)

If I mark "IL only" from ".NET Directory" it will crush.

What causes "Attempt to load an unverifiable executable with fixups" exception when try to Assembly.LoadFile?

[CodeExplorer]

2 hours ago, cipsi said:

What causes "Attempt to load an unverifiable executable with fixups" exception when try to Assembly.LoadFile?

Mixed mode assembly, assembly which contains native code,
check this:
https://forum.tuts4you.com/topic/39332-hooking-clr-jit-before-cctor/?do=findComment&comment=188978