A walkthrough to deobfuscating a ConfuserEx v1.0.0-4 g3fd0d55 protected .NET application

In this blog post, I will show you how to deobfuscate a ConfuserEx-protected .NET application.

Unfortunately, there are a lot of videos on YouTube about how to deobfuscate such programs, but they are complicated, and the instructions are either convoluted or do not yield a good result.

Let’s get started.

Step 1 – Inspecting the binary

You will need to get the dnSpy tool from here: https://github.com/0xd4d/dnSpy/releases

Open the program with dnSpy (or drag and drop it):

At first inspection we can tell the program is obfuscated because the name of the entry point at line 4 is so cryptic. Additionally, if you click on the “ConfusedTest.exe” node, you will see more attributes, including the ConfusedBy attribute that ConfuserEx leaves in the assembly, which carries the obfuscator name and version (ConfuserEx v1.0.0-4-g3fd0d55):


Windows Error Reporting – Local crash dump collection – Graphical tool

According to Microsoft, the Windows Error Reporting feature is defined as follows:

The error reporting feature enables users to notify Microsoft of application faults, kernel faults, unresponsive applications, and other application specific problems. Microsoft can use the error reporting feature to provide customers with troubleshooting information, solutions, or updates for their specific problems. Developers can use this infrastructure to receive information that can be used to improve their applications.

When a program crashes on Windows and does not handle the exception itself (for example with its own exception handler and crash dump writer), the Windows Error Reporting tool usually creates a crash dump and then queues it for upload to Microsoft.

The Windows Error Reporting tool can be configured to keep the crash dumps locally instead of queuing them for upload. The following document explains how.

In short, you have to add the following registry values. The example below writes full memory dumps (DumpType 2) of <program_name>.exe to C:\temp (the hex(2) value is the REG_EXPAND_SZ string "C:\temp") and keeps up to 256 (0x100) of them:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\<program_name>.exe]
"DumpFolder"=hex(2):43,00,3a,00,5c,00,74,00,65,00,6d,00,70,00,00,00
"DumpCount"=dword:00000100
"DumpType"=dword:00000002

Editing the registry by hand is error-prone, so I wrote a simple open-source graphical utility that makes the registry changes on your behalf.

WerFault GUI Tool

The graphical tool is very simple, but let me explain a few things.

WerFault supports three crash dump types: custom, mini or full memory dumps. Only when the custom dump type is selected can you specify additional custom dump flags (the CustomDumpFlags registry value, a MINIDUMP_TYPE bit mask) for WerFault; the custom flags are for advanced users.

In most cases it is advised to select the “Full dump” option because it captures the whole process memory, which is what you usually need for debugging. Keep in mind that a full dump therefore also contains any secrets the process held in memory (credentials, keys, session tokens), so restrict access to the dump folder. Finally, the dump count option lets you specify how many crash dumps to keep around; once the limit is reached, WER replaces the oldest dump with the new one.
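If you prefer a script over the GUI, the following PowerShell does the same registry work. This is an added example, not the WerFault GUI tool's code: the function names Set-LocalDump, Get-LocalDump and Remove-LocalDump are mine, and it assumes an elevated shell because the LocalDumps key lives under HKLM. The registry value names and the DumpType codes (0 = custom, 1 = mini, 2 = full) are the ones Microsoft documents.

```powershell
# Added example (not the post's own tool): script equivalent of the GUI's
# "add/update" and "delete" buttons. Run from an elevated PowerShell prompt.
$LocalDumpsRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'

function Get-LocalDump {
    # Reads back the per-program configuration so a change can be verified.
    param([Parameter(Mandatory)] [string] $ProgramName)
    $key = Join-Path $LocalDumpsRoot $ProgramName
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key   # REG_EXPAND_SZ values come back already expanded
    [pscustomobject]@{
        Program         = $ProgramName
        DumpFolder      = $p.DumpFolder
        DumpCount       = $p.DumpCount
        DumpType        = @{ 0 = 'Custom'; 1 = 'Mini'; 2 = 'Full' }[[int]$p.DumpType]
        CustomDumpFlags = $p.CustomDumpFlags
    }
}

function Set-LocalDump {
    # Adds or updates the LocalDumps entry for one executable (file name, not a path).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ProgramName,           # e.g. 'crash.exe'
        [string] $DumpFolder = 'C:\temp',                       # may contain %VARS%, stored as REG_EXPAND_SZ
        [ValidateRange(1, 2147483647)] [int] $DumpCount = 256,  # 0x100, as in the .reg fragment above
        [ValidateSet('Custom', 'Mini', 'Full')] [string] $DumpType = 'Full',
        [int] $CustomDumpFlags = 0                              # MINIDUMP_TYPE bit mask; only used for Custom
    )
    $typeCode = @{ Custom = 0; Mini = 1; Full = 2 }[$DumpType]

    if (-not (Test-Path $LocalDumpsRoot)) { $null = New-Item -Path $LocalDumpsRoot }
    $key = Join-Path $LocalDumpsRoot $ProgramName
    $null = New-Item -Path $key -Force   # -Force makes this an update when the key already exists

    New-ItemProperty -Path $key -Name DumpFolder -Value $DumpFolder -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpCount  -Value $DumpCount  -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpType   -Value $typeCode   -PropertyType DWord        -Force | Out-Null

    if ($DumpType -eq 'Custom') {
        New-ItemProperty -Path $key -Name CustomDumpFlags -Value $CustomDumpFlags -PropertyType DWord -Force | Out-Null
    } else {
        # WER ignores CustomDumpFlags unless DumpType is 0, but do not leave stale flags behind
        Remove-ItemProperty -Path $key -Name CustomDumpFlags -ErrorAction SilentlyContinue
    }

    # The crashing process must be able to write to the folder, so create it up front.
    $expanded = [Environment]::ExpandEnvironmentVariables($DumpFolder)
    if (-not (Test-Path $expanded)) { $null = New-Item -ItemType Directory -Path $expanded }

    Get-LocalDump -ProgramName $ProgramName
}

function Remove-LocalDump {
    # Deletes the per-program entry; global LocalDumps settings (if any) are left alone.
    param([Parameter(Mandatory)] [string] $ProgramName)
    $key = Join-Path $LocalDumpsRoot $ProgramName
    if (Test-Path $key) { Remove-Item -Path $key -Recurse }
}

# Usage: configure full dumps for the test crasher, then check the result.
Set-LocalDump -ProgramName 'crash.exe' -DumpFolder 'C:\temp' -DumpCount 256 -DumpType Full
Get-LocalDump -ProgramName 'crash.exe'
```

After a crash, WER names the file after the process and its PID (for example crash.exe.1234.dmp), so `Get-ChildItem C:\temp\crash.exe.*.dmp` is the quickest check that the configuration took effect. Remember that the settings only apply to crashes that reach WER; a program that catches the exception itself never produces a dump this way.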

There are two blue buttons that allow you to add or update an entry and to delete an entry. That’s it!

In the downloaded package, there’s an executable called crash.exe that you can use for testing.