Tuts 4 You
  • 0
Cursedzx

Atipls' Obfuscator


Question

Cursedzx

Difficulty : Probably 7
Language : C# .NET
Platform : Windows (anyCPU)
OS Version : Windows 7 and above
Packer / Protector : Atipls' obfuscator

Description :

Upload the unpacked file and give me a detailed tutorial. Describe the specific method or the specific tools used, in order.

As I said in the previous unpack challenges XD.

Screenshot :

Capture.PNG

UnpackME.exe


5 answers to this question


  • 1
#Sith

Load file in dnSpy, bypass NtQueryInformationProcess, dump the module, then de4dot and SAE (string only).

UnpackME_unpk.exe

  • Thanks 1

  • 0
Cursedzx

Sith, do you know what NtQueryInformationProcess was used for?

  • 0
evlncrn8

Probably anti-debug.

  • 0
collins
3 hours ago, #Sith said:

Load file in dnSpy, bypass NtQueryInformationProcess, dump the module, then de4dot and SAE (string only).

UnpackME_unpk.exe

@Sith how to bypass NtQueryInformationProcess? Can you give a little more detail?

  • 0
#Sith
4 hours ago, Cursedzx said:

Sith, do you know what NtQueryInformationProcess was used for?

The InheritedFromUniqueProcessId field in the PROCESS_BASIC_INFORMATION structure gives the ID of the parent process, and the program compares it to some names. I just changed the InheritedFromUniqueProcessId value to the ID of explorer.exe.
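
The parent-process check described in the post above, as an added example that is not part of the original thread and is not the protector's own code: it reads InheritedFromUniqueProcessId through NtQueryInformationProcess and compares the parent's name with an allow-list. The class name, the allow-list entries and the start-time comparison are assumptions made for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class ParentCheck // hypothetical name, not taken from the protector
{
    // PROCESS_BASIC_INFORMATION (information class 0); pointer-sized fields match the native layout.
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_BASIC_INFORMATION
    {
        public IntPtr ExitStatus, PebBaseAddress, AffinityMask, BasePriority;
        public IntPtr UniqueProcessId, InheritedFromUniqueProcessId;
    }

    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationProcess(IntPtr process, int infoClass,
        ref PROCESS_BASIC_INFORMATION info, int size, out int returnLength);

    // Assumed allow-list: the thread does not say which names are compared.
    static readonly string[] ExpectedParents = { "explorer", "cmd" };

    // Parent PID recorded at process creation, or -1 if the query fails.
    public static int GetParentPid()
    {
        var pbi = new PROCESS_BASIC_INFORMATION();
        int status = NtQueryInformationProcess(Process.GetCurrentProcess().Handle, 0,
            ref pbi, Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION)), out int returned);
        return status == 0 ? pbi.InheritedFromUniqueProcessId.ToInt32() : -1;
    }

    public static bool ParentLooksExpected()
    {
        try
        {
            using (Process self = Process.GetCurrentProcess())
            using (Process parent = Process.GetProcessById(GetParentPid()))
            {
                // The recorded PID is never updated, so it may now belong to a younger process.
                if (parent.StartTime > self.StartTime) return false;
                return Array.Exists(ExpectedParents, n =>
                    n.Equals(parent.ProcessName, StringComparison.OrdinalIgnoreCase));
            }
        }
        catch (Exception) { return false; } // query failed, parent gone or inaccessible
    }

    static void Main() { Console.WriteLine("parent pid {0}, expected: {1}", GetParentPid(), ParentLooksExpected()); }
}
```

Because the process reads this value about itself in user mode, a debugger can alter it before the comparison, as the post above describes, so the check is a heuristic rather than a guarantee.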
