Jump to content
View in the app

A better way to browse. Learn more.

Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Featured Replies

Posted

Difficulty : 6-7
Language : C#
Platform : Windows
OS Version : All
Packer / Protector : ConfuserEx Modded

Description :

Your task is to unpack the file and attach the password and the unpacked file

Screenshot :

image.png.ba338cb35257228b521a62a8e8feced2.png

 

UnpackMe.rar

  • 10 months later...

login pass:

Spoiler

dFAyT19fUBcb~ZrDiRDEdHh2dbb5}%x1pvdz{2hKF1zRB8p90~P~FWAFZGj6h*Y4bcfYut@mKu?9BG~NE7dL3TN9hPKABhWlYw@CpYVW@qvtcTser*0QsHEY48mWZ5EqjFseqoMd%}Ew

steps to unpack:

1. removed anti tamper and some junk calls

2.  cleaned cflow (Thanks to Tesla for cflow cleaning)

2. removed proxy calls

3. removed proxy calls again

4. converted x86 methods to IL

5. decrypted all constants

6. cleaned cflow again (Thanks to Tesla for cflow cleaning)

7. cleaned some small stuff with de4dot.  

image.png

UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe

Quote

4. converted x86 methods to IL

How you did this? Can you explain?
 

Yeah. I am using the same technique cawk used. But I made some modifications to it to make it more stable and work for other x86 methods used in other protectors. (If there's another existing protector that does that too) 

(Thanks to EasySurfer for the Base) 

Edited by Cursedzx

2 hours ago, bb2018 said:

Try Unpack ME ConfuserEx 1.0.0  No one can do .

https://megaup.net/26jqq/unpackme.zip

Unpacked!
pass: 

Spoiler

?Fw-AR{jMp,W-pG9

image.png.59f2b4a9e7724fb1ae1c0c2fdb6a3d1b.png

4 hours ago, bb2018 said:

Try Unpack ME ConfuserEx 1.0.0  No one can do .

https://megaup.net/26jqq/unpackme.zip

Step 1:
Few notes: is used .NET module trick; you can dump the .NET module with memcpyLogger, You just have find to the first the block which starts with MZ.
You get the module assembly entry point token with ConfuserExConstant.exe - as file input you enter original protected file, The Entry Point Token value is 600009C

Tools used:
https://www115.zippyshare.com/v/HETHPm4D/file.html

Step 1: Dumping .NET module explained before;
Step2: Confuser Exceptions Restore - anti-tamper: - this is for decrypting MSIL:
https://forum.tuts4you.com/topic/41025-confuser-exceptions-restore-anti-tamper
It works just fine you must unmark "Invoke EP" and "Patch Anti-tamper".
So after we nop first method from <Module>.ctor - this was the anti-tamper;
we also fix the entry point of koi module with 600009C

Here is the partial unpacked exe:
https://www8.zippyshare.com/v/M78VMowQ/file.html

or string decryption I've used this:
https://github.com/cawk/ConfuserEx-Static-String-Decryptor/releases
Check/Mark "Invoke".

For c-flow I've used ConfuserExSwitchKiller.
ConfuserExCallFixer.exe for inline methods.

Here is completly deobfuscated exe:
https://www119.zippyshare.com/v/YFwpUuCv/file.html

private void method_1(object sender, EventArgs e)
{
if (this.textBox_1.get_Text().Length >= 5)
{
string str = this.textBox_1.get_Text();
if (!Directory.Exists(@"Data\\License"))
{
MessageBox.Show("Password was not found!", str);
}
else
{
StreamReader reader = new StreamReader(@"Data\\License\license.dat");
reader.ReadLine();
string str3 = reader.ReadLine();
reader.Close();
if (Class7.smethod_1(str3) == this.textBox_1.get_Text())
{
MessageBox.Show("Good Job !");
}
else
{
MessageBox.Show("password is wrong!");
}
}
}
else
{
MessageBox.Show("Password is invaled or too short!");
}
}


public static string smethod_1(string string_2)
{
byte[] inputBuffer = Convert.FromBase64String(string_2);
AesCryptoServiceProvider provider = new AesCryptoServiceProvider {
BlockSize = 0x80,
KeySize = 0x100,
Key = Encoding.ASCII.GetBytes(string_1),
IV = Encoding.ASCII.GetBytes(string_0),
Padding = PaddingMode.PKCS7,
Mode = CipherMode.CBC
};
ICryptoTransform transform = provider.CreateDecryptor(provider.Key, provider.IV);
byte[] bytes = transform.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length);
transform.Dispose();
return Encoding.ASCII.GetString(bytes);
}

 

Edited by CodeExplorer

  • 5 months later...
On 5/14/2019 at 12:16 PM, Cursedzx said:

login pass:

  Reveal hidden contents

dFAyT19fUBcb~ZrDiRDEdHh2dbb5}%x1pvdz{2hKF1zRB8p90~P~FWAFZGj6h*Y4bcfYut@mKu?9BG~NE7dL3TN9hPKABhWlYw@CpYVW@qvtcTser*0QsHEY48mWZ5EqjFseqoMd%}Ew

steps to unpack:

1. removed anti tamper and some junk calls

2.  cleaned cflow (Thanks to Tesla for cflow cleaning)

2. removed proxy calls

3. removed proxy calls again

4. converted x86 methods to IL

5. decrypted all constants

6. cleaned cflow again (Thanks to Tesla for cflow cleaning)

7. cleaned some small stuff with de4dot.  

image.png

UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe 314.5 kB · 24 downloads

how u find cflow cleaner? send the link pls

Create an account or sign in to comment

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.