Tuts 4 You

ConfuserEx 1.6.0


cipsi
Solved by BlackHat

  • Solution

  • Debug with dnSpy and Remove Anti-Tamper.
  • NOP Anti-Tamper Call and Save.
  • Search for "GCHandle.Free" and put BP.
  • Debug the File and Save koi module from Memory.
  • NOP Anti-Tamper Call after debugging in dnSpy.
  • Clean Cflow as it is a basic "switch" one.
  • Clean Proxy.
  • Clean Constants.
  • Rename using de4dot.

 

WindowsFormsApp1_unpacked.exe


39 minutes ago, BlackHat said:

  • Debug with dnSpy and Remove Anti-Tamper.
  • NOP Anti-Tamper Call and Save.
  • Search for "GCHandle.Free" and put BP.
  • Debug the File and Save koi module from Memory.
  • NOP Anti-Tamper Call after debugging in dnSpy.
  • Clean Cflow as it is a basic "switch" one.
  • Clean Proxy.
  • Clean Constants.
  • Rename using de4dot.

 

WindowsFormsApp1_unpacked.exe 11.5 kB · 0 downloads

Can you elaborate a bit on the part about cleaning the control flow?


12 hours ago, cipsi said:

Can you elaborate a bit on the part about cleaning the control flow?

1. You don't need any tool to remove Anti Tamper.

2. Cflow/Proxy = Use Cawk Cfex Unpacker/ TheProxy Proxy Remover.

3. Constants = You have to make your own, as Cawk Unpacker doesn't support newer versions of Cfex Mods.

4. de4dot is available on GitHub.


  • 6 months later...
Abdelrahman Mahrous
On 2/4/2023 at 1:33 PM, BlackHat said:

1. You don't need any tool to remove Anti Tamper.

2. Cflow/Proxy = Use Cawk Cfex Unpacker/ TheProxy Proxy Remover.

3. Constants = You have to make your own, as Cawk Unpacker doesn't support newer versions of Cfex Mods.

4. de4dot is available on GitHub.

I can't get the tools. Can you upload them and give some hints on how to use them? Thanks.


On 2/4/2023 at 3:16 PM, BlackHat said:

  • Debug with dnSpy and Remove Anti-Tamper.
  • NOP Anti-Tamper Call and Save.
  • Search for "GCHandle.Free" and put BP.
  • Debug the File and Save koi module from Memory.
  • NOP Anti-Tamper Call after debugging in dnSpy.
  • Clean Cflow as it is a basic "switch" one.
  • Clean Proxy.
  • Clean Constants.
  • Rename using de4dot.

 

WindowsFormsApp1_unpacked.exe 11.5 kB · 14 downloads

Can you explain or share your tools?
I have a problem when unpacking confuser.core, same as above: the cctor just has GCHandle.Free, and when I BP I just have koi.exe, with no entry point.


Abdelrahman Mahrous
On 8/21/2023 at 9:08 AM, fireboxdev said:

Can you explain or share your tools?
I have a problem when unpacking confuser.core, same as above: the cctor just has GCHandle.Free, and when I BP I just have koi.exe, with no entry point.

Upload the file to see it.
