ConfuserEx v1.0.0 De-obfuscation with dnSpy

Recently I downloaded an exe file from a website and wanted to look at its internal implementation, so this project got started. Here is a worked example of removing the protector it was built with: Confuser (1.0), i.e. ConfuserEx v1.0.0.

Prerequisites:

dnSpy: https://github.com/0xd4d/dnSpy/releases (use the 32-bit build, dnSpy-x86.exe, to debug a 32-bit binary and the 64-bit build for a 64-bit binary; the debugger must match the bitness of the target process)


Preparations:

We have an exe file; first, drag it into DIE (Detect It Easy) to see what it is built with.

[screenshot]

An extra wrinkle: DIE reports Enigma Virtual Box, a packer that bundles multiple files into a single executable. That wrapper has to come off before we can get at the .NET code.

Use EnigmaVBUnpacker to unpack this file.

[screenshot]

Now, as we can see, after taking off the first wrapper there is still a long way to go.

Checking each significant extracted file with DIE confirms that the main exe is obfuscated with ConfuserEx; fortunately, DownLoadFile.dll is not.

[screenshot]

I was a little confused by the name Confuser, since I had not met it before. After searching Google for several tutorials, I finally succeeded.
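As an added example (not part of the original post, and not code from DIE, dnSpy or de4dot), here is a small Python script that does the same triage as the DIE step by hand. It parses the PE headers to tell a managed (.NET) image from a native one by checking the CLR runtime header data directory (only the managed file can be opened in dnSpy; the Enigma stub around it is native), and it byte-scans for the marker strings that give these two protectors away: the ConfusedByAttribute("ConfuserEx vX.Y.Z") marker ConfuserEx stamps on the module, and the .enigma1/.enigma2 section names. The Enigma section names and the exact marker layout are assumptions made for this example, and the inputs are constructed in the block rather than real binaries.

```python
import struct

# Byte markers used as triage heuristics. These are assumptions for this added
# example (they mirror the kind of signatures DIE uses), not DIE's database.
MARKERS = {
    # ConfuserEx adds a ConfusedByAttribute("ConfuserEx vX.Y.Z") to the module.
    # The attribute name lives in the #Strings heap and the argument in the
    # #Blob heap, both as ASCII/UTF-8, so a raw byte search finds them.
    "ConfuserEx": (b"ConfusedByAttribute", b"ConfuserEx v"),
    # Enigma Virtual Box wraps the original PE and adds .enigma1/.enigma2
    # sections (assumed heuristic for this example).
    "Enigma Virtual Box": (b".enigma1", b".enigma2"),
}


def pe_is_managed(data: bytes) -> bool:
    """True if data is a PE image whose CLR runtime header directory is set."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                           # PE32
            dd_off = opt + 96
        elif magic == 0x20B:                         # PE32+
            dd_off = opt + 112
        else:
            return False
        num_rva = struct.unpack_from("<I", data, dd_off - 4)[0]
        if num_rva < 15:
            return False
        # Directory 14 = IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header).
        com_rva, com_size = struct.unpack_from("<II", data, dd_off + 14 * 8)
    except struct.error:
        return False
    return com_rva != 0 and com_size != 0


def scan_file(data: bytes) -> dict:
    """Triage report for one PE image held in memory."""
    report = {
        "is_pe": len(data) >= 0x40 and data[:2] == b"MZ",
        "managed": pe_is_managed(data),
        "protectors": [],
    }
    for name, needles in MARKERS.items():
        if all(n in data for n in needles):
            report["protectors"].append(name)
    return report


def confuserex_version(data: bytes):
    """Pull the marker text, e.g. 'ConfuserEx v1.0.0', or None if absent."""
    i = data.find(b"ConfuserEx v")
    if i < 0:
        return None
    end = i
    while end < len(data) and 0x20 <= data[end] < 0x7F:   # stop at the blob's trailing NUL
        end += 1
    return data[i:end].decode("ascii")


def build_fake_pe(managed: bool, payload: bytes = b"") -> bytes:
    """Constructed minimal PE32 image for the demo (not a runnable executable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)    # i386, 224-byte opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)        # CLR header RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + payload


# Constructed stand-ins for the three files seen in the post.
ENIGMA_STUB = build_fake_pe(False, b".enigma1\0.enigma2\0")
PROTECTED_EXE = build_fake_pe(
    True, b"ConfusedByAttribute\0" + b"\x01\x00\x11ConfuserEx v1.0.0\x00\x00")
CLEAN_DLL = build_fake_pe(True, b"DownLoadFile\0")

if __name__ == "__main__":
    for name, blob in (("packed.exe", ENIGMA_STUB), ("main.exe", PROTECTED_EXE),
                       ("DownLoadFile.dll", CLEAN_DLL)):
        print(name, scan_file(blob), confuserex_version(blob))
```

The managed-vs-native check is the one worth keeping: if the file you just unpacked still reports as native, you are looking at another wrapper, not at the .NET assembly dnSpy needs.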


Main Part:

[screenshot]

Set a breakpoint at the location shown in the screenshot.

[screenshot]

Start debugging with the options shown (dnSpy's Debug > Start Debugging dialog).

[screenshot]

Now we can see the process is interrupted at the breakpoint:

[screenshot]

From there we can dump a file. Drag it into dnSpy as well:

It still looks chaotic, but fortunately several genuine Chinese strings are now readable!

[screenshot]

That means the binary is almost de-obfuscated, but a few things remain to be cleaned up.

Use de4dot to clean up (just drag the binary onto de4dot.exe; it writes the cleaned file next to the original as name-cleaned.exe). Note that upstream de4dot has limited ConfuserEx support; the de4dot-cex fork listed below is built for it.

[screenshot]

Finally, the file is de-obfuscated. Very elegant!

[screenshot]

Reference:

How to Unpack and Deobfuscate ConfuserEx 0.6 or 1.0 (Max Settings): https://www.youtube.com/watch?v=eK3D-qgLY80

How to Unpack ConfuserEx *Easiest Method* (Max Settings): https://www.youtube.com/watch?v=X0F_-sE-6GU

de4dot-cex (de4dot fork with ConfuserEx support): https://github.com/ViRb3/de4dot-cex

de4dot: https://github.com/0xd4d/de4dot