Tuts 4 You
Beds Protector 4.5

Question

Guest Steve

Difficulty : medium
Language : c#
Platform : Windows x32/x64
OS Version : All
Packer / Protector : BEDS 4,5

Description :

Unpack it and tell how fast you unpacked it, and the way if possible.

ConsoleApp1.rar

19 answers to this question

  • 1
Cursedzx

Finally Fully unpacked!

Steps I did to unpack:

1. I ran the application and I dumped it.

2. The anti dump got fixed by anti dump fixer.

3. I used my tool to remove all flood calls.

4. Converted all x86 methods to IL with my tool.

5. Decrypted all constants with my tool.

6. Used de4dot to clean math mutations and junk nops.

7. Manually removed protection calls in Module .cctor.

8. Removed all delegates with @CodeExplorer's Delegate remover.

9. Cleaned junk nops with de4dot again.

10. Removed proxy calls with TheProxy's Proxy call remover.

11. Manually removed all fake/junk classes, attributes, etc.

12. Renamed functions, methods, assembly, etc.

13. Manually removed cflow (don't have a good cflow remover xd).

if you're asking for the rest of the files that are barely unpacked to study it, just reply xd.

File:

ConsoleApp1_fixed-RemovedMethod-NoX86-StringDec-cleaned2_nodelegate-cleaned_noProxy2-Renamed2.exe

  • 1
CodeExplorer
11 hours ago, Black Hat Anonymous said:

I tried to unpack it manually. Anti tamper defeated but later calls and it has many invalid assemblies and after that don't work.. it seems it has multi anti tamper module.... and unable to clean the newest version of it....

Try ManagedJiterFr4 on NetBox 4.0;
Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
You can't do anything without removing anti-tamper; which currently I can't!

I've found this:
https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
Is there any connection with this?
 

 

  • 1
cawk
Posted (edited)

Here's the unpacked file; found an old unpacker I had which worked on this file (I won't share).

Metadata could be cleaned some more but here it is

UnpackedBed.exe

Edited by cawk (see edit history)
  • Like 1

  • 0
collins

Beds Protector? I found it is Babel Protector :lol:.

  • 0
Guest Steve
4 hours ago, collins said:

Beds Protector ?  I found is Babel  Protector  :lol:.

for me it's detecting as 4 different protectors :D 

  • 0
BlackHat

Same in my case, it's showing Babel, DNGuard and a few more.

  • 0
Fatulatti

Pretty sure BEDS is like "Babel, E..., DNGuard, S....." all mixed together.

  • 0
Cursedzx

No, those are mostly fake attributes. It's just a modded cfex. I didn't go further to attempt to deobfuscate it because it lags so much at the cctor part of the module when decompiling to C#. And it has flood calls when checking via IL, which makes it harder to remove all calls that need to be removed.

  • Like 1

  • 0
BlackHat

I tried to unpack it manually. Anti tamper defeated but later calls and it has many invalid assemblies and after that don't work.. it seems it has multi anti tamper module.... and unable to clean the newest version of it....

  • 0
cawk
Posted (edited)
1 hour ago, CodeExplorer said:

Try ManagedJiterFr4 on NetBox 4.0;
Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
You can't do anything without removing anti-tamper; which currently I can't!

I've found this:
https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
Is any connection with this?
 

 

What do you mean you can't remove the ConfuserEx anti tamper, isn't it pretty standard? Have I missed something?

It's normal ConfuserEx tamper; my tamper remover in ConfuserEx unpacker removes this fine.

Edited by cawk (see edit history)

  • 0
Cursedzx
13 hours ago, CodeExplorer said:

Try ManagedJiterFr4 on NetBox 4.0;
Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
You can't do anything without removing anti-tamper; which currently I can't!

I've found this:
https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
Is any connection with this?
 

 

Hey codecracker, any idea why managedjitter is not working for me even if I run it on NetBox 4.0? When I checked in dnSpy, the error occurs on the part where it checks the pointer values.

  • 0
CodeExplorer

After using ManagedJiterFr4 on NetBox 4.0 some metadata streams got corrupted so I had to restore them;
I just had to change the first method called, which is anti-tamper, to 062A (a simple return).
For removing invalid streams the strategy is to first set the number of streams to a smaller size like 8.
#US with a space at the end (" "); it doesn't seem to be a valid stream!

Here is a partially unpacked exe:
https://www118.zippyshare.com/v/liRTdnBO/file.html
It uses delegates!

 

  • Like 1
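The stream headers CodeExplorer refers to live in the CLI metadata root, so an odd entry such as `#US ` (with a trailing space) can be spotted by parsing the headers directly. This is an added example, not code from the thread or from any tool named in it; it assumes the metadata root (the `BSJB` blob) has already been located, and it runs on a constructed sample.

```python
import struct

# Stream names the CLR normally uses in an assembly (ECMA-335 II.24.2.2, plus "#-").
KNOWN = {"#~", "#-", "#Strings", "#US", "#GUID", "#Blob"}

def parse_streams(md: bytes):
    """Parse the stream headers of a metadata root that starts at 'BSJB'."""
    sig, _major, _minor, _reserved, vlen = struct.unpack_from("<IHHII", md, 0)
    if sig != 0x424A5342:                       # "BSJB"
        raise ValueError("not a CLI metadata root")
    pos = 16 + vlen                             # version string, stored pre-padded
    _flags, count = struct.unpack_from("<HH", md, pos)
    pos += 4
    streams = []
    for _ in range(count):
        offset, size = struct.unpack_from("<II", md, pos)
        start = pos + 8
        end = md.index(b"\0", start)            # name is NUL-terminated ASCII
        streams.append((offset, size, md[start:end].decode("ascii", "replace")))
        pos = start + ((end - start + 4) & ~3)  # name + NUL, padded to 4 bytes
    return streams

def flag_streams(streams, md_len):
    """Return [(name, reasons)] for headers that deserve a closer look."""
    flagged = []
    for offset, size, name in streams:
        reasons = []
        if name not in KNOWN:
            reasons.append("non-standard name")
        if offset + size > md_len:              # offsets are relative to the root
            reasons.append("data outside metadata")
        if reasons:
            flagged.append((name, reasons))
    return flagged

def build_sample():
    """Constructed metadata root with six headers, one named '#US ' (trailing space)."""
    ver = b"v4.0.30319\0\0"
    md = struct.pack("<IHHII", 0x424A5342, 1, 1, 0, len(ver)) + ver
    names = [b"#~", b"#Strings", b"#US", b"#US ", b"#GUID", b"#Blob"]
    md += struct.pack("<HH", 0, len(names))
    for n in names:
        md += struct.pack("<II", 0, 0) + n + b"\0" * (4 - len(n) % 4)
    return md

if __name__ == "__main__":
    sample = build_sample()
    for name, reasons in flag_streams(parse_streams(sample), len(sample)):
        print(repr(name), reasons)
```

Printing the name with `repr` makes the trailing space visible, which a plain listing of stream names would hide.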

  • 0
CodeExplorer
11 minutes ago, Cursedzx said:

ManagedJitterFr4 still doesn't work for me rip. is it because of my cpu? 

You got to start ManagedJitterFr4 (for Confuser) on NetBox 4.0;
after that just Jit button when the first assembly is logged - first assembly is the main assembly.

 

  • Like 1

  • 0
Cursedzx
23 minutes ago, CodeExplorer said:

You got to start ManagedJitterFr4 (for Confuser) on NetBox 4.0;
after that just Jit button when the first assembly is logged - first assembly is the main assembly.

 

That's what I did. Still not running. I can show you via screenshare on Discord.

  • 0
BlackHat
20 hours ago, CodeExplorer said:

Try ManagedJiterFr4 on NetBox 4.0;
Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
You can't do anything without removing anti-tamper; which currently I can't!

I've found this:
https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
Is any connection with this?
 

 

When I tried to run the app, brother, I was continuously getting an error.

And the GitHub link you shared is a ConfuserEx unpacker for the normal version by Bed.

I'm using Windows 7 SP1, x86 architecture, 32-bit Windows.

Is it a system incompatibility?

  • 0
BlackHat
52 minutes ago, cawk said:

Heres the unpacked file found an old unpacker i had which worked on this file (i wont share)

Metadata could be cleaned some more but here it is

UnpackedBed.exe 2.84 MB · 1 download

What is the link of your Cawk Unpacker for the normal ConfuserEx one, bro? The one you shared on the forum, when I try to unpack even normal Confuser it always throws an error like system.io.exception and closes down then.

  • 0
mohamedsalah
22 hours ago, Cursedzx said:

Finally Fully unpacked!

steps i did to unpack:

1. I ran the application and i dumped it.

2. the anti dump got fixed by anti dump fixer.

3. i used my tool to remove all flood calls.

4. Converted all x86 methods to IL with my tool.

5. Decrypted all Constants with my tool.

6. Used de4dot to clean math mutations and junk Nops.

 7. manually Removed Protection calls in Module .cctor.

8. Removed all delegates with @CodeExplorer's Delegate remover.

9. Cleaned junk nops with De4dot again.

10. Removed Proxy calls with TheProxy's Proxy call remover

11. Manually removed all fake/junk classes, attributes, and etc.

12. Renamed functions, methods, assembly, and etc.

13. Manually removed cflow (dont have good cflow remover xd)

if you're asking for the rest of the files that are barely unpacked to study it, just reply xd.

File:

ConsoleApp1_fixed-RemovedMethod-NoX86-StringDec-cleaned2_nodelegate-cleaned_noProxy2-Renamed2.exe 4.5 kB · 5 downloads

I don't know what you say. Please make a video tutorial 😢
