Tuts 4 You

Atipls' Obfuscator

Cursedzx

Difficulty : Probably 7
Language : C# .NET
Platform : Windows (anyCPU)
OS Version : Windows 7 Above
Packer / Protector : Atipls' obfuscator

Description :

Upload the unpacked file and give me a detailed tutorial. Describe the specific method or the specific tools used, in order.

As I said in the previous unpack challenges XD.

Screenshot :

Capture.PNG

UnpackME.exe

#Sith

Load file in dnSpy, bypass NtQueryInformationProcess, dump the module, then de4dot and SAE (string only).

UnpackME_unpk.exe

Cursedzx

Sith, do you know what NtQueryInformationProcess was used for?

evlncrn8

probably anti-debug..

collins
3 hours ago, #Sith said:

Load file in dnSpy, bypass NtQueryInformationProcess, dump the module, then de4dot and SAE (string only).

UnpackME_unpk.exe

@Sith how to bypass NtQueryInformationProcess? Can you give a little more detail?

#Sith
4 hours ago, Cursedzx said:

Sith, do you know what NtQueryInformationProcess was used for?

The InheritedFromUniqueProcessId field in the PROCESS_BASIC_INFORMATION structure gets the ID of the parent process, and the program compares it to some names. I just changed the InheritedFromUniqueProcessId value to the ID of explorer.exe.
