I decided to talk about ConfuserEx's compressor because this protection is hardly ever changed in mods and is very interesting to analyse.
So, as ConfuserEx's documentation says: « This packer reduces the size of output using LZMA compression algorithm. Only one executable module may be in the project and it would be used as the main entry module. »
The decryption key can be Normal or Dynamic.
As with almost all packers, it can be removed by dumping the executable with MegaDumper. But ConfuserEx is more clever than that: if you dump the stub, you'll get an executable which has no entry point and which can't work.
The original module is now a netmodule which will be first decrypted and then loaded:
(The original name is « koi », but for this paper I used a modded version.)
If you look at the entry point, you'll first see a big array. This array is your original exe, which will be decrypted and then decompressed with the LZMA algorithm.
Now that the module has been decrypted, it can be loaded using the function LoadModule.
The last step is to start the decrypted assembly, but as I said before, the decrypted assembly has no entry point. So ConfuserEx resolves the MDToken of the EP and then invokes this method.
To remove the packer, there are multiple options:
- Dump and fix the EP manually
- Debug using dnSpy and grab the decrypted module
- Debug using WinDbg: run the decryption routine and finally get the decrypted module
- Code a decompressor by invoking the LZMA algorithm
- Code a decompressor, grab all the keys and decrypt the module statically
The last option is not really reliable: you absolutely have to get the right key, and if Dynamic mode has been used, the task is harder.
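As an added example (not code from the original post or from ConfuserEx), here is how the first option, dump and fix the EP manually, can be scripted with dnlib. It assumes the decrypted netmodule has already been dumped to koi.netmodule (for example from dnSpy or WinDbg) and that the MDToken the stub resolves right before Invoke was read in the debugger; both values are placeholders.

```csharp
// Added example: give a dumped ConfuserEx netmodule an assembly manifest and
// an entry point so it can be analysed (and run) as a normal .NET exe.
// Requires the dnlib NuGet package. Paths and the token are placeholders.
using System;
using dnlib.DotNet;

static class EntryPointFixer
{
    static void Main(string[] args)
    {
        // Placeholders: dumped module path and the EP MDToken seen in the stub.
        string dumped = args.Length > 0 ? args[0] : "koi.netmodule";
        uint token = args.Length > 1 ? Convert.ToUInt32(args[1], 16) : 0x06000001;

        ModuleDefMD mod = ModuleDefMD.Load(dumped);

        // The stub does the same resolution at runtime: MDToken -> MethodBase.
        var ep = mod.ResolveToken(token) as MethodDef;
        if (ep == null)
            throw new InvalidOperationException($"0x{token:X8} is not a MethodDef token");
        Console.WriteLine($"Entry point: {ep.FullName}");

        // A netmodule has no assembly manifest, which is why the raw dump
        // cannot start; attach it to a fresh assembly definition.
        if (mod.Assembly == null)
            new AssemblyDefUser("koi", new Version(1, 0, 0, 0)).Modules.Add(mod);

        mod.Kind = ModuleKind.Console;   // or ModuleKind.Windows for a GUI app
        mod.EntryPoint = ep;             // restore the EP the stub removed
        mod.Write("koi_fixed.exe");
    }
}
```

If the module still references types living in the stub assembly, those references have to be fixed separately; this only restores the manifest and the entry point.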
The last thing I wanted to show you is the difference between Normal and Dynamic mode.
Normal Mode :
Dynamic Mode :
As you can see, getting the key statically is really hard in the second case. So the best way to code a tool is to invoke the Decrypt method with the right key.
If you have any question, suggestion, … please contact me on Discord: MindSystemm#4159 or by mail: firstname.lastname@example.org (I'm not using Skype anymore 😉)