[Skip if you’re an English speaker 🙂] First, a note for my French compatriots. I get a lot of messages asking me to write my tutorials in French. Because my time is short, I cannot write tutorials in both French and English, and because most of the viewers of this website are English speakers, most of the tutorials will be written in English and the « important » ones will also be written in French 🙂
Today I’ll focus on the constants protection of ConfuserEx. Not the original one, but the one that we can find in 95% of modded ConfuserEx builds (Beds 4.5, 6.9 and also 7.0, Ben Mhenni all versions, …). To counter public deobfuscators, they use the x86 mode of ConfuserEx, which is an original feature of ConfuserEx, so it’s not a mod! This mode can counter public deobfuscators because the obfuscated app cannot be reflected, and most of the public tools rely on reflection (Invoke). The same goes for static deobfuscators: we can’t see the value of an x86 int because, as its name says, it’s native. So if you want to decrypt the constants, you first have to resolve the x86 ints.
So how can we resolve these ints?
- You can emulate the x86 code to grab the result (SharpDisasm, BeaEngine, …)
- Simply Invoke the methods but without reflection
- Convert the x86 code to MSIL code
All these solutions are equivalent.
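As an added example (not from the original post and not any tool's own code), here is a minimal Python sketch of the first option, emulation. It handles only a small register-only subset of x86 encodings, assumes the argument starts in EAX, and runs on a constructed byte string; the name `emulate` and the sample are hypothetical, and whatever prologue a real protected method has is not handled.

```python
import struct

MASK = 0xFFFFFFFF
# Register-to-register forms "op r/m32, r32" (destination is ModRM.rm).
BINOPS = {0x01: lambda a, b: a + b,   # add
          0x29: lambda a, b: a - b,   # sub
          0x31: lambda a, b: a ^ b,   # xor
          0x89: lambda a, b: b}       # mov

def emulate(code: bytes, arg: int) -> int:
    """Run a register-only x86 subset; return EAX as a signed 32-bit int."""
    regs = [0] * 8                    # EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI
    regs[0] = arg & MASK              # assumption: the argument starts in EAX
    ip = 0
    try:
        while True:
            op = code[ip]
            if op == 0xC3:            # ret
                return regs[0] - (1 << 32) if regs[0] >> 31 else regs[0]
            if 0xB8 <= op <= 0xBF:    # mov r32, imm32
                regs[op - 0xB8] = struct.unpack_from("<I", code, ip + 1)[0]
                ip += 5
                continue
            two_byte = op == 0x0F
            modrm = code[ip + 2] if two_byte else code[ip + 1]
            if modrm >> 6 != 3:       # memory operands are out of scope
                raise ValueError(f"unsupported operand at offset {ip}")
            reg, rm = (modrm >> 3) & 7, modrm & 7
            if two_byte and code[ip + 1] == 0xAF:   # imul r32, r/m32
                regs[reg] = (regs[reg] * regs[rm]) & MASK
            elif op in BINOPS:
                regs[rm] = BINOPS[op](regs[rm], regs[reg]) & MASK
            elif op == 0xF7 and reg == 2:           # not r/m32
                regs[rm] ^= MASK
            elif op == 0xF7 and reg == 3:           # neg r/m32
                regs[rm] = -regs[rm] & MASK
            else:
                raise ValueError(f"unsupported opcode {op:#04x} at offset {ip}")
            ip += 3 if two_byte else 2
    except (IndexError, struct.error):
        raise ValueError("code ended before ret") from None

# Constructed sample body (not taken from a real protected assembly).
SAMPLE = bytes.fromhex(
    "b939300000"   # mov  ecx, 12345
    "31c8"         # xor  eax, ecx
    "ba07000000"   # mov  edx, 7
    "0fafc2"       # imul eax, edx
    "f7d8"         # neg  eax
    "01c8"         # add  eax, ecx
    "f7d0"         # not  eax
    "c3")          # ret
```

For this sample, `emulate(SAMPLE, x)` equals `~(-((x ^ 12345) * 7) + 12345)` truncated to 32 bits, which is the expression an MSIL translation of the same body would compute.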
If you translate the x86 code to MSIL code, you’ll see something like this :
You just have to replace the call to the native method with a call to this MSIL method. Then delete all x86 methods and the assembly can be reflected and the public tools will work 🙂
Note: for Ben Mhenni (as it’s a copy-paste of NetGuard 4.5), you must clean the mutations.
The best solution is to write a tool which works like this:
- Translate/Invoke/Emulate all x86 methods to get an MSIL result
- Delete all x86 methods
- [Optional] Get rid of the mutations
- Use Invoke to decrypt the constants
If you have problems with a target or if you have a question 🙂, contact me on Skype: MindSystemm, Discord: MindSystemm#4159 or by mail: email@example.com
I hope you enjoy this tutorial !!