Tuts 4 You

ConfuserEX Mod (Bed's Protector)

Nebula

Difficulty: 6/10 (Has max/all settings enabled)
Language: .Net/C#
Platform: Windows
OS Version: All
Packer/Protector: ConfuserEX Mod (Bed's Protector)

Description:

Unpack the tool and enter the correct string to display the messagebox.

If you are successful I would like to know how you did it exactly, if you don't mind.


UnpackMe.exe

metar

Took me 2 minutes.

How? Strings aren't protected in memory.

No need to unpack or patch anything...

Nebula
5 hours ago, metar said:

Took me 2 minutes.

How? Strings aren't protected in memory.

No need to unpack or patch anything...

So you just simply debug it?

metar
9 hours ago, Nebula said:

So you just simply debug it?

Somehow, feel free to PM for details.

XenocodeRCE
On 21/11/2017 at 12:05 AM, Nebula said:

So you just simply debug it?

Run the program, put in any fake password, and click on "Check password".

The wrong msg will be prompted. Open up Process Hacker, right click on the file process -> properties -> net module -> strings -> scan/dump

and then you have a .txt file with all strings extracted from memory. Look for the wrong msg prompt text, and nearby is the password.

  • Like 4
  • Haha 3
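
Added example, not part of the original posts: a small Python scan that does what the strings dump above does, run over a constructed heap buffer rather than the real UnpackMe.exe. It shows why a password compared against a decrypted constant turns up next to the error text, and what the same scan finds when the check compares a PBKDF2 digest instead; the message texts, secret, salt and helper names are all assumptions made for the illustration.

```python
import hashlib
import re

def extract_strings(dump: bytes, min_len: int = 4):
    """Return sorted (offset, text) for printable ASCII and UTF-16LE runs.

    .NET keeps System.String data as UTF-16LE, so an ASCII-only scan misses it.
    """
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, dump):
        found.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, dump):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return sorted(found)

def near(dump: bytes, marker: str, window: int = 256):
    """Strings whose offset lies within `window` bytes of any copy of `marker`."""
    strings = extract_strings(dump)
    hits = [off for off, text in strings if text == marker]
    return [text for off, text in strings
            if text != marker and any(abs(off - h) <= window for h in hits)]

def fake_heap(*texts: str) -> bytes:
    """Constructed stand-in for a heap region: filler, length, UTF-16LE data."""
    out = b""
    for t in texts:
        out += b"\x90\x01\xff\x00" * 4 + len(t).to_bytes(4, "little")
        out += t.encode("utf-16-le") + b"\x00\x00"
    return out

# Constructed values; none of them come from UnpackMe.exe.
SECRET = "constructed-secret-123"
SALT = b"constructed-salt"
DIGEST = hashlib.pbkdf2_hmac("sha256", SECRET.encode(), SALT, 100_000).hex()

# Check that compares input with a decrypted constant: the constant is on the heap.
PLAIN_HEAP = fake_heap("Check password", "Wrong password!", SECRET, "Correct!")
# Check that compares PBKDF2(input) with a stored digest: only the digest is there.
HASHED_HEAP = fake_heap("Check password", "Wrong password!", DIGEST, "Correct!")

if __name__ == "__main__":
    print(near(PLAIN_HEAP, "Wrong password!"))   # includes SECRET
    print(near(HASHED_HEAP, "Wrong password!"))  # includes DIGEST, not SECRET
```

The digest found in the second buffer can still be guessed against offline, so this removes the plaintext from memory but does not make a weak password safe.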

Nebula
On 11/23/2017 at 10:48 AM, XenocodeRCE said:

Run the program, put in any fake password, and click on "Check password".

The wrong msg will be prompted. Open up Process Hacker, right click on the file process -> properties -> net module -> strings -> scan/dump

and then you have a .txt file with all strings extracted from memory. Look for the wrong msg prompt text, and nearby is the password.

Thank you, but now fully unpacking it is the issue I have now.

Ninjego1
On 4/28/2020 at 4:21 PM, Prab said:

Steps :

1.) Dump

2.) Fix Dump

3.) Translate to x86 ( IL Only )

4.) Constant Decrypter ( Thanks to CursedSheep )

5.) Delegate Killer

6.) ProxyCall Fixer 1.2

7.) TheProxy CFlow Remover

8.) Bed 4.5 CFlow Remover

9.) De4dot

File Unpacked : UnpackMe-Dump_fixed_noX86-ConstantDec_nodelegate_noProxy_CFlow-NoFlow-cleaned.exe

Where can I get the tools? (Been looking for Dump Fixer everywhere.)

Prab
18 hours ago, Ninjego1 said:

Where can I get the tools? (Been looking for Dump Fixer everywhere.)

Anti Dump Fixer.rar

little3388
On 4/28/2020 at 10:21 PM, Prab said:

Steps :

1.) Dump

2.) Fix Dump

3.) Translate to x86 ( IL Only )

4.) Constant Decrypter ( Thanks to CursedSheep )

5.) Delegate Killer

6.) ProxyCall Fixer 1.2

7.) TheProxy CFlow Remover

8.) Bed 4.5 CFlow Remover

9.) De4dot

File Unpacked : UnpackMe-Dump_fixed_noX86-ConstantDec_nodelegate_noProxy_CFlow-NoFlow-cleaned.exe


Where can I get these tools?

3.) Translate to x86 ( IL Only )

4.) Constant Decrypter ( Thanks to CursedSheep )

7.) TheProxy CFlow Remover

8.) Bed 4.5 CFlow Remover

collins

Prab will say that they are private tools.

Prab
8 hours ago, little3388 said:


Where can I get these tools?

3.) Translate to x86 ( IL Only )

4.) Constant Decrypter ( Thanks to CursedSheep )

7.) TheProxy CFlow Remover

8.) Bed 4.5 CFlow Remover

Bed_ControlFlow_Remover.rar

x86_Retranslater.rar

I can't give you the rest of 'em (I don't have permission to share them, hope you understand me).

  • Like 1

illuZion
On 4/28/2020 at 4:21 PM, Prab said:

Steps :

1.) Dump

2.) Fix Dump

3.) Translate to x86 ( IL Only )

4.) Constant Decrypter ( Thanks to CursedSheep )

5.) Delegate Killer

6.) ProxyCall Fixer 1.2

7.) TheProxy CFlow Remover

8.) Bed 4.5 CFlow Remover

9.) De4dot

File Unpacked : UnpackMe-Dump_fixed_noX86-ConstantDec_nodelegate_noProxy_CFlow-NoFlow-cleaned.exe

Your post doesn't explain how to do any of the steps, and doesn't even provide the tools you probably used. What you've done should be reproducible from your message, but it is not! I don't understand how such answers can still be accepted. This is not a look-at-me-i-did-it forum!

collins

@illuZion you can see Prab's tutorial on YouTube:

 

Prab
15 hours ago, illuZion said:

Your post doesn't explain how to do any of the steps, and doesn't even provide the tools you probably used. What you've done should be reproducible from your message, but it is not! I don't understand how such answers can still be accepted. This is not a look-at-me-i-did-it forum!

Yes, this was actually my bad that I hadn't explained all the details in the first place.

If I'm not lazy, I will explain the specific details and provide these tools.

shadow.Walker
On 11/20/2017 at 7:33 PM, metar said:

Took me 2 minutes.

How? Strings aren't protected in memory.

No need to unpack or patch anything...

After 3 years I had to ask:

You think there's a way to protect strings in memory!!?
