Jump to content
Tuts 4 You

Modded ConfuserEx (Find the Password)

BillsTheGod

By BillsTheGod
in CrackMe

 Share
Go to solution Solved by XenocodeRCE,

Recommended Posts

BillsTheGod

BillsTheGod

Posted
Posted

Platform: Windows
Language: C#/.NET
OS Version: Windows 10 (I only tested on it so)
Protector: Modded ConfuserEx

Objective:

Modification to ConfuserEx; constants, math protection, variablesmelter, antide4dot (broked rn), three antidebugs (one inside antitamper), sizeof, antivm, antiemulator, antidnspy, antijustdecompiler, intergritychecking, typescrambler etc 

Unpack the file and find the password. Document how you deobfuscated it.

https://www.virustotal.com/#/file/3cd889f4be35cb440f4a4a1c3ececc62a7075ccddeb76553e06ad12e96d94fe4/detection (false positive because of the obfuscation)

If there are any errors in this thread or in my english, I am sorry, it is my first time at this forum and I am brazillian :P

Screenshot:

0c8ef07abe03f71a2898c921b8abeb7f.png

Download: 

CrackMee.exeFetching info...

  • 1 month later...
  • Solution
XenocodeRCE

XenocodeRCE

Posted
  • Solution
Posted

Hello

 

Password is

 

  Reveal hidden contents

 

It's relatively easy to get the corretc flag. All your obfuscation routines is not usefull against memory scanning. Enter a wrong pass, click on button, get wrong pass flag, search for it in memory, and the good password is in clear in the file.

 

Also you should consider something as far as dnlib is concerned to shrunk the old strings from the binary file, because the good password is in clear not only in memory (thats to be expected somehow) but also in raw bytes at offset 00001b790

  • 2 weeks later...
BillsTheGod

BillsTheGod

Posted
  • Author
Posted
  On 3/11/2019 at 11:54 AM, XenocodeRCE said:

Hello

 

Password is

 

  Reveal hidden contents

 

It's relatively easy to get the corretc flag. All your obfuscation routines is not usefull against memory scanning. Enter a wrong pass, click on button, get wrong pass flag, search for it in memory, and the good password is in clear in the file.

 

Also you should consider something as far as dnlib is concerned to shrunk the old strings from the binary file, because the good password is in clear not only in memory (thats to be expected somehow) but also in raw bytes at offset 00001b790

Expand  

Nice work, I re-added Ref Proxy and fixed some issue at it, changed a little bit of MathProtection, fixed sizeof's issues, stopped normal x86 converter and more, I will post another CrackMe soon, Thanks for your reply.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...