ConfuserEx 1.6.0

Public key sample protected using ConfuserEx 1.6.0.

https://github.com/mkaring/ConfuserEx/releases/tag/v1.6.0

Your challenge is to unpack and decompile the file.

File Information

Submitter cipsi

Submitted 02/04/2023

Category UnPackMe (.NET)

View File

 

• Debug with dnSpy and Remove Anti-Tamper.
• NOP Anti-Tamper Call and Save.
• Search for "GCHandle.Free" and put BP.
• Debug the File and Save koi module from Memory.
• NOP Anti-Tamper Call after debugging in dnSpy.
• Clean Cflow as It is a basic "switch" one.
• Clean Proxy.
• Clean Constants.
• Rename using de4dot.

 

WindowsFormsApp1_unpacked.exe

39 minutes ago, BlackHat said:

 

• Debug with dnSpy and Remove Anti-Tamper.
• NOP Anti-Tamper Call and Save.
• Search for "GCHandle.Free" and put BP.
• Debug the File and Save koi module from Memory.
• NOP Anti-Tamper Call after debugging in dnSpy.
• Clean Cflow as It is a basic "switch" one.
• Clean Proxy.
• Clean Constants.
• Rename using de4dot.

 

WindowsFormsApp1_unpacked.exe 11.5 kB · 0 downloads

Can you elaborate a bit on the part about cleaning the control flow?

12 hours ago, cipsi said:

Can you elaborate a bit on the part about cleaning the control flow?

1. You don't need any tool to remove Anti Tamper.

2. Cflow/Proxy = Use Cawk Cfex Unpacker/ TheProxy Proxy Remover.

3. Contants = You have to make your own as Cawk Unpacker doesn't support newer version of Cfex Mods. 

4. de4dot is available on Github.

On 2/4/2023 at 1:33 PM, BlackHat said:

1. You don't need any tool to remove Anti Tamper.

2. Cflow/Proxy = Use Cawk Cfex Unpacker/ TheProxy Proxy Remover.

3. Contants = You have to make your own as Cawk Unpacker doesn't support newer version of Cfex Mods. 

4. de4dot is available on Github.

i can't get tools can you upload it and some hint for use it . Thanks

On 2/4/2023 at 3:16 PM, BlackHat said:

 

• Debug with dnSpy and Remove Anti-Tamper.
• NOP Anti-Tamper Call and Save.
• Search for "GCHandle.Free" and put BP.
• Debug the File and Save koi module from Memory.
• NOP Anti-Tamper Call after debugging in dnSpy.
• Clean Cflow as It is a basic "switch" one.
• Clean Proxy.
• Clean Constants.
• Rename using de4dot.

 

WindowsFormsApp1_unpacked.exe 11.5 kB · 14 downloads

can you explain or share your tools ? 
have a problem when unpack confuser.core same as above, cctor just have gchandle.free and i bp just have koi.exe no have entry point

On 8/21/2023 at 9:08 AM, fireboxdev said:

can you explain or share your tools ? 
have a problem when unpack confuser.core same as above, cctor just have gchandle.free and i bp just have koi.exe no have entry point

upload the file to see it

i have file ConfuserEx 1.6.0 . but it not exe only  file .dll . how to do dubug

you can't debug dll

find exe that runs you dll

 

no create an assembly loader to load the dll and then use dnspy and the rest

 

loader not enough

you need to call dll API

 

yes you call it inside a assembly loader app

this is .dll file it has all the functions of .exe .exe file just call up and written in c++ to call .dll file to run

 

@kenvevn

did u try @

forum.tuts4you.com/topic/45360-confuseexdantitamper/#findComment-224077

?

https://www.youtube.com/watch?v=D1uc1u2d3Dw&t=161s

Edited August 27, 2025Aug 27 by .hloire

On 8/21/2023 at 9:08 PM, fireboxdev said:

can you explain or share your tools ? 
have a problem when unpack confuser.core same as above, cctor just have gchandle.free and i bp just have koi.exe no have entry point

fixxing entry point?

Write Click on Koi Press Alt + Enter Click on Managed & Click on empty Box then select your Entry point. Press ok....

Edited August 27, 2025Aug 27 by .hloire

@.hloire there is another confuser-ex on steroids -> https://forum.tuts4you.com/topic/40934-fujifuscator/

try to put your stanza over it! :)

20 hours ago, jackyjask said:

@.hloire there is another confuser-ex on steroids -> https://forum.tuts4you.com/topic/40934-fujifuscator/

try to put your stanza over it! :)

@jackyjask this one....

@jackyjask Friend You want tutorial for thiss.

Edited August 28, 2025Aug 28 by .hloire

On 8/28/2025 at 5:11 PM, .hloire said:

@jackyjask this one....

@jackyjask Friend You want tutorial for thiss.

There is no gchandle.free in the Confuser.Core 1.6.0+447341964f module. How to deal with it?

19 hours ago, Nooboy said:

There is no gchandle.free in the Confuser.Core 1.6.0+447341964f module. How to deal with it?

just dump it & fix dump.

5 hours ago, .hloire said:

just dump it & fix dump.

just DO it :) © any action

just DO it :) © any action

@Nooboy
my methode = noob methode😅

Edited September 4, 2025Sep 4 by .hloire
For 4x

.

Edited September 3, 2025Sep 3 by .hloire

2 hours ago, .hloire said:

.

Hello colleague, good afternoon, so you can unpack any modified version?

1.dump
2.fix dump
3.ConfuserEx-Unpacker-v2.0 &Constants Decrypter
4.de4dot


ConfuserEx-Unpacker-v2.0 prompts an error
[$] Loading Module...
[$] Loading References...
[$] Detected: Confuser.Core 1.6.0+447341964f
[$] Anti Tamper Detected
[$] Anti Tamper Removed Successfully
[$] Cleaned Control Flow on 272 Methods
[$] Fixed proxy calls: 6749
[$] Removed proxy methods: 944
[$] Cleaned Control Flow on 2 Methods
[$] Cleaned Control Flow on 2 Methods
[$] Patched 5 Anti Invokes
[$] Cleaned Control Flow on 2 Methods
Error:
Could not load file or assembly 'DEMO123456, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'. This assembly was compiled for a different processor.
at System.Reflection.RuntimeAssembly.nLoadImage(Byte[] rawAssembly, Byte[] rawSymbolStore, Evidence evidence, StackCrawlMark& stackMark, Boolean fIntrospection, Boolean fSkipIntegrityCheck, SecurityContextSource securityContextSource)
at System.Reflection.Assembly.Load(Byte[] rawAssembly)
at Unpacker.Core.Deobfuscators.Resource.ResourceDeobfuscator.Deobfuscate(UnpackerContext context) in D:\Documents\Visual Studio 2017\Projects\GitHub\ConfuserEx-Unpacker\Unpacker.Core\Deobfuscators\Resource\ResourceDeobfuscator.cs:line 40
at Unpacker.Core.UnpackerEngine.Run(UnpackerParameters parameters) in D:\Documents\Visual Studio 2017\Projects\GitHub\ConfuserEx-Unpacker\Unpacker.Core\UnpackerEngine.cs:line 38
Error:
Object reference not set to an instance of an object.
at Unpacker.Core.Utils.FindInstructionsNumber(MethodDef method, OpCode opCode, Object operand) in D:\Documents\Visual Studio 2017\Projects\GitHub\ConfuserEx-Unpacker\Unpacker.Core\Helpers\Utils.cs:line 33
at Unpacker.Core.Deobfuscators.AntiDebugDeobfuscator.Deobfuscate(UnpackerContext context) in D:\Documents\Visual Studio 2017\Projects\GitHub\ConfuserEx-Unpacker\Unpacker.Core\Deobfuscators\AntiDebugDeobfuscator.cs:line 18
at Unpacker.Core.UnpackerEngine.Run(UnpackerParameters parameters) in D:\Documents\Visual Studio 2017\Projects\GitHub\ConfuserEx-Unpacker\Unpacker.Core\UnpackerEngine.cs:line 38
[$] Removed 1 Attributes
[$] Cleaning unused methods...
[$] Writing Module...
[$] Saving Module...