zoukankan      html  css  js  c++  java

  • [.NET] ConfuserEx脱壳工具打包

    [.NET] ConfuserEx脱壳工具打包

     ConfuserEx 1.0.0脱壳步骤
            Written by 今夕何夕[W.B.L.E. TeAm]

    1.先用UnconfuserEx把主程序Dump出来;
    2.使用CodeCracker大牛的ConfuserExStringDecryptor将加密的字符串解密;
    3.使用CodeCracker大牛的ConfuserExSwitchKiller将混淆的switch分支结构解密;
    4.若步骤3中解密导致程序崩溃,可以尝试ConfuserExUniversalControlFlowRemover这个工具,但是这个工具有bug,不是很推荐;
    5.使用ConfuserExProxyCallFixer v2将混淆的函数名解析出来;
    6.拖入de4dot去除其他混淆;
    7.拖入dnspy应该能看到源码了。

    资源链接参考

    https://gist.github.com/Rottweiler/44fe4461a4552acf303a

    实战

    以炉石兄弟的2017年的最后版本为例

    ConfuserExStringDecryptor.exe得到vrdtoilmab_strdec.exe

    ConfuserExSwitchKiller.exe得到vrdtoilmab_strdec_deobfuscated.exe

    ConfuserEx Proxy Call Fixer v2.exe得到vrdtoilmab_strdec_deobfuscated_noproxy.exe

    de4dot处理得到   

    de4dot v3.1.41592.3405 Copyright (C) 2011-2015 de4dot@gmail.com
    Latest version and source code: https://github.com/0xd4d/de4dot

    Detected SmartAssembly 6.9.0.114 (C:Program Filesde4dot-net35vrdtoilmab_strdec_deobfuscated_noproxy.exe)
    Cleaning C:Program Filesde4dot-net35vrdtoilmab_strdec_deobfuscated_noproxy.exe
    WARNING: File 'C:Program Filesde4dot-net35vrdtoilmab_strdec_deobfuscated_noproxy.exe' contains XAML which isn't supported. Use --dont-rename.
    Renaming all obfuscated symbols
    Saving C:Program Filesde4dot-net35vrdtoilmab_strdec_deobfuscated_noproxy-cleaned.exe
    ERROR:
    ERROR:
    ERROR:
    ERROR: Hmmmm... something didn't work. Try the latest version.

     需要用一个特殊版本de4dot-Reactor5.0  https://ci.appveyor.com/project/ViRb3/de4dot-cex/build/artifacts?branch=master

    de4dot v3.1.41592.3405 Copyright (C) 2011-2015 de4dot@gmail.com
    Latest version and source code: https://github.com/0xd4d/de4dot

    More than one obfuscator detected:
    ConfuserEx v0.5.0-custom (use: -p crx)
    SmartAssembly 6.9.0.114 (use: -p sa)
    Detected SmartAssembly 6.9.0.114 (C:workspacecluDownloadsde4dot-cexvrdtoilmab_strdec_deobfuscated_noproxy.exe)
    Cleaning C:workspacecluDownloadsde4dot-cexvrdtoilmab_strdec_deobfuscated_noproxy.exe
    WARNING: File 'C:workspacecluDownloadsde4dot-cexvrdtoilmab_strdec_deobfuscated_noproxy.exe' contains XAML which isn't supported. Use --dont-rename.
    Renaming all obfuscated symbols
    Saving C:workspacecluDownloadsde4dot-cexvrdtoilmab_strdec_deobfuscated_noproxy-cleaned.exe

    尝试了一下de4dot-cex,貌似可以一步做完

    de4dot v3.1.41592.3405 Copyright (C) 2011-2015 de4dot@gmail.com
    Latest version and source code: https://github.com/0xd4d/de4dot

    More than one obfuscator detected:
    ConfuserEx v0.5.0-custom (use: -p crx)
    SmartAssembly 6.9.0.114 (use: -p sa)
    Detected SmartAssembly 6.9.0.114 (C:workspacecluDownloadsde4dot-cexvrdtoilmab.exe)
    Cleaning C:workspacecluDownloadsde4dot-cexvrdtoilmab.exe
    WARNING: File 'C:workspacecluDownloadsde4dot-cexvrdtoilmab.exe' contains XAML which isn't supported. Use --dont-rename.
    Renaming all obfuscated symbols
    Saving C:workspacecluDownloadsde4dot-cexvrdtoilmab-cleaned.exe
  • 相关阅读:
    三年Android开发经验,挥泪整理字节跳动、微软中国凉经,你不看看吗?
    App怎么做才能永不崩溃
    做了八年的Android开发,谁不是一边崩溃,一边默默坚守!
    阿里员工年年绩效A,晒出收入后感叹:996虽然痛苦,发钱时候真香
    2021阅读书单
    不动产测绘概念
    Elasticsearch 集成
    Elasticsearch 环境
    Elasticsearch 优化
    Elasticsearch入门
  • 原文地址:https://www.cnblogs.com/chucklu/p/11396092.html
Copyright © 2011-2022 走看看