Cursedzx
Posted October 6, 2018

Difficulty : Probably 7
Language : C# .NET
Platform : Windows (anyCPU)
OS Version : Windows 7 and above
Packer / Protector : Atipls' obfuscator
Description : Upload the unpacked file and give me a detailed tutorial. Describe to me the specific method or the specific tools used, in order. As I said in the previous unpack challenges XD.
Screenshot :
UnpackME.exe

#Sith
Posted October 7, 2018 (Solution)

Load file in dnSpy, bypass NtQueryInformationProcess, dump the module, then de4dot and SAE (string only).

UnpackME_unpk.exe

Cursedzx (Author)
Posted October 7, 2018

Sith, do you know what NtQueryInformationProcess was used for?

collins
Posted October 7, 2018

3 hours ago, #Sith said:
> Load file in dnSpy, bypass NtQueryInformationProcess, dump the module, then de4dot and SAE (string only).
> UnpackME_unpk.exe

@Sith how to bypass NtQueryInformationProcess? Can you give a little more detail?

#Sith
Posted October 7, 2018

4 hours ago, Cursedzx said:
> Sith, do you know what NtQueryInformationProcess was used for?

The InheritedFromUniqueProcessId field in the PROCESS_BASIC_INFORMATION structure gets the ID of the parent process, and the program compares it to some names. I just changed the InheritedFromUniqueProcessId value to the ID of explorer.exe.
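
Added example, not part of the thread and not the protector's own code: a minimal C# sketch of the kind of parent-process check described in the last post, reading InheritedFromUniqueProcessId through NtQueryInformationProcess and comparing the parent's name to a list. The class name, the helper name and the allow-list contents are assumptions made for illustration; the thread does not say which names the protector compares against.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;

static class ParentProcessCheck
{
    // PROCESS_BASIC_INFORMATION as returned for ProcessInformationClass 0
    // (ProcessBasicInformation). IntPtr fields keep the layout right on x86 and x64.
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_BASIC_INFORMATION
    {
        public IntPtr ExitStatus;
        public IntPtr PebBaseAddress;
        public IntPtr AffinityMask;
        public IntPtr BasePriority;
        public IntPtr UniqueProcessId;
        public IntPtr InheritedFromUniqueProcessId; // PID of the parent process
    }

    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationProcess(IntPtr processHandle,
        int processInformationClass, ref PROCESS_BASIC_INFORMATION processInformation,
        int processInformationLength, out int returnLength);

    // Hypothetical helper: returns the parent's process name, or null if unknown.
    static string GetParentName()
    {
        var pbi = new PROCESS_BASIC_INFORMATION();
        int status = NtQueryInformationProcess(Process.GetCurrentProcess().Handle,
            0, ref pbi, Marshal.SizeOf(pbi), out _);
        if (status != 0) return null;              // non-zero NTSTATUS: query failed
        try
        {
            int parentPid = pbi.InheritedFromUniqueProcessId.ToInt32();
            return Process.GetProcessById(parentPid).ProcessName; // no ".exe" suffix
        }
        catch (ArgumentException) { return null; } // parent has already exited
    }

    static void Main()
    {
        // Constructed allow-list, for illustration only.
        string[] expected = { "explorer", "cmd" };
        string parent = GetParentName();
        bool ok = parent != null &&
                  expected.Contains(parent, StringComparer.OrdinalIgnoreCase);
        Console.WriteLine("Parent: {0}, accepted: {1}", parent ?? "<unknown>", ok);
    }
}
```

The check trusts a value the process reads about itself, which is why editing that one field under a debugger defeats it, as the post describes. Windows also reuses PIDs, so a name lookup on a stale parent PID can return an unrelated process.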