Hi, I received some messages from people who are confused about recognising ConfuserEx protections, so I’ll try to make a clear tutorial on how to recognise them.
Here’s a list of ConfuserEx features:
- Symbol renaming (Support WPF/BAML)
- Protection against debuggers/profilers
- Protection against memory dumping
- Protection against tampering (method encryption)
- Control flow obfuscation
- Constant/resources encryption
- Reference hiding proxies
- Disable decompilers
- Embedding dependency
- Compressing output
Some of them are easy to recognise (for example: renamer, …).
It depends on the ConfuserEx version, but it’ll be almost the same in all cases, even in very good mods. Some of them also add features.
So here, I’ll show you: Anti-Debug/Anti-Dump/Anti-Tamper/Packer/Control Flow/Constant/Proxy/Resource
When you open a ConfuserEx-protected assembly, first go to the entry point. If you see something like this, it means that the packer is activated:
Sometimes there’s control flow, so it’s a bit more confusing!
Then go to the <Module>.cctor and you’ll probably see some calls. Just follow them to see where they lead! The first will be the anti-tamper, because it has to decrypt methods:
The best way to recognise the anti-tamper protection is the call to the method Marshal.GetHINSTANCE.
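The check described above (follow the calls from the <Module> .cctor until one of them reaches Marshal.GetHINSTANCE) can be scripted over an IL text dump. This is an added example, not code from the original post or from ConfuserEx; the listing, the function names and the simplified IL format are constructed for illustration.

```python
import re
# Constructed, simplified ILDasm-style excerpt of <Module>; method names assumed unique.
SAMPLE_IL = r"""
.method private static void .cctor() cil managed
{
  IL_0000: call void '<Module>'::a()
  IL_0005: call void '<Module>'::b()
  IL_000a: ret
}
.method private static void a() cil managed
{
  IL_0000: call native int [mscorlib]System.Runtime.InteropServices.Marshal::GetHINSTANCE(class [mscorlib]System.Reflection.Module)
  IL_0005: pop
  IL_0006: ret
}
.method private static void b() cil managed
{
  IL_0000: call void [mscorlib]System.GC::Collect()
  IL_0005: ret
}
"""
METHOD = re.compile(r"\.method\b[^\n]*?\s([^\s(]+)\(")    # method name before '('
CALL = re.compile(r"\bcall(?:virt)?\s.*?(\S+)::([^\s(]+)\(")  # owner type and callee
MARKER = "System.Runtime.InteropServices.Marshal::GetHINSTANCE"

def parse_calls(il_text):
    """Map each method name to the 'Type::Name' targets it calls."""
    calls, current = {}, None
    for line in il_text.splitlines():
        m = METHOD.search(line)
        if m:
            current = m.group(1)
            calls[current] = []
        elif current and (c := CALL.search(line)):
            calls[current].append(f"{c.group(1)}::{c.group(2)}")
    return calls

def find_antitamper_candidates(il_text, root=".cctor"):
    """Follow <Module> calls from the .cctor; return methods calling GetHINSTANCE."""
    calls, seen, stack, hits = parse_calls(il_text), {root}, [root], []
    while stack:
        name = stack.pop()
        for target in calls.get(name, []):
            if target.endswith(MARKER) and name not in hits:
                hits.append(name)
            callee = target.split("::")[-1]
            if target.startswith("'<Module>'::") and callee not in seen:
                seen.add(callee)
                stack.append(callee)
    return hits
```

Marshal.GetHINSTANCE also has legitimate uses, so treat a hit as a pointer to the method worth opening in the decompiler, not as proof.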
Alright, decrypt the methods, remove the call to the decryptor and look at the other calls.
If you see something like this at the bottom of a method, it means that resources are encrypted :
To make things easier, I decided to decrypt control flow 🙂
This one is associated with the constant decryptor. You can’t remove it!!
These two are Anti-Debug and Anti-Dump. You can remove them!
Now let’s look at the reference proxy protection:
As you can see, when you call a method (for example Application.EnableVisualStyles), you don’t see the real method, you see a proxy that calls the real method :p
I suppose you saw what the control flow is. And the last protection is the constant encryption :
Here you go! If you have any questions: mail -> firstname.lastname@example.org or Skype: MindSystemm