Tuts 4 You

Beds Protector 4.5


Guest Steve
Solved by Cursedzx

Difficulty : medium
Language : c#
Platform : Windows x32/x64
OS Version : All
Packer / Protector : BEDS 4,5

Description :

Unpack and tell how fast you unpacked it, and the way if possible.

Screenshot :

2ade31241c646da99d6c850cde6a1562.png

ConsoleApp1.rar

Link to comment

  • 1 year later...

No, those are mostly fake attributes. It's just a modded cfex. I didn't go further to attempt to deobfuscate it because it lags so much at the cctor part of the module when compiling to C#. And it has flood calls when checking via IL, which makes it harder to remove all calls that need to be removed.

  • Like 1
Link to comment

I tried to unpack it manually. Anti-tamper defeated, but later calls and it has many invalid assemblies, and after that it doesn't work... It seems it has a multi anti-tamper module... and I'm unable to clean the newest version of it...

Link to comment

CodeExplorer
11 hours ago, Black Hat Anonymous said:

I tried to unpack it manually. Anti-tamper defeated, but later calls and it has many invalid assemblies, and after that it doesn't work... It seems it has a multi anti-tamper module... and I'm unable to clean the newest version of it...

Try ManagedJiterFr4 on NetBox 4.0;
Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
You can't do anything without removing anti-tamper; which currently I can't!

I've found this:
https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
Is there any connection with this?

  • Like 1
Link to comment

1 hour ago, CodeExplorer said:

Try ManagedJiterFr4 on NetBox 4.0;
Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
You can't do anything without removing anti-tamper; which currently I can't!

I've found this:
https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
Is there any connection with this?

What do you mean you can't remove the ConfuserEx anti-tamper? Isn't it pretty standard? Have I missed something?

It's normal ConfuserEx tamper; my tamper remover in ConfuserEx unpacker removes this fine.

Edited by cawk
Link to comment

13 hours ago, CodeExplorer said:

Try ManagedJiterFr4 on NetBox 4.0;
Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
You can't do anything without removing anti-tamper; which currently I can't!

I've found this:
https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
Is there any connection with this?

Hey codecracker, any idea why ManagedJiter is not working for me even if I run it on NetBox 4.0? When I checked in dnSpy, the error occurs on the part where it checks the pointer values.

Link to comment

CodeExplorer

After using ManagedJiterFr4 on NetBox 4.0 some metadata streams got corrupted, so I had to restore them;
I just had to change the first method called, which is the anti-tamper, to 062A (a simple return).
For removing invalid streams the strategy is to first set the number of streams to a smaller size like 8.
#US with a space at the end (" "); yoi don't seem to be a valid stream!

Here is a partially unpacked exe:
https://www118.zippyshare.com/v/liRTdnBO/file.html
It uses delegates!

 

  • Like 1
Link to comment
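
The stream-header check described in the post above, as an added example that is not part of the original post or of any tool named in the thread: it parses a CLI metadata root, flags stream names outside the standard set, and shows how the declared stream count bounds what a parser reads. The sample root is constructed, and treating "#US " and "yoi" as the two odd stream names is an assumption read from the post.

```python
import struct

# Names from ECMA-335 II.24.2.2, plus "#-" (uncompressed tables) that the CLR accepts.
STANDARD = {"#~", "#-", "#Strings", "#US", "#GUID", "#Blob"}

def list_streams(md: bytes):
    """Parse a CLI metadata root; return (name, offset, size, issues) per stream header."""
    sig, _major, _minor, _reserved, vlen = struct.unpack_from("<IHHII", md, 0)
    if sig != 0x424A5342:                          # "BSJB"
        raise ValueError("not a CLI metadata root")
    _flags, count = struct.unpack_from("<HH", md, 16 + vlen)
    pos = 20 + vlen                                # first stream header
    seen, out = set(), []
    for _ in range(count):
        offset, size = struct.unpack_from("<II", md, pos)
        start = pos + 8
        end = md.index(b"\0", start)               # name is NUL-terminated ASCII
        name = md[start:end].decode("ascii", "replace")
        pos = start + ((end - start + 4) & ~3)     # name + NUL, padded to 4 bytes
        issues = []
        if name not in STANDARD:
            issues.append("non-standard name")
        if name in seen:
            issues.append("duplicate")
        if offset + size > len(md):
            issues.append("out of bounds")
        seen.add(name)
        out.append((name, offset, size, issues))
    return out

def with_stream_count(md: bytes, count: int) -> bytes:
    """Copy declaring only the first `count` streams (helps only if junk headers come last)."""
    vlen = struct.unpack_from("<I", md, 12)[0]
    return md[:16 + vlen + 2] + struct.pack("<H", count) + md[16 + vlen + 4:]

def build_sample() -> bytes:
    """Constructed root: four standard streams, then the two names quoted in the post."""
    names = [b"#~", b"#Strings", b"#US", b"#GUID", b"#US ", b"yoi"]
    ver = b"v4.0.30319\0\0"                        # 12 bytes, 4-aligned
    md = struct.pack("<IHHII", 0x424A5342, 1, 1, 0, len(ver)) + ver
    md += struct.pack("<HH", 0, len(names))
    for i, n in enumerate(names):
        n += b"\0"
        md += struct.pack("<II", 0x200 + 16 * i, 16) + n + b"\0" * (-len(n) % 4)
    return md.ljust(0x200 + 16 * len(names), b"\0")

if __name__ == "__main__":
    for row in list_streams(build_sample()):
        print(row)
```
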

  • Solution

Finally Fully unpacked!

Steps I did to unpack:

1. I ran the application and I dumped it.

2. The anti dump got fixed by anti dump fixer.

3. I used my tool to remove all flood calls.

4. Converted all x86 methods to IL with my tool.

5. Decrypted all constants with my tool.

6. Used de4dot to clean math mutations and junk nops.

7. Manually removed protection calls in Module .cctor.

8. Removed all delegates with @CodeExplorer's Delegate remover.

9. Cleaned junk nops with de4dot again.

10. Removed proxy calls with TheProxy's Proxy call remover.

11. Manually removed all fake/junk classes, attributes, etc.

12. Renamed functions, methods, assembly, etc.

13. Manually removed cflow (don't have a good cflow remover xd).

If you're asking for the rest of the files that are barely unpacked to study it, just reply xd.

File:

ConsoleApp1_fixed-RemovedMethod-NoX86-StringDec-cleaned2_nodelegate-cleaned_noProxy2-Renamed2.exe

  • Thanks 1
Link to comment

CodeExplorer
11 minutes ago, Cursedzx said:

ManagedJiterFr4 still doesn't work for me, rip. Is it because of my CPU?

You got to start ManagedJiterFr4 (for Confuser) on NetBox 4.0;
after that just press the Jit button when the first assembly is logged - first assembly is the main assembly.

 

  • Like 1
Link to comment

23 minutes ago, CodeExplorer said:

You got to start ManagedJiterFr4 (for Confuser) on NetBox 4.0;
after that just press the Jit button when the first assembly is logged - first assembly is the main assembly.

That's what I did. Still not running. I can show you via screenshare on Discord.

Link to comment

Here's the unpacked file; found an old unpacker I had which worked on this file (I won't share).

Metadata could be cleaned some more, but here it is.

UnpackedBed.exe

Edited by cawk
  • Like 1
Link to comment

20 hours ago, CodeExplorer said:

Try ManagedJiterFr4 on NetBox 4.0;
Plus ConfuserExFixer for removing wrong metadata; some stream left even after removing;
You can't do anything without removing anti-tamper; which currently I can't!

I've found this:
https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/releases
Is there any connection with this?

When I tried to run the app, brother, I was continuously getting an error.

And the GitHub link you shared is a ConfuserEx unpacker for the normal version by Bed.

I'm using Windows 7 SP1, x86 architecture, 32-bit Windows.

Is it a system incompatibility?

Link to comment

52 minutes ago, cawk said:

Here's the unpacked file; found an old unpacker I had which worked on this file (I won't share).

Metadata could be cleaned some more, but here it is.

UnpackedBed.exe 2.84 MB · 1 download

What is the link to your Cawk Unpacker for the normal ConfuserEx one, bro? The one you shared on the forum: when I try to unpack even normal Confuser, it always throws an error like system.io.exception and closes down then.

Link to comment

mohamedsalah
22 hours ago, Cursedzx said:

Finally Fully unpacked!

Steps I did to unpack:

1. I ran the application and I dumped it.

2. The anti dump got fixed by anti dump fixer.

3. I used my tool to remove all flood calls.

4. Converted all x86 methods to IL with my tool.

5. Decrypted all constants with my tool.

6. Used de4dot to clean math mutations and junk nops.

7. Manually removed protection calls in Module .cctor.

8. Removed all delegates with @CodeExplorer's Delegate remover.

9. Cleaned junk nops with de4dot again.

10. Removed proxy calls with TheProxy's Proxy call remover.

11. Manually removed all fake/junk classes, attributes, etc.

12. Renamed functions, methods, assembly, etc.

13. Manually removed cflow (don't have a good cflow remover xd).

If you're asking for the rest of the files that are barely unpacked to study it, just reply xd.

File:

ConsoleApp1_fixed-RemovedMethod-NoX86-StringDec-cleaned2_nodelegate-cleaned_noProxy2-Renamed2.exe 4.5 kB · 5 downloads

I don't know what you say. Please make a video tutorial 😢

  • Like 1
Link to comment

  • 5 months later...

Hello, I apologize if this has nothing to do with this post. I'm decompressing with ManagedJiterFr4.exe but I get the following errors. Why? How can I solve this?

  Quote

System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. 
   presso ManagedJiterFr4.Unpacker.Phase4 () 
System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. 
   presso ManagedJiterFr4.Unpacker.Phase4 () 
System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. 
   presso ManagedJiterFr4.Unpacker.Phase4 () 
System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. 
   presso ManagedJiterFr4.Unpacker.Phase4 () 
System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. 
   presso ManagedJiterFr4.Unpacker.Phase4 ()
System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. 
   presso ManagedJiterFr4.Unpacker.Phase4 () 
System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. 
   presso ManagedJiterFr4.Unpacker.Phase4 () 
System.Runtime.InteropServices.SEHException (0x80004005): il componente esterno ha generato un'eccezione. 
   su ManagedJiterFr4.Unpacker.Phase4 () 
Fatto! 13158 Metodi scaricati

 

Link to comment