ConfuserEx

Confuser 1.X

Open J4yRich opened this issue 8 years ago • 7 comments


http://farm9.staticflickr.com/8599/29426620652_6c62995c43_o.png

Can you give me a tutorial to unpack it?

J4yRich, Sep 08 '16 06:09

It's not that easy to unpack Confuser. You can try using NoFuserEx or, if it's really Confuser and not ConfuserEx, try using de4dot. However, you will need to do some research by yourself, because most of the tutorials are for specific cases. To give you some hints:

  • I use dnSpy to debug the .exe and set breakpoints where it loads and decrypts the packed module (usually it's called koi), then I save it from memory (I haven't found exactly where it decrypts it completely; I just brute-force it).
  • You will need to edit the PE, set the main module and entry point, etc. for the saved module.
  • de4dot for cleaning the saved module.
  • Read some papers from here; these gave me a kick start on reverse engineering .NET.

SlowLogicBoy, Sep 08 '16 09:09

Can you help me handle it? Please send me your email.

J4yRich, Sep 08 '16 09:09

Well, I don't have an email I could give you. You can ask something in this issue if the project owners do not mind.

SlowLogicBoy, Sep 08 '16 12:09

Hi J4yRich, can you share the tools in the image? Thanks

maithanhtan, Jun 29 '17 09:06

@maithanhtan https://github.com/horsicq/Detect-It-Easy

SlowLogicBoy, Jun 29 '17 12:06

@SlowLogicBoy what about those cases where it isn't called koi?

longlostbro, Mar 24 '18 19:03

@longlostbro then modify your tools to handle the other name.

SlowLogicBoy, Mar 25 '18 07:03