View Single Post
  #72  
Old 12-29-2012, 22:46
giv's Avatar
giv giv is offline
VIP
 
Join Date: Jan 2011
Location: Romania
Posts: 1,657
Rept. Given: 801
Rept. Rcvd 1,283 Times in 561 Posts
Thanks Given: 226
Thanks Rcvd at 562 Times in 240 Posts
giv Reputation: 1100-1299 giv Reputation: 1100-1299 giv Reputation: 1100-1299 giv Reputation: 1100-1299 giv Reputation: 1100-1299 giv Reputation: 1100-1299 giv Reputation: 1100-1299 giv Reputation: 1100-1299 giv Reputation: 1100-1299
Here is a solution for Confuser 1.9

Quote:
Originally Posted by heima911 View Post
Hope to support Confuser
///////////////////// Keyz World-Dev.com - to DDC Team //////////////////////

Unpacking confuser v1.9 max settings enabled.
first download the msil decryptor.

http://uppit.com/irrah14pjhm6/Simple_MSIL_Decryptor.zip
http://uppit.com/qinahamvavsw/1_msil_fix12.rar
Now Just browse the confused assembly... its important to check on the use loadlibrary, then click on decrypt..

You still cant browse on the methods when you open it on SAE dont use reflector coz that was a trash as simple as that.

So here's the next step..

Download this: universal fixer, if you dont have..

http://uppit.com/tmkcdyz2fc2h/Universal_Fixer.zip

Browse the decryted assembly, then click on fix just use default.. wait for the tool to fix the program, remember that it will takes a longer time to do its job since we know that confuser sucks it also defend on the program size.. seeing on the statistic of the fixer that it successfully fixed and save the assembly on a directory signals us that it already done on its job...

open it on SAE and feel happy to browse on those methods and you gonna see those il codes... Smile

but the last problem is that it wont run.. Mad ?

so here's the solution... on SAE search for the word "broken file" it will be found by the decompiler and go to the first il code of that method,copy its RVA address.

open the fixed file on CFF EXPLORER..

http://www.ntcore.com/exsuite.php

input the RVA ADDRESS on the rva box on the cff explorer and it will give you its offset address of the file, then change the bytes on that offset with this hex byte value 2A (IN SImple word, we ret that method, we just only use hexbyte patching.), and maybe wait also for my search and replace byte patcher to easily do this or someone can generate it or just program the tool.

run the file, and it will run now... so cheers..

the strings are still encrypted, but there is a tool named dotnet tracer, to help you crack easy as like you are blind.. Tongue

de4dot can also cleaned the fixed the running assembly, so newbie cracker will now wont have problem on confuser..

AND SO, CONFUSER WILL NOW ENDS.. Enjoy
Keyz / Jejus.

Quote:
http://pastebin.com/TABT1xPm
Reply With Quote
The Following 2 Users Gave Reputation+1 to giv For This Useful Post:
alekine322 (12-30-2012), wilson bibe (01-04-2013)