- /*
- https://forum.tuts4you.com/topic/41056-confuserex-unpacker-2/
- GITHUB: https://github.com/cawk/ConfuserEx-Unpacker-2
- A new and updated version of my last unpacker for ConfuserEx, which people actually seem to use, so I thought I would update it and make it better, as that version is very poor.
- this is currently in beta and in its first version will only support confuserex with no modifications or additional options from confuserex itself. this will change as i add more features
- this will heavily be based off my instruction emulator which makes it much more reliable as long as theres no hidden surprises from modified confuserex
- I have not used submodules because I made changes within de4dot.blocks: in Int32/64Value I have modified the Shr_Un methods and such to fix a bug (not really a bug, but it prevents some operations from giving the correct result).
- if you have an issue with this unpacker please make an issue report but if you simply go
- 'does not work on this file please fix' i simply will just close your issue
- please make a detailed report and explain where it crashes
- Credits TheProxy for his Reference Proxy Remover Shadow Anti Tamper remover 0xd4d dnlib/de4dot
- =====================================================================================================================================================================================
- .NET-Instruction-Emulator
- This project is an extremely helpful toolkit for any reverser dealing with complicated MSIL. using this you can emulate certain instructions complete methods or even just 1 instruction. this can be extremely helpful for many obfuscators i mainly use this in confuserex appfuscator and netguard
- this can replace invoking of most methods as you can just run the instructions with this emulator and you have complete control over which instructions are ran and contains events so you can intercept certain instructions
- This requires fw 4.0+ since it uses dynamic variables. A few people have said that it is a bad idea to use dynamic variables in this project; however, this is incorrect, since an emulator is not made for performance but for accuracy of emulation and getting the correct result. They keep the code a lot cleaner and easier to understand.
- Usage
- to use this you just supply the method along with the start of the instructions to the end of the instructions
- call/callvirt is included, but the implementation is not good: it invokes the method, or at least tries to. I didn't bother coding it well because, if you are emulating a method, you should use the event handler to handle the call/callvirt instruction.
- there are two handlers
- OnCallPrepared
- OnInstructionPrepared
- Calls will use the fake call unless changed in the event handler; this is to prevent any malicious code from being executed.
- There are many improvements to be made to this, but as of now I have no real interest in changing anything, as it works for everything I require. There are some missing opcodes; if anyone wants to add them, feel free: just check online how they are executed and implement them, it is very simple.
- Credits
- Pan - for the events
- NetGuard and ConfuserEx - for making obfuscation where static decryption is harder than just copying and pasting
- =====================================================================================================================================================================================
- https://github.com/cawk/ConfuserEx-Unpacker-2
- =====================================================================================================================================================================================*/
- using ConfuserEx_Unpacker.Protections;
- using dnlib.DotNet;
- using dnlib.DotNet.Writer;
- using System;
- using System.Collections.Generic;
- using System.IO;
- using System.Linq;
- using System.Text;
- using System.Threading.Tasks;
- using EasyPredicateKiller;
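namespace ConfuserEx_Unpacker
{
    /// <summary>
    /// Command-line entry point: loads one module with dnlib, runs the protection removers
    /// in a fixed order, and writes the result next to the input file with a "-cleaned" suffix.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the input is normally an untrusted, obfuscated binary. Loading it with
    /// ModuleDefMD.Load reads the file as data, but whether any Remover invokes code from the
    /// target is not visible in this file - confirm before running it outside an isolated
    /// analysis machine.
    /// </remarks>
    class Program
    {
        // Removers are executed in exactly this sequence by Main. Several of them appear more
        // than once; the order is kept as the author wrote it.
        private static Base[] bases = new Base[]
        {
            new Protections.Antitamper.Remover(),
            new Protections.Control_Flow.Remover(),
            new Protections.Compressor.Remover(),
            new Protections.Antitamper.Remover(),
            new Protections.Control_Flow.Remover(),
            new Protections.RefProxy.Remover(),
            new Protections.Control_Flow.Remover(),
            new Protections.Constants.Remover(),
            new Protections.Control_Flow.Remover(),
            new Protections.RefProxy.Remover(),
        };

        // Path of the input module, taken from the single command-line argument.
        private static string filename;

        // The loaded input module; shared with LoadAsmRef.
        private static ModuleDefMD module;

        /// <summary>
        /// Validates the command line, loads the module, runs every remover and writes the output.
        /// </summary>
        /// <param name="args">Exactly one element: the path of the module to process.</param>
        static void Main(string[] args)
        {
            // Report usage problems on stderr with a non-zero exit code instead of crashing
            // with an unhandled bare Exception.
            if (args.Length != 1)
            {
                Console.Error.WriteLine("Invalid arguments.");
                Environment.ExitCode = 1;
                return;
            }

            filename = args[0];
            if (!File.Exists(filename))
            {
                Console.Error.WriteLine($"{Path.GetFileName(filename)} doesn't exist.");
                Environment.ExitCode = 1;
                return;
            }

            module = ModuleDefMD.Load(filename);
            LoadAsmRef();
            Base.ModuleDef = module;
            MethodDefExt2.OriginalMD = Base.ModuleDef;

            foreach (Base remover in bases)
            {
                remover.Deobfuscate();
            }

            // The compressor remover records an entry point token; zero means none was recorded.
            if (Protections.Compressor.Remover.ModuleEp != 0)
            {
                var restoredEntryPoint =
                    Base.ModuleDef.ResolveToken(Protections.Compressor.Remover.ModuleEp) as MethodDef;

                // The 'as' cast yields null when the token is not a method definition. Assigning
                // that would silently clear the entry point, so keep the current one and warn.
                if (restoredEntryPoint != null)
                {
                    Base.ModuleDef.EntryPoint = restoredEntryPoint;
                }
                else
                {
                    Console.Error.WriteLine("Warning: the recorded entry point token did not resolve to a method; entry point left unchanged.");
                }
            }

            var writerOptions = new ModuleWriterOptions(Base.ModuleDef);
            writerOptions.MetadataOptions.Flags = MetadataFlags.PreserveAll;
            // The no-throw logger ignores writer errors, so an output file is produced even
            // when the module could not be written cleanly; treat the result accordingly.
            writerOptions.Logger = DummyLogger.NoThrowInstance;

            Console.WriteLine("Writing the file...");
            Base.ModuleDef.Write(NewPath(filename), writerOptions);

            // Wait for Enter before the process ends.
            Console.ReadLine();
        }

        /// <summary>
        /// Builds the output path: same directory and extension as <paramref name="path"/>,
        /// with "-cleaned" appended to the file name.
        /// </summary>
        /// <param name="path">Path of the input file.</param>
        /// <returns>The path the cleaned module is written to.</returns>
        public static string NewPath(string path)
        {
            // A bare file name has an empty directory part. Joining that with a literal
            // backslash produced "\name-cleaned.ext", which points at the root of the current
            // drive; Path.Combine keeps such an output beside the input instead.
            string directory = Path.GetDirectoryName(path) ?? string.Empty;
            string cleanedName = $"{Path.GetFileNameWithoutExtension(path)}-cleaned{Path.GetExtension(path)}";
            return Path.Combine(directory, cleanedName);
        }

        /// <summary>
        /// Attaches an assembly resolver to the loaded module and caches every assembly the
        /// module references that the resolver can find.
        /// </summary>
        public static void LoadAsmRef()
        {
            var asmResolver = new AssemblyResolver();
            var modCtx = new ModuleContext(asmResolver);
            asmResolver.DefaultModuleContext = modCtx;
            asmResolver.EnableTypeDefCache = true;

            module.Location = filename;
            var asmRefs = module.GetAssemblyRefs().ToList();
            module.Context = modCtx;

            foreach (var asmRef in asmRefs)
            {
                if (asmRef == null)
                {
                    continue;
                }

                var resolved = asmResolver.Resolve(asmRef.FullName, module);
                if (resolved == null)
                {
                    // A dependency that is not available on this machine; report it rather
                    // than handing null to the cache.
                    Console.Error.WriteLine($"Warning: could not resolve reference {asmRef.FullName}.");
                    continue;
                }

                // module.Context was set to modCtx above, so its resolver is asmResolver.
                asmResolver.AddToCache(resolved);
            }
        }
    }
}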
- /*====================================================================================================================================================================================*/