Guest Steve Posted February 15, 2018

Difficulty : medium
Language : c#
Platform : Windows x32/x64
OS Version : All
Packer / Protector : BEDS 4,5
Description : unpack and tell how fast did you unpack it and the way if possible
Screenshot :
ConsoleApp1.rar

collins Posted February 17, 2018

Beds Protector? I found it is Babel Protector.

Guest Steve Posted February 17, 2018

4 hours ago, collins said:
> Beds Protector? I found it is Babel Protector.

for me it's detecting as 4 different protectors

BlackHat Posted May 15, 2019

Same in my case, it's showing Babel, Dnguard and a few more.

Fatulatti Posted May 16, 2019

Pretty sure BEDS is like "Babel, E..., DNGuard, S....." all mixed together.

Cursedzx Posted May 16, 2019

No, those are mostly fake attributes. It's just a modded cfex. I didn't go further to attempt to deobfuscate it because it lags so much at the cctor part of module when compiling to c#. And it has flood calls when checking via IL which makes it harder to remove all calls that need to be removed.

BlackHat Posted May 17, 2019

I tried to unpack it manually. anti tamper defeated but later calls and it has many invalid assemblies and after that don't work.. it seems it has multi anti tamper module.... and unable to clean the newest version of it....

CodeExplorer Posted May 17, 2019

11 hours ago, Black Hat Anonymous said:
> I tried to unpack it manually. anti tamper defeated but later calls and it has many invalid assemblies and after that don't work.. it seems it has multi anti tamper module.... and unable to clean the newest version of it....

Try ManagedJiterFr4 on NetBox 4.0; Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
You can't do anything without removing anti-tamper; which currently I can't!
I've found this: https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
Is there any connection with this?

cawk Posted May 17, 2019

1 hour ago, CodeExplorer said:
> Try ManagedJiterFr4 on NetBox 4.0; Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
> You can't do anything without removing anti-tamper; which currently I can't!
> I've found this: https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
> Is there any connection with this?

what do you mean you can't remove the confuserex anti tamper, isn't it pretty standard? have i missed something?
it's normal confuserex tamper, my tamper remover in confuserex unpacker removes this fine

Edited May 17, 2019 by cawk

Cursedzx Posted May 18, 2019

13 hours ago, CodeExplorer said:
> Try ManagedJiterFr4 on NetBox 4.0; Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
> You can't do anything without removing anti-tamper; which currently I can't!
> I've found this: https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
> Is there any connection with this?

Hey codecracker, any idea why managedjitter is not working for me even if i run it on netbox 4.0? when i checked on dnspy, error occurs on the part where it checks the pointer values.

CodeExplorer Posted May 18, 2019

After using ManagedJiterFr4 on NetBox 4.0 some metadata streams got corrupted so I got to restore them;
I just have to change the first method called, which is anti-tamper, to 062A (a simple return).
For removing invalid streams the strategy is to first set number of streams to a smaller size like 8.
#US with a space at the end (" "); yoi don't seems to be a valid stream!
Here is a partially unpacked exe:
https://www118.zippyshare.com/v/liRTdnBO/file.html
It uses delegates!

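Added example, not part of CodeExplorer's post or of any tool named in this thread: a small Python parser for the stream headers in a .NET metadata root (ECMA-335 II.24.2) that flags entries such as the "#US " name with a trailing space mentioned above. The sample bytes, the duplicate "#Blob" entry and all function names are constructed for illustration.

```python
import struct

# Stream names a CLR metadata reader expects (ECMA-335 II.24.2.2, plus "#-").
STANDARD = {"#~", "#-", "#Strings", "#US", "#GUID", "#Blob"}

def parse_stream_headers(md: bytes):
    """Return [(offset, size, name)] from a metadata root starting at 'BSJB'."""
    sig, _major, _minor, _reserved, vlen = struct.unpack_from("<IHHII", md, 0)
    if sig != 0x424A5342:                      # "BSJB"
        raise ValueError("not a CLI metadata root")
    pos = 16 + vlen                            # skip the padded version string
    _flags, count = struct.unpack_from("<HH", md, pos)
    pos += 4
    headers = []
    for _ in range(count):
        offset, size = struct.unpack_from("<II", md, pos)
        end = md.index(b"\0", pos + 8)         # name is NUL-terminated ASCII
        headers.append((offset, size, md[pos + 8:end].decode("ascii", "replace")))
        pos = (end + 4) & ~3                   # header is padded to 4 bytes
    return headers

def flag_streams(headers, md_len):
    """Report headers a triage pass should look at before trusting the file."""
    findings, seen = [], set()
    for offset, size, name in headers:
        if name not in STANDARD:
            findings.append((name, "non-standard name"))
        elif name in seen:
            findings.append((name, "duplicate"))
        if offset + size > md_len:
            findings.append((name, "outside metadata"))
        seen.add(name)
    return findings

def build_sample(names):
    """Constructed metadata root with empty streams; demo input only."""
    version = b"v4.0.30319\0\0"                # 12 bytes, already 4-aligned
    out = struct.pack("<IHHII", 0x424A5342, 1, 1, 0, len(version)) + version
    out += struct.pack("<HH", 0, len(names))
    for n in names:
        raw = n.encode("ascii") + b"\0"
        out += struct.pack("<II", 0, 0) + raw + b"\0" * (-len(raw) % 4)
    return out

# Constructed names: five standard streams, then "#US " with a trailing space.
SAMPLE = build_sample(["#~", "#Strings", "#US", "#GUID", "#Blob", "#US ", "#Blob"])
if __name__ == "__main__":
    for name, why in flag_streams(parse_stream_headers(SAMPLE), len(SAMPLE)):
        print(repr(name), why)
```
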
CodeExplorer Posted May 18, 2019

@Cursedzx: ManagedJiterFr4.exe for Confuser: you can get it from here:
https://forum.tuts4you.com/topic/41025-confuser-exceptions-restore-anti-tamper/

Cursedzx Posted May 18, 2019 (Solution)

Finally Fully unpacked!
steps i did to unpack:
1. I ran the application and i dumped it.
2. the anti dump got fixed by anti dump fixer.
3. i used my tool to remove all flood calls.
4. Converted all x86 methods to IL with my tool.
5. Decrypted all Constants with my tool.
6. Used de4dot to clean math mutations and junk Nops.
7. manually Removed Protection calls in Module .cctor.
8. Removed all delegates with @CodeExplorer's Delegate remover.
9. Cleaned junk nops with De4dot again.
10. Removed Proxy calls with TheProxy's Proxy call remover
11. Manually removed all fake/junk classes, attributes, and etc.
12. Renamed functions, methods, assembly, and etc.
13. Manually removed cflow (don't have good cflow remover xd)

if you're asking for the rest of the files that are barely unpacked to study it, just reply xd.

File: ConsoleApp1_fixed-RemovedMethod-NoX86-StringDec-cleaned2_nodelegate-cleaned_noProxy2-Renamed2.exe

Cursedzx Posted May 18, 2019

4 hours ago, CodeExplorer said:
> @Cursedzx: ManagedJiterFr4.exe for Confuser: you can get it from here:
> https://forum.tuts4you.com/topic/41025-confuser-exceptions-restore-anti-tamper/

ManagedJitterFr4 still doesn't work for me rip. is it because of my cpu?

CodeExplorer Posted May 18, 2019

11 minutes ago, Cursedzx said:
> ManagedJitterFr4 still doesn't work for me rip. is it because of my cpu?

You got to start ManagedJitterFr4 (for Confuser) on NetBox 4.0;
after that just Jit button when the first assembly is logged - first assembly is the main assembly.

Cursedzx Posted May 18, 2019

23 minutes ago, CodeExplorer said:
> You got to start ManagedJitterFr4 (for Confuser) on NetBox 4.0;
> after that just Jit button when the first assembly is logged - first assembly is the main assembly.

that's what i did. still not running. i can show you via screenshare on discord.

cawk Posted May 18, 2019

Here's the unpacked file
found an old unpacker i had which worked on this file (i won't share)
Metadata could be cleaned some more but here it is

UnpackedBed.exe

Edited May 18, 2019 by cawk

BlackHat Posted May 18, 2019

20 hours ago, CodeExplorer said:
> Try ManagedJiterFr4 on NetBox 4.0; Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
> You can't do anything without removing anti-tamper; which currently I can't!
> I've found this: https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
> Is there any connection with this?

When I tried to run app brother, I was continuously getting an error. and the github link you shared is a confuserex unpacker for normal version by Bed.. I'm using Windows 7 SP1 x86 Architecture and 32 bit Windows. is it any system incompatibility?

BlackHat Posted May 18, 2019

52 minutes ago, cawk said:
> Here's the unpacked file
> found an old unpacker i had which worked on this file (i won't share)
> Metadata could be cleaned some more but here it is
> UnpackedBed.exe

What is the link of your Cawk Unpacker for normal ConfuserEx one bro? the one you shared on forum, when i try to unpack even normal confuser it always throws error like system.io.exception and close down then..

mohamedsalah Posted May 19, 2019

22 hours ago, Cursedzx said:
> Finally Fully unpacked!
> steps i did to unpack:
> 1. I ran the application and i dumped it.
> 2. the anti dump got fixed by anti dump fixer.
> 3. i used my tool to remove all flood calls.
> 4. Converted all x86 methods to IL with my tool.
> 5. Decrypted all Constants with my tool.
> 6. Used de4dot to clean math mutations and junk Nops.
> 7. manually Removed Protection calls in Module .cctor.
> 8. Removed all delegates with @CodeExplorer's Delegate remover.
> 9. Cleaned junk nops with De4dot again.
> 10. Removed Proxy calls with TheProxy's Proxy call remover
> 11. Manually removed all fake/junk classes, attributes, and etc.
> 12. Renamed functions, methods, assembly, and etc.
> 13. Manually removed cflow (don't have good cflow remover xd)
> if you're asking for the rest of the files that are barely unpacked to study it, just reply xd.
> File: ConsoleApp1_fixed-RemovedMethod-NoX86-StringDec-cleaned2_nodelegate-cleaned_noProxy2-Renamed2.exe

I don't know you say. Please make a video tutorial 😢

Cricri Posted November 7, 2019

hello, I apologize if it has nothing to do with this post, I'm decompressing with ManagedJiterFr4.exe but I get the following errors why? how can i solve?

Quote:
> System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. presso ManagedJiterFr4.Unpacker.Phase4 ()
> System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. presso ManagedJiterFr4.Unpacker.Phase4 ()
> System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. presso ManagedJiterFr4.Unpacker.Phase4 ()
> System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. presso ManagedJiterFr4.Unpacker.Phase4 ()
> System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. presso ManagedJiterFr4.Unpacker.Phase4 ()
> System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. presso ManagedJiterFr4.Unpacker.Phase4 ()
> System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. presso ManagedJiterFr4.Unpacker.Phase4 ()
> System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. su ManagedJiterFr4.Unpacker.Phase4 ()
> Fatto! 13158 Metodi scaricati

Prab Posted April 29, 2020

On 5/19/2019 at 3:18 PM, mohamedsalah said:
> I don't know you say. Please make a video tutorial 😢

mohamedsalah Posted May 20, 2020

On 4/29/2020 at 10:17 AM, Prab said:

thank you

Kronos Posted September 1, 2020

Hey brad it's really pointless to post your video without the tools you used.

vosiyons Posted September 1, 2020

5 hours ago, Kronos said:
> Hey brad it's really pointless to post your video without the tools you used.

https://github.com/NotPrab/.NET-Deobfuscator