This post was last edited by BlackHatRCE on 2022-8-31 03:10
LET'S START THE DECRYPTION
STEPS -
- I downloaded the file and it was very big in size, approximately 23 MB (my mood was off when I saw such a big Unpack Me).
- I ran "CrackMeRun" and did a memory dump, as you used "Winlicense" as a native wrapper.
- It is absolutely the worst idea to use a protector like "Winlicense/Themida/Enigma/Obsidium" over a C#/.NET file, as they just increase the size and don't contribute anything to protection unless used with the SDK and licensing in a proper way.
- I got the Original "CrackMeRun" file (Posted above) with "CrackMeMain" file (posted below).
Question - Why did you use the "Temp" folder to drop a "RunDLL" exe with ".cs" code? --> It made this "Unpack Me" look like malware.
- I got a randomly named generated folder in "Temp", though the .cs file containing the code can be seen in "CrackMeMain" as well.
- I see a "RunDLL" exe in the Temp folder too, along with a .cmdline file.
- Anyways, I decrypted "CrackMeMain" file from ConfuserEx.
- Now I bypassed anti-debugging, ran the "CrackMeMain" file and saved the "CrackMe" file from memory.
- I fixed the dumped file of "CrackMe" and I saw that it also has ConfuserEx, so I unpacked it.
How did I unpack ConfuserEx?
- Unpack Anti Tamper via Module.cctor
- Unpack Cflow. It is a basic one.
- Unpack Proxy Calls.
- Deal with Anti Invoking and decrypt strings. The strings' int value is mutated. You can do some math mutations to get the final result.
- Now I fixed the Type Scrambler and renamed methods.
- I decrypted base64 of "CrackMeMain" to get the same code posted above which is similar to .cs file in "Temp" folder.
- After unpacking ConfuserEx from "CrackMe" we can clearly see the code.
- I used my modified Renamer to rename it properly and made it 100% like the original.
As you can see, it is properly unpacked and restored like the original unprotected file.
Tip: Don't make an unnecessarily large Unpack Me. Don't use a coding style which looks like a virus/dropper, otherwise people won't check it.
Difficulty: 1.5/10 (0.5 for math mutations added on string encryption), that's it.
If anyone knows both English and Chinese, he can translate it properly for everyone. I do not know Chinese so I cannot type in the Chinese language (maybe I am not smart enough to learn it).