NiggaEX

Unpack and provide a overview of how you did it and what tools were used.

File Information

Submitter DarkShadow

Submitted 02/13/2022

Category UnPackMe (.NET)

View File

you did not change anything, whats cool about it ? the protector Name?

use this program. you can easily unpack this without errors.

ConfuserEx-Unpacker-v2.0.zip unpack me-Cleaned.exe

On 2/28/2022 at 4:20 PM, Mr-Toms said:

you did not change anything, whats cool about it ? the protector Name?

NiggaEX is a ConfuserEx modification with the following changes;

Renamed (types, methods, fields, resources)

String enc

Control flow

 

Control flow is alredy includet in the normal confuserEx ergo not new function same for string enc is ther to alredy same for resource and the orther stuff you mention that you attet it that stuff is alredy includet in each cunfuserEx.

HM what should i say xd :

of curse its not komplett devizert but the standart tools work so far

Spoiler

Edited April 30, 20223 yr by Underground

you need to know the right order to unpack this 

this is the order i do after decompress and remove anti tamper

and the unpacked file is not de4doted yet , and the entrypoint still missing 

NiggaEx_Decompressed_NoCfex.exe

Edited May 4, 20223 yr by Mr-Toms

On 4/30/2022 at 11:33 AM, Accede said:

 

Control flow is alredy includet in the normal confuserEx ergo not new function same for string enc is ther to alredy same for resource and the orther stuff you mention that you attet it that stuff is alredy includet in each cunfuserEx.

HM what should i say xd :

of curse its not komplett devizert but the standart tools work so far

  Reveal hidden contents

It's not the same string encryption & not same renamer

i've solved this but i dont know why moderator didnt approved my comments

On 5/11/2022 at 5:46 AM, Mr-Toms said:

i've solved this but i dont know why moderator didnt approved my comments

Check the rules 

There's not much to describe about the unpacking steps, I just dumped it and made a de-obfuscator for it.

Unpacked.exe

Edited November 7, 20222 yr by SychicBoy

Well, what did you use to dump it and can you show the deobfuscator?

On 11/7/2022 at 10:14 PM, deepzero said:

Well, what did you use to dump it and can you show the deobfuscator?

Steps:
1-Execute the target file
2-Open "ExtremeDumper-x86" and select AntiDump mode from Options>DumpType. On processes list right click on the target process and select View Modules option and find the <<EmptyName>> from the modules list and dump it.
3-Open the dumped file in dnSpy find the entrypoint then right click on the assembly module and set the entrypoint of the module then save the changes.
4-Use "ConfuserEx-Unpacker" to get rid of cflow, call proxy, etc...
5-Use "Size and Mathematical Fixer" to get rid of sizeof's and mathematical obfuscation.
6-Use "de4dot" to rename symbols.
7-Now you should do the rest yourself: (clean if cflow, fix string/int proxy, decrypt strings).

Tools.zip

Edited November 11, 20222 yr by SychicBoy

filepath -c corruptFile 
filepath -c vv
filepath -c dd

-c corruptFile will make nop cflow but file will not run , because i am new;

-c vv will show u the process

-c dd [manual :: Class removing process disable ]

use only -vv will de4dot args as usual 

NSCL restored fixed 

 

or simple just drop this target 

2015Unpacker.zip

2015UnpackerM.zip

Edited November 14, 20222 yr by Only_Islams_The_Rifht_Path
fixed bugs and remove chain M