Tuts 4 You

Custom ConfuserEx

12135555
Posted (edited)

Language : .NET
Platform : Windows [x32/x64]
OS Version : Windows 10
Packer / Protector : ConfuserEX Custom

Description :

Packed with a custom ConfuserEx. If you can, write how you unpacked it. VirusTotal link.

CrackMe.exe

Edited by 12135555
Crackme update (see edit history)

illuZion

Almost unpacked! The only things I was not able to remove are the Delegates and the Control flow.

What I removed:

- Anti Tamper (manually)

- Hide Methods (quickly wrote a tool for it; you can still find the code for it on my GitHub: https://github.com/illuZion9999/Rzy-Protector-V2-unpacker/blob/master/Rzy Protector V2 Unpacker/Protections/Hide Methods.cs)

- Anti Debug (manually)

- Module Flood & Junk (manually)

- Native methods (using cawk emulator x86 methods retranslator: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/cawk-Emulator/.NET-Instruction-Emulator-master/CawkEmulatorV4/Instructions/Native/X86MethodToILConverter.cs)

- Constants Protection (modded the ConfuserEx Unpacker 2 Constants Decryptor to support 3 parameters: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/ConfuserEx Unpacker/ConfuserEx Unpacker/Protections/Constants/Remover.cs)

- Some Control Flow (not fully removed)

- Mutations (sizeof (my tool; you can still find one on GitHub: https://github.com/RivaTesu/SizeOf-Fixer), simple operations (de4dot: https://github.com/0xd4d/de4dot) & double.parse (quickly wrote a tool for it; the double.parse method was hidden by a delegate but I recognized the protection; you can still find a tool for it on GitHub, but you would have to change the parameter check if there are delegates: https://github.com/Riziebtw/DoubleParseFixer))

- Call to calli (manually + my tool; you can still find a call to calli remover on GitHub: https://github.com/Riziebtw/CalliFixer)

Don't hesitate to get my file and remove the Delegates (and control flow, but I consider it not necessary to remove) in order to fully solve the challenge! :)

CrackMe - almost unpacked.exe

12135555
Wow! Thanks for such a great answer!
