Jump to content
Tuts 4 You
  • 0
wabafit

Modified ConfuserEx

Question

wabafit
Posted (edited)

Language : .NET
Platform : Windows x64
OS Version : All
Packer / Protector : Modified ConfuserEx

Description :

This is a heavily modified version of ConfuserEx, mostly custom, some copied from other obfuscators seen in the wild. I believe this to be difficult to reverse to some extent, but definitely not even close to impossible. (Also ignore old Discord ID added I changed accounts a while ago.) Also, please document how you were able to reverse it, and post the serial key. Thank you!

Screenshot :

 

image.png

 

Download: 

CrackMeO.exe

 

 

Edited by wabafit (see edit history)

Share this post


Link to post

8 answers to this question

Recommended Posts

  • 1
Cursedzx

well, your post is in the crackme section. it means unpacking doesn't really matter. but since you want the file unpacked. here you go.

serial key:

Spoiler

い港口ゅじ泉ドキマなリ高同周い泉口なドキ周港同じ高リゅマ

steps:

1. removed anti tamper

2. converted x86 methods to IL

3. decrypted strings

4. removed delegates

5. attempted to clean cflow (but its not very clean.)

6. cleaned with de4dot

 

CrackMe_fixed-NoX862.exe_unpacked-StringDec_nodelegate-cleaned-cleaned.exe

  • Like 2

Share this post


Link to post
  • 0
XenocodeRCE

I am not able to debug it, however I found a flag. I do not understand it, its not proper english.

Spoiler

 

Hint: It is the same high ryukyu

 

Also, your anti debug by process name / window tittle does not work :

0x34e3748 (11): Fiddler.exe
0x34e3758 (13): Wireshark.exe
0x34e376c (14): MegaDumper.exe
0x34e3780 (11): OllyDBG.exe
0x34e3790 (10): de4dot.exe
0x34e37a0 (17): de4dotmodded.exe
0x34e37b4 (13): exeinfope.exe
0x34e37c8 (31): Improve .NET - Deobfuscator.exe
0x34e37ec (26): SimpleAssemblyExplorer.exe
0x34e380c (19): StringDecryptor.exe
0x34e3824 (19): Universal_Fixer.exe
0x34e383c (29): .NET Tookit Rebirth v 0.1.exe
0x34e3860 (7): SAE.exe
0x34e386c (15): CFFExplorer.exe
0x34e3880 (19): Process Monitor.exe
0x34e3898 (18): Process Hacker.exe
0x34e38b0 (9): DNSpy.exe
0x34e38c0 (9): ILSpy.exe
0x34e38d0 (10): x64dbg.exe
0x34e38e0 (11): dotPeek.exe
0x34e38f0 (30): RDG Packer Detector v0.7.6.exe

I think you use RSA / AES

Share this post


Link to post
  • 0
xmen

detect it easy result :

 Babel .NET(1.0-2.X)[-]

 CliSecure(4.0-5.X)[-]

 DNGuard(-)[-]

 Dotfuscator(-)[-]

 Goliath(-)[-]

 Smart Assembly(-)[-]

 Spices.Net(-)[-]

 Xenocode Postbuild(2.X-3.X)[-]

 Yano(1.X)[-]

 

 .NET(v4.0.30319)[-]

 VB.NET(-)[-]

 Microsoft Linker(80.0*)[EXE32]

Share this post


Link to post
  • 0
XenocodeRCE
1 hour ago, xmen said:

detect it easy result :

 Babel .NET(1.0-2.X)[-]

 CliSecure(4.0-5.X)[-]

 DNGuard(-)[-]

 Dotfuscator(-)[-]

 Goliath(-)[-]

 Smart Assembly(-)[-]

 Spices.Net(-)[-]

 Xenocode Postbuild(2.X-3.X)[-]

 Yano(1.X)[-]

 

 .NET(v4.0.30319)[-]

 VB.NET(-)[-]

 Microsoft Linker(80.0*)[EXE32]

Those are fake attributes

Share this post


Link to post
  • 0
wabafit
On 4/1/2019 at 10:55 AM, xmen said:

detect it easy result :

 Babel .NET(1.0-2.X)[-]

 CliSecure(4.0-5.X)[-]

 DNGuard(-)[-]

 Dotfuscator(-)[-]

 Goliath(-)[-]

 Smart Assembly(-)[-]

 Spices.Net(-)[-]

 Xenocode Postbuild(2.X-3.X)[-]

 Yano(1.X)[-]

 

 .NET(v4.0.30319)[-]

 VB.NET(-)[-]

 Microsoft Linker(80.0*)[EXE32]

These are fake attributes

Share this post


Link to post
  • 0
wabafit
Posted (edited)
On 4/1/2019 at 2:56 AM, XenocodeRCE said:

I am not able to debug it, however I found a flag. I do not understand it, its not proper english.

  Reveal hidden contents

 

Hint: It is the same high ryukyu

 

Also, your anti debug by process name / window tittle does not work :

0x34e3748 (11): Fiddler.exe
0x34e3758 (13): Wireshark.exe
0x34e376c (14): MegaDumper.exe
0x34e3780 (11): OllyDBG.exe
0x34e3790 (10): de4dot.exe
0x34e37a0 (17): de4dotmodded.exe
0x34e37b4 (13): exeinfope.exe
0x34e37c8 (31): Improve .NET - Deobfuscator.exe
0x34e37ec (26): SimpleAssemblyExplorer.exe
0x34e380c (19): StringDecryptor.exe
0x34e3824 (19): Universal_Fixer.exe
0x34e383c (29): .NET Tookit Rebirth v 0.1.exe
0x34e3860 (7): SAE.exe
0x34e386c (15): CFFExplorer.exe
0x34e3880 (19): Process Monitor.exe
0x34e3898 (18): Process Hacker.exe
0x34e38b0 (9): DNSpy.exe
0x34e38c0 (9): ILSpy.exe
0x34e38d0 (10): x64dbg.exe
0x34e38e0 (11): dotPeek.exe
0x34e38f0 (30): RDG Packer Detector v0.7.6.exe

I think you use RSA / AES

Yes, I know this code is non-working. I developed the crackme quite a while ago and the purpose of me publishing this was purely to check how impermeable my obfuscation is to the individuals visiting this site. Also, that flag serves no purpose. You may ignore it. Also, I do not use RSA/AES.

Edited by wabafit (see edit history)

Share this post


Link to post
  • 0
Wadu
Spoiler

い港口ゅじ泉ドキマなリ高同周い泉口なドキ周港同じ高リゅマ

Key ^

 

List of blacklisted programs:
blacklisted.Add("Fiddler.exe");
blacklisted.Add("Wireshark.exe");
blacklisted.Add("MegaDumper.exe");
blacklisted.Add("OllyDBG.exe");
blacklisted.Add("de4dot.exe");
blacklisted.Add("de4dotmodded.exe");
blacklisted.Add("exeinfope.exe");
blacklisted.Add("Improve .NET - Deobfuscator.exe");
blacklisted.Add("SimpleAssemblyExplorer.exe");
blacklisted.Add("StringDecryptor.exe");
blacklisted.Add("Universal_Fixer.exe");
blacklisted.Add(".NET Tookit Rebirth v 0.1.exe");
blacklisted.Add("SAE.exe");
blacklisted.Add("CFFExplorer.exe");
blacklisted.Add("Process Monitor.exe");
blacklisted.Add("Process Hacker.exe");
blacklisted.Add("DNSpy.exe");
blacklisted.Add("ILSpy.exe");
blacklisted.Add("x64dbg.exe");
blacklisted.Add("dotPeek.exe");
blacklisted.Add("RDG Packer Detector v0.7.6.exe");

Share this post


Link to post
  • 0
wabafit
On 4/13/2019 at 5:38 AM, Wadu said:
  Reveal hidden contents

い港口ゅじ泉ドキマなリ高同周い泉口なドキ周港同じ高リゅマ

Key ^

 

List of blacklisted programs:
blacklisted.Add("Fiddler.exe");
blacklisted.Add("Wireshark.exe");
blacklisted.Add("MegaDumper.exe");
blacklisted.Add("OllyDBG.exe");
blacklisted.Add("de4dot.exe");
blacklisted.Add("de4dotmodded.exe");
blacklisted.Add("exeinfope.exe");
blacklisted.Add("Improve .NET - Deobfuscator.exe");
blacklisted.Add("SimpleAssemblyExplorer.exe");
blacklisted.Add("StringDecryptor.exe");
blacklisted.Add("Universal_Fixer.exe");
blacklisted.Add(".NET Tookit Rebirth v 0.1.exe");
blacklisted.Add("SAE.exe");
blacklisted.Add("CFFExplorer.exe");
blacklisted.Add("Process Monitor.exe");
blacklisted.Add("Process Hacker.exe");
blacklisted.Add("DNSpy.exe");
blacklisted.Add("ILSpy.exe");
blacklisted.Add("x64dbg.exe");
blacklisted.Add("dotPeek.exe");
blacklisted.Add("RDG Packer Detector v0.7.6.exe");

Please post the executable and, if possible steps you took to manage to reverse it. Thank you!

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...