Jump to content
Tuts 4 You

ConfuserEX Mod (Bed's Protector)


Nebula

Recommended Posts

Difficulty: 6/10 (Has max/all settings enabled)
Language: .Net/C#
Platform: Windows
OS Version: All
Packer/Protector: ConfuserEX Mod (Bed's Protector)

Description:

Unpack the tool and enter the correct string to display the messagebox.

If you are successful I would like to know how you did it exactly, if you don't mind.

Screenshot: 

UnpackMe.jpeg.1049edad62e9cb522226d252afa73600.jpeg

UnpackMe.exe

Link to post
5 hours ago, metar said:

Took me 2 minutes.

image.png.498d7d55c36d45a2aa4047862387eb73.png

How ? strings aren't protected in the memory.

No need to unpack or patch anything...

So you just simply debug it?

Link to post
XenocodeRCE
On 21/11/2017 at 12:05 AM, Nebula said:

So you just simply debug it?

Run the program, put any fake password, click on "Check password"

wrong msg will be prompted, open up process hacker, right click on the file process -> properties -> net module -> strings -> scan/dump

and then you have a .txt file with all strings extracted from memory. Seek for the wrong msg prompt text and nearby is the password.

  • Like 4
  • Haha 3
Link to post
On 11/23/2017 at 10:48 AM, XenocodeRCE said:

Run the program, put any fake password, click on "Check password"

wrong msg will be prompted, open up process hacker, right click on the file process -> properties -> net module -> strings -> scan/dump

and then you have a .txt file with all strings extracted from memory. Seek for the wrong msg prompt text and nearby is the password.

Thank you, but now fully unpacking it is the issue I have now.

Link to post
  • 2 years later...
  • 1 month later...
Ninjego1
On 4/28/2020 at 4:21 PM, Prab said:

dnSpy-x86_B9j7lbP404.png.d0f6e2a7e9fd38372e0ae7ed9007e06f.png

Steps :

1.) Dump

2.) Fix Dump

3.) Translate to x86 ( IL Only )

4.) Constant Decrypter ( Thanks to CursedSheep )

5.) Delegate Killer

6.) ProxyCall Fixer 1.2

7.) TheProxy CFlow Remover

8.) Bed 4.5 CFlow Remover

9.) De4dot

File Unpacked : UnpackMe-Dump_fixed_noX86-ConstantDec_nodelegate_noProxy_CFlow-NoFlow-cleaned.exe

Where can I get the Tools? (Been looking for Dump Fixer everywhere

Link to post
little3388
On 4/28/2020 at 10:21 PM, Prab said:

dnSpy-x86_B9j7lbP404.png.d0f6e2a7e9fd38372e0ae7ed9007e06f.png

Steps :

1.) Dump

2.) Fix Dump

3.) Translate to x86 ( IL Only )

4.) Constant Decrypter ( Thanks to CursedSheep )

5.) Delegate Killer

6.) ProxyCall Fixer 1.2

7.) TheProxy CFlow Remover

8.) Bed 4.5 CFlow Remover

9.) De4dot

File Unpacked : UnpackMe-Dump_fixed_noX86-ConstantDec_nodelegate_noProxy_CFlow-NoFlow-cleaned.exe


Where can I get these tools?

3.) Translate to x86 ( IL Only )

4.) Constant Decrypter ( Thanks to CursedSheep )

7.) TheProxy CFlow Remover

8.) Bed 4.5 CFlow Remover

Link to post
collins

ūüėĬ† ¬†¬†Prab will¬† say that are private tools.

Link to post
8 hours ago, little3388 said:


Where can I get these tools?

3.) Translate to x86 ( IL Only )

4.) Constant Decrypter ( Thanks to CursedSheep )

7.) TheProxy CFlow Remover

8.) Bed 4.5 CFlow Remover

Bed_ControlFlow_Remover.rar

x86_Retranslater.rar

I can't give you the rest of em ( i don't have permission to share them, hope you understand me).

  • Like 2
Link to post
illuZion
On 4/28/2020 at 4:21 PM, Prab said:

dnSpy-x86_B9j7lbP404.png.d0f6e2a7e9fd38372e0ae7ed9007e06f.png

Steps :

1.) Dump

2.) Fix Dump

3.) Translate to x86 ( IL Only )

4.) Constant Decrypter ( Thanks to CursedSheep )

5.) Delegate Killer

6.) ProxyCall Fixer 1.2

7.) TheProxy CFlow Remover

8.) Bed 4.5 CFlow Remover

9.) De4dot

File Unpacked : UnpackMe-Dump_fixed_noX86-ConstantDec_nodelegate_noProxy_CFlow-NoFlow-cleaned.exe

Your post doesn't explain how to do any of the steps, and doesn't even provide the tools you probably used. What you've done should be reproducible from your message, but it is not! I don't understand how such answers can still be accepted. This is not a look-at-me-i-did-it forum!

Link to post
15 hours ago, illuZion said:

Your post doesn't explain how to do any of the steps, and doesn't even provide the tools you probably used. What you've done should be reproducible from your message, but it is not! I don't understand how such answers can still be accepted. This is not a look-at-me-i-did-it forum!

Yes, this was acutally my bad that i hadn't explained all details at the first place.

If i'm not lazy, i would explain specific details and provide these tools.

Link to post
shadow.Walker
On 11/20/2017 at 7:33 PM, metar said:

Took me 2 minutes.

image.png.498d7d55c36d45a2aa4047862387eb73.png

How ? strings aren't protected in the memory.

No need to unpack or patch anything...

after 3 years i had to ask

you think there's a way to protect strings in memory!!?

Link to post
  • 2 months later...
popkoko818
On 6/22/2020 at 5:45 PM, little3388 said:

Can you share these tools?
Constant Decrypter
ProxyCall Fixer 1.2
TheProxy CFlow Remover

 

Link to post
  • 1 month later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...