Jump to content
Tuts 4 You

How do disassemble/decompile ConfuserEx 0.5 DLL


myli

Recommended Posts

Hello,


 


i've a question. Ive a DLL (yes, i know the source) which is confused using ConfuserEx 0.5 with .NET Framework 4.52.


 


 


Now i've tried to to open the DLL using several disassembler but no result. I found several tutorials how to unconfuse the DLL in this forum but all of them are not successfully in this case.


 


 


Ive tried ConfuserExFixer, MethodsDecrypter, ... and so on.


 


could anyone tell me HOW it's possible and a decrypted result?


 


Attached is the DLL. Its nothing special. Thanks.


 


 


CGBfunctions.zip

Edited by myli
Link to comment
Share on other sites


-=[ ProtectionID v0.6.6.7 DECEMBER]=-

© 2003-2015 CDKiLLER & TippeX

Build 24/12/14-22:48:13

Ready...

Scanning -> C:\Users\_______\Desktop\CGBfunctions\CGBfunctions.dll

File Type : 32-Bit Dll (Subsystem : Win CUI / 3), Size : 2208256 (021B200h) Byte(s)

Compilation TimeStamp : 0x559AFB51 -> Mon 06th Jul 2015 22:04:01 (GMT)

[TimeStamp] 0x559AFB51 -> Mon 06th Jul 2015 22:04:01 (GMT) | PE Header | - | Offset: 0x00000088 | VA: 0x10000088 | -

[TimeStamp] 0x559AFB51 -> Mon 06th Jul 2015 22:04:01 (GMT) | Export | - | Offset: 0x0010B058 | VA: 0x1010E058 | -

[File Heuristics] -> Flag #1 : 00000000000001001101000100110000 (0x0004D130)

[Entrypoint Section Entropy] : 3.41 (section #0) "        " | Size : 0x10AAE4 (1092324) byte(s)

[DllCharacteristics] -> Flag : (0x8540) -> ASLR | DEP | NOSEH | TSA

[sectionCount] 7 (0x7) | ImageSize 0x228000 (2260992) byte(s)

[Export] 100% of function(s) (21 of 21) are in file | 0 are forwarded | 21 code | 0 data | 0 uninit data | 0 unknown | 

[VersionInfo] Product Name : CGBfunction

[VersionInfo] Product Version : 2.0.0.0

[VersionInfo] File Description : CGBfunction

[VersionInfo] File Version : 2.0.0.0

[VersionInfo] Original FileName : CGBfunctions.dll

[VersionInfo] Internal Name : CGBfunctions.dll

[VersionInfo] Version Comments : Gamebot.org

[VersionInfo] Legal Copyrights : Copyright ©  2015

[!] [.net scan core] ConfuserEx v0.5.0-custom detected!

[CompilerDetect] -> .NET

[.] .Net Info -> v 2.5 (struct version) | x86 mixed | Flags : 0x00000002 -> COMIMAGE_FLAGS_32BITREQUIRED | 

[.] Entrypoint (Token) : 0x00000000

[.] MetaData RVA : 0x001B3350 | Size : 0x0007194C (465228)

[.] MetaData->Version 1.1 (struct ver) -> v4.0.30319 (required framework)

[.] Flags : 0x0 | Streams : 0x8 (8) unusual (its usually 5) -> #~ | #Strings | #US | #GUID | #Blob | #Strings | #Blob | #Schema

- Scan Took : 1.312 Second(s) [000000698h (1688) tick(s)] [244 of 573 scan(s) done]


 

Is a modded version of ConfuserEx. If you cant do nothing is for it.

Edited by CodeShark
  • Like 1
Link to comment
Share on other sites

  • 2 weeks later...

thank you, ive tried several tutorials from the forum but they didnt work. IVe also the PDB files (which contains the method names, correct?) Do you have a Tutorial?


Link to comment
Share on other sites

ive tried de4dot but it seems to corrupt the dll anyway. I cant open it using a disassembler. (Just Decompile, etc) 


Link to comment
Share on other sites

  • 2 weeks later...

Bump for this, also interested in a DLL packed with Confuser, tools like switch killer and predicate killer do not seem to run at all.


Link to comment
Share on other sites

  • 4 weeks later...

Besides breaking the DLL, maybe it's restored enough information for you to go through the DLL to see where the interesting stuff happens. Then using the Token of the method of interest, you can get to work in the original DLL's method.


 


You probably can open the DLL just find in dnSpy, it seems to be quite tolerant to bad metadata. 

Link to comment
Share on other sites

  • 11 months later...
On 9/3/2015 at 3:11 PM, GamerAndDev said:

Besides breaking the DLL, maybe it's restored enough information for you to go through the DLL to see where the interesting stuff happens. Then using the Token of the method of interest, you can get to work in the original DLL's method.

 

 

 

 

You probably can open the DLL just find in dnSpy, it seems to be quite tolerant to bad metadata. 

 

Can you give a tutorial for unpack the DLL packed with confuser 0.5 custom? Thanks

Link to comment
Share on other sites

  • 4 months later...

:wacko:

:blink:

[ModuleReport] [IAT] Modules -> mscoree.dll
[.] .net @ FileOffset 0x4AC7D0 | MetaData->Version 1.1 (struct version) -> v4.0.30319 (net version required)
[.] Flags : 0x0 | Streams : 0x5 (5)  -> #~ | #Strings | #US | #GUID | #Blob
[!] [.net scan core] ConfuserEx v1.0.0-custom detected!
[COR20] MajorRuntimeVersion 0x2 (2) | MinorRuntimeVersion 0x2 (2) -> 0x2.2 (2.2)
[COR20] Flags 0x3
[COR20 Flags] [x] IL_ONLY [x] 32BITREQUIRED [ ] IL_LIBRARY
[COR20 Flags] [ ] STRONGNAME [ ] NATIVE_EP [ ] TRACKDEBUGDATA
[COR20 Flags] [ ] 32BITPREFERRED | 0x0 UNKNOWN
[COR20 Flags] Assembly is NOT strong name signed
- Scan Took : 1.641 Second(s) [00000054Fh (1359) tick(s)] [504 of 577 scan(s) done]

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...