Hacktreides Posted July 29, 2016 Share Posted July 29, 2016 Hello, I have a malicious dotnet sample packer, anyone known the packer type and how to unpack it? I have try de4dot but it's failed. Thank you Dumped.zip Link to comment Share on other sites More sharing options...
0xNOP Posted July 29, 2016 Share Posted July 29, 2016 You seem to have taken the time to upload it and write all that, but didn't took the time to specify the password, Great start. Link to comment Share on other sites More sharing options...
kao Posted July 30, 2016 Share Posted July 30, 2016 it's the industry standard - "infected" 1 Link to comment Share on other sites More sharing options...
0xNOP Posted July 30, 2016 Share Posted July 30, 2016 (edited) 10 hours ago, kao said: it's the industry standard - "infected" Oh... *brain fart* :> thanks xD @Hacktreides this is the only thing I could recover from it (sample corrupted): https://mega.nz/#!agw12KzJ!upg0JNycjHRRcPqvb2r3zVjTQN1B7iohEZMHOLcSp6o (note: it's a auto-decompressing exe) Also with DotNetResolver + Strings plugin you will be able to see most of the strings and stuff, sorry couldn't give you a more cleaner sample, couldn't get past the cflow obfuscation. Protector is ConfuserEx just as ExeInfo and PEID specified it's in between the 0.3.0 and 0.4.0 version. Edited July 30, 2016 by 0xNOP Link to comment Share on other sites More sharing options...
Hacktreides Posted July 31, 2016 Author Share Posted July 31, 2016 @0xNOP nice work! Thank you Can you explain me the workaround? I have downloaded dotnet resolver form here but i'm unable to find the compiled dll plugin for strings. And after that how you get the unpacked binary? And how you indentify confuserEX? On my dumped file rdg protector say dotnet crypter and my peid says just "Microsoft Visual C# / Basic .NET [Overlay]". Link to comment Share on other sites More sharing options...
0xNOP Posted July 31, 2016 Share Posted July 31, 2016 (edited) Well, once you study ConfuserEx for a while you get used to see so many landmarks within the protected assemblies that it's not strange to see them to the naked eye afterwards, you just need to really know them for example, the CCTOR body at the entry-point is very different when you use Normal Anti-Tamper Vs. JIT Anti-Tamper, so once you identify that, you keep on going, then move onto strings decryption and lastly cflow, everything is hosted on GitHub so it's easier to see where you're stepping through if you feel kinda lost, also tools like the ones CodeCracker made and other people as well, will come in handy and don't forget about using a good decompiler / debugger like dnSpy and that's it! For better signature recognition I recommend either a PEiD with updated signatures and top-most suggestion is get PiD from GameCopyWorld or w.e. it is the website :> Good luck! Note: Attached below is my DotNetResolver with working Strings Plugin. DotNetResolver.7z Edited July 31, 2016 by 0xNOP Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now