[.NET] ConfuserEx脱壳工具打包
ConfuserEx 1.0.0脱壳步骤
Written by 今夕何夕[W.B.L.E. TeAm]
1.先用UnconfuserEx把主程序Dump出来;
2.使用CodeCracker大牛的ConfuserExStringDecryptor将加密的字符串解密;
3.使用CodeCracker大牛的ConfuserExSwitchKiller将混淆的switch分支结构解密;
4.若步骤3中解密导致程序崩溃,可以尝试ConfuserExUniversalControlFlowRemover这个工具,但是这个工具有bug,不是很推荐;
5.使用ConfuserExProxyCallFixer v2将混淆的函数名解析出来;
6.拖入de4dot去除其他混淆;
7.拖入dnspy应该能看到源码了。
资源链接参考
https://gist.github.com/Rottweiler/44fe4461a4552acf303a
实战
以炉石兄弟的2017年的最后版本为例
ConfuserExStringDecryptor.exe得到vrdtoilmab_strdec.exe
ConfuserExSwitchKiller.exe得到vrdtoilmab_strdec_deobfuscated.exe
ConfuserEx Proxy Call Fixer v2.exe得到vrdtoilmab_strdec_deobfuscated_noproxy.exe
de4dot处理得到
de4dot v3.1.41592.3405 Copyright (C) 2011-2015 [email protected]
Latest version and source code: https://github.com/0xd4d/de4dotDetected SmartAssembly 6.9.0.114 (C:\Program Files\de4dot-net35\vrdtoilmab_strdec_deobfuscated_noproxy.exe)
Cleaning C:\Program Files\de4dot-net35\vrdtoilmab_strdec_deobfuscated_noproxy.exe
WARNING: File 'C:\Program Files\de4dot-net35\vrdtoilmab_strdec_deobfuscated_noproxy.exe' contains XAML which isn't supported. Use --dont-rename.
Renaming all obfuscated symbols
Saving C:\Program Files\de4dot-net35\vrdtoilmab_strdec_deobfuscated_noproxy-cleaned.exe
ERROR:
ERROR:
ERROR:
ERROR: Hmmmm... something didn't work. Try the latest version.
需要用一个特殊版本de4dot-Reactor5.0 https://ci.appveyor.com/project/ViRb3/de4dot-cex/build/artifacts?branch=master
de4dot v3.1.41592.3405 Copyright (C) 2011-2015 [email protected]
Latest version and source code: https://github.com/0xd4d/de4dotMore than one obfuscator detected:
ConfuserEx v0.5.0-custom (use: -p crx)
SmartAssembly 6.9.0.114 (use: -p sa)
Detected SmartAssembly 6.9.0.114 (C:\workspace\clu\Downloads\de4dot-cex\vrdtoilmab_strdec_deobfuscated_noproxy.exe)
Cleaning C:\workspace\clu\Downloads\de4dot-cex\vrdtoilmab_strdec_deobfuscated_noproxy.exe
WARNING: File 'C:\workspace\clu\Downloads\de4dot-cex\vrdtoilmab_strdec_deobfuscated_noproxy.exe' contains XAML which isn't supported. Use --dont-rename.
Renaming all obfuscated symbols
Saving C:\workspace\clu\Downloads\de4dot-cex\vrdtoilmab_strdec_deobfuscated_noproxy-cleaned.exe
尝试了一下de4dot-cex,貌似可以一步做完
de4dot v3.1.41592.3405 Copyright (C) 2011-2015 [email protected]
Latest version and source code: https://github.com/0xd4d/de4dotMore than one obfuscator detected:
ConfuserEx v0.5.0-custom (use: -p crx)
SmartAssembly 6.9.0.114 (use: -p sa)
Detected SmartAssembly 6.9.0.114 (C:\workspace\clu\Downloads\de4dot-cex\vrdtoilmab.exe)
Cleaning C:\workspace\clu\Downloads\de4dot-cex\vrdtoilmab.exe
WARNING: File 'C:\workspace\clu\Downloads\de4dot-cex\vrdtoilmab.exe' contains XAML which isn't supported. Use --dont-rename.
Renaming all obfuscated symbols
Saving C:\workspace\clu\Downloads\de4dot-cex\vrdtoilmab-cleaned.exe
标签:脱壳,exe,ConfuserEx,de4dot,vrdtoilmab,strdec,NET,deobfuscated,cex From: https://www.cnblogs.com/lidabo/p/17281386.html