Beds Protector 4.5

Posted February 15, 20187 yr

Difficulty : medium
Language : c#
Platform : Windows x32/x64
OS Version : All
Packer / Protector : BEDS 4,5

Description :

unpack and tell how fast did you unack it and the way if possible

Screenshot :

ConsoleApp1.rar

February 17, 20187 yr

Beds Protector ？ I found is Babel Protector .

1

February 17, 20187 yr

4 hours ago, collins said:

Beds Protector ？ I found is Babel Protector .

for me it's detecting as 4 different protectors

May 15, 20196 yr

Same in my case its Showing Babel, Dnguard and few more.

May 16, 20196 yr

Pretty sure BEDS is like "Babel, E..., DNGuard, S....." all mixed together.

May 16, 20196 yr

No, those are mostly fake attributes. It's just a modded cfex. I didn't go further to attempt to deobfuscate it because it lags so much at the cctor part of module when compiling to c#. And it has flood calls when checking via IL which makes it harder to remove all calls that needs to be removed.

1

May 17, 20196 yr

I tried to unpack it manually. anti tamper defeated but later calls and it has many invalid assemblies and after that dont work.. it seems it have multi anti tamper module.... and unable to clean the newest version of it....

May 17, 20196 yr

11 hours ago, Black Hat Anonymous said:

I tried to unpack it manually. anti tamper defeated but later calls and it has many invalid assemblies and after that dont work.. it seems it have multi anti tamper module.... and unable to clean the newest version of it....

Try ManagedJiterFr4 on NetBox 4.0;
Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
You can't do anything without removing anti-tamper; which currently I can't!

I've found this:
https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
Is any connection with this?

1

May 17, 20196 yr

1 hour ago, CodeExplorer said:

Try ManagedJiterFr4 on NetBox 4.0;
Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
You can't do anything without removing anti-tamper; which currently I can't!

I've found this:
https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
Is any connection with this?

what do you mean you cant remove the confuserex anti tamper isnt it pretty standard? have i missed something?

its normal confuserex tamper my tamper remover in confuserex unpacker removes this fine

Edited May 17, 20196 yr by cawk

May 18, 20196 yr

13 hours ago, CodeExplorer said:

Try ManagedJiterFr4 on NetBox 4.0;
Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
You can't do anything without removing anti-tamper; which currently I can't!

I've found this:
https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
Is any connection with this?

Hey codecracker, any idea why managedjitter is not working for me even if i run it on netbox 4.0? when i checked on dnspy, error occurs on the part where it checks the pointer values.

May 18, 20196 yr

After using ManagedJiterFr4 on NetBox 4.0 some metadata streams got corrupted so I got to restore them;
I've just have to change first method called which is anti-tamper to 062A (a simply return).
For removing invalid streams the strategy is to first set number of streams to a smaller size like 8.
#US with a space at the end (" "); yoi don't seems to be a valid stream!

Here is a partially unpacked exe:
https://www118.zippyshare.com/v/liRTdnBO/file.html
It uses delegates!

1

May 18, 20196 yr

@Cursedzx: ManagedJiterFr4.exe for Confuser:
you can get it from here:
https://forum.tuts4you.com/topic/41025-confuser-exceptions-restore-anti-tamper/

May 18, 20196 yr

Solution

Finally Fully unpacked!

steps i did to unpack:

1. I ran the application and i dumped it.

2. the anti dump got fixed by anti dump fixer.

3. i used my tool to remove all flood calls.

4. Converted all x86 methods to IL with my tool.

5. Decrypted all Constants with my tool.

6. Used de4dot to clean math mutations and junk Nops.

7. manually Removed Protection calls in Module .cctor.

8. Removed all delegates with @CodeExplorer's Delegate remover.

9. Cleaned junk nops with De4dot again.

10. Removed Proxy calls with TheProxy's Proxy call remover

11. Manually removed all fake/junk classes, attributes, and etc.

12. Renamed functions, methods, assembly, and etc.

13. Manually removed cflow (dont have good cflow remover xd)

if you're asking for the rest of the files that are barely unpacked to study it, just reply xd.

File:

ConsoleApp1_fixed-RemovedMethod-NoX86-StringDec-cleaned2_nodelegate-cleaned_noProxy2-Renamed2.exe

1

May 18, 20196 yr

4 hours ago, CodeExplorer said:

@Cursedzx: ManagedJiterFr4.exe for Confuser:
you can get it from here:
https://forum.tuts4you.com/topic/41025-confuser-exceptions-restore-anti-tamper/

ManagedJitterFr4 still doesn't work for me rip. is it because of my cpu?

May 18, 20196 yr

11 minutes ago, Cursedzx said:

ManagedJitterFr4 still doesn't work for me rip. is it because of my cpu?

You got to start ManagedJitterFr4 (for Confuser) on NetBox 4.0;
after that just Jit button when the first assembly is logged - first assembly is the main assembly.

1

May 18, 20196 yr

23 minutes ago, CodeExplorer said:

You got to start ManagedJitterFr4 (for Confuser) on NetBox 4.0;
after that just Jit button when the first assembly is logged - first assembly is the main assembly.

that's what i did. still not running. i can show you via screenshare on discord.

May 18, 20196 yr

Heres the unpacked file found an old unpacker i had which worked on this file (i wont share)

Metadata could be cleaned some more but here it is

UnpackedBed.exe

Edited May 18, 20196 yr by cawk

1

May 18, 20196 yr

20 hours ago, CodeExplorer said:

Try ManagedJiterFr4 on NetBox 4.0;
Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
You can't do anything without removing anti-tamper; which currently I can't!

I've found this:
https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
Is any connection with this?

When I tried to run app brother, I was continuously getting an error.

and the github link you shared is a confuserex unpacker for normal version by Bed..

Im using Windows 7 SP1 x86 Architecture and 32 bit Windows.

is it any system incompatiblity?

May 18, 20196 yr

52 minutes ago, cawk said:

Heres the unpacked file found an old unpacker i had which worked on this file (i wont share)

Metadata could be cleaned some more but here it is

UnpackedBed.exe 2.84 MB · 1 download

What is the link of your Cawk Unpacker for normal ConfuserEx one bro? the one you shared on forum, when i try to unpack even normal confuser it always throws error like system.io.exception and close down then..

May 19, 20196 yr

22 hours ago, Cursedzx said:

Finally Fully unpacked!

steps i did to unpack:

1. I ran the application and i dumped it.

2. the anti dump got fixed by anti dump fixer.

3. i used my tool to remove all flood calls.

4. Converted all x86 methods to IL with my tool.

5. Decrypted all Constants with my tool.

6. Used de4dot to clean math mutations and junk Nops.

7. manually Removed Protection calls in Module .cctor.

8. Removed all delegates with @CodeExplorer's Delegate remover.

9. Cleaned junk nops with De4dot again.

10. Removed Proxy calls with TheProxy's Proxy call remover

11. Manually removed all fake/junk classes, attributes, and etc.

12. Renamed functions, methods, assembly, and etc.

13. Manually removed cflow (dont have good cflow remover xd)

if you're asking for the rest of the files that are barely unpacked to study it, just reply xd.

File:

ConsoleApp1_fixed-RemovedMethod-NoX86-StringDec-cleaned2_nodelegate-cleaned_noProxy2-Renamed2.exe 4.5 kB · 5 downloads

I don't know you say .Please make a video tutorial 😢

1

November 7, 20195 yr

hello, I apologize if it has nothing to do with this post, I'm decompressing with ManagedJiterFr4.exe but I get the following errors why? how can i solve?

  Quote

System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione.
   presso ManagedJiterFr4.Unpacker.Phase4 ()
System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione.
   presso ManagedJiterFr4.Unpacker.Phase4 ()
System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione.
   presso ManagedJiterFr4.Unpacker.Phase4 ()
System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione.
   presso ManagedJiterFr4.Unpacker.Phase4 ()
System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione.
   presso ManagedJiterFr4.Unpacker.Phase4 ()
System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione.
   presso ManagedJiterFr4.Unpacker.Phase4 ()
System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione.
   presso ManagedJiterFr4.Unpacker.Phase4 ()
System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione.
   su ManagedJiterFr4.Unpacker.Phase4 ()
Fatto! 13158 Metodi scaricati

April 29, 20205 yr

On 5/19/2019 at 3:18 PM, mohamedsalah said:

I don't know you say .Please make a video tutorial 😢

1

May 20, 20205 yr

On 4/29/2020 at 10:17 AM, Prab said:

thank you

1

September 1, 20204 yr

Hey brad its really pointless to post your video without the tools you used.

September 1, 20204 yr

5 hours ago, Kronos said:

Hey brad its really pointless to post your video without the tools you used.

https://github.com/NotPrab/.NET-Deobfuscator

Sign In

Beds Protector 4.5

Featured Replies

Solved by Cursedzx

Create an account or sign in to comment

Account

Navigation

Search

Configure browser push notifications

Chrome (Android)

Chrome (Desktop)

Safari (iOS 16.4+)

Safari (macOS)

Edge (Android)

Edge (Desktop)

Firefox (Android)

Firefox (Desktop)