Help to deobfuscate Confuser 1.9

Started by zilox, 10 August 2016, 12:19 PM



Hi guys,

Sorry for the English but my Spanish is very bad.  :(

I am trying to deobfuscate (unpack) the following app:

It is a .NET app and I've tried many things but no success. I can successfully use de4dot to rename the methods, fields and remove the delegates, but if I try to run the executable it shows the splash screen and crashes. I am not sure if I am using de4dot with the correct attributes.

The dlls are signed but at the moment I am not trying to change them.

Steps I followed:

1) Run de4dot to rename the methods: de4dot.exe --keep-names d CheVolume.exe (names are used by the delegates). The generated exe already crashes.

2) Remove delegates using DelegateKiller.

3) Try to run the resulting executable. It shows the splash screen and crashes.

I noticed that if I just open the original executable in Reflector and "save as" using Reflexil 2.0 the generated executable crashes, even if I don't change any IL instruction. I compared both EXE(s) and for some reason reflexil makes changes to the binary.

RDG Detector says that it is obfuscated but not crypted. I appreciate any help to "unpack" it or at least solve the problem with Reflexil 2.0. If I can get the executable saved by Reflexil to work, that may be sufficient to progress with my analysis.

Thank you in advance.
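As an added example (not code from zilox's post or from de4dot, Reflexil or any other tool named in this thread): when a re-saved assembly crashes while the IL was not touched, the first question is where the two files actually differ. The script below lists the contiguous byte ranges that differ between an original and a re-saved image and labels the two PE header fields that legitimately change on every re-save, the COFF TimeDateStamp and the optional-header CheckSum, so that everything left over is the part worth inspecting in a hex editor. The two sample images and their field values are constructed inline for the demonstration; the header offsets come from the standard PE/COFF layout, not from the page.

```python
"""Locate and label the byte ranges that differ between two PE images.

Added example: the two images below are constructed in build_sample(), they are
not the binaries discussed in the thread.
"""
import struct


def diff_regions(a: bytes, b: bytes):
    """Return [(offset, length)] for each contiguous run of differing bytes.

    A difference in total length is reported as one trailing region starting
    at the end of the shorter image.
    """
    n = min(len(a), len(b))
    regions = []
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, n - start))
    if len(a) != len(b):
        regions.append((n, abs(len(a) - len(b))))
    return regions


def pe_header_fields(data: bytes):
    """Map the header fields that change on every re-save to file offsets.

    e_lfanew (offset 0x3C) points at the "PE\\0\\0" signature; the COFF header
    follows it, with TimeDateStamp at COFF offset 4, and the optional header
    follows the 20-byte COFF header, with CheckSum at optional-header offset 64.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return {
        "TimeDateStamp": (e_lfanew + 4 + 4, 4),
        "CheckSum": (e_lfanew + 4 + 20 + 64, 4),
    }


def label_regions(a: bytes, b: bytes):
    """Return [(offset, length, label)]; label is the header field a region
    falls entirely inside, or "other" for changes an analyst should look at."""
    fields = pe_header_fields(a)
    labelled = []
    for off, length in diff_regions(a, b):
        name = "other"
        for field, (foff, flen) in fields.items():
            if off >= foff and off + length <= foff + flen:
                name = field
        labelled.append((off, length, name))
    return labelled


def build_sample(timestamp: int, checksum: int, payload_byte: int) -> bytes:
    """Constructed minimal MZ/PE skeleton (not a loadable executable): just
    enough header to exercise the offset arithmetic above."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)          # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, 0x014C)        # Machine: i386
    struct.pack_into("<I", img, 0x88, timestamp)     # COFF TimeDateStamp
    struct.pack_into("<H", img, 0x98, 0x010B)        # optional header magic PE32
    struct.pack_into("<I", img, 0x80 + 0x58, checksum)  # optional-header CheckSum
    img[0x180] = payload_byte                        # a byte in the "body"
    return bytes(img)


# Constructed sample values: a re-save that refreshed the timestamp and
# checksum and also altered one body byte.
ORIGINAL = build_sample(0x57AB0000, 0x1234, 0x2A)
RESAVED = build_sample(0x57AB1111, 0x5678, 0x2B)

if __name__ == "__main__":
    for off, length, label in label_regions(ORIGINAL, RESAVED):
        print(f"0x{off:06X} +{length:<4} {label}")
```

To use it on real files, read both into bytes objects and pass them to label_regions; every region labelled "other" is a change the re-save made beyond the expected header refresh, which is exactly what a byte-for-byte compare of the two EXEs would otherwise leave you to sort through by hand.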

MCKSys Argentina


Check this out.

MCKSys Argentina

"If you think something is right just because everyone believes it, you are not thinking."


Hi MCKSys,

Thanks for replying.

I had already tried the link you sent and even this one:

In the first step they show how to decrypt the code, but I don't think the app I am trying to deobfuscate is encrypted. I guess it is just obfuscated.

It never stops at the GetHINSTANCE() breakpoint, and even in the <module>cctor() I cannot see any call to the AntiTamper, AntiDebug and AntiDump methods.


Edit: For some reason renaming the methods corrupts the binary, so I just removed the delegates to make tracing the program easier, and I used a hex editor to edit the binary, as Reflexil corrupts the file too. Now everything is working and deobfuscating it is not necessary.  :)
