Hi, I received some messages from people who are confused about recognising ConfuserEx protections, so I'll try to make a clear tutorial on how to recognise them.

Here's a list of ConfuserEx features:

  • Symbol renaming (Support WPF/BAML)
  • Protection against debuggers/profilers
  • Protection against memory dumping
  • Protection against tampering (method encryption)
  • Control flow obfuscation
  • Constant/resources encryption
  • Reference hiding proxies
  • Disable decompilers
  • Embedding dependency
  • Compressing output

Some of them are easy to recognise (for example: the renamer, ...).

It depends on the ConfuserEx version, but it'll look almost the same in all cases, even in very good mods. Some mods also add features.

So here I'll show you: Anti-Debug/Anti-Dump/Anti-Tamper/Packer/Control Flow/Constant/Proxy/Resource.

When you open a ConfuserEx-protected assembly, first go to the entry point. If you see something like this, it means that the packer is enabled:

Screenshot_1

Sometimes there's control flow obfuscation on top of it, so it's a bit more confusing!

Then go to the <Module>.cctor and you'll probably see some calls. Just follow them to see where they lead! The first one will be the anti-tamper, because it has to decrypt the methods before anything else can run:

Screenshot_2

The best way to recognise the anti-tamper protection is the call to the method Marshal.GetHINSTANCE (the stub needs the module's base address to find and decrypt the method bodies in memory):

Screenshot_3
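As an added example (not code from the original post), here's a small Python triage script that locates the CLR metadata root inside an assembly, parses its stream headers and pulls every identifier out of the #Strings heap, then flags the GetHINSTANCE indicator described above. It assumes only the Python standard library; the indicator table, the helper names and the constructed sample metadata blob are my own, and it is deliberately limited to the one indicator this post names.

```python
import struct
import sys

# Triage indicator taken from the post: the ConfuserEx anti-tamper stub that
# runs from <Module>.cctor calls Marshal.GetHINSTANCE. The name survives the
# renamer because it is a reference to a framework method, not a user symbol.
# (Indicator table is my own; extend it as you confirm other markers.)
INDICATORS = {
    "GetHINSTANCE": "anti-tamper (method decryption stub reached from <Module>.cctor)",
}

METADATA_SIGNATURE = 0x424A5342  # "BSJB" when packed little-endian


def find_metadata_root(data: bytes) -> int:
    """Return the file offset of the CLR metadata root.

    Shortcut for this example: scan for the BSJB magic instead of walking the
    PE optional header -> CLI header -> metadata RVA. A hardened tool should
    walk the headers, since "BSJB" can also appear inside embedded resources.
    """
    idx = data.find(b"BSJB")
    if idx < 0:
        raise ValueError("no CLR metadata root found; not a managed assembly?")
    return idx


def parse_stream_headers(data: bytes, root: int) -> dict:
    """Parse the metadata root (ECMA-335 II.24.2.1); return {stream name: (offset, size)}.

    Offsets are relative to the metadata root, as in the file format.
    """
    sig, _major, _minor, _reserved, version_len = struct.unpack_from("<IHHII", data, root)
    if sig != METADATA_SIGNATURE:
        raise ValueError("bad metadata signature")
    pos = root + 16 + version_len          # version_len is already rounded up to 4
    _flags, stream_count = struct.unpack_from("<HH", data, pos)
    pos += 4
    streams = {}
    for _ in range(stream_count):
        offset, size = struct.unpack_from("<II", data, pos)
        pos += 8
        name_end = data.index(b"\x00", pos)
        name = data[pos:name_end].decode("ascii")
        # stream name is null-terminated and padded to a 4-byte boundary from the root
        pos = root + (((name_end + 1 - root) + 3) & ~3)
        streams[name] = (offset, size)
    return streams


def read_strings_heap(data: bytes, root: int, streams: dict) -> list:
    """Return every identifier stored in the #Strings heap (null-separated UTF-8)."""
    if "#Strings" not in streams:
        return []
    offset, size = streams["#Strings"]
    raw = data[root + offset: root + offset + size]
    return [s.decode("utf-8", "replace") for s in raw.split(b"\x00") if s]


def scan_indicators(data: bytes) -> dict:
    """Map each indicator name present in the #Strings heap to the protection it suggests."""
    root = find_metadata_root(data)
    streams = parse_stream_headers(data, root)
    names = set(read_strings_heap(data, root, streams))
    return {name: why for name, why in INDICATORS.items() if name in names}


def build_sample_metadata(identifiers: list) -> bytes:
    """Constructed test input: a minimal metadata root with a single #Strings stream.

    Not a real assembly; it only exercises the parser above offline.
    """
    version = b"v4.0.30319\x00"
    version_len = (len(version) + 3) & ~3
    version = version.ljust(version_len, b"\x00")
    stream_name = b"#Strings\x00".ljust(12, b"\x00")      # 9 bytes, padded to 12
    heap = b"\x00" + b"\x00".join(i.encode() for i in identifiers) + b"\x00"
    header_len = 16 + version_len + 4 + 8 + len(stream_name)
    root = struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, version_len) + version
    root += struct.pack("<HH", 0, 1)                         # flags, one stream
    root += struct.pack("<II", header_len, len(heap)) + stream_name
    return b"MZ".ljust(64, b"\x00") + root + heap             # fake DOS stub in front


if __name__ == "__main__":
    sample = build_sample_metadata(["<Module>", ".cctor", "Marshal", "GetHINSTANCE"])
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample
    for name, why in scan_indicators(data).items():
        print(f"{name}: {why}")
```

Run it with a path to an assembly, or with no argument to use the constructed sample. A hit only tells you that a member named GetHINSTANCE is referenced somewhere in the assembly, which is also true of some legitimate code, so treat it as triage and confirm by following the <Module>.cctor call chain in the decompiler as described above.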

Alright, decrypt the methods, remove the call to the decryptor, and look at the other calls.

If you see something like this at the bottom of a method, it means that the resources are encrypted:

Screenshot_4

To make things easier, I decided to clean up the control flow obfuscation first 🙂

Screenshot_5

This one belongs to the constant decryptor. You can't remove it!!

Screenshot_6

Screenshot_7

These two are Anti-Debug and Anti-Dump. You can remove them!

Now let's look at the reference proxy protection:

Screenshot_8

As you can see, when a method is called (for example Application.EnableVisualStyles), you don't see the real method; you see a proxy that calls the real method :p

I suppose you've already seen what the control flow obfuscation looks like. And the last protection is the constant encryption:

Screenshot_9

Here you go! If you have any questions: mail -> mindlockreverser@gmail.com or Skype: MindSystemm

Enjoy!
