Prab, posted April 17, 2020

Language: C#
Platform: Windows
Packer/obfuscator: 198 Protector V2 (ConfuserEx modded)
Description: Hi everyone, hope one of you friends can unpack the target and teach us how to unpack it.
VirusTotal: https://www.virustotal.com/gui/file/07638f4335a23fbb62e7c8e471398a8d556ca8ecbdea8395f4d55f76aebe3bce/detection
Download: Unpackme.exe
Josman, posted April 18, 2020

Password (spoiler): Youdidit!
ForlaxPy, posted May 7, 2020 (edited May 7, 2020 by ForlaxPy)

CCtor => 0x06000034 => clean the anti-tamper => clean cflow => clean string encryption, and that's it. Most cleans are done by tweaking some public cleaners. The right key is "Youdidit!"
krown, posted May 8, 2020

Unpacked file????
Prab (author), posted May 16, 2020

> On 5/8/2020 at 5:09 AM, ForlaxPy said: CCtor => 0x06000034 => clean the anti-tamper => clean cflow => clean string encryption, and that's it. Most cleans are done by tweaking some public cleaners. The right key is "Youdidit!"

How do you remove the anti-tamper without breaking the file?
Cursedzx, posted June 5, 2020

Unpacked! So here's what I did.

Removing the anti-tamper is really difficult if you're going to decrypt the methods by executing the method-decrypt call in <Module>.cctor. I think this is caused by the function that modifies some parts of the metadata. That function is placed before the method-decrypt function and after the PE-section-finding part. So what I did was modify abugger's anti-tamper remover, and it pretty much worked.

After the anti-tamper was removed, it somehow created an error when decompressing the constant data. Anyway, I'm too lazy to find out how removing the anti-tamper was causing that. I just executed the original file, grabbed the decompressed byte array value for the constants and moved the initializer into <Module>.cctor.

After that, I resolved the values of the mutations. If I remember, there were sizeof, Convert.ToInt32, Math.(function) and int/short.Parse.

After the mutations, all you need to do is convert the fields to locals, calli to call, resolve the delegates, and resolve and remove the proxy-call delegates. You have to make your own approach to removing the proxy-call delegates on this one. The values of the delegates are initialized in <Module>.cctor.

Here's the result of what I did (manually cleaned junk types): Unpackme_cleaned.exe (screenshot attached)
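As an added example of the "resolve the mutations" and "calli to call" steps Cursedzx lists, here is a small dnlib pass. It is not code from this thread, from Cursedzx, or from any of the public cleaners mentioned. It assumes dnlib 3.x, assumes the mutations take the shape `ldc.i4 a; ldc.i4 b; call System.Math::Max/Min` and `sizeof <primitive>`, and only handles the simplest calli shape where the function pointer comes from an `ldftn` immediately before it. The field-held pointers Cursedzx describes (initialized in <Module>.cctor) would need the cctor walked and the fields turned into locals first, which this pass does not do. Instructions are nopped rather than removed so that branch targets and exception-handler boundaries stay valid.

```csharp
// Added example (not from the thread): dnlib pass for two of the cleanup steps
// described above. Assumes dnlib 3.x; patterns are assumptions about the target.
using System;
using dnlib.DotNet;
using dnlib.DotNet.Emit;
using dnlib.DotNet.Writer;

static class MutationCleaner
{
    // Returns the number of patterns rewritten across the whole module.
    public static int Clean(ModuleDefMD module)
    {
        int changed = 0;
        foreach (var type in module.GetTypes())
            foreach (var method in type.Methods)
            {
                if (!method.HasBody) continue;
                var body = method.Body;
                body.SimplifyMacros();      // ldc.i4.s / ldc.i4.3 etc. -> ldc.i4, so one pattern covers all
                body.SimplifyBranches();
                changed += ResolveSizeof(body);
                changed += FoldMathCalls(body);
                changed += CalliToCall(body);
                body.OptimizeMacros();
                body.OptimizeBranches();
            }
        return changed;
    }

    // sizeof(<primitive>) -> ldc.i4 <size>. Non-primitive types are left alone
    // because their size depends on layout, not on the metadata alone.
    static int PrimitiveSize(ElementType et)
    {
        switch (et)
        {
            case ElementType.Boolean: case ElementType.I1: case ElementType.U1: return 1;
            case ElementType.Char: case ElementType.I2: case ElementType.U2: return 2;
            case ElementType.I4: case ElementType.U4: case ElementType.R4: return 4;
            case ElementType.I8: case ElementType.U8: case ElementType.R8: return 8;
            default: return 0;
        }
    }

    static int ResolveSizeof(CilBody body)
    {
        int n = 0;
        foreach (var ins in body.Instructions)
        {
            if (ins.OpCode.Code != Code.Sizeof) continue;
            var sig = (ins.Operand as ITypeDefOrRef)?.ToTypeSig();
            int size = sig == null ? 0 : PrimitiveSize(sig.ElementType);
            if (size == 0) continue;
            ins.OpCode = OpCodes.Ldc_I4;
            ins.Operand = size;
            n++;
        }
        return n;
    }

    // ldc.i4 a; ldc.i4 b; call System.Math::Max/Min(int,int) -> ldc.i4 result
    static int FoldMathCalls(CilBody body)
    {
        int n = 0;
        var instrs = body.Instructions;
        for (int i = 2; i < instrs.Count; i++)
        {
            var call = instrs[i];
            if (call.OpCode.Code != Code.Call || !(call.Operand is IMethod m)) continue;
            if (m.DeclaringType == null || m.DeclaringType.FullName != "System.Math") continue;
            var ps = m.MethodSig?.Params;
            if (ps == null || ps.Count != 2 || ps[0].ElementType != ElementType.I4) continue;
            var a = instrs[i - 2];
            var b = instrs[i - 1];
            if (!a.IsLdcI4() || !b.IsLdcI4()) continue;
            int x = a.GetLdcI4Value(), y = b.GetLdcI4Value();
            int result;
            switch (m.Name.String)
            {
                case "Max": result = Math.Max(x, y); break;
                case "Min": result = Math.Min(x, y); break;
                default: continue;
            }
            a.Operand = result;                         // keep the first instruction object (branch targets)
            b.OpCode = OpCodes.Nop; b.Operand = null;
            call.OpCode = OpCodes.Nop; call.Operand = null;
            n++;
        }
        return n;
    }

    // ldftn <target>; calli <sig> -> call <target> (simplest shape only; see lead-in)
    static int CalliToCall(CilBody body)
    {
        int n = 0;
        var instrs = body.Instructions;
        for (int i = 1; i < instrs.Count; i++)
        {
            var calli = instrs[i];
            if (calli.OpCode.Code != Code.Calli) continue;
            var ldftn = instrs[i - 1];
            if (ldftn.OpCode.Code != Code.Ldftn || !(ldftn.Operand is IMethod target)) continue;
            calli.OpCode = OpCodes.Call;
            calli.Operand = target;
            ldftn.OpCode = OpCodes.Nop; ldftn.Operand = null;
            n++;
        }
        return n;
    }

    // Usage: MutationCleaner <input.exe> <output.exe>
    static void Main(string[] args)
    {
        var module = ModuleDefMD.Load(args[0]);
        Console.WriteLine(Clean(module) + " patterns rewritten");
        // PreserveAll keeps the original metadata tokens, which matters while the
        // anti-tamper still keys on them; drop it once the anti-tamper is gone.
        var opts = new ModuleWriterOptions(module);
        opts.MetadataOptions.Flags |= MetadataFlags.PreserveAll;
        opts.Logger = DummyLogger.NoThrowInstance;
        module.Write(args[1], opts);
    }
}
```

Run it only after the anti-tamper has been dealt with, as the thread's order implies: the decrypted method bodies have to be in the module before any pattern above has something to match.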
andrus_777123, posted December 22, 2023 (edited December 22, 2023 by andrus_777123: error messaging)

> On 5/8/2020 at 1:09 AM, ForlaxPy said: 0x06000034