Jump to content
Tuts 4 You
  • 0
Sign in to follow this  
jemmg

ConfuserEx Mod

Question

jemmg

Difficulty : 6-7
Language : C#
Platform : Windows
OS Version : All
Packer / Protector : ConfuserEx Modded

Description :

Your task is to unpack the file and attach the password and the unpacked file

Screenshot :

image.png.ba338cb35257228b521a62a8e8feced2.png

 

UnpackMe.rar

Share this post


Link to post

7 answers to this question

Recommended Posts

  • 1
Cursedzx

login pass:

Spoiler

dFAyT19fUBcb~ZrDiRDEdHh2dbb5}%x1pvdz{2hKF1zRB8p90~P~FWAFZGj6h*Y4bcfYut@mKu?9BG~NE7dL3TN9hPKABhWlYw@CpYVW@qvtcTser*0QsHEY48mWZ5EqjFseqoMd%}Ew

steps to unpack:

1. removed anti tamper and some junk calls

2.  cleaned cflow (Thanks to Tesla for cflow cleaning)

2. removed proxy calls

3. removed proxy calls again

4. converted x86 methods to IL

5. decrypted all constants

6. cleaned cflow again (Thanks to Tesla for cflow cleaning)

7. cleaned some small stuff with de4dot.  

image.png

UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe

  • Like 2

Share this post


Link to post
  • 0
CodeExplorer
Quote

4. converted x86 methods to IL

How you did this? Can you explain?
 

Share this post


Link to post
  • 0
Cursedzx
Posted (edited)

Yeah. I am using the same technique cawk used. But I made some modifications to it to make it more stable and work for other x86 methods used in other protectors. (If there's another existing protector that does that too) 

(Thanks to EasySurfer for the Base) 

Edited by Cursedzx (see edit history)

Share this post


Link to post
  • 0
Cursedzx
2 hours ago, bb2018 said:

Try Unpack ME ConfuserEx 1.0.0  No one can do .

https://megaup.net/26jqq/unpackme.zip

Unpacked!
pass: 

Spoiler

?Fw-AR{jMp,W-pG9

image.png.59f2b4a9e7724fb1ae1c0c2fdb6a3d1b.png

  • Like 1

Share this post


Link to post
  • 0
CodeExplorer
Posted (edited)
4 hours ago, bb2018 said:

Try Unpack ME ConfuserEx 1.0.0  No one can do .

https://megaup.net/26jqq/unpackme.zip

Step 1:
Few notes: is used .NET module trick; you can dump the .NET module with memcpyLogger, You just have find to the first the block which starts with MZ.
You get the module assembly entry point token with ConfuserExConstant.exe - as file input you enter original protected file, The Entry Point Token value is 600009C

Tools used:
https://www115.zippyshare.com/v/HETHPm4D/file.html

Step 1: Dumping .NET module explained before;
Step2: Confuser Exceptions Restore - anti-tamper: - this is for decrypting MSIL:
https://forum.tuts4you.com/topic/41025-confuser-exceptions-restore-anti-tamper
It works just fine you must unmark "Invoke EP" and "Patch Anti-tamper".
So after we nop first method from <Module>.ctor - this was the anti-tamper;
we also fix the entry point of koi module with 600009C

Here is the partial unpacked exe:
https://www8.zippyshare.com/v/M78VMowQ/file.html

or string decryption I've used this:
https://github.com/cawk/ConfuserEx-Static-String-Decryptor/releases
Check/Mark "Invoke".

For c-flow I've used ConfuserExSwitchKiller.
ConfuserExCallFixer.exe for inline methods.

Here is completly deobfuscated exe:
https://www119.zippyshare.com/v/YFwpUuCv/file.html

private void method_1(object sender, EventArgs e)
{
if (this.textBox_1.get_Text().Length >= 5)
{
string str = this.textBox_1.get_Text();
if (!Directory.Exists(@"Data\\License"))
{
MessageBox.Show("Password was not found!", str);
}
else
{
StreamReader reader = new StreamReader(@"Data\\License\license.dat");
reader.ReadLine();
string str3 = reader.ReadLine();
reader.Close();
if (Class7.smethod_1(str3) == this.textBox_1.get_Text())
{
MessageBox.Show("Good Job !");
}
else
{
MessageBox.Show("password is wrong!");
}
}
}
else
{
MessageBox.Show("Password is invaled or too short!");
}
}


public static string smethod_1(string string_2)
{
byte[] inputBuffer = Convert.FromBase64String(string_2);
AesCryptoServiceProvider provider = new AesCryptoServiceProvider {
BlockSize = 0x80,
KeySize = 0x100,
Key = Encoding.ASCII.GetBytes(string_1),
IV = Encoding.ASCII.GetBytes(string_0),
Padding = PaddingMode.PKCS7,
Mode = CipherMode.CBC
};
ICryptoTransform transform = provider.CreateDecryptor(provider.Key, provider.IV);
byte[] bytes = transform.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length);
transform.Dispose();
return Encoding.ASCII.GetString(bytes);
}

 

Edited by CodeExplorer (see edit history)
  • Like 1

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...