gholam.illidan Posted September 2, 2016

Difficulty : 9/10
Language : C#
Platform : Windows
OS Version : All (requires .NET 4.0)
Packer / Protector : Confuser, deeply modified by myself
Description : Unpack the file, get the string code, clean resources and keep the application working, and make a short tut for it.
Screenshot :
UnpackMe.exe
SHADOW_UA Posted September 3, 2016 (Solution)

9/10? Is this a joke?
Decrypt assembly in memory (anti-tamper) -> mark "IL only" in CFF Explorer -> CodeCracker's tools.
You can dump resources by placing a bp on Assembly.Load(byte[]).
Unpacked file attached: unpacked.zip
5
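The "IL only" step above refers to the COMIMAGE_FLAGS_ILONLY bit in the Flags field of the .NET CLR header (IMAGE_COR20_HEADER), which CodeCracker's tools check before loading an assembly. As an added example that is not code from this thread or from any of the tools mentioned, the Python script below walks the PE headers to find that field, reports which flags are set, and shows what ticking "IL only" in CFF Explorer actually changes. It parses a constructed minimal PE32 image rather than the UnpackMe, so it runs offline; pass a real file path as the first argument to inspect an actual assembly.

```python
import struct
import sys

# Index of the CLR runtime header in the optional header's data directory table.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14

# Bits of the Flags field of IMAGE_COR20_HEADER (the field sits at offset 16).
COMIMAGE_FLAGS_ILONLY = 0x00000001
COMIMAGE_FLAGS_32BITREQUIRED = 0x00000002
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x00000008
COMIMAGE_FLAGS_NATIVE_ENTRYPOINT = 0x00000010

FLAG_NAMES = [
    (COMIMAGE_FLAGS_ILONLY, "ILONLY"),
    (COMIMAGE_FLAGS_32BITREQUIRED, "32BITREQUIRED"),
    (COMIMAGE_FLAGS_STRONGNAMESIGNED, "STRONGNAMESIGNED"),
    (COMIMAGE_FLAGS_NATIVE_ENTRYPOINT, "NATIVE_ENTRYPOINT"),
]


def _pe_offset(data):
    """Return the file offset of the 'PE\\0\\0' signature after validating the DOS header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return pe


def _rva_to_offset(data, pe, rva):
    """Map an RVA to a raw file offset by walking the section table."""
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sec = pe + 24 + opt_size  # first IMAGE_SECTION_HEADER (40 bytes each)
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sec + i * 40 + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x not covered by any section" % rva)


def clr_header_offset(data):
    """Locate IMAGE_COR20_HEADER in the file; raise if this is not a managed image."""
    pe = _pe_offset(data)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:       # PE32: data directories start at offset 96
        dd = opt + 96
    elif magic == 0x20B:     # PE32+: data directories start at offset 112
        dd = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    rva, size = struct.unpack_from("<II", data, dd + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8)
    if rva == 0 or size == 0:
        raise ValueError("no CLR header: not a .NET assembly")
    return _rva_to_offset(data, pe, rva)


def clr_flags(data):
    """Return the raw Flags value of the CLR header."""
    return struct.unpack_from("<I", data, clr_header_offset(data) + 16)[0]


def describe_flags(flags):
    """Names of the known flag bits that are set, in header-bit order."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def set_ilonly(data):
    """Return a copy of the image with COMIMAGE_FLAGS_ILONLY set (the CFF Explorer tick-box)."""
    off = clr_header_offset(data) + 16
    buf = bytearray(data)
    flags = struct.unpack_from("<I", buf, off)[0] | COMIMAGE_FLAGS_ILONLY
    struct.pack_into("<I", buf, off, flags)
    return bytes(buf)


def build_sample(flags):
    """Constructed minimal PE32 with one section and a CLR header (for parsing only, not loadable)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    pe = 0x40
    img[pe:pe + 4] = b"PE\0\0"
    # Machine=i386, 1 section, SizeOfOptionalHeader=0xE0, Characteristics=EXE|32BIT
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<II", img, opt + 96 + 14 * 8, 0x2000, 72)  # CLR directory: RVA, size
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x2000, 0x200, 0x200)  # vsize, va, rawsize, rawptr
    # IMAGE_COR20_HEADER: cb, MajorRuntimeVersion, MinorRuntimeVersion, MetaData RVA/size, Flags
    struct.pack_into("<IHHIII", img, 0x200, 72, 2, 5, 0x2048, 0x10, flags)
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample(COMIMAGE_FLAGS_32BITREQUIRED)  # constructed sample: IL only NOT set
    f = clr_flags(data)
    print("CLR flags: 0x%08x %s" % (f, describe_flags(f)))
    print("after ticking IL only: 0x%08x" % clr_flags(set_ilonly(data)))
```

Checking the flag this way before reaching for the deobfuscation tools saves the guesswork in the replies below about whether the file "is not IL-only"; note that setting the bit only changes what loaders believe about the image, it does not touch the method bodies that the anti-tamper decrypts at run time.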
gholam.illidan (Author) Posted September 3, 2016

@SHADOW_UA thanks for your quick answer to my thread. Can you please answer me more specifically: how to decrypt the assembly in memory (bypass AntiTamper)?
cawk Posted September 3, 2016

1 hour ago, gholam.illidan said:
@SHADOW_UA thanks for your quick answer to my thread. Can you please answer me more specifically: how to decrypt the assembly in memory (bypass AntiTamper)?

I haven't looked at the file, but these are just a few different ways to remove the anti-tamper, so one may not work but the other will. There are many ways.

You can try UnConfuserEx by Shadow himself.

Try Method Decryptor or Exception Restorer by CodeCracker; this is a tool specifically for anti-tamper. However, going off Shadow's reply it is not an IL-only file, meaning those tools won't actually load it. You could try using CFF Explorer, tick "IL only" and try the tools; however, on certain OSs this still doesn't work.

So another way you can do it is with dnSpy. To do this, drag and drop your file into dnSpy and go to the module .cctor, and you will see a call very near the top. Put a breakpoint on this and a breakpoint on the second call, press F5 and debug. Now continue until you reach the second breakpoint you set, then right-click on the method body and click "Reload methods". Now click File and save the module.

The final way I will tell you is to look at 0xd4d's "decrypting Confuser methods" tutorial using WinDbg. When I am home (since I am doing this on mobile) I will update it with another way using WinDbg to remove anti-tamper.
1
SHADOW_UA Posted September 4, 2016 (edited)

@gholam.illidan You can use WinDbg:
1) Place a bp on VirtualProtect;
2) Check the input parameters through the "kb" command;

BOOL WINAPI VirtualProtect(
  _In_  LPVOID lpAddress,
  _In_  SIZE_T dwSize,
  _In_  DWORD  flNewProtect,
  _Out_ PDWORD lpflOldProtect
);

The first parameter needs to be a pointer to the address with encrypted method bodies, the second is the size, the third must be 0x40 - PAGE_EXECUTE_READWRITE;
3) After finding the correct VirtualProtect, check the call stack with !clrstack and place a bp on the .cctor() return address;
4) Dump the decrypted method bodies at the address with the size (use the parameter values from VirtualProtect).

Edited September 4, 2016 by SHADOW_UA
4
gholam.illidan (Author) Posted September 4, 2016

@cawk thanks for your help.
@SHADOW_UA Simple & short guidance. Thanks SHADOW_UA.
li0nsar3c00l Posted September 4, 2016

kao and erjey rate their problems 5/10 and 4/10 and you dare to give yourself a 9/10??
4
ASd Posted May 20, 2018

On 9/4/2016 at 8:50 AM, SHADOW_UA said:
@gholam.illidan You can use WinDbg:
1) Place a bp on VirtualProtect;
2) Check the input parameters through the "kb" command;
BOOL WINAPI VirtualProtect( _In_ LPVOID lpAddress, _In_ SIZE_T dwSize, _In_ DWORD flNewProtect, _Out_ PDWORD lpflOldProtect );
The first parameter needs to be a pointer to the address with encrypted method bodies, the second is the size, the third must be 0x40 - PAGE_EXECUTE_READWRITE;
3) After finding the correct VirtualProtect, check the call stack with !clrstack and place a bp on the .cctor() return address;
4) Dump the decrypted method bodies at the address with the size (use the parameter values from VirtualProtect).

Please give me your contact details.
1