Tuts 4 You
  • 0
gholam.illidan

Confuser Deeply Modified by Myself

Question

gholam.illidan

Difficulty : 9/10
Language : C#
Platform : Windows
OS Version : All (Requires .net 4.0)
Packer / Protector : Confuser Deeply Modified by Myself

Description :

Unpack the file, get the string code, clean resources and keep the application working.

And make a short tut for it.

Screenshot :

UnpackMe.jpg

UnpackMe.exe


7 answers to this question

Recommended Posts

  • 2
SHADOW_UA

9/10? Is this a joke?

Decrypt assembly in memory (anti-tamper) -> Mark "IL only" in CFF Explorer -> CodeCracker's tools.

You can dump resources by placing bp on Assembly.Load(byte[])

 

Unpacked file attached

 

unpacked.zip

  • Like 5

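The "IL only" flag SHADOW_UA refers to is bit 0x1 of the Flags field in the CLR header (IMAGE_COR20_HEADER), reached through data directory 14 of the PE optional header. The script below is an added example, not code from any post in this thread: it parses that field so an analyst can check up front whether a sample claims to be pure IL or mixed-mode (native code present, which is also what anti-tamper stubs rely on) before deciding which tooling will load it. The sample image it builds is a constructed minimal PE32 used only so the script runs offline; point it at a real file by passing a path on the command line.

```python
import struct

# IMAGE_COR20_HEADER.Flags bits (COMIMAGE_FLAGS_* from CorHdr.h)
COMIMAGE_FLAGS = {
    0x00001: "ILONLY",
    0x00002: "32BITREQUIRED",
    0x00004: "IL_LIBRARY",
    0x00008: "STRONGNAMESIGNED",
    0x00010: "NATIVE_ENTRYPOINT",
    0x10000: "TRACKDEBUGDATA",
}
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
CLR_FLAGS_OFFSET = 16     # offset of Flags inside IMAGE_COR20_HEADER


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset using (VirtualAddress, SizeOfRawData, PointerToRawData) tuples."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def clr_header_flags(data):
    """Return the CLR header Flags value, or None if the PE has no CLR directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at optional-header offset 96 (PE32) or 112 (PE32+)
    dir_base = opt + (96 if magic == 0x10B else 112)
    clr_rva, clr_size = struct.unpack_from("<II", data, dir_base + 8 * CLR_DIRECTORY_INDEX)
    if clr_rva == 0 or clr_size == 0:
        return None  # unmanaged PE
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        # VirtualAddress, SizeOfRawData, PointerToRawData sit at +12, +16, +20 of each section header
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, hdr + 12)
        sections.append((va, raw_size, raw_ptr))
    clr_off = rva_to_offset(sections, clr_rva)
    return struct.unpack_from("<I", data, clr_off + CLR_FLAGS_OFFSET)[0]


def describe_flags(flags):
    """Names of the set COMIMAGE_FLAGS bits, lowest bit first."""
    return [name for bit, name in sorted(COMIMAGE_FLAGS.items()) if flags & bit]


def is_il_only(data):
    flags = clr_header_flags(data)
    return flags is not None and bool(flags & 0x1)


def build_sample_managed_pe(flags):
    """Constructed minimal PE32 image with one section and a CLR header (not a real binary)."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 1 section, 0xE0-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<II", img, opt + 96 + 8 * CLR_DIRECTORY_INDEX, 0x2008, 72)
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x2000, 0x200, 0x200)
    clr = 0x208                                                  # RVA 0x2008 -> file offset 0x208
    struct.pack_into("<IHH", img, clr, 72, 2, 5)                 # cb, runtime version 2.5
    struct.pack_into("<I", img, clr + CLR_FLAGS_OFFSET, flags)
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_managed_pe(0x2)
    flags = clr_header_flags(data)
    if flags is None:
        print("not a managed PE")
    else:
        print(f"CLR flags {flags:#x}: {describe_flags(flags)}; IL-only: {is_il_only(data)}")
```

A mixed-mode image (ILONLY clear, often with 32BITREQUIRED or NATIVE_ENTRYPOINT set) is the case where pure-IL tools refuse to load the file, which is exactly why the thread suggests toggling the bit in CFF Explorer; reading the flag first tells you whether that step is even needed.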
  • 0
gholam.illidan

@SHADOW_UA

Thanks for your quick answer to my thread.

Can you please answer more specifically how to decrypt the assembly in memory (bypass AntiTamper)?

  • 0
cawk
1 hour ago, gholam.illidan said:

@SHADOW_UA

Thanks for your quick answer to my thread.

Can you please answer more specifically how to decrypt the assembly in memory (bypass AntiTamper)?

I haven't looked at the file, but these are just a few different ways to remove the anti-tamper, so one may not work but another will.

 

There are many ways. You can try UnConfuserEx by Shadow himself.

Try Method Decryptor or Exception Restorer by CodeCracker; this is a tool specifically for anti-tamper.

However, going off Shadow's reply, it is not an IL-only file, meaning those tools won't actually load it. You could try using CFF Explorer, tick "IL only" and try the tools; however, on certain OSes this still doesn't work.

So another way you can do it is with dnSpy. To do this, drag and drop your file into dnSpy and go to the module .cctor; you will see a call very near the top. Put a breakpoint on this and a breakpoint on the second call, press F5 and debug. Now continue until you reach the second breakpoint you set, then right-click on the method body and click "Reload methods". Now click File and Save Module.

 

The final way I will tell you is to look at 0xd4d's tutorial on decrypting Confuser methods using WinDbg.

 

When I am home (I am doing this on mobile) I will update it with another way using WinDbg to remove the anti-tamper.

  • Like 1

  • 0
SHADOW_UA

@gholam.illidan

You can use WinDbg:

1) place bp on VirtualProtect;

2) check input parameters through "kb" command;

BOOL WINAPI VirtualProtect(
  _In_  LPVOID lpAddress,
  _In_  SIZE_T dwSize,
  _In_  DWORD  flNewProtect,
  _Out_ PDWORD lpflOldProtect
);

The first parameter needs to be a pointer to the address with encrypted method bodies, the second is the size, and the third must be 0x40 (PAGE_EXECUTE_READWRITE);

3) After finding correct VirtualProtect, check call stack with !clrstack and place bp on .cctor() return address;

4) Dump decrypted method bodies at address with size (use parameter values from VirtualProtect).

  • Like 4

  • 0
gholam.illidan

@cawk

Thanks for your help.

 

@SHADOW_UA

Simple & Short Guidance

Thanks SHADOW_UA

  • 0
li0nsar3c00l

kao and erjey rate their problems 5/10 and 4/10, and you dare to give yourself a 9/10?

  • Like 4

  • 0
ASd
On 9/4/2016 at 8:50 AM, SHADOW_UA said:

@gholam.illidan

You can use WinDbg:

1) place bp on VirtualProtect;

2) check input parameters through "kb" command;


BOOL WINAPI VirtualProtect(
  _In_  LPVOID lpAddress,
  _In_  SIZE_T dwSize,
  _In_  DWORD  flNewProtect,
  _Out_ PDWORD lpflOldProtect
);

The first parameter needs to be a pointer to the address with encrypted method bodies, the second is the size, and the third must be 0x40 (PAGE_EXECUTE_READWRITE);

3) After finding correct VirtualProtect, check call stack with !clrstack and place bp on .cctor() return address;

4) Dump decrypted method bodies at address with size (use parameter values from VirtualProtect).

Please give me your contact details.
