12135555 Posted March 20, 2020 (edited)

Language : .NET
Platform : Windows [x32/x64]
OS Version : Windows 10
Packer / Protector : ConfuserEX Custom
Description : Packed by custom ConfuserEx. If you can, write how you unpacked it. Virustotal link.
Screenshot :

CrackMe.exe

Edited March 31, 2020 by 12135555
Crackme update

illuZion Posted April 11, 2020 (edited) Solution

Almost unpacked! I was only not able to remove the Delegates and the Control flow.

What I removed is:
- Anti Tamper (manually; the easiest way consists in finding the call to the anti tamper method (which can be identified by looking at ConfuserEx's source code), setting a breakpoint just after (so that the anti tamper method decrypts the CIL code) and getting the decrypted module in the "Module" section of the dnSpy debugger)
- Hide Methods (https://github.com/illuZion9999/Rzy-Protector-V2-unpacker/blob/master/Rzy Protector V2 Unpacker/Protections/Hide Methods.cs ; not really reliable, though; a good way would be to get the invalid instructions from the exception handler)
- Anti Debug (identify the anti debug method by looking at ConfuserEx's source code and add a ret instruction at its start)
- Module Flood & Junk (these are just useless methods & instructions, which can be removed without problems (I removed them manually))
- Native methods (using cawk emulator x86 methods retranslater: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/cawk-Emulator/.NET-Instruction-Emulator-master/CawkEmulatorV4/Instructions/Native/X86MethodToILConverter.cs)
- Constants Protection (modded the ConfuserEx Unpacker 2 Constants Decryptor to support 3 parameters: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/ConfuserEx Unpacker/ConfuserEx Unpacker/Protections/Constants/Remover.cs ; you can also invoke the decryption which makes it way easier than emulating it)
- Mutations (sizeof (https://github.com/RivaTesu/SizeOf-Fixer), simple operations (de4dot: https://github.com/0xd4d/de4dot) & double.parse (the double.parse method is hidden by a delegate but I recognized the protection ; you can still find a tool for it on GitHub, but you would have to change the parameter check if there are delegates (or, ideally, use an emulator, which should support the double.parse protection with or without delegates): https://github.com/Riziebtw/DoubleParseFixer (note that this tool is not really reliable, and would need some changes)))
- Call to calli (https://github.com/Riziebtw/CalliFixer; note that this tool solves the call to calli when the call and its pointer are one after the other, while, in the challenge, the call pointer (an ldftn instruction) is set to an IntPtr field, which is used as a parameter for the calli. You would hence have to grab the field values (which are assigned in the constructor of the <Module> type) and then solve the callis with these values.)

Don't hesitate to get my file and remove the Delegates (and control flow but I consider it not necessary to remove) in order to fully solve the challenge!

CrackMe - almost unpacked.exe

Edited June 22, 2020 by illuZion
Added more details to the unpacking process
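
The field-based call-to-calli case described in the post above, as an added example that is not part of the original post or of the linked tools. It assumes the dnlib library, that each `ldftn`/`stsfld` pair in the `<Module>` static constructor is adjacent, that each `ldsfld` sits directly before its `calli`, and that the stored targets are static methods; the class name and command-line arguments are hypothetical.

```csharp
// Added example (assumptions above). Usage: resolver.exe <input.exe> <output.exe>
using System;
using System.Collections.Generic;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class CalliFieldResolver
{
    static void Main(string[] args)
    {
        var module = ModuleDefMD.Load(args[0]);
        var pointers = new Dictionary<FieldDef, IMethod>();
        var ambiguous = new HashSet<FieldDef>();

        // Pass 1: in the <Module> static constructor, record every "ldftn M; stsfld F".
        var cctor = module.GlobalType.FindStaticConstructor();
        if (cctor != null && cctor.HasBody)
        {
            var init = cctor.Body.Instructions;
            for (int i = 0; i + 1 < init.Count; i++)
            {
                if (init[i].OpCode != OpCodes.Ldftn || init[i + 1].OpCode != OpCodes.Stsfld) continue;
                if (init[i].Operand is IMethod target && init[i + 1].Operand is FieldDef field)
                {
                    // A field written twice has no single static value: leave its callis alone.
                    if (pointers.ContainsKey(field)) ambiguous.Add(field);
                    pointers[field] = target;
                }
            }
        }

        // Pass 2: rewrite "ldsfld F; calli" into "nop; call M".
        // Instructions are patched in place so existing branch targets stay valid.
        int patched = 0;
        foreach (var type in module.GetTypes())
            foreach (var method in type.Methods)
            {
                if (!method.HasBody) continue;
                var il = method.Body.Instructions;
                for (int i = 0; i + 1 < il.Count; i++)
                {
                    if (il[i].OpCode != OpCodes.Ldsfld || il[i + 1].OpCode != OpCodes.Calli) continue;
                    if (!(il[i].Operand is FieldDef f) || ambiguous.Contains(f)) continue;
                    if (!pointers.TryGetValue(f, out var resolved)) continue;
                    il[i].OpCode = OpCodes.Nop; il[i].Operand = null;
                    il[i + 1].OpCode = OpCodes.Call; il[i + 1].Operand = resolved;
                    patched++;
                }
            }
        Console.WriteLine($"resolved {patched} calli site(s)");
        module.Write(args[1]);
    }
}
```

Sites where control-flow obfuscation separates the field load from the `calli` are left untouched by this pass and need a stack-aware analysis instead.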

12135555 Posted April 16, 2020 Author

On 4/11/2020 at 8:10 PM, illuZion said:
> Almost unpacked! I was only not able to remove the Delegates and the Control flow.
>
> What I removed is:
> - Anti Tamper (manually)
> - Hide Methods (quickly wrote a tool for it ; you can still find the code of it on my github: https://github.com/illuZion9999/Rzy-Protector-V2-unpacker/blob/master/Rzy Protector V2 Unpacker/Protections/Hide Methods.cs)
> - Anti Debug (manually)
> - Module Flood & Junk (manually)
> - Native methods (using cawk emulator x86 methods retranslater: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/cawk-Emulator/.NET-Instruction-Emulator-master/CawkEmulatorV4/Instructions/Native/X86MethodToILConverter.cs)
> - Constants Protection (modded the ConfuserEx Unpacker 2 Constants Decryptor to support 3 parameters: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/ConfuserEx Unpacker/ConfuserEx Unpacker/Protections/Constants/Remover.cs)
> - Some Control Flow (not fully removed)
> - Mutations (sizeof (my tool, you can still find one on github: https://github.com/RivaTesu/SizeOf-Fixer), simple operations (de4dot: https://github.com/0xd4d/de4dot) & double.parse (quickly wrote a tool for it ; the double.parse method was hidden by a delegate but I recognized the protection ; you can still find a tool for it on github, but you would have to change the parameter check if there are delegates: https://github.com/Riziebtw/DoubleParseFixer))
> - Call to calli (manually + my tool ; you can still find a call to calli remover on github: https://github.com/Riziebtw/CalliFixer)
>
> Don't hesitate to get my file and remove the Delegates (and control flow but I consider it not necessary to remove) in order to fully solve the challenge!
>
> CrackMe - almost unpacked.exe 447.5 kB · 2 downloads

Wow! Thanks for such a great answer!