Posted September 2, 2016

Difficulty : 9/10
Language : C#
Platform : Windows
OS Version : All (Requires .net 4.0)
Packer / Protector : Confuser Deeply Modified by Myself
Description : Unpack the file, get the string code, clean resources and keep the application working, and make a short tut for it.
Screenshot : UnpackMe.exe
September 3, 2016

Solution

9/10? Is this a joke? Decrypt assembly in memory (anti-tamper) -> Mark "IL only" in CFF Explorer -> CodeCracker's tools. You can dump resources by placing bp on Assembly.Load(byte[]).

Unpacked file attached: unpacked.zip
September 3, 2016

Author

@SHADOW_UA thanks for your quick answer to my thread. Can u please answer me more specifically how to decrypt assembly in memory (bypass AntiTamper)?
September 3, 2016

1 hour ago, gholam.illidan said:
> @SHADOW_UA thanks for your quick answer to my thread. Can u please answer me more specifically how to decrypt assembly in memory (bypass AntiTamper)?

I haven't looked at the file, but these are just a few different ways to remove the anti-tamper, so one may not work but the other will. There are many ways: you can try unconfuserex by shadow himself; try method decryptor or exception restorer by codecracker, this is a tool specifically for anti-tamper. However, going off shadow's reply, it is not an IL-only file, meaning those tools won't actually load it. You could try using CFF Explorer, tick "IL only" and try the tools; however, on certain OSs this still doesn't work. So another way you can do it is with dnSpy: to do this, drag and drop your file into dnSpy and go to the module .cctor and you will see a call very near the top, so put a breakpoint on this and a breakpoint on the second call, press F5 and debug. Now continue until you reach the second breakpoint you set, then right click on the method body and click "reload methods", then click File and Save Module. The final way I will tell you is to look at 0xd4d's "decrypting confuser methods" tutorial using windbg. When I am home (since I am doing this on mobile) I will update it with another way using windbg to remove anti-tamper.
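Added example (my own Python, not code from the thread, CFF Explorer or any of the tools named): it reads the CLR header Flags field that the "IL only" checkbox in CFF Explorer toggles, so a .NET sample can be triaged for the ILONLY bit (and the related NATIVE_ENTRYPOINT bit) before any tool is pointed at it, which is the check the replies above make by hand. The offsets follow the PE/COFF and ECMA-335 layouts; build_sample() is a constructed minimal PE32 fixture for running the check offline, not a real binary.

```python
import struct

# CLR (COR20) header Flags bits, ECMA-335 II.25.3.3.1
ILONLY, NATIVE_ENTRYPOINT = 0x1, 0x10
CLR_DIRECTORY = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

def rva_to_offset(data, rva):
    """Map an RVA to a file offset via the section table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, pe + 24 + opt_size + i * 40 + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA outside every section")

def clr_triage(data):
    """Return None for a non-.NET PE, else the COR20 Flags with the bits tools care about decoded."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    dd = pe + 24 + (96 if magic == 0x10B else 112)  # data directory start: PE32 vs PE32+
    rva, size = struct.unpack_from("<II", data, dd + 8 * CLR_DIRECTORY)
    if rva == 0 or size == 0:
        return None
    flags = struct.unpack_from("<I", data, rva_to_offset(data, rva) + 16)[0]  # Flags is at +16
    return {"flags": flags, "ilonly": bool(flags & ILONLY), "native_entry": bool(flags & NATIVE_ENTRYPOINT)}

def build_sample(flags):
    """Constructed minimal PE32 (test fixture, not a real binary): one section at RVA 0x200 holding a COR20 header."""
    va = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * CLR_DIRECTORY, va, 72)  # CLR directory -> our section
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x100, va, 0x100, va, 0, 0, 0, 0, 0x60000020)
    img = bytearray(va + 0x100)
    img[:64 + 24 + 224 + 40] = bytes(dos) + coff + bytes(opt) + sec
    img[va:va + 20] = struct.pack("<IHHIII", 72, 2, 5, 0, 0, flags)  # cb, runtime ver, MetaData, Flags
    return bytes(img)
```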
September 4, 2016

@gholam.illidan You can use WinDbg:

1) place bp on VirtualProtect;
2) check input parameters through "kb" command;

BOOL WINAPI VirtualProtect(
  _In_  LPVOID lpAddress,
  _In_  SIZE_T dwSize,
  _In_  DWORD  flNewProtect,
  _Out_ PDWORD lpflOldProtect
);

First parameter needs to be a pointer to address with encrypted method bodies, second is the size, third must be 0x40 - PAGE_EXECUTE_READWRITE;
3) After finding correct VirtualProtect, check call stack with !clrstack and place bp on .cctor() return address;
4) Dump decrypted method bodies at address with size (use parameter values from VirtualProtect).

Edited September 4, 2016 by SHADOW_UA
September 4, 2016

Author

@cawk thanks for your help. @SHADOW_UA Simple & Short Guidance. Thanks SHADOW_UA
September 4, 2016

kao and erjey rate their problems 5/10 and 4/10 and you dare to give yourself a 9/10 ??
May 20, 2018

On 9/4/2016 at 8:50 AM, SHADOW_UA said:
> @gholam.illidan You can use WinDbg:
> 1) place bp on VirtualProtect;
> 2) check input parameters through "kb" command;
> BOOL WINAPI VirtualProtect( _In_ LPVOID lpAddress, _In_ SIZE_T dwSize, _In_ DWORD flNewProtect, _Out_ PDWORD lpflOldProtect );
> First parameter needs to be a pointer to address with encrypted method bodies, second is the size, third must be 0x40 - PAGE_EXECUTE_READWRITE;
> 3) After finding correct VirtualProtect, check call stack with !clrstack and place bp on .cctor() return address;
> 4) Dump decrypted method bodies at address with size (use parameter values from VirtualProtect).

Give me your contacts, please.