Posted June 30, 20187 yr Difficulty : 6-7 Language : C# Platform : Windows OS Version : All Packer / Protector : ConfuserEx Modded Description : Your task is to unpack the file and attach the password and the unpacked file Screenshot : UnpackMe.rar
May 14, 20196 yr login pass: Spoiler dFAyT19fUBcb~ZrDiRDEdHh2dbb5}%x1pvdz{2hKF1zRB8p90~P~FWAFZGj6h*Y4bcfYut@mKu?9BG~NE7dL3TN9hPKABhWlYw@CpYVW@qvtcTser*0QsHEY48mWZ5EqjFseqoMd%}Ew steps to unpack: 1. removed anti tamper and some junk calls 2. cleaned cflow (Thanks to Tesla for cflow cleaning) 2. removed proxy calls 3. removed proxy calls again 4. converted x86 methods to IL 5. decrypted all constants 6. cleaned cflow again (Thanks to Tesla for cflow cleaning) 7. cleaned some small stuff with de4dot. UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe
May 14, 20196 yr 38 minutes ago, CodeExplorer said: How you did this? Can you explain? https://github.com/cawk/ConfuserEx-Unpacker-2/blob/master/cawk-Emulator/.NET-Instruction-Emulator-master/CawkEmulatorV4/Instructions/Native/X86MethodToILConverter.cs take a look at this
May 15, 20196 yr 17 hours ago, Cursedzx said: Try Unpack ME ConfuserEx 1.0.0 No one can do . https://megaup.net/26jqq/unpackme.zip
May 15, 20196 yr Yeah. I am using the same technique cawk used. But I made some modifications to it to make it more stable and work for other x86 methods used in other protectors. (If there's another existing protector that does that too) (Thanks to EasySurfer for the Base) Edited May 15, 20196 yr by Cursedzx
May 15, 20196 yr 2 hours ago, bb2018 said: Try Unpack ME ConfuserEx 1.0.0 No one can do . https://megaup.net/26jqq/unpackme.zip Unpacked! pass: Spoiler ?Fw-AR{jMp,W-pG9
May 15, 20196 yr 4 hours ago, bb2018 said: Try Unpack ME ConfuserEx 1.0.0 No one can do . https://megaup.net/26jqq/unpackme.zip Step 1: Few notes: is used .NET module trick; you can dump the .NET module with memcpyLogger, You just have find to the first the block which starts with MZ. You get the module assembly entry point token with ConfuserExConstant.exe - as file input you enter original protected file, The Entry Point Token value is 600009C Tools used: https://www115.zippyshare.com/v/HETHPm4D/file.html Step 1: Dumping .NET module explained before; Step2: Confuser Exceptions Restore - anti-tamper: - this is for decrypting MSIL: https://forum.tuts4you.com/topic/41025-confuser-exceptions-restore-anti-tamper It works just fine you must unmark "Invoke EP" and "Patch Anti-tamper". So after we nop first method from <Module>.ctor - this was the anti-tamper; we also fix the entry point of koi module with 600009C Here is the partial unpacked exe: https://www8.zippyshare.com/v/M78VMowQ/file.html or string decryption I've used this: https://github.com/cawk/ConfuserEx-Static-String-Decryptor/releases Check/Mark "Invoke". For c-flow I've used ConfuserExSwitchKiller. ConfuserExCallFixer.exe for inline methods. Here is completly deobfuscated exe: https://www119.zippyshare.com/v/YFwpUuCv/file.html private void method_1(object sender, EventArgs e) { if (this.textBox_1.get_Text().Length >= 5) { string str = this.textBox_1.get_Text(); if (!Directory.Exists(@"Data\\License")) { MessageBox.Show("Password was not found!", str); } else { StreamReader reader = new StreamReader(@"Data\\License\license.dat"); reader.ReadLine(); string str3 = reader.ReadLine(); reader.Close(); if (Class7.smethod_1(str3) == this.textBox_1.get_Text()) { MessageBox.Show("Good Job !"); } else { MessageBox.Show("password is wrong!"); } } } else { MessageBox.Show("Password is invaled or too short!"); } } public static string smethod_1(string string_2) { byte[] inputBuffer = Convert.FromBase64String(string_2); AesCryptoServiceProvider provider = new AesCryptoServiceProvider { BlockSize = 0x80, KeySize = 0x100, Key = Encoding.ASCII.GetBytes(string_1), IV = Encoding.ASCII.GetBytes(string_0), Padding = PaddingMode.PKCS7, Mode = CipherMode.CBC }; ICryptoTransform transform = provider.CreateDecryptor(provider.Key, provider.IV); byte[] bytes = transform.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length); transform.Dispose(); return Encoding.ASCII.GetString(bytes); } Edited May 15, 20196 yr by CodeExplorer
November 3, 20195 yr On 5/14/2019 at 12:16 PM, Cursedzx said: login pass: Reveal hidden contents dFAyT19fUBcb~ZrDiRDEdHh2dbb5}%x1pvdz{2hKF1zRB8p90~P~FWAFZGj6h*Y4bcfYut@mKu?9BG~NE7dL3TN9hPKABhWlYw@CpYVW@qvtcTser*0QsHEY48mWZ5EqjFseqoMd%}Ew steps to unpack: 1. removed anti tamper and some junk calls 2. cleaned cflow (Thanks to Tesla for cflow cleaning) 2. removed proxy calls 3. removed proxy calls again 4. converted x86 methods to IL 5. decrypted all constants 6. cleaned cflow again (Thanks to Tesla for cflow cleaning) 7. cleaned some small stuff with de4dot. UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe 314.5 kB · 24 downloads how u find cflow cleaner? send the link pls
Create an account or sign in to comment