CodeExplorer

Unpacking Confuser


Tools:
cff_patched by kao
MegaDumper (ex DotnetDumper) http://forum.tuts4you.com/topic/24087-dotnet-dumper-10/page-3
ConfuserMethodsDecryptor http://forum.tuts4you.com/topic/30968-confusermethodsdecryptor/
ModuleToAssembly http://forum.tuts4you.com/topic/30789-moduletoassembly-10/

Universal Fixer http://forum.tuts4you.com/topic/25376-universal-fixer/
and Hacked Reflector

Step1: Dumping the .NET module called "___.netmodule"
Start MegaDumper (ex DotnetDumper)
Select the option Main->Dumping Options->Don't restore file name
since we want only addresses this time!
Go on Main->Process Manager and select Confuser_UnpackMe.exe
Click on Start!
Now we watch for a memcpy with the source MZ (since it is an exe);
First Source: 01D905F0 MZ?
Go on the process Confuser_UnpackMe.exe; right click and choose Net Dump
after that we choose "Go to Location" and we go under the Dump directory
Open the file rawdump_01D905F0.dll under CFF Explorer
and look under Module table - we should find "___.netmodule"
Nope, it is not this one.
We click Continue several more times, as long as no new Source with MZ is found.
MegaDumper stops several times for no apparent reason (don't know why!),
just click Continue.

The last MZ before the application start is the right one:
memcpy reached:
Value of EBP:0012EA9C
Old ESP: 0012ED00
Return Address: 79493D82
Source: 01C25248 MZ?
len: (hex) 00038200
Destination: 02C20000

Go on the process Confuser_UnpackMe.exe; right click and choose Net Dump
Load rawdump_01C25248.dll under CFF Explorer
and yes this has two modules - first one called "___.netmodule"
so this is the right file.
We rename this file to "___.netmodule"
and we place it under same directory with Confuser_UnpackMe.exe

Step2: Restoring MSIL of "___.netmodule" with ConfuserMethodsDecryptor
This is Framework 4.0 so we must have Confuser_Methods_Decryptor.exe.config
under ConfuserMethodsDecryptor.exe directory.
Simply select Confuser_UnpackMe.exe and "___.netmodule"
and click on Decrypt.

Step3: Convert "___.netmodule" to a module using ModuleToAssembly
Once again select Confuser_UnpackMe.exe and "____decryptedmethods.netmodule"
and click on Convert.

Step4: Let's see if it runs: no, it doesn't. We open the file in CFF Explorer
and go to Nt Headers->File Header; double click on the Characteristics member
and unmark "File is a DLL".
We also go under Optional Header and we set Subsystem to 02 (Windows GUI).

Step5: Fix the file ____decryptedmethods_assembly.exe
with Universal Fixer so we could load it under Hacked Reflector.
We load the file under Reflector and we search for "GetHINSTANCE"
using CodeSearch plugin for Reflector.
We found two methods; the one we want is the smallest, which has 3 exception handlers.
real token: 060000AC

This is the anti-tamper method, also the method which decrypts methods!
We go under CFF Explorer at index 172 (=AC in hex)
and at the RVA of the method, which in this case is 0000D4B8,
and we change from 1B30 to 062A (a simple return).
And job done: the program runs!

Edited by CodeCracker

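A byte-level view of what Steps 4 and 5 change, as an added example (this is not one of the tools used in the post, and the PE image it parses is constructed inline). It reads the Characteristics and Subsystem fields the way CFF Explorer's Nt Headers view shows them, rejects "MZ" buffers that carry no PE signature (the check a raw memcpy dump needs before it is worth opening), decodes the two CIL method header byte sequences quoted in the post (1B 30 and 06 2A) according to ECMA-335 II.25.4, and splits the 060000AC token into its table and row. A tiny header whose only instruction is ret is exactly what the 062A patch produces, so the decoder flags such bodies as a tamper indicator:

```python
"""Byte-level view of Steps 4 and 5: PE file-header flags and CIL method headers.

Added example for this thread, not one of the tools the post uses.  The PE
image built below is constructed; the header bytes 1B 30 and 06 2A are the
ones quoted in the post.  Layouts follow the PE/COFF spec and ECMA-335 II.25.4.
"""
import struct

IMAGE_FILE_DLL = 0x2000          # Characteristics bit shown by CFF Explorer as "File is a DLL"
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def pe_header_info(data: bytes) -> dict:
    """Read Characteristics and Subsystem from a PE buffer (file or raw dump)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")   # an "MZ" hit that is not a PE image
    file_hdr = e_lfanew + 4
    (machine, nsections, _stamp, _symptr, _nsyms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, file_hdr)
    opt_hdr = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+
    subsystem = struct.unpack_from("<H", data, opt_hdr + 68)[0]
    return {
        "machine": machine,
        "sections": nsections,
        "pe32plus": magic == 0x20B,
        "characteristics": characteristics,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "subsystem": subsystem,
        "subsystem_name": SUBSYSTEMS.get(subsystem, "other"),
    }


def make_gui_exe(data: bytes) -> bytes:
    """The Step 4 edit applied to a buffer: clear IMAGE_FILE_DLL, set Subsystem to 2."""
    buf = bytearray(data)
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    chr_off = e_lfanew + 4 + 18          # Characteristics is the last WORD of the file header
    chars = struct.unpack_from("<H", buf, chr_off)[0] & (0xFFFF ^ IMAGE_FILE_DLL)
    struct.pack_into("<H", buf, chr_off, chars)
    struct.pack_into("<H", buf, e_lfanew + 24 + 68, 2)   # optional header starts at e_lfanew+24
    return bytes(buf)


def decode_method_header(body: bytes) -> dict:
    """Decode the header of a CIL method body (tiny or fat format, ECMA-335 II.25.4)."""
    kind = body[0] & 0x3
    if kind == 0x2:                      # tiny: code size in the upper 6 bits, max stack 8
        size = body[0] >> 2
        code = body[1:1 + size]
        return {"format": "tiny", "code_size": size, "code": code,
                "stub_ret": code == b"\x2A"}            # body is a lone ret: stubbed-out method
    if kind == 0x3:                      # fat: 12-byte header
        flags_size, max_stack, code_size, locals_tok = struct.unpack_from("<HHII", body, 0)
        flags = flags_size & 0xFFF
        return {"format": "fat", "flags": flags,
                "header_size": (flags_size >> 12) * 4,
                "init_locals": bool(flags & 0x08),
                "more_sects": bool(flags & 0x10),      # extra sections follow, e.g. exception handlers
                "max_stack": max_stack, "code_size": code_size,
                "local_var_sig_tok": locals_tok, "stub_ret": False}
    raise ValueError("not a CIL method header")


def split_token(token: int) -> tuple:
    """Metadata token -> (table, row); 0x060000AC is MethodDef (0x06) row 172."""
    return token >> 24, token & 0xFFFFFF


def build_sample_pe(characteristics: int, subsystem: int) -> bytes:
    """Constructed PE32 image carrying only the headers pe_header_info needs."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    dumped = build_sample_pe(0x2102, 3)              # EXECUTABLE_IMAGE | DLL | 32BIT_MACHINE, CUI
    print(pe_header_info(dumped))
    print(pe_header_info(make_gui_exe(dumped)))
    print(decode_method_header(bytes.fromhex("1B300800") + bytes(8)))   # fat header as in the post
    print(decode_method_header(bytes.fromhex("062A")))                 # tiny header, lone ret
    print(split_token(0x060000AC))
```

Decoding 1B 30 as a little-endian WORD gives 0x301B: flags 0x01B (fat, InitLocals, MoreSects) and a header size of 3 dwords, which is why the method shows exception handlers in Reflector. 06 2A decodes to a tiny header with a 1-byte body, the ret opcode.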

looks like you totally pwned confuser, congratz and thanks for the tutorial :)

now yck1509 has to update, I guess :D


"I always get "Process is terminated" when I click start?"

Yeah. I don't understand what you just said, you only repeated what I said.

[edit]

OMG, ImPlode then writes:

Which is the target, can I have a link?

aka upload the target^

Edited by whoknows


Many thx. But I have a question: how to fix the Delegate?


http://board.b-at-s.info/index.php?showtopic=9048


I think that it's because of Reflexil. It uses Mono.Cecil. Try to patch it by some hex editors


Whenever I tick Log memcpy it doesn't work, the process just gets terminated.

Process created!
Logging memcpy enabled!

Process terminated, exit code: 4294967295


EDIT: Win7 x64

EDIT: Execute as WinXP sp3 doesn't terminate it; but then it doesn't log anything..

Edited by w00tare


I think that it's because of Reflexil. It uses Mono.Cecil. Try to patch it by some hex editors

Is there any other ways?


I am getting this error on Win 7 and XP systems when I am trying to use ConfuserMethodsDecryptor. I do have the config file in the folder. PS: can someone post a link to the CFF patched by Kao? I searched all over and was unable to find it. The standard version crashes when trying to access the tables. THANKS guys

[screenshot: 2883cz.jpg]

***PLEASE DISREGARD*** Thanks to Kao and his CFF Explorer I know the .netmodule file was in fact incorrectly named. This program works great, thanks CodeCracker and Kao

Edited by rooster1

