Help to deobfuscate Confuser 1.9

Iniciado por zilox, 10 Agosto 2016, 12:19 PM

0 Miembros y 1 Visitante están viendo este tema.

Imprimir
Ir Abajo Páginas1
Acciones del Usuario

zilox

10 Agosto 2016, 12:19 PM Ultima modificación: 10 Agosto 2016, 12:29 PM por zilox
Hi guys,

Sorry for the english but my spanish is very bad.  :(

I am trying to deobfuscate (unpack) the following app:

http://www.chevolume.com/Download.aspx

It is a .Net app and I've tried many things but no success. I can successfuly use de4dot to rename the methods, fields and remove the delegates but if I try to run the executable it shows the splash screen and crashes. I am not sure if I am using the d34dot with the correct attributes.

The dlls are signed but at the moment I am not trying to change them.

steps I followed:

1)run de4dot to rename the methods: de4dot.exe  --keep-names d CheVolume.exe (names are used by the delegates). Generated exe already crashes.

2)Remove delegates using DelegateKiller.

3)Try to run the resulting executable. It shows the splash screen and crashes.

I noticed that if I just open the original executable in Reflector and "save as" using Reflexil 2.0 the generated executable crashes, even if I don't change any IL instruction. I compared both EXE(s) and for some reason reflexil makes changes to the binary.

RDG Detector says that it is obfuscated but not crypted. I appreciate any help to "unpack" or at least solve the problem with Reflexil 2.0. If I can make the saved executable, generated by Reflexil, may be sufficient to progress with my analysis.

Thank you in advance.

MCKSys Argentina

#1
10 Agosto 2016, 14:03 PM Ultima modificación: 10 Agosto 2016, 14:24 PM por MCKSys Argentina
Hi!

Check this out.

Cheers!
MCKSys Argentina

"Si piensas que algo está bien sólo porque todo el mundo lo cree, no estás pensando."

Reglas del foro - FAQ Ing. Inversa - Buscador del foro

zilox

#2
10 Agosto 2016, 15:48 PM Ultima modificación: 11 Agosto 2016, 12:19 PM por zilox
Hi MCKSys,

Thanks for replying.

I had already tried the link you sent and even this one:

https://www.scribd.com/doc/207710371/NET-Decrypt-Confuser-1-9-Methods

The first step they show how to decrypt the code but I don't think the app I am trying to deobfuscate is encrypted. I guess it is just obfuscated.

It nevers stops at the GetHINSTANCE() breakpoint and even in the <module>cctor() I cannot see any call to the AntiTamper, AntiDebug and AntiDump methods.

Regards,

Edit: For some reason renaming the methods corrupts the binary so I just removed the delegates, to make easier tracing the program, and I used a Hex Editor to edit the binary as the Reflexil corrupts the file too. Now everything is working and deobfuscate it is not necessary.  :)

Cheers,

Imprimir
Ir Arriba Páginas1
Acciones del Usuario