jemmg Posted June 30, 2018

Difficulty : 6-7
Language : C#
Platform : Windows
OS Version : All
Packer / Protector : ConfuserEx Modded
Description : Your task is to unpack the file and attach the password and the unpacked file
Screenshot :
UnpackMe.rar

Cursedzx Posted May 14, 2019

login pass:
Spoiler
dFAyT19fUBcb~ZrDiRDEdHh2dbb5}%x1pvdz{2hKF1zRB8p90~P~FWAFZGj6h*Y4bcfYut@mKu?9BG~NE7dL3TN9hPKABhWlYw@CpYVW@qvtcTser*0QsHEY48mWZ5EqjFseqoMd%}Ew

steps to unpack:
1. removed anti tamper and some junk calls
2. cleaned cflow (Thanks to Tesla for cflow cleaning)
2. removed proxy calls
3. removed proxy calls again
4. converted x86 methods to IL
5. decrypted all constants
6. cleaned cflow again (Thanks to Tesla for cflow cleaning)
7. cleaned some small stuff with de4dot.

UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe

CodeExplorer Posted May 14, 2019

Quote
> 4. converted x86 methods to IL

How did you do this? Can you explain?

cawk Posted May 14, 2019

38 minutes ago, CodeExplorer said:
> How did you do this? Can you explain?

https://github.com/cawk/ConfuserEx-Unpacker-2/blob/master/cawk-Emulator/.NET-Instruction-Emulator-master/CawkEmulatorV4/Instructions/Native/X86MethodToILConverter.cs

take a look at this

bb2018 Posted May 15, 2019

17 hours ago, Cursedzx said:

Try Unpack ME ConfuserEx 1.0.0 No one can do.
https://megaup.net/26jqq/unpackme.zip

Cursedzx Posted May 15, 2019 (edited)

Yeah. I am using the same technique cawk used. But I made some modifications to it to make it more stable and work for other x86 methods used in other protectors. (If there's another existing protector that does that too)

(Thanks to EasySurfer for the Base)

Edited May 15, 2019 by Cursedzx

Cursedzx Posted May 15, 2019

2 hours ago, bb2018 said:
> Try Unpack ME ConfuserEx 1.0.0 No one can do.
> https://megaup.net/26jqq/unpackme.zip

Unpacked!

pass:
Spoiler
?Fw-AR{jMp,W-pG9

CodeExplorer Posted May 15, 2019 (edited)

4 hours ago, bb2018 said:
> Try Unpack ME ConfuserEx 1.0.0 No one can do.
> https://megaup.net/26jqq/unpackme.zip

Step 1: A few notes: the .NET module trick is used; you can dump the .NET module with memcpyLogger. You just have to find the first block which starts with MZ.
You get the module assembly entry point token with ConfuserExConstant.exe - as file input you enter the original protected file. The Entry Point Token value is 600009C

Tools used:
https://www115.zippyshare.com/v/HETHPm4D/file.html

Step 1: Dumping the .NET module, explained before;

Step2: Confuser Exceptions Restore - anti-tamper: - this is for decrypting MSIL:
https://forum.tuts4you.com/topic/41025-confuser-exceptions-restore-anti-tamper
It works just fine; you must unmark "Invoke EP" and "Patch Anti-tamper".
So after that we nop the first method from <Module>.ctor - this was the anti-tamper; we also fix the entry point of the koi module with 600009C

Here is the partial unpacked exe:
https://www8.zippyshare.com/v/M78VMowQ/file.html

For string decryption I've used this:
https://github.com/cawk/ConfuserEx-Static-String-Decryptor/releases
Check/Mark "Invoke".
For c-flow I've used ConfuserExSwitchKiller.
ConfuserExCallFixer.exe for inline methods.

Here is the completely deobfuscated exe:
https://www119.zippyshare.com/v/YFwpUuCv/file.html

```csharp
// Decompiler output from the deobfuscated file, kept as posted.
// Button handler: compares the typed password with the decrypted license entry.
private void method_1(object sender, EventArgs e)
{
    if (this.textBox_1.get_Text().Length >= 5)
    {
        string str = this.textBox_1.get_Text();
        if (!Directory.Exists(@"Data\\License"))
        {
            MessageBox.Show("Password was not found!", str);
        }
        else
        {
            StreamReader reader = new StreamReader(@"Data\\License\license.dat");
            reader.ReadLine();                    // first line is skipped
            string str3 = reader.ReadLine();      // second line: Base64 ciphertext
            reader.Close();
            if (Class7.smethod_1(str3) == this.textBox_1.get_Text())
            {
                MessageBox.Show("Good Job !");
            }
            else
            {
                MessageBox.Show("password is wrong!");
            }
        }
    }
    else
    {
        MessageBox.Show("Password is invaled or too short!");
    }
}

// Class7.smethod_1: Base64-decodes the input and decrypts it with AES-256-CBC.
// string_1 (key) and string_0 (IV) are static fields of Class7 not shown in the post.
public static string smethod_1(string string_2)
{
    byte[] inputBuffer = Convert.FromBase64String(string_2);
    AesCryptoServiceProvider provider = new AesCryptoServiceProvider
    {
        BlockSize = 0x80,
        KeySize = 0x100,
        Key = Encoding.ASCII.GetBytes(string_1),
        IV = Encoding.ASCII.GetBytes(string_0),
        Padding = PaddingMode.PKCS7,
        Mode = CipherMode.CBC
    };
    ICryptoTransform transform = provider.CreateDecryptor(provider.Key, provider.IV);
    byte[] bytes = transform.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length);
    transform.Dispose();
    return Encoding.ASCII.GetString(bytes);
}
```

Edited May 15, 2019 by CodeExplorer

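Added example, not part of CodeExplorer's post or of the UnpackMe: the check above decrypts the expected password with a key and IV that ship inside the binary, so the password is recoverable once the code is readable. The sketch below stores only a salted PBKDF2 hash in the license record instead. It assumes .NET 6+; `LicenseCheck`, `Enroll`, `Verify`, the `salt:hash` record layout and the iteration count are all hypothetical choices.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the thread). Assumes .NET 6+; LicenseCheck, Enroll and
// Verify are hypothetical names, and the "salt:hash" record layout is an assumption.
static class LicenseCheck
{
    const int Iterations = 210_000;   // PBKDF2-HMAC-SHA256 work factor (assumed value)
    const int SaltLen = 16, HashLen = 32;

    // Build the record to store in license.dat: base64(salt) ":" base64(hash).
    // Nothing in it can be decrypted back into the password.
    public static string Enroll(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltLen);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                                HashAlgorithmName.SHA256, HashLen);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    // Re-derive the hash from the typed password and compare in constant time.
    public static bool Verify(string record, string typed)
    {
        string[] parts = record.Split(':');
        if (parts.Length != 2) return false;            // malformed record
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[0]);
            expected = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return false; }       // not valid Base64
        if (salt.Length != SaltLen || expected.Length != HashLen) return false;
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(typed, salt, Iterations,
                                                  HashAlgorithmName.SHA256, HashLen);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static void Main()
    {
        string record = Enroll("constructed-sample-password");   // constructed value
        Console.WriteLine(Verify(record, "constructed-sample-password"));
        Console.WriteLine(Verify(record, "wrong-guess"));
        Console.WriteLine(Verify("not-a-record", "anything"));
    }
}
```

This only keeps the password value out of the shipped files; a purely local comparison can still be patched out of the binary, so anything that must stay protected needs a server-side check.
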
xerotype Posted November 3, 2019

On 5/14/2019 at 12:16 PM, Cursedzx said:
> login pass:
> Reveal hidden contents
> dFAyT19fUBcb~ZrDiRDEdHh2dbb5}%x1pvdz{2hKF1zRB8p90~P~FWAFZGj6h*Y4bcfYut@mKu?9BG~NE7dL3TN9hPKABhWlYw@CpYVW@qvtcTser*0QsHEY48mWZ5EqjFseqoMd%}Ew
>
> steps to unpack:
> 1. removed anti tamper and some junk calls
> 2. cleaned cflow (Thanks to Tesla for cflow cleaning)
> 2. removed proxy calls
> 3. removed proxy calls again
> 4. converted x86 methods to IL
> 5. decrypted all constants
> 6. cleaned cflow again (Thanks to Tesla for cflow cleaning)
> 7. cleaned some small stuff with de4dot.
>
> UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe

how u find cflow cleaner? send the link pls