Jump to content
Tuts 4 You

I have a malicious dotnet sample


Hacktreides

Recommended Posts

You seem to have taken the time to upload it and write all that, but didn't took the time to specify the password, Great start.

Link to comment
10 hours ago, kao said:

it's the industry standard - "infected" :)

 

Oh... *brain fart* :> thanks xD

 

@Hacktreides this is the only thing I could recover from it (sample corrupted):

https://mega.nz/#!agw12KzJ!upg0JNycjHRRcPqvb2r3zVjTQN1B7iohEZMHOLcSp6o

(note: it's a auto-decompressing exe)

 

Also with DotNetResolver + Strings plugin you will be able to see most of the strings and stuff, sorry couldn't give you a more cleaner sample, couldn't get past the cflow obfuscation.

Protector is ConfuserEx just as ExeInfo and PEID specified it's in between the 0.3.0 and 0.4.0 version.

Edited by 0xNOP
Link to comment
Hacktreides

@0xNOP nice work! Thank you :)

Can you explain me the workaround? I have downloaded dotnet resolver form here but i'm unable to find the compiled dll plugin for strings. And after that how you get the unpacked binary?

And how you indentify confuserEX? On my dumped file rdg protector say dotnet crypter and my peid says just "Microsoft Visual C# / Basic .NET [Overlay]".

Link to comment

Well, once you study ConfuserEx for a while you get used to see so many landmarks within the protected assemblies that it's not strange to see them to the naked eye afterwards, you just need to really know them for example, the CCTOR body at the entry-point is very different when you use Normal Anti-Tamper Vs. JIT Anti-Tamper, so once you identify that, you keep on going, then move onto strings decryption and lastly cflow, everything is hosted on GitHub so it's easier to see where you're stepping through if you feel kinda lost, also tools like the ones CodeCracker made and other people as well, will come in handy and don't forget about using a good decompiler / debugger like dnSpy and that's it!

 

For better signature recognition I recommend either a PEiD with updated signatures and top-most suggestion is get PiD from GameCopyWorld or w.e. it is the website :>

 

Good luck!

 

Note: Attached below is my DotNetResolver with working Strings Plugin.

DotNetResolver.7z

Edited by 0xNOP
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...