Jump to content
Tuts 4 You

ConfuserEX Mod (Bed's Protector)


Nebula
Go to solution Solved by metar,

Recommended Posts

Difficulty: 6/10 (Has max/all settings enabled)
Language: .Net/C#
Platform: Windows
OS Version: All
Packer/Protector: ConfuserEX Mod (Bed's Protector)

Description:

Unpack the tool and enter the correct string to display the messagebox.

If you are successful I would like to know how you did it exactly, if you don't mind.

Screenshot: 

UnpackMe.jpeg.1049edad62e9cb522226d252afa73600.jpeg

UnpackMe.exe

Link to comment
  • Solution

Took me 2 minutes.

image.png.498d7d55c36d45a2aa4047862387eb73.png

How ? strings aren't protected in the memory.

No need to unpack or patch anything...

Edited by metar
more details
Link to comment
5 hours ago, metar said:

Took me 2 minutes.

image.png.498d7d55c36d45a2aa4047862387eb73.png

How ? strings aren't protected in the memory.

No need to unpack or patch anything...

So you just simply debug it?

Link to comment
On 21/11/2017 at 12:05 AM, Nebula said:

So you just simply debug it?

Run the program, put any fake password, click on "Check password"

wrong msg will be prompted, open up process hacker, right click on the file process -> properties -> net module -> strings -> scan/dump

and then you have a .txt file with all strings extracted from memory. Seek for the wrong msg prompt text and nearby is the password.

  • Like 4
  • Haha 4
Link to comment
On 11/23/2017 at 10:48 AM, XenocodeRCE said:

Run the program, put any fake password, click on "Check password"

wrong msg will be prompted, open up process hacker, right click on the file process -> properties -> net module -> strings -> scan/dump

and then you have a .txt file with all strings extracted from memory. Seek for the wrong msg prompt text and nearby is the password.

Thank you, but now fully unpacking it is the issue I have now.

Link to comment
  • 2 years later...
  • 1 month later...
On 4/28/2020 at 4:21 PM, Prab said:

dnSpy-x86_B9j7lbP404.png.d0f6e2a7e9fd38372e0ae7ed9007e06f.png

Steps :

1.) Dump

2.) Fix Dump

3.) Translate to x86 ( IL Only )

4.) Constant Decrypter ( Thanks to CursedSheep )

5.) Delegate Killer

6.) ProxyCall Fixer 1.2

7.) TheProxy CFlow Remover

8.) Bed 4.5 CFlow Remover

9.) De4dot

File Unpacked : UnpackMe-Dump_fixed_noX86-ConstantDec_nodelegate_noProxy_CFlow-NoFlow-cleaned.exe

Where can I get the Tools? (Been looking for Dump Fixer everywhere

Link to comment
On 4/28/2020 at 10:21 PM, Prab said:

dnSpy-x86_B9j7lbP404.png.d0f6e2a7e9fd38372e0ae7ed9007e06f.png

Steps :

1.) Dump

2.) Fix Dump

3.) Translate to x86 ( IL Only )

4.) Constant Decrypter ( Thanks to CursedSheep )

5.) Delegate Killer

6.) ProxyCall Fixer 1.2

7.) TheProxy CFlow Remover

8.) Bed 4.5 CFlow Remover

9.) De4dot

File Unpacked : UnpackMe-Dump_fixed_noX86-ConstantDec_nodelegate_noProxy_CFlow-NoFlow-cleaned.exe


Where can I get these tools?

3.) Translate to x86 ( IL Only )

4.) Constant Decrypter ( Thanks to CursedSheep )

7.) TheProxy CFlow Remover

8.) Bed 4.5 CFlow Remover

Link to comment
On 4/28/2020 at 4:21 PM, Prab said:

dnSpy-x86_B9j7lbP404.png.d0f6e2a7e9fd38372e0ae7ed9007e06f.png

Steps :

1.) Dump

2.) Fix Dump

3.) Translate to x86 ( IL Only )

4.) Constant Decrypter ( Thanks to CursedSheep )

5.) Delegate Killer

6.) ProxyCall Fixer 1.2

7.) TheProxy CFlow Remover

8.) Bed 4.5 CFlow Remover

9.) De4dot

File Unpacked : UnpackMe-Dump_fixed_noX86-ConstantDec_nodelegate_noProxy_CFlow-NoFlow-cleaned.exe

Your post doesn't explain how to do any of the steps, and doesn't even provide the tools you probably used. What you've done should be reproducible from your message, but it is not! I don't understand how such answers can still be accepted. This is not a look-at-me-i-did-it forum!

Link to comment
15 hours ago, illuZion said:

Your post doesn't explain how to do any of the steps, and doesn't even provide the tools you probably used. What you've done should be reproducible from your message, but it is not! I don't understand how such answers can still be accepted. This is not a look-at-me-i-did-it forum!

Yes, this was acutally my bad that i hadn't explained all details at the first place.

If i'm not lazy, i would explain specific details and provide these tools.

Link to comment
shadow.Walker
On 11/20/2017 at 7:33 PM, metar said:

Took me 2 minutes.

image.png.498d7d55c36d45a2aa4047862387eb73.png

How ? strings aren't protected in the memory.

No need to unpack or patch anything...

after 3 years i had to ask

you think there's a way to protect strings in memory!!?

Link to comment
  • 2 months later...
On 6/22/2020 at 5:45 PM, little3388 said:

Can you share these tools?
Constant Decrypter
ProxyCall Fixer 1.2
TheProxy CFlow Remover

 

Link to comment
  • 1 month later...
  • 8 months later...
  • 1 month later...
goro1988

@Prab I would be so kind to upload the bedsConstantDec tool that you show in the video tutorial, since I couldn't find it ... thanks in advance

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...