Tuts 4 You

Confuser Deeply Modified by Myself


gholam.illidan
Solved by SHADOW_UA


gholam.illidan

Difficulty : 9/10
Language : C#
Platform : Windows
OS Version : All (Requires .net 4.0)
Packer / Protector : Confuser Deeply Modified by Myself

Description :

Unpack the file, get the string code, clean the resources and keep the application working, and make a short tutorial for it.

Screenshot :

UnpackMe.jpg

UnpackMe.exe


Solution (by SHADOW_UA)

9/10? Is this a joke?

Decrypt assembly in memory (anti-tamper) -> Mark "IL only" in CFF Explorer -> CodeCracker's tools.

You can dump resources by placing bp on Assembly.Load(byte[])


Unpacked file attached


unpacked.zip


1 hour ago, gholam.illidan said:

@SHADOW_UA

thanks for your quick answer to my thread.

Can you please answer me more specifically on how to decrypt the assembly in memory (bypass anti-tamper)?

I haven't looked at the file, but these are just a few different ways to remove the anti-tamper, so one may not work but another will.

There are many ways. You can try UnConfuserEx by Shadow himself.

Try Method Decryptor or Exception Restorer by CodeCracker; this is a tool specifically for anti-tamper.

However, going off Shadow's reply, it is not an IL-only file, meaning those tools won't actually load it. You could try using CFF Explorer, tick "IL only" and try the tools; however, on certain OSs this still doesn't work.

So another way you can do it is with dnSpy. To do this, drag and drop your file into dnSpy and go to the module .cctor. You will see a call very near the top, so put a breakpoint on this and a breakpoint on the second call. Press F5 to debug, and continue until you reach the second breakpoint you set. Then right-click on the method body and click reload methods, then click File and Save Module.

The final way I will tell you is to look at 0xd4d's tutorial on decrypting Confuser methods using WinDbg.

When I am home, since I am doing this on mobile, I will update it with another way using WinDbg to remove the anti-tamper.


@gholam.illidan

You can use WinDbg:

1) place bp on VirtualProtect;

2) check input parameters through "kb" command;

BOOL WINAPI VirtualProtect(
  _In_  LPVOID lpAddress,
  _In_  SIZE_T dwSize,
  _In_  DWORD  flNewProtect,
  _Out_ PDWORD lpflOldProtect
);

First parameter needs to be a pointer to address with encrypted method bodies, second is the size, third must be 0x40 - PAGE_EXECUTE_READWRITE;

3) After finding correct VirtualProtect, check call stack with !clrstack and place bp on .cctor() return address;

4) Dump decrypted method bodies at address with size (use parameter values from VirtualProtect).

Edited by SHADOW_UA
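Two of the manual steps in this thread are plain PE header edits that are easy to get wrong by hand: flipping the "IL only" bit in CFF Explorer (CorFlags in the CLR header) so CodeCracker's tools will load the file, and, after step 4 above, writing the region dumped with WinDbg back into the file at the file offset that corresponds to the VirtualProtect address. The script below is an added example written for this thread, not code from SHADOW_UA or from any of the tools mentioned. It parses the PE headers and section table itself, so it has no dependencies; the function and constant names are mine, and `build_sample_pe()` constructs a minimal stand-in binary (one `.text` section, a CLR header with ILONLY cleared, 16 placeholder bytes at RVA 0x2080 standing in for encrypted method bodies) so the whole thing runs offline. The virtual address `0x402080` and the 16-byte dump in the usage are likewise constructed values, not from the UnpackMe.

```python
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data-directory slot of the CLR (COR20) header
COMIMAGE_FLAGS_ILONLY = 0x1                # the CorFlags bit behind CFF Explorer's "IL only" box


def _headers(data):
    """Return (optional-header offset, is_pe32plus, section count, section-table offset)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt, magic == 0x20B, nsections, opt + size_opt


def sections(data):
    """List of (name, virtual address, virtual size, raw pointer, raw size) per section."""
    _, _, nsections, table = _headers(data)
    out = []
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        out.append((name, va, vsize, rawptr, rawsize))
    return out


def rva_to_offset(data, rva):
    """Map an RVA to a file offset through the section table."""
    for _, va, vsize, rawptr, rawsize in sections(data):
        if va <= rva < va + max(vsize, rawsize):
            if rva - va >= rawsize:
                raise ValueError("RVA 0x%x lies in a virtual-only (uninitialised) range" % rva)
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def image_base(data):
    opt, plus, _, _ = _headers(data)
    if plus:
        return struct.unpack_from("<Q", data, opt + 24)[0]
    return struct.unpack_from("<I", data, opt + 28)[0]


def clr_header_offset(data):
    opt, plus, _, _ = _headers(data)
    dirs = opt + (112 if plus else 96)  # data directories follow the fixed optional-header fields
    rva, _ = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    if rva == 0:
        raise ValueError("no CLR header: not a .NET assembly")
    return rva_to_offset(data, rva)


def corflags(data):
    """Flags field of IMAGE_COR20_HEADER (offset 16 in the CLR header)."""
    return struct.unpack_from("<I", data, clr_header_offset(data) + 16)[0]


def set_il_only(data):
    """Return a copy with COMIMAGE_FLAGS_ILONLY set, i.e. the CFF Explorer 'IL only' tick."""
    buf = bytearray(data)
    off = clr_header_offset(buf) + 16
    flags = struct.unpack_from("<I", buf, off)[0]
    struct.pack_into("<I", buf, off, flags | COMIMAGE_FLAGS_ILONLY)
    return bytes(buf)


def apply_dump(data, address, dump):
    """Write bytes dumped from the live process at virtual `address` (the VirtualProtect
    lpAddress) back over the file bytes they were mapped from. Refuses ranges that do not
    map to one contiguous file range, which would silently corrupt the image."""
    rva = address - image_base(data)
    off = rva_to_offset(data, rva)
    if rva_to_offset(data, rva + len(dump) - 1) != off + len(dump) - 1:
        raise ValueError("dump does not map to a contiguous file range")
    buf = bytearray(data)
    buf[off:off + len(dump)] = dump
    return bytes(buf)


def build_sample_pe():
    """Constructed stand-in binary (not the UnpackMe): PE32, image base 0x400000, one .text
    section at RVA 0x2000 / file offset 0x200 holding a CLR header with ILONLY cleared and
    16 placeholder 0xCC bytes at RVA 0x2080 representing encrypted method bodies."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2000, 72)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    hdr += b"\0" * (0x200 - len(hdr))
    text = bytearray(0x200)
    # cb, runtime 2.5, metadata RVA/size, Flags = 32BITREQUIRED only (ILONLY not set)
    struct.pack_into("<IHHIII", text, 0, 72, 2, 5, 0x2100, 0x100, 0x2)
    text[0x80:0x90] = b"\xCC" * 16
    return hdr + bytes(text)


if __name__ == "__main__":
    pe = build_sample_pe()
    print("CorFlags before: 0x%x" % corflags(pe))
    fixed = set_il_only(pe)
    print("CorFlags after:  0x%x" % corflags(fixed))
    # constructed dump standing in for the bytes WinDbg's .writemem would have produced
    patched = apply_dump(fixed, 0x402080, b"\x2A" * 16)
    print("patched file offset 0x%x" % rva_to_offset(patched, 0x2080))
```

On a real target, read the file with `open(path, "rb").read()`, pass the lpAddress and the contents of the `.writemem` file to `apply_dump`, and write the result out; if the image was relocated at run time, subtract the actual load base shown by `lm` rather than the header's ImageBase. `set_il_only` only sets the bit, exactly like the CFF Explorer checkbox, so a file that genuinely contains native code will still fail later; that is the "on certain OSs this still doesn't work" case from the thread.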

1 year later...
On 9/4/2016 at 8:50 AM, SHADOW_UA said:

@gholam.illidan

You can use WinDbg:

1) place bp on VirtualProtect;

2) check input parameters through "kb" command;

BOOL WINAPI VirtualProtect(
  _In_  LPVOID lpAddress,
  _In_  SIZE_T dwSize,
  _In_  DWORD  flNewProtect,
  _Out_ PDWORD lpflOldProtect
);

First parameter needs to be a pointer to address with encrypted method bodies, second is the size, third must be 0x40 - PAGE_EXECUTE_READWRITE;

3) After finding correct VirtualProtect, check call stack with !clrstack and place bp on .cctor() return address;

4) Dump decrypted method bodies at address with size (use parameter values from VirtualProtect).

Please give me your contact details.
