Custom ConfuserEx

[Annie]

Difficulty : 2-4
Language : .NET/C#
Platform : Windows
OS Version : All
Packer / Protector : Custom ConfuserEx

 

Description:

Should Be A Very Simple Unpack/Crack Me. Pretty Easy To Remove Anti Tamper.

 

Objective:

Unpack And Attach Unobfuscated File And Or Post The Message Box Saying Success!

 

Screenshot(s):

 

 

Download

https://mega.nz/#!wToG3QRD!8XuTTHHbO7zcJiuiBaPxah9kyHIXy4IhIEOCmMM-RvE

Virus Total

https://www.virustotal.com/#/file/fb2eecda047c4c55d23d598de4b342a48baf4697192fa76c90e1e3c1d50f06c0/detection

(False Postives Due To It Being Obfuscated!)

Unpack Me - Chinx.exe

[BackBox]

Spoiler

４４５４４Ｆ３５４６Ｆ５５４４５３４３４Ｆ３４Ｃ５３４Ｆ４２４２３４３２３４３５６５ＵＨ５５ＴＦＧ６７８７６８７６Ｈ７６７６８４２４３３２４３４ う果ば

 

unpacked.exe

[Annie]

43 minutes ago, BackBox said:

  Hide contents

４４５４４Ｆ３５４６Ｆ５５４４５３４３４Ｆ３４Ｃ５３４Ｆ４２４２３４３２３４３５６５ＵＨ５５ＴＦＧ６７８７６８７６Ｈ７６７６８４２４３３２４３４ う果ば

 

unpacked.exe

Tutorial?

[MindSystem]

Confuserex "Mod" become worse and worse... A lot of memory is use for shit. Is that useful to add so much attributes? Junk class, ... are useless, they can be removed with publics tools. 
 

Tutorial : 

https://mindlocksite.wordpress.com/2017/02/11/easy-way-to-unpack-confuserex-1-0-max-settings/

 

The only thing to do is to modify a constant decryptor to patch the anti-invoke : https://mindlocksite.wordpress.com/2017/08/31/mod-confuserex-to-counter-public-tools/

 

 

Unpack Me - Unpacked.exe

[HoLLy]

Since this one is already solved, I decided to go about it another way. Your protection kills off a bunch of tools, including dnSpy (so rude!) which killed part of my motivation and I didn't have a tool to fix the strings after the methods were decrypted (though I did find the check).

Spoiler

 

I just opened the program, entered something random to trigger the check against the key and looked for the error message with good old Cheat Engine. I initially looked for UTF-16 strings since I remember reading that it is what .NET uses internally, but I didn't find anything useful. Using UTF-8 I found one result and when looking in the memory region I noticed a big blob of semi-random bytes inside a region otherwise filled with strings. Changed text-encoding to UTF-8 and the result is what you see in the screenshot below.

Then I copied that entire string, pasted it in, and voila! This is a pretty lame method that should only work in rare cases, but I didn't have any tools for ConfuserEx and didn't want to code any up myself.

Proof:
 

 

 

[Xen]

I was able to unpack it, and get the key, and it continues to fail. Maybe its just a bad crackme. Still was a fun challenge, but the dnspy kill really annoyed me