Jump to content
Tuts 4 You

ConfuserEx Fork

Zyhes

By Zyhes
in UnPackMe (.NET)

 Share
Go to solution Solved by Cursedzx,

Recommended Posts

Zyhes

Zyhes

Posted
Posted

Difficulty: 3-5
Language : .NET
Platform: Windows 
OS Version: All
Packer / Protector : ConfuserEx Fork

Description :

Pretty heavily forked ConfuserEx and I'm not sure if it's good or not. If you get it cracked please post how you did it and don't just say "I used public tools", tell what tools and how. Thank you!

Screenshot :

ME2nWbW.png

Download :

CrackMe.exe

Link to comment
Share on other sites
  • 3 months later...
  • Solution
Cursedzx

Cursedzx

Posted
  • Solution
Posted (edited)

Unpacked!

1. Used dnspy to remove antitamper and the calls

2. converted all integer values that has something to do with strings ex: "epic".Length (my tool)

3. Resolved all SizeOf values with my tool

4. Calculated all math calls like Math.Truncate or Math.log10 with my tool
5. used de4dot to calculated the remaining stuff to get the field values.

6. grabbed the field values and removed the fields(marked as empty Types) with my tool

7. removed the cos and junk call that will always return 0 with any uint value you use in the parameter also marked as(marked as empty Types) (my tool)

8. cleaned the rest of math calculations with de4dot

9. TheProxy used his cflow killer to kill all the cflow

Credits:

TheProxy - Helping to remove the Cflow
Mighty - helped me to get the types from operand (for sizeOf resolver)

Autori and Blank - for tips
 

pass: 1830

Screenshot:

File:

0Pic.PNG

CrackMe3-StrToIntResolved-SizeOfRemoved-SysMathCallFixed-cleaned-EmptyTypesRemoved-EmptyTypesRemoved-cleaned_unpacked-StringDec-Cleaned.exe

Edited by Cursedzx
  • Like 3
Link to comment
Share on other sites
Zyhes

Zyhes

Posted
  • Author
Posted
On 5/3/2019 at 7:30 PM, Cursedzx said:

Unpacked!

1. Used dnspy to remove antitamper and the calls

2. converted all integer values that has something to do with strings ex: "epic".Length (my tool)

3. Resolved all SizeOf values with my tool

4. Calculated all math calls like Math.Truncate or Math.log10 with my tool
5. used de4dot to calculated the remaining stuff to get the field values.

6. grabbed the field values and removed the fields(marked as empty Types) with my tool

7. removed the cos and junk call that will always return 0 with any uint value you use in the parameter also marked as(marked as empty Types) (my tool)

8. cleaned the rest of math calculations with de4dot

9. TheProxy used his cflow killer to kill all the cflow

Credits:

TheProxy - Helping to remove the Cflow
Mighty - helped me to get the types from operand (for sizeOf resolver)

Autori and Blank - for tips
 

pass: 1830

Screenshot:

File:

0Pic.PNG

CrackMe3-StrToIntResolved-SizeOfRemoved-SysMathCallFixed-cleaned-EmptyTypesRemoved-EmptyTypesRemoved-cleaned_unpacked-StringDec-Cleaned.exe 916 kB · 4 downloads

Good work! 👍

Link to comment
Share on other sites
  • 2 months later...
ewwink

ewwink

Posted
Posted

Finally I can also unpack this, My method:

- remove anti tamper with dnspy

- clean cflow and sizeOf, string.Length, Math's using modified confuser unpacker

- replace or inlining local variable like <Module>.a69ad3ae-21ea-4884-9794-dd4fb7db216a and proxy call to Math.cos using ILReplacer

- codeExplorer predicate killer and done.

 

CrackMe-cleaned.rar

  • Like 2
Link to comment
Share on other sites
  • 1 year later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...