Tuts 4 You

Modified ConfuserEx


Solved by Cursedzx


wabafit
Posted (edited)

Language : .NET
Platform : Windows x64
OS Version : All
Packer / Protector : Modified ConfuserEx

Description :

This is a heavily modified version of ConfuserEx, mostly custom, some copied from other obfuscators seen in the wild. I believe this to be difficult to reverse to some extent, but definitely not even close to impossible. (Also, ignore the old Discord ID added; I changed accounts a while ago.) Also, please document how you were able to reverse it, and post the serial key. Thank you!

Screenshot : image.png (attachment)

Download: CrackMeO.exe

Edited by wabafit

XenocodeRCE
Posted

I am not able to debug it, however I found a flag. I do not understand it, it's not proper English.

[spoiler content hidden]

Also, your anti debug by process name / window title does not work:

0x34e3748 (11): Fiddler.exe
0x34e3758 (13): Wireshark.exe
0x34e376c (14): MegaDumper.exe
0x34e3780 (11): OllyDBG.exe
0x34e3790 (10): de4dot.exe
0x34e37a0 (17): de4dotmodded.exe
0x34e37b4 (13): exeinfope.exe
0x34e37c8 (31): Improve .NET - Deobfuscator.exe
0x34e37ec (26): SimpleAssemblyExplorer.exe
0x34e380c (19): StringDecryptor.exe
0x34e3824 (19): Universal_Fixer.exe
0x34e383c (29): .NET Tookit Rebirth v 0.1.exe
0x34e3860 (7): SAE.exe
0x34e386c (15): CFFExplorer.exe
0x34e3880 (19): Process Monitor.exe
0x34e3898 (18): Process Hacker.exe
0x34e38b0 (9): DNSpy.exe
0x34e38c0 (9): ILSpy.exe
0x34e38d0 (10): x64dbg.exe
0x34e38e0 (11): dotPeek.exe
0x34e38f0 (30): RDG Packer Detector v0.7.6.exe

I think you use RSA / AES
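One common reason a blacklist of this kind never fires, shown as an added C# illustration rather than the crackme's own code (the running-process array is a constructed sample, and the bug shown is a typical one, not a finding from this binary): the list entries carry an `.exe` suffix and mixed case, while `System.Diagnostics.Process.ProcessName` returns the bare image name, so a plain equality test never matches.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added illustration, not the crackme's code: how a process-name blacklist
// is typically compared, and what the comparison has to normalise.
public static class ProcessNameCheck
{
    // A few entries exactly as they appear in the thread's list.
    public static readonly string[] Blacklist =
    {
        "Fiddler.exe", "Wireshark.exe", "x64dbg.exe", "DNSpy.exe", "ILSpy.exe"
    };

    // Naive comparison (assumed typical bug): Process.ProcessName holds the
    // image name WITHOUT its extension ("Fiddler", not "Fiddler.exe") and
    // string equality is case-sensitive, so this form never matches anything.
    public static bool NaiveMatch(IEnumerable<string> processNames) =>
        processNames.Any(p => Blacklist.Contains(p));

    // Normalised comparison: drop the extension on both sides and compare
    // case-insensitively. Even then a name check is defeated by a renamed
    // tool, so it is a speed bump, not a protection boundary.
    public static bool NormalisedMatch(IEnumerable<string> processNames)
    {
        var wanted = new HashSet<string>(
            Blacklist.Select(Path.GetFileNameWithoutExtension),
            StringComparer.OrdinalIgnoreCase);
        return processNames
            .Select(Path.GetFileNameWithoutExtension)
            .Any(wanted.Contains);
    }

    public static void Main()
    {
        // Constructed sample of what Process.GetProcesses()
        // .Select(p => p.ProcessName) looks like with dnSpy and Wireshark open.
        // Note "dnSpy" vs the list's "DNSpy": case alone breaks the naive form.
        var running = new[] { "explorer", "dnSpy", "Wireshark", "svchost" };
        Console.WriteLine($"naive:      {NaiveMatch(running)}");
        Console.WriteLine($"normalised: {NormalisedMatch(running)}");
    }
}
```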

xmen
Posted

Detect It Easy result:

Babel .NET(1.0-2.X)[-]
CliSecure(4.0-5.X)[-]
DNGuard(-)[-]
Dotfuscator(-)[-]
Goliath(-)[-]
Smart Assembly(-)[-]
Spices.Net(-)[-]
Xenocode Postbuild(2.X-3.X)[-]
Yano(1.X)[-]

.NET(v4.0.30319)[-]
VB.NET(-)[-]
Microsoft Linker(80.0*)[EXE32]

XenocodeRCE
Posted
  On 4/1/2019 at 8:55 AM, xmen said:

Detect It Easy result:

Babel .NET(1.0-2.X)[-]
CliSecure(4.0-5.X)[-]
DNGuard(-)[-]
Dotfuscator(-)[-]
Goliath(-)[-]
Smart Assembly(-)[-]
Spices.Net(-)[-]
Xenocode Postbuild(2.X-3.X)[-]
Yano(1.X)[-]

.NET(v4.0.30319)[-]
VB.NET(-)[-]
Microsoft Linker(80.0*)[EXE32]

Those are fake attributes

  • 2 weeks later...
Posted
  On 4/1/2019 at 8:55 AM, xmen said:

Detect It Easy result:

Babel .NET(1.0-2.X)[-]
CliSecure(4.0-5.X)[-]
DNGuard(-)[-]
Dotfuscator(-)[-]
Goliath(-)[-]
Smart Assembly(-)[-]
Spices.Net(-)[-]
Xenocode Postbuild(2.X-3.X)[-]
Yano(1.X)[-]

.NET(v4.0.30319)[-]
VB.NET(-)[-]
Microsoft Linker(80.0*)[EXE32]

These are fake attributes

wabafit
Posted (edited)
  On 4/1/2019 at 12:56 AM, XenocodeRCE said:

I am not able to debug it, however I found a flag. I do not understand it, it's not proper English.

[spoiler content hidden]

Also, your anti debug by process name / window title does not work:

0x34e3748 (11): Fiddler.exe
0x34e3758 (13): Wireshark.exe
0x34e376c (14): MegaDumper.exe
0x34e3780 (11): OllyDBG.exe
0x34e3790 (10): de4dot.exe
0x34e37a0 (17): de4dotmodded.exe
0x34e37b4 (13): exeinfope.exe
0x34e37c8 (31): Improve .NET - Deobfuscator.exe
0x34e37ec (26): SimpleAssemblyExplorer.exe
0x34e380c (19): StringDecryptor.exe
0x34e3824 (19): Universal_Fixer.exe
0x34e383c (29): .NET Tookit Rebirth v 0.1.exe
0x34e3860 (7): SAE.exe
0x34e386c (15): CFFExplorer.exe
0x34e3880 (19): Process Monitor.exe
0x34e3898 (18): Process Hacker.exe
0x34e38b0 (9): DNSpy.exe
0x34e38c0 (9): ILSpy.exe
0x34e38d0 (10): x64dbg.exe
0x34e38e0 (11): dotPeek.exe
0x34e38f0 (30): RDG Packer Detector v0.7.6.exe

I think you use RSA / AES


Yes, I know this code is non-working. I developed the crackme quite a while ago and the purpose of me publishing this was purely to check how impermeable my obfuscation is to the individuals visiting this site. Also, that flag serves no purpose. You may ignore it. Also, I do not use RSA/AES.

Edited by wabafit
Wadu
Posted

[spoiler content hidden]

Key ^

 

List of blacklisted programs (decompiled excerpt; the collection declaration is assumed, the decompiled code starts at the Add calls):
var blacklisted = new List<string>();
blacklisted.Add("Fiddler.exe");
blacklisted.Add("Wireshark.exe");
blacklisted.Add("MegaDumper.exe");
blacklisted.Add("OllyDBG.exe");
blacklisted.Add("de4dot.exe");
blacklisted.Add("de4dotmodded.exe");
blacklisted.Add("exeinfope.exe");
blacklisted.Add("Improve .NET - Deobfuscator.exe");
blacklisted.Add("SimpleAssemblyExplorer.exe");
blacklisted.Add("StringDecryptor.exe");
blacklisted.Add("Universal_Fixer.exe");
blacklisted.Add(".NET Tookit Rebirth v 0.1.exe");
blacklisted.Add("SAE.exe");
blacklisted.Add("CFFExplorer.exe");
blacklisted.Add("Process Monitor.exe");
blacklisted.Add("Process Hacker.exe");
blacklisted.Add("DNSpy.exe");
blacklisted.Add("ILSpy.exe");
blacklisted.Add("x64dbg.exe");
blacklisted.Add("dotPeek.exe");
blacklisted.Add("RDG Packer Detector v0.7.6.exe");

Posted
  On 4/13/2019 at 3:38 AM, Wadu said:
[spoiler content hidden]

Key ^

 

List of blacklisted programs:
blacklisted.Add("Fiddler.exe");
blacklisted.Add("Wireshark.exe");
blacklisted.Add("MegaDumper.exe");
blacklisted.Add("OllyDBG.exe");
blacklisted.Add("de4dot.exe");
blacklisted.Add("de4dotmodded.exe");
blacklisted.Add("exeinfope.exe");
blacklisted.Add("Improve .NET - Deobfuscator.exe");
blacklisted.Add("SimpleAssemblyExplorer.exe");
blacklisted.Add("StringDecryptor.exe");
blacklisted.Add("Universal_Fixer.exe");
blacklisted.Add(".NET Tookit Rebirth v 0.1.exe");
blacklisted.Add("SAE.exe");
blacklisted.Add("CFFExplorer.exe");
blacklisted.Add("Process Monitor.exe");
blacklisted.Add("Process Hacker.exe");
blacklisted.Add("DNSpy.exe");
blacklisted.Add("ILSpy.exe");
blacklisted.Add("x64dbg.exe");
blacklisted.Add("dotPeek.exe");
blacklisted.Add("RDG Packer Detector v0.7.6.exe");


Please post the executable and, if possible, the steps you took to reverse it. Thank you!

  • 4 weeks later...
  • Solution
Cursedzx
Posted

Well, your post is in the crackme section, which means unpacking doesn't really matter. But since you want the file unpacked, here you go.

serial key:

[spoiler content hidden]

steps:

1. removed anti tamper

2. converted x86 methods to IL

3. decrypted strings

4. removed delegates

5. attempted to clean cflow (but it's not very clean)

6. cleaned with de4dot

CrackMe_fixed-NoX862.exe_unpacked-StringDec_nodelegate-cleaned-cleaned.exe
