Tuts 4 You

NiggaEX


DarkShadow

  • 1 month later...
On 2/28/2022 at 4:20 PM, Mr-Toms said:

You did not change anything, what's cool about it? The protector name?

NiggaEX is a ConfuserEx modification with the following changes;

Renamed (types, methods, fields, resources)

String enc

Control flow


  • 2 weeks later...

 

Control flow is already included in the normal ConfuserEx, ergo not a new function. Same for string enc, it is there already too. Same for resource and the other stuff you mention that you added: that stuff is already included in each ConfuserEx.

Hm, what should I say xd:

Of course it's not completely devizert, but the standard tools work so far.

Edited by Underground
  • Like 1

You need to know the right order to unpack this.

This is the order I do after decompress and remove anti-tamper.

And the unpacked file is not de4doted yet, and the entrypoint is still missing.

NiggaEx_Decompressed_NoCfex.exe

Edited by Mr-Toms

DarkShadow
On 4/30/2022 at 11:33 AM, Accede said:

 

Control flow is already included in the normal ConfuserEx, ergo not a new function. Same for string enc, it is there already too. Same for resource and the other stuff you mention that you added: that stuff is already included in each ConfuserEx.

Hm, what should I say xd:

Of course it's not completely devizert, but the standard tools work so far.

It's not the same string encryption & not the same renamer.


  • 2 weeks later...
DarkShadow
On 5/11/2022 at 5:46 AM, Mr-Toms said:

I've solved this but I don't know why the moderator didn't approve my comments.

Check the rules 


  • 5 months later...
On 11/7/2022 at 10:14 PM, deepzero said:

Well, what did you use to dump it and can you show the deobfuscator? ;)

Steps:
1-Execute the target file
2-Open "ExtremeDumper-x86" and select AntiDump mode from Options>DumpType. In the processes list, right-click on the target process, select the View Modules option, find the <<EmptyName>> in the modules list and dump it.
3-Open the dumped file in dnSpy, find the entrypoint, then right-click on the assembly module and set the entrypoint of the module, then save the changes.
4-Use "ConfuserEx-Unpacker" to get rid of cflow, call proxy, etc...
5-Use "Size and Mathematical Fixer" to get rid of sizeof's and mathematical obfuscation.
6-Use "de4dot" to rename symbols.
7-Now you should do the rest yourself: (clean if cflow, fix string/int proxy, decrypt strings).

Tools.zip

Edited by SychicBoy
  • Like 4
  • Thanks 1

Hadits follower
filepath -c corruptFile 
filepath -c vv
filepath -c dd

-c corruptFile will make nop cflow but the file will not run, because I am new;

-c vv will show you the process

-c dd [manual :: Class removing process disable ]

use only -vv will de4dot args as usual 

NSCL restored fixed 

 

or simply just drop this target

2015Unpacker.zip

2015UnpackerM.zip

Edited by Only_Islams_The_Rifht_Path
fixed bugs and remove chain M