Jump to content
Tuts 4 You

Recommended Posts

Posted (edited)

Hello,


 


i've a question. Ive a DLL (yes, i know the source) which is confused using ConfuserEx 0.5 with .NET Framework 4.52.


 


 


Now i've tried to to open the DLL using several disassembler but no result. I found several tutorials how to unconfuse the DLL in this forum but all of them are not successfully in this case.


 


 


Ive tried ConfuserExFixer, MethodsDecrypter, ... and so on.


 


could anyone tell me HOW it's possible and a decrypted result?


 


Attached is the DLL. Its nothing special. Thanks.


 


 


CGBfunctions.zip

Edited by myli
Posted (edited)

-=[ ProtectionID v0.6.6.7 DECEMBER]=-

© 2003-2015 CDKiLLER & TippeX

Build 24/12/14-22:48:13

Ready...

Scanning -> C:\Users\_______\Desktop\CGBfunctions\CGBfunctions.dll

File Type : 32-Bit Dll (Subsystem : Win CUI / 3), Size : 2208256 (021B200h) Byte(s)

Compilation TimeStamp : 0x559AFB51 -> Mon 06th Jul 2015 22:04:01 (GMT)

[TimeStamp] 0x559AFB51 -> Mon 06th Jul 2015 22:04:01 (GMT) | PE Header | - | Offset: 0x00000088 | VA: 0x10000088 | -

[TimeStamp] 0x559AFB51 -> Mon 06th Jul 2015 22:04:01 (GMT) | Export | - | Offset: 0x0010B058 | VA: 0x1010E058 | -

[File Heuristics] -> Flag #1 : 00000000000001001101000100110000 (0x0004D130)

[Entrypoint Section Entropy] : 3.41 (section #0) "        " | Size : 0x10AAE4 (1092324) byte(s)

[DllCharacteristics] -> Flag : (0x8540) -> ASLR | DEP | NOSEH | TSA

[sectionCount] 7 (0x7) | ImageSize 0x228000 (2260992) byte(s)

[Export] 100% of function(s) (21 of 21) are in file | 0 are forwarded | 21 code | 0 data | 0 uninit data | 0 unknown | 

[VersionInfo] Product Name : CGBfunction

[VersionInfo] Product Version : 2.0.0.0

[VersionInfo] File Description : CGBfunction

[VersionInfo] File Version : 2.0.0.0

[VersionInfo] Original FileName : CGBfunctions.dll

[VersionInfo] Internal Name : CGBfunctions.dll

[VersionInfo] Version Comments : Gamebot.org

[VersionInfo] Legal Copyrights : Copyright ©  2015

[!] [.net scan core] ConfuserEx v0.5.0-custom detected!

[CompilerDetect] -> .NET

[.] .Net Info -> v 2.5 (struct version) | x86 mixed | Flags : 0x00000002 -> COMIMAGE_FLAGS_32BITREQUIRED | 

[.] Entrypoint (Token) : 0x00000000

[.] MetaData RVA : 0x001B3350 | Size : 0x0007194C (465228)

[.] MetaData->Version 1.1 (struct ver) -> v4.0.30319 (required framework)

[.] Flags : 0x0 | Streams : 0x8 (8) unusual (its usually 5) -> #~ | #Strings | #US | #GUID | #Blob | #Strings | #Blob | #Schema

- Scan Took : 1.312 Second(s) [000000698h (1688) tick(s)] [244 of 573 scan(s) done]


 

Is a modded version of ConfuserEx. If you cant do nothing is for it.

Edited by CodeShark
  • Like 1
  • 2 weeks later...
Posted

Does this mean its not possible to unpack a modded version of ConfuserEx? ;) 


li0nsar3c00l
Posted

it is, not much difference to the original version from the mods i saw so far


  • Like 1
Posted

thank you, ive tried several tutorials from the forum but they didnt work. IVe also the PDB files (which contains the method names, correct?) Do you have a Tutorial?


Posted

You can use de4dot. Its not cleanly done. but its something


Posted

ive tried de4dot but it seems to corrupt the dll anyway. I cant open it using a disassembler. (Just Decompile, etc) 


  • 2 weeks later...
Posted

Bump for this, also interested in a DLL packed with Confuser, tools like switch killer and predicate killer do not seem to run at all.


  • 4 weeks later...
Posted

Besides breaking the DLL, maybe it's restored enough information for you to go through the DLL to see where the interesting stuff happens. Then using the Token of the method of interest, you can get to work in the original DLL's method.


 


You probably can open the DLL just find in dnSpy, it seems to be quite tolerant to bad metadata. 

  • 11 months later...
Posted
On 9/3/2015 at 3:11 PM, GamerAndDev said:

Besides breaking the DLL, maybe it's restored enough information for you to go through the DLL to see where the interesting stuff happens. Then using the Token of the method of interest, you can get to work in the original DLL's method.

 

 

 

 

You probably can open the DLL just find in dnSpy, it seems to be quite tolerant to bad metadata. 

 

Can you give a tutorial for unpack the DLL packed with confuser 0.5 custom? Thanks

  • 4 months later...
Posted

:wacko:

:blink:

[ModuleReport] [IAT] Modules -> mscoree.dll
[.] .net @ FileOffset 0x4AC7D0 | MetaData->Version 1.1 (struct version) -> v4.0.30319 (net version required)
[.] Flags : 0x0 | Streams : 0x5 (5)  -> #~ | #Strings | #US | #GUID | #Blob
[!] [.net scan core] ConfuserEx v1.0.0-custom detected!
[COR20] MajorRuntimeVersion 0x2 (2) | MinorRuntimeVersion 0x2 (2) -> 0x2.2 (2.2)
[COR20] Flags 0x3
[COR20 Flags] [x] IL_ONLY [x] 32BITREQUIRED [ ] IL_LIBRARY
[COR20 Flags] [ ] STRONGNAME [ ] NATIVE_EP [ ] TRACKDEBUGDATA
[COR20 Flags] [ ] 32BITPREFERRED | 0x0 UNKNOWN
[COR20 Flags] Assembly is NOT strong name signed
- Scan Took : 1.641 Second(s) [00000054Fh (1359) tick(s)] [504 of 577 scan(s) done]

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...