ConfuserEx Mod

[jemmg]

Difficulty : 6-7
Language : C#
Platform : Windows
OS Version : All
Packer / Protector : ConfuserEx Modded

Description :

Your task is to unpack the file and attach the password and the unpacked file

Screenshot :

 

UnpackMe.rar

[Cursedzx]

login pass:

Spoiler

dFAyT19fUBcb~ZrDiRDEdHh2dbb5}%x1pvdz{2hKF1zRB8p90~P~FWAFZGj6h*Y4bcfYut@mKu?9BG~NE7dL3TN9hPKABhWlYw@CpYVW@qvtcTser*0QsHEY48mWZ5EqjFseqoMd%}Ew

steps to unpack:

1. removed anti tamper and some junk calls

2.  cleaned cflow (Thanks to Tesla for cflow cleaning)

2. removed proxy calls

3. removed proxy calls again

4. converted x86 methods to IL

5. decrypted all constants

6. cleaned cflow again (Thanks to Tesla for cflow cleaning)

7. cleaned some small stuff with de4dot.  

UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe

[CodeExplorer]

Quote

4. converted x86 methods to IL

How you did this? Can you explain?
 

[cawk]

38 minutes ago, CodeExplorer said:

How you did this? Can you explain?
 

https://github.com/cawk/ConfuserEx-Unpacker-2/blob/master/cawk-Emulator/.NET-Instruction-Emulator-master/CawkEmulatorV4/Instructions/Native/X86MethodToILConverter.cs

 

take a look at this

[bb2018]

17 hours ago, Cursedzx said:

 

Try Unpack ME ConfuserEx 1.0.0  No one can do .

https://megaup.net/26jqq/unpackme.zip

[Cursedzx]

Yeah. I am using the same technique cawk used. But I made some modifications to it to make it more stable and work for other x86 methods used in other protectors. (If there's another existing protector that does that too) 

(Thanks to EasySurfer for the Base) 

Edited May 15, 2019 by Cursedzx

[Cursedzx]

2 hours ago, bb2018 said:

Try Unpack ME ConfuserEx 1.0.0  No one can do .

https://megaup.net/26jqq/unpackme.zip

Unpacked!
pass: 

Spoiler

?Fw-AR{jMp,W-pG9

[CodeExplorer]

4 hours ago, bb2018 said:

Try Unpack ME ConfuserEx 1.0.0  No one can do .

https://megaup.net/26jqq/unpackme.zip

Step 1:
Few notes: is used .NET module trick; you can dump the .NET module with memcpyLogger, You just have find to the first the block which starts with MZ.
You get the module assembly entry point token with ConfuserExConstant.exe - as file input you enter original protected file, The Entry Point Token value is 600009C

Tools used:
https://www115.zippyshare.com/v/HETHPm4D/file.html

Step 1: Dumping .NET module explained before;
Step2: Confuser Exceptions Restore - anti-tamper: - this is for decrypting MSIL:
https://forum.tuts4you.com/topic/41025-confuser-exceptions-restore-anti-tamper
It works just fine you must unmark "Invoke EP" and "Patch Anti-tamper".
So after we nop first method from <Module>.ctor - this was the anti-tamper;
we also fix the entry point of koi module with 600009C

Here is the partial unpacked exe:
https://www8.zippyshare.com/v/M78VMowQ/file.html

or string decryption I've used this:
https://github.com/cawk/ConfuserEx-Static-String-Decryptor/releases
Check/Mark "Invoke".

For c-flow I've used ConfuserExSwitchKiller.
ConfuserExCallFixer.exe for inline methods.

Here is completly deobfuscated exe:
https://www119.zippyshare.com/v/YFwpUuCv/file.html

private void method_1(object sender, EventArgs e)
{
if (this.textBox_1.get_Text().Length >= 5)
{
string str = this.textBox_1.get_Text();
if (!Directory.Exists(@"Data\\License"))
{
MessageBox.Show("Password was not found!", str);
}
else
{
StreamReader reader = new StreamReader(@"Data\\License\license.dat");
reader.ReadLine();
string str3 = reader.ReadLine();
reader.Close();
if (Class7.smethod_1(str3) == this.textBox_1.get_Text())
{
MessageBox.Show("Good Job !");
}
else
{
MessageBox.Show("password is wrong!");
}
}
}
else
{
MessageBox.Show("Password is invaled or too short!");
}
}


public static string smethod_1(string string_2)
{
byte[] inputBuffer = Convert.FromBase64String(string_2);
AesCryptoServiceProvider provider = new AesCryptoServiceProvider {
BlockSize = 0x80,
KeySize = 0x100,
Key = Encoding.ASCII.GetBytes(string_1),
IV = Encoding.ASCII.GetBytes(string_0),
Padding = PaddingMode.PKCS7,
Mode = CipherMode.CBC
};
ICryptoTransform transform = provider.CreateDecryptor(provider.Key, provider.IV);
byte[] bytes = transform.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length);
transform.Dispose();
return Encoding.ASCII.GetString(bytes);
}

 

Edited May 15, 2019 by CodeExplorer

[xerotype]

On 5/14/2019 at 12:16 PM, Cursedzx said:

login pass:

  Reveal hidden contents

dFAyT19fUBcb~ZrDiRDEdHh2dbb5}%x1pvdz{2hKF1zRB8p90~P~FWAFZGj6h*Y4bcfYut@mKu?9BG~NE7dL3TN9hPKABhWlYw@CpYVW@qvtcTser*0QsHEY48mWZ5EqjFseqoMd%}Ew

steps to unpack:

1. removed anti tamper and some junk calls

2.  cleaned cflow (Thanks to Tesla for cflow cleaning)

2. removed proxy calls

3. removed proxy calls again

4. converted x86 methods to IL

5. decrypted all constants

6. cleaned cflow again (Thanks to Tesla for cflow cleaning)

7. cleaned some small stuff with de4dot.  

UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe 314.5 kB · 24 downloads

how u find cflow cleaner? send the link pls