A walkthrough to deobfuscating a ConfuserEx v1.0.0-4 g3fd0d55 protected .NET application

In this blog post, I will show you how to deobfuscated a ConfuserEx protected .NET application.

Unfortunately, there is a lot of videos on YouTube about how to deobfuscate such programs but these videos are so complicated and the instructions are either convoluted or do not yield a good result.

Let’s get started.

Step 1 – Inspecting the binary

You will need to get the dnSpy tool from here: https://github.com/0xd4d/dnSpy/releases

Open the program with dnSpy (or drag and drop it):

At first inspection, we can tell there’s obfuscation due to the name of the entrypoint at line 4 (being so cryptic). Additionally, if you click on the “ConfusedTest.exe” node, you will see more attributes and the obfuscator name (ConfuserEx v1.0.0-4-g3fd0d55):

You can also r-click and select “Go to <Module>.cctor” and inspect the module constructor:

The module constructor code runs before the actual program entry point:

Here we can still see more control flow obfuscation at play.

Step 2 – Cleaning up the binary with de4dot

For this step, you need de4dot (a .NET deobfuscator). Run it from the command line as follows:

After you do this step, you should get a new executable with the “-cleaned.exe” suffix.

flower separator
batchography-good-resDo you want to master Batch Files programming? Look no further, the Batchography is the right book for you.

Available in print or e-book editions from Amazon.
flower separator

Step 3 – Decrypting strings

The ConfuserEx encrypts all the strings used by the program and therefore, we need another tool to decrypt the strings. If we r-click on the EXE (on the left-hand-side) and select “Go to Entrypoint”:

We can see the Main function and two things are clear:

  1. Strings are not in plain text
  2. and the control flow is obfuscated.

To decrypt the strings, we will use a tool called ConfuserExStringDecryptor.exe. You can find this tool on the internet (or from down below).

Drag and drop the executable we got from step 2 into the strings decryption tool then click “Decrypt”. You should get a new executable.

Inspect the new executable at the Entrypoint, and notice plaintext strings:

Step 4 – Deobfuscating the control flow graph

Now we have to deobufscate the control flow so that the code in Main looks more or less like code written by a human (and not a machine/obfuscator generated code).

For this step, we use a tool called: “ConfuserExSwitchKiller.exe“:

After successful control flow deobfuscation, if we re-inspect the Entrypoint, we can see a much cleaner code.

You have to know though, that some method names have dummy names. This is where you have to do manual refactoring to restore the function names.

Step 5 – Cleaning the program so it runs

In this step we have to cleanup some remnant code from the obfuscator. The idea here is to get rid of the code in the module’s cctor().

R-click and goto the module’s cctor(). You might observe a few function calls as above. Now R-click on the first function call and select “Edit IL instructions”:

We then have to NOP edit all of the 3 calls (NOP means: “No Operation”).

Repeat this step for each function call until the cctor() function disappears (since it has an empty body now).

Step 6 – Saving the final binary

This is the last step where we get to save our changes back to disk and have a clean / deobfuscated binary:

Just select “File / Save module” and give the binary a new name.

The newly saved binary should run if you try to run it. If you encounter problems, you might want to try saving it again but this time by tweaking some options in the “MD Writer Options” tab like so:

Final notes

The ConfuserExStringDecryptor.exe and ConfuserExSwitchKiller.exe work with I386 modules only. Therefore, if your binary was an x64 binary, you might want to save it-as an I386 program before going through Step 2 to Step 6.

Do this by tweaking the “Machine” field in the “PE” tab in the “Save Module” dialog like so:

For convenience, you can also download some of the tools used in this article from here (password = lallouslab):

You might also like:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.