API tools faq
paste
BaSs_HaXoR

Unpacking Confuser

BaSs_HaXoR
Mar 23rd, 2014
249
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.03 KB | None | 0 0
raw download clone embed print report
  1. ///////////////////// Keyz World-Dev.com - to DDC Team //////////////////////
  2.  
  3. Unpacking confuser v1.9 max settings enabled.
  4. first download the msil decryptor.
  5.  
  6. http://adf.ly/rt7Wn
  7. http://adf.ly/rt7Zt
  8. Now Just browse the confused assembly... its important to check on the use loadlibrary, then click on decrypt..
  9.  
  10. You still cant browse on the methods when you open it on SAE dont use reflector coz that was a trash as simple as that.
  11.  
  12. So here's the next step..
  13.  
  14. Download this: universal fixer, if you dont have..
  15.  
  16. http://adf.ly/rt7ab
  17.  
  18. Browse the decryted assembly, then click on fix just use default.. wait for the tool to fix the program, remember that it will takes a longer time to do its job since we know that confuser sucks it also defend on the program size.. seeing on the statistic of the fixer that it successfully fixed and save the assembly on a directory signals us that it already done on its job...
  19.  
  20. open it on SAE and feel happy to browse on those methods and you gonna see those il codes... Smile
  21.  
  22. but the last problem is that it wont run.. Mad ?
  23.  
  24. so here's the solution... on SAE search for the word "broken file" it will be found by the decompiler and go to the first il code of that method,copy its RVA address.
  25.  
  26. open the fixed file on CFF EXPLORER..
  27.  
  28. http://adf.ly/rt7cG
  29.  
  30. input the RVA ADDRESS on the rva box on the cff explorer and it will give you its offset address of the file, then change the bytes on that offset with this hex byte value 2A (IN SImple word, we ret that method, we just only use hexbyte patching.), and maybe wait also for my search and replace byte patcher to easily do this or someone can generate it or just program the tool.
  31.  
  32. run the file, and it will run now... so cheers..
  33.  
  34. the strings are still encrypted, but there is a tool named dotnet tracer, to help you crack easy as like you are blind.. Tongue
  35.  
  36. de4dot can also cleaned the fixed the running assembly, so newbie cracker will now wont have problem on confuser..
  37.  
  38. AND SO, CONFUSER WILL NOW ENDS.. Enjoy
  39. Keyz / Jejus.
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!