Sólo texto | Texto con Imágenes

Test Foro de elhacker.net SMF 2.1

Programación => Ingeniería Inversa => Mensaje iniciado por: zilox en 10 Agosto 2016, 12:19 PM

Título: Help to deobfuscate Confuser 1.9
Publicado por: zilox en 10 Agosto 2016, 12:19 PM
Hi guys,

Sorry for the english but my spanish is very bad.  :(

I am trying to deobfuscate (unpack) the following app:

http://www.chevolume.com/Download.aspx

It is a .Net app and I've tried many things but no success. I can successfuly use de4dot to rename the methods, fields and remove the delegates but if I try to run the executable it shows the splash screen and crashes. I am not sure if I am using the d34dot with the correct attributes.

The dlls are signed but at the moment I am not trying to change them.

steps I followed:

1)run de4dot to rename the methods: de4dot.exe  --keep-names d CheVolume.exe (names are used by the delegates). Generated exe already crashes.

2)Remove delegates using DelegateKiller.

3)Try to run the resulting executable. It shows the splash screen and crashes.

I noticed that if I just open the original executable in Reflector and "save as" using Reflexil 2.0 the generated executable crashes, even if I don't change any IL instruction. I compared both EXE(s) and for some reason reflexil makes changes to the binary.

RDG Detector says that it is obfuscated but not crypted. I appreciate any help to "unpack" or at least solve the problem with Reflexil 2.0. If I can make the saved executable, generated by Reflexil, may be sufficient to progress with my analysis.

Thank you in advance.
Título: Re: Help to deobfuscate Confuser 1.9
Publicado por: MCKSys Argentina en 10 Agosto 2016, 14:03 PM
Hi!

Check this (https://www.youtube.com/watch?v=gKQkIn7sqC8) out.

Cheers!
Título: Re: Help to deobfuscate Confuser 1.9
Publicado por: zilox en 10 Agosto 2016, 15:48 PM
Hi MCKSys,

Thanks for replying.

I had already tried the link you sent and even this one:

https://www.scribd.com/doc/207710371/NET-Decrypt-Confuser-1-9-Methods

The first step they show how to decrypt the code but I don't think the app I am trying to deobfuscate is encrypted. I guess it is just obfuscated.

It nevers stops at the GetHINSTANCE() breakpoint and even in the <module>cctor() I cannot see any call to the AntiTamper, AntiDebug and AntiDump methods.

Regards,

Edit: For some reason renaming the methods corrupts the binary so I just removed the delegates, to make easier tracing the program, and I used a Hex Editor to edit the binary as the Reflexil corrupts the file too. Now everything is working and deobfuscate it is not necessary.  :)

Cheers,

Sólo texto | Texto con Imágenes