Prab, posted April 17, 2020
Language: C#
Platforms: Windows
Packer/obfuscator: 198 Protector V2 (ConfuserEx Modded)
Description: Hi everyone, hope one of you friends can unpack the target and teach us how to unpack it.
VirusTotal: https://www.virustotal.com/gui/file/07638f4335a23fbb62e7c8e471398a8d556ca8ecbdea8395f4d55f76aebe3bce/detection
Download: Unpackme.exe
ForlaxPy, posted May 7, 2020 (edited May 7, 2020 by ForlaxPy)
CCtor => 0x06000034 => Clean the antitamper => Clean cflow => clean string encryption, and that's it. Most cleans are done by tweaking some public cleaners. The right key is "Youdidit!"
Prab (author), posted May 16, 2020
On 5/8/2020 at 5:09 AM, ForlaxPy said:
CCtor => 0x06000034 => Clean the antitamper => Clean cflow => clean string encryption, and that's it. Most cleans are done by tweaking some public cleaners. The right key is "Youdidit!"
How do you remove the anti-tamper without breaking the file?
Cursedzx, posted June 5, 2020
Unpacked! So here's what I did.

Removing the anti-tamper is really difficult if you're going to decrypt the methods by executing the method decrypt call in <Module>.cctor. I think this is caused by the function that modifies some parts of the metadata. The function is placed before the method decrypt function and after the PE section finding part. So what I did was modify abugger's anti-tamper remover, and it pretty much worked.

After the anti-tamper was removed, it somehow created an error when decompressing the constant data. Anyway, I'm too lazy to find out how removing the anti-tamper was causing that. I just executed the original file, grabbed the decompressed byte array value for the constants and moved the initializer in <Module>.cctor.

After that, I resolved the values of the mutations. If I remember, there were sizeof, Convert.ToInt32, Math.(function) and int/short.Parse. After the mutations, all you need to do is convert the fields to locals, calli to call, resolve the delegates, and resolve and remove the proxy call delegates. You have to make your own approach to removing the proxy call delegates on this one. The values of the delegates are initialized at <Module>.cctor.

Here's the result of what I did (manually cleaned junk types). Unpackme_cleaned.exe
screenshot:
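The mutation-resolving step Cursedzx describes (sizeof, Convert.ToInt32, Math.* and int/short.Parse folded back to constants) is the kind of pass most people end up writing by hand for a modded ConfuserEx. The following is an added example, not code from this thread or from abugger's remover, written against dnlib. It assumes the method token 0x06000034 ForlaxPy mentions is the <Module>.cctor of this particular unpackme, that sizeof is only used on primitive types, that Math.Abs/Max/Min are the Int32 overloads, and that the input/output paths come from the command line; the exact set of mutations in the real target may differ.

```csharp
// Added example (not from the thread): fold ConfuserEx-style "mutation" calls
// (sizeof, Convert.ToInt32/int.Parse on a literal, Math.* on literals) back into
// ldc.i4 constants using dnlib. Token, paths and mutation set are assumptions.
using System;
using System.Collections.Generic;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class MutationCleaner
{
    // Primitive sizes a constant `sizeof` mutation can expand to (assumed set).
    static readonly Dictionary<string, int> Sizes = new Dictionary<string, int>
    {
        ["System.Boolean"] = 1, ["System.Byte"] = 1,  ["System.SByte"] = 1,
        ["System.Char"] = 2,    ["System.Int16"] = 2, ["System.UInt16"] = 2,
        ["System.Int32"] = 4,   ["System.UInt32"] = 4, ["System.Single"] = 4,
        ["System.Int64"] = 8,   ["System.UInt64"] = 8, ["System.Double"] = 8,
    };

    static void Main(string[] args)
    {
        var module = ModuleDefMD.Load(args[0]);

        // Sanity check: the cctor token from the thread (assumption for this target).
        var cctor = module.ResolveToken(0x06000034) as MethodDef;
        Console.WriteLine("cctor: " + (cctor?.FullName ?? "not found"));

        int folded = 0;
        foreach (var type in module.GetTypes())
            foreach (var method in type.Methods)
                if (method.HasBody)
                    folded += FoldMutations(method);

        Console.WriteLine("folded " + folded + " mutation(s)");
        module.Write(args[1]);
    }

    static int FoldMutations(MethodDef method)
    {
        var body = method.Body;
        body.SimplifyMacros();              // expand ldc.i4.s etc. so patching is uniform
        var instrs = body.Instructions;
        int count = 0;

        for (int i = 0; i < instrs.Count; i++)
        {
            var ins = instrs[i];

            // sizeof(T) for a primitive T  ->  ldc.i4 <size>
            if (ins.OpCode == OpCodes.Sizeof && ins.Operand is ITypeDefOrRef t
                && Sizes.TryGetValue(t.FullName, out int size))
            {
                SetConst(ins, size); count++; continue;
            }

            if (ins.OpCode != OpCodes.Call || !(ins.Operand is IMethod callee)) continue;
            string decl = callee.DeclaringType.FullName, name = callee.Name;
            var sig = callee.MethodSig;

            // Convert.ToInt32("123") / int.Parse("123") / short.Parse("12")  ->  ldc.i4 123
            if (i >= 1 && instrs[i - 1].OpCode == OpCodes.Ldstr
                && sig.Params.Count == 1
                && ((decl == "System.Convert" && name == "ToInt32")
                    || ((decl == "System.Int32" || decl == "System.Int16") && name == "Parse"))
                && int.TryParse((string)instrs[i - 1].Operand, out int parsed))
            {
                Nop(instrs[i - 1]); SetConst(ins, parsed); count++; continue;
            }

            // Math.Abs(x) / Math.Max(x, y) / Math.Min(x, y) on Int32 literals
            if (decl != "System.Math" || sig.Params[0].ElementType != ElementType.I4) continue;

            if (name == "Abs" && i >= 1 && instrs[i - 1].IsLdcI4()
                && instrs[i - 1].GetLdcI4Value() != int.MinValue)   // Abs(MinValue) throws
            {
                int x = instrs[i - 1].GetLdcI4Value();
                Nop(instrs[i - 1]); SetConst(ins, Math.Abs(x)); count++; continue;
            }
            if ((name == "Max" || name == "Min") && i >= 2
                && instrs[i - 1].IsLdcI4() && instrs[i - 2].IsLdcI4())
            {
                int x = instrs[i - 2].GetLdcI4Value(), y = instrs[i - 1].GetLdcI4Value();
                Nop(instrs[i - 2]); Nop(instrs[i - 1]);
                SetConst(ins, name == "Max" ? Math.Max(x, y) : Math.Min(x, y)); count++;
            }
        }

        body.OptimizeMacros();
        return count;
    }

    // Patch instructions in place instead of removing them, so any branch or
    // exception-handler that targets them stays valid; nops are cleaned later.
    static void SetConst(Instruction ins, int value) { ins.OpCode = OpCodes.Ldc_I4; ins.Operand = value; }
    static void Nop(Instruction ins) { ins.OpCode = OpCodes.Nop; ins.Operand = null; }
}
```

Run it as `MutationCleaner.exe Unpackme.exe Unpackme_mutations.exe` after the anti-tamper and control-flow passes, since before those the real bodies are still encrypted and the literal operands are scattered across flattened blocks. The pass only folds when the operands are already literals, so it is safe to run repeatedly until it reports zero folds; the remaining steps from the post (fields to locals, calli to call, delegate and proxy-call resolution) are separate passes.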
andrus_777123, posted December 22, 2023 (edited December 22, 2023 by andrus_777123: error messaging)
On 5/8/2020 at 1:09 AM, ForlaxPy said:
0x06000034