Posted July 13, 2015
Hello, I have a question. I have a DLL (yes, I know the source) which is confused using ConfuserEx 0.5 with .NET Framework 4.52. Now I've tried to open the DLL using several disassemblers but no result. I found several tutorials on how to unconfuse the DLL in this forum but all of them are not successful in this case. I've tried ConfuserExFixer, MethodsDecrypter, ... and so on. Could anyone tell me HOW it's possible and a decrypted result? Attached is the DLL. It's nothing special. Thanks.
CGBfunctions.zip
Edited July 13, 2015 by myli

July 13, 2015
-=[ ProtectionID v0.6.6.7 DECEMBER]=-
© 2003-2015 CDKiLLER & TippeX
Build 24/12/14-22:48:13
Ready...
Scanning -> C:\Users\_______\Desktop\CGBfunctions\CGBfunctions.dll
File Type : 32-Bit Dll (Subsystem : Win CUI / 3), Size : 2208256 (021B200h) Byte(s)
Compilation TimeStamp : 0x559AFB51 -> Mon 06th Jul 2015 22:04:01 (GMT)
[TimeStamp] 0x559AFB51 -> Mon 06th Jul 2015 22:04:01 (GMT) | PE Header | - | Offset: 0x00000088 | VA: 0x10000088 | -
[TimeStamp] 0x559AFB51 -> Mon 06th Jul 2015 22:04:01 (GMT) | Export | - | Offset: 0x0010B058 | VA: 0x1010E058 | -
[File Heuristics] -> Flag #1 : 00000000000001001101000100110000 (0x0004D130)
[Entrypoint Section Entropy] : 3.41 (section #0) " " | Size : 0x10AAE4 (1092324) byte(s)
[DllCharacteristics] -> Flag : (0x8540) -> ASLR | DEP | NOSEH | TSA
[sectionCount] 7 (0x7) | ImageSize 0x228000 (2260992) byte(s)
[Export] 100% of function(s) (21 of 21) are in file | 0 are forwarded | 21 code | 0 data | 0 uninit data | 0 unknown |
[VersionInfo] Product Name : CGBfunction
[VersionInfo] Product Version : 2.0.0.0
[VersionInfo] File Description : CGBfunction
[VersionInfo] File Version : 2.0.0.0
[VersionInfo] Original FileName : CGBfunctions.dll
[VersionInfo] Internal Name : CGBfunctions.dll
[VersionInfo] Version Comments : Gamebot.org
[VersionInfo] Legal Copyrights : Copyright © 2015
[!] [.net scan core] ConfuserEx v0.5.0-custom detected!
[CompilerDetect] -> .NET
[.] .Net Info -> v 2.5 (struct version) | x86 mixed | Flags : 0x00000002 -> COMIMAGE_FLAGS_32BITREQUIRED |
[.] Entrypoint (Token) : 0x00000000
[.] MetaData RVA : 0x001B3350 | Size : 0x0007194C (465228)
[.] MetaData->Version 1.1 (struct ver) -> v4.0.30319 (required framework)
[.] Flags : 0x0 | Streams : 0x8 (8) unusual (its usually 5) -> #~ | #Strings | #US | #GUID | #Blob | #Strings | #Blob | #Schema
- Scan Took : 1.312 Second(s) [000000698h (1688) tick(s)] [244 of 573 scan(s) done]

It is a modded version of ConfuserEx. If you can't do nothing is for it.
Edited July 13, 2015 by CodeShark

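The stream count that the ProtectionID scan above flags as unusual (8 streams, with `#Strings` and `#Blob` listed twice) is read from the CLI metadata root, whose layout is defined in ECMA-335. As an added example that is not part of the thread or of any tool named in it, this Python code parses a metadata root and reports duplicate and unexpected stream names; `build_root`, `parse_streams` and `triage` are hypothetical names, and the input is a constructed blob that reuses the stream names from the scan, with made-up offsets and sizes.

```python
import struct
from collections import Counter

# The five stream names the page's second scan lists for a 5-stream assembly.
USUAL = {"#~", "#Strings", "#US", "#GUID", "#Blob"}

def build_root(names, version=b"v4.0.30319"):
    """Build a constructed metadata root (sample input, not a real file)."""
    ver = version + b"\0"
    ver += b"\0" * (-len(ver) % 4)
    out = struct.pack("<IHHII", 0x424A5342, 1, 1, 0, len(ver)) + ver
    out += struct.pack("<HH", 0, len(names))
    for i, name in enumerate(names):
        raw = name.encode("ascii") + b"\0"
        raw += b"\0" * (-len(raw) % 4)
        out += struct.pack("<II", 0x100 * (i + 1), 0x40) + raw
    return out

def parse_streams(root):
    """Return (version, [(name, offset, size), ...]) from a metadata root."""
    sig, _major, _minor, _reserved, vlen = struct.unpack_from("<IHHII", root, 0)
    if sig != 0x424A5342:  # "BSJB"
        raise ValueError("not a CLI metadata root")
    pos = 16
    version = root[pos:pos + vlen].split(b"\0", 1)[0].decode("ascii")
    pos += vlen
    _flags, count = struct.unpack_from("<HH", root, pos)
    pos += 4
    streams = []
    for _ in range(count):
        offset, size = struct.unpack_from("<II", root, pos)
        end = root.index(b"\0", pos + 8)      # name is NUL-terminated ASCII
        streams.append((root[pos + 8:end].decode("ascii"), offset, size))
        pos = (end + 4) & ~3                  # header is padded to 4 bytes
    return version, streams

def triage(root):
    """Summarise stream-table anomalies of the kind the scan flags."""
    version, streams = parse_streams(root)
    names = [name for name, _, _ in streams]
    return {"version": version, "count": len(names),
            "duplicates": sorted(n for n, c in Counter(names).items() if c > 1),
            "nonstandard": sorted(set(names) - USUAL)}

if __name__ == "__main__":
    first = ["#~", "#Strings", "#US", "#GUID", "#Blob", "#Strings", "#Blob", "#Schema"]
    print(triage(build_root(first)))
```
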
July 23, 2015, Author
Thank you, I've tried several tutorials from the forum but they didn't work. I also have the PDB files (which contain the method names, correct?). Do you have a tutorial?

July 27, 2015, Author
I've tried de4dot but it seems to corrupt the DLL anyway. I can't open it using a disassembler (Just Decompile, etc.).

August 10, 2015
Bump for this, also interested in a DLL packed with Confuser, tools like switch killer and predicate killer do not seem to run at all.

September 3, 2015
Besides breaking the DLL, maybe it's restored enough information for you to go through the DLL to see where the interesting stuff happens. Then using the Token of the method of interest, you can get to work in the original DLL's method. You probably can open the DLL just fine in dnSpy, it seems to be quite tolerant to bad metadata.

August 8, 2016
On 9/3/2015 at 3:11 PM, GamerAndDev said:
Besides breaking the DLL, maybe it's restored enough information for you to go through the DLL to see where the interesting stuff happens. Then using the Token of the method of interest, you can get to work in the original DLL's method. You probably can open the DLL just fine in dnSpy, it seems to be quite tolerant to bad metadata.

Can you give a tutorial for unpacking the DLL packed with Confuser 0.5 custom? Thanks

December 15, 2016
[ModuleReport] [IAT] Modules -> mscoree.dll
[.] .net @ FileOffset 0x4AC7D0 | MetaData->Version 1.1 (struct version) -> v4.0.30319 (net version required)
[.] Flags : 0x0 | Streams : 0x5 (5) -> #~ | #Strings | #US | #GUID | #Blob
[!] [.net scan core] ConfuserEx v1.0.0-custom detected!
[COR20] MajorRuntimeVersion 0x2 (2) | MinorRuntimeVersion 0x2 (2) -> 0x2.2 (2.2)
[COR20] Flags 0x3
[COR20 Flags] [x] IL_ONLY [x] 32BITREQUIRED [ ] IL_LIBRARY
[COR20 Flags] [ ] STRONGNAME [ ] NATIVE_EP [ ] TRACKDEBUGDATA
[COR20 Flags] [ ] 32BITPREFERRED | 0x0 UNKNOWN
[COR20 Flags] Assembly is NOT strong name signed
- Scan Took : 1.641 Second(s) [00000054Fh (1359) tick(s)] [504 of 577 scan(s) done]