wabafit Posted March 31, 2019 Posted March 31, 2019 (edited) Language : .NET Platform : Windows x64 OS Version : All Packer / Protector : Modified ConfuserEx Description : This is a heavily modified version of ConfuserEx, mostly custom, some copied from other obfuscators seen in the wild. I believe this to be difficult to reverse to some extent, but definitely not even close to impossible. (Also ignore old Discord ID added I changed accounts a while ago.) Also, please document how you were able to reverse it, and post the serial key. Thank you! Screenshot : Download: CrackMeO.exe Edited March 31, 2019 by wabafit
XenocodeRCE Posted April 1, 2019 Posted April 1, 2019 I am not able to debug it, however I found a flag. I do not understand it, its not proper english. Spoiler Hint: It is the same high ryukyu Also, your anti debug by process name / window tittle does not work : 0x34e3748 (11): Fiddler.exe 0x34e3758 (13): Wireshark.exe 0x34e376c (14): MegaDumper.exe 0x34e3780 (11): OllyDBG.exe 0x34e3790 (10): de4dot.exe 0x34e37a0 (17): de4dotmodded.exe 0x34e37b4 (13): exeinfope.exe 0x34e37c8 (31): Improve .NET - Deobfuscator.exe 0x34e37ec (26): SimpleAssemblyExplorer.exe 0x34e380c (19): StringDecryptor.exe 0x34e3824 (19): Universal_Fixer.exe 0x34e383c (29): .NET Tookit Rebirth v 0.1.exe 0x34e3860 (7): SAE.exe 0x34e386c (15): CFFExplorer.exe 0x34e3880 (19): Process Monitor.exe 0x34e3898 (18): Process Hacker.exe 0x34e38b0 (9): DNSpy.exe 0x34e38c0 (9): ILSpy.exe 0x34e38d0 (10): x64dbg.exe 0x34e38e0 (11): dotPeek.exe 0x34e38f0 (30): RDG Packer Detector v0.7.6.exe I think you use RSA / AES
xmen Posted April 1, 2019 Posted April 1, 2019 detect it easy result : Babel .NET(1.0-2.X)[-] CliSecure(4.0-5.X)[-] DNGuard(-)[-] Dotfuscator(-)[-] Goliath(-)[-] Smart Assembly(-)[-] Spices.Net(-)[-] Xenocode Postbuild(2.X-3.X)[-] Yano(1.X)[-] .NET(v4.0.30319)[-] VB.NET(-)[-] Microsoft Linker(80.0*)[EXE32]
XenocodeRCE Posted April 1, 2019 Posted April 1, 2019 1 hour ago, xmen said: detect it easy result : Babel .NET(1.0-2.X)[-] CliSecure(4.0-5.X)[-] DNGuard(-)[-] Dotfuscator(-)[-] Goliath(-)[-] Smart Assembly(-)[-] Spices.Net(-)[-] Xenocode Postbuild(2.X-3.X)[-] Yano(1.X)[-] .NET(v4.0.30319)[-] VB.NET(-)[-] Microsoft Linker(80.0*)[EXE32] Those are fake attributes
wabafit Posted April 10, 2019 Author Posted April 10, 2019 On 4/1/2019 at 10:55 AM, xmen said: detect it easy result : Babel .NET(1.0-2.X)[-] CliSecure(4.0-5.X)[-] DNGuard(-)[-] Dotfuscator(-)[-] Goliath(-)[-] Smart Assembly(-)[-] Spices.Net(-)[-] Xenocode Postbuild(2.X-3.X)[-] Yano(1.X)[-] .NET(v4.0.30319)[-] VB.NET(-)[-] Microsoft Linker(80.0*)[EXE32] These are fake attributes
wabafit Posted April 10, 2019 Author Posted April 10, 2019 (edited) On 4/1/2019 at 2:56 AM, XenocodeRCE said: I am not able to debug it, however I found a flag. I do not understand it, its not proper english. Reveal hidden contents Hint: It is the same high ryukyu Also, your anti debug by process name / window tittle does not work : 0x34e3748 (11): Fiddler.exe 0x34e3758 (13): Wireshark.exe 0x34e376c (14): MegaDumper.exe 0x34e3780 (11): OllyDBG.exe 0x34e3790 (10): de4dot.exe 0x34e37a0 (17): de4dotmodded.exe 0x34e37b4 (13): exeinfope.exe 0x34e37c8 (31): Improve .NET - Deobfuscator.exe 0x34e37ec (26): SimpleAssemblyExplorer.exe 0x34e380c (19): StringDecryptor.exe 0x34e3824 (19): Universal_Fixer.exe 0x34e383c (29): .NET Tookit Rebirth v 0.1.exe 0x34e3860 (7): SAE.exe 0x34e386c (15): CFFExplorer.exe 0x34e3880 (19): Process Monitor.exe 0x34e3898 (18): Process Hacker.exe 0x34e38b0 (9): DNSpy.exe 0x34e38c0 (9): ILSpy.exe 0x34e38d0 (10): x64dbg.exe 0x34e38e0 (11): dotPeek.exe 0x34e38f0 (30): RDG Packer Detector v0.7.6.exe I think you use RSA / AES Yes, I know this code is non-working. I developed the crackme quite a while ago and the purpose of me publishing this was purely to check how impermeable my obfuscation is to the individuals visiting this site. Also, that flag serves no purpose. You may ignore it. Also, I do not use RSA/AES. Edited April 10, 2019 by wabafit
Wadu Posted April 13, 2019 Posted April 13, 2019 Spoiler い港口ゅじ泉ドキマなリ高同周い泉口なドキ周港同じ高リゅマ Key ^ List of blacklisted programs: blacklisted.Add("Fiddler.exe"); blacklisted.Add("Wireshark.exe"); blacklisted.Add("MegaDumper.exe"); blacklisted.Add("OllyDBG.exe"); blacklisted.Add("de4dot.exe"); blacklisted.Add("de4dotmodded.exe"); blacklisted.Add("exeinfope.exe"); blacklisted.Add("Improve .NET - Deobfuscator.exe"); blacklisted.Add("SimpleAssemblyExplorer.exe"); blacklisted.Add("StringDecryptor.exe"); blacklisted.Add("Universal_Fixer.exe"); blacklisted.Add(".NET Tookit Rebirth v 0.1.exe"); blacklisted.Add("SAE.exe"); blacklisted.Add("CFFExplorer.exe"); blacklisted.Add("Process Monitor.exe"); blacklisted.Add("Process Hacker.exe"); blacklisted.Add("DNSpy.exe"); blacklisted.Add("ILSpy.exe"); blacklisted.Add("x64dbg.exe"); blacklisted.Add("dotPeek.exe"); blacklisted.Add("RDG Packer Detector v0.7.6.exe");
wabafit Posted April 21, 2019 Author Posted April 21, 2019 On 4/13/2019 at 5:38 AM, Wadu said: Reveal hidden contents い港口ゅじ泉ドキマなリ高同周い泉口なドキ周港同じ高リゅマ Key ^ List of blacklisted programs: blacklisted.Add("Fiddler.exe"); blacklisted.Add("Wireshark.exe"); blacklisted.Add("MegaDumper.exe"); blacklisted.Add("OllyDBG.exe"); blacklisted.Add("de4dot.exe"); blacklisted.Add("de4dotmodded.exe"); blacklisted.Add("exeinfope.exe"); blacklisted.Add("Improve .NET - Deobfuscator.exe"); blacklisted.Add("SimpleAssemblyExplorer.exe"); blacklisted.Add("StringDecryptor.exe"); blacklisted.Add("Universal_Fixer.exe"); blacklisted.Add(".NET Tookit Rebirth v 0.1.exe"); blacklisted.Add("SAE.exe"); blacklisted.Add("CFFExplorer.exe"); blacklisted.Add("Process Monitor.exe"); blacklisted.Add("Process Hacker.exe"); blacklisted.Add("DNSpy.exe"); blacklisted.Add("ILSpy.exe"); blacklisted.Add("x64dbg.exe"); blacklisted.Add("dotPeek.exe"); blacklisted.Add("RDG Packer Detector v0.7.6.exe"); Please post the executable and, if possible steps you took to manage to reverse it. Thank you!
Solution Cursedzx Posted May 14, 2019 Solution Posted May 14, 2019 well, your post is in the crackme section. it means unpacking doesn't really matter. but since you want the file unpacked. here you go. serial key: Spoiler い港口ゅじ泉ドキマなリ高同周い泉口なドキ周港同じ高リゅマ steps: 1. removed anti tamper 2. converted x86 methods to IL 3. decrypted strings 4. removed delegates 5. attempted to clean cflow (but its not very clean.) 6. cleaned with de4dot CrackMe_fixed-NoX862.exe_unpacked-StringDec_nodelegate-cleaned-cleaned.exe 4
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now