Title: Help to deobfuscate Confuser 1.9
Posted by: zilox on 10 August 2016, 12:19 pm

Hi guys,

Sorry for the English but my Spanish is very bad. :(

I am trying to deobfuscate (unpack) the following app: http://www.chevolume.com/Download.aspx

It is a .NET app and I've tried many things but no success. I can successfully use de4dot to rename the methods and fields and remove the delegates, but if I try to run the executable it shows the splash screen and crashes. I am not sure if I am using de4dot with the correct attributes. The DLLs are signed, but at the moment I am not trying to change them.

Steps I followed:
1) Run de4dot to rename the methods: de4dot.exe --keep-names d CheVolume.exe (names are used by the delegates). The generated exe already crashes.
2) Remove delegates using DelegateKiller.
3) Try to run the resulting executable. It shows the splash screen and crashes.

I noticed that if I just open the original executable in Reflector and "save as" using Reflexil 2.0, the generated executable crashes, even if I don't change any IL instruction. I compared both EXEs and for some reason Reflexil makes changes to the binary. RDG Detector says that it is obfuscated but not crypted.

I appreciate any help to "unpack" it, or at least to solve the problem with Reflexil 2.0. If I can get the executable saved by Reflexil to work, that may be sufficient to progress with my analysis.

Thank you in advance.

Title: Re: Help to deobfuscate Confuser 1.9
Posted by: MCKSys Argentina on 10 August 2016, 14:03 pm

Hi!

Check this (https://www.youtube.com/watch?v=gKQkIn7sqC8) out.

Cheers!

Title: Re: Help to deobfuscate Confuser 1.9
Posted by: zilox on 10 August 2016, 15:48 pm

Hi MCKSys,

Thanks for replying. I had already tried the link you sent and even this one: https://www.scribd.com/doc/207710371/NET-Decrypt-Confuser-1-9-Methods

In the first step they show how to decrypt the code, but I don't think the app I am trying to deobfuscate is encrypted. I guess it is just obfuscated. It never stops at the GetHINSTANCE() breakpoint, and even in the <module>cctor() I cannot see any call to the AntiTamper, AntiDebug and AntiDump methods.

Regards,

Edit: For some reason renaming the methods corrupts the binary, so I just removed the delegates to make tracing the program easier, and I used a hex editor to edit the binary, as Reflexil corrupts the file too. Now everything is working and deobfuscating it is not necessary. :)

Cheers,
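As an added example (not code from anyone in this thread), the kind of check behind "I compared both EXEs": a Python script that byte-diffs an original .NET executable against a re-saved copy and reports which PE section each run of changed bytes falls in, so you can tell header or overlay changes from edits inside .text. Section attribution uses the original file's section table; the input is a constructed two-section PE skeleton built by build_sample_pe, so it runs offline.

```python
# Added example: byte-diff two PE images and attribute each run of changed bytes to its section.
import struct

def pe_sections(data):
    """(name, raw_offset, raw_size) for every IMAGE_SECTION_HEADER in the file."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, = struct.unpack_from("<H", data, pe + 6)
    table = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]  # skip optional header
    rows = []
    for i in range(nsect):
        name, _vs, _va, rsize, roff = struct.unpack_from("<8sIIII", data, table + 40 * i)
        rows.append((name.rstrip(b"\0").decode("ascii", "replace"), roff, rsize))
    return rows

def locate(offset, sections):
    for name, roff, rsize in sections:           # section holding the file offset
        if roff <= offset < roff + rsize:
            return name
    return "headers" if offset < min((r for _, r, _ in sections), default=0) else "overlay"

def diff_pe(original, modified):
    """Runs of differing bytes as (start, end_exclusive, section); length changes count too."""
    sections, runs, start = pe_sections(original), [], None
    n = max(len(original), len(modified))
    for i in range(n + 1):
        same = i < min(len(original), len(modified)) and original[i] == modified[i]
        if i < n and not same:
            start = i if start is None else start
        elif start is not None:
            runs.append((start, i, locate(start, sections)))
            start = None
    return runs

def build_sample_pe(text, rsrc):  # constructed two-section PE skeleton: valid headers, not executable
    sections = [(b".text", 0x200, text), (b".rsrc", 0x400, rsrc)]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x200, off, 0x200, off, 0, 0, 0, 0, 0x60000020)
                     for n, off, _ in sections)
    img = bytearray((dos + coff + b"\0" * 0xE0 + table).ljust(0x600, b"\0"))
    for _, off, body in sections:
        img[off:off + len(body)] = body
    return bytes(img)

if __name__ == "__main__":                                       # constructed demo input
    orig = build_sample_pe(b"\x00\x02\x28\x01\x00\x00\x06\x2a", b"RESOURCE")
    mod = bytearray(orig); mod[0x48] ^= 0xFF; mod[0x203:0x205] = b"\x2b\x2b"; mod[0x400] = ord("r")
    print(diff_pe(orig, bytes(mod)))
```

On real files, pass the two files' bytes to diff_pe; a run reported in "headers" or "overlay" (for instance a checksum or strong-name signature area) is a different finding from one inside .text where the IL lives.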