A walkthrough to deobfuscating a ConfuserEx v1.0.0-4 g3fd0d55 protected .NET application

In this blog post, I will show you how to deobfuscate a ConfuserEx-protected .NET application.

Unfortunately, there are a lot of videos on YouTube about how to deobfuscate such programs, but they are overly complicated and their instructions are either convoluted or do not yield a good result.

Let’s get started.

Step 1 – Inspecting the binary

You will need to get the dnSpy tool from here: https://github.com/0xd4d/dnSpy/releases

Open the program with dnSpy (or drag and drop it):

At first inspection, we can tell the binary is obfuscated because the name of the entry point at line 4 is so cryptic. Additionally, if you click on the “ConfusedTest.exe” node, you will see more attributes and the obfuscator name (ConfuserEx v1.0.0-4-g3fd0d55):

Can you solve this puzzle?

I got this silly puzzle via chain mail:

Can you solve it?

Maybe you will be able to, but don’t beat yourself up if you don’t get it right.

Batchography: Detect Windows Language

To detect the Windows Operating system language, it is enough to query the registry. We use the “reg query” command and then parse the output.

@echo off

setlocal

:: https://docs.microsoft.com/en-us/previous-versions/office/developer/speech-technologies/hh361638(v=office.14)

for /F "usebackq tokens=3" %%a IN (`reg query "hklm\system\controlset001\control\nls\language" /v Installlanguage`) DO (
  set lang_id=%%a
)
:: 0409 English ; 0407 German ; 040C French ; 0C0A Spanish

if "%lang_id%"=="0409" (
  echo English detected
) else if "%lang_id%"=="040C" (
  echo French detected
) else (
  echo Note: Unknown language ID %lang_id%!
)

echo LangID=%lang_id%

You can learn about advanced Batch scripting techniques in the Batchography book.

Apple’s Measure App

If you have iOS 12+ then you should try Apple’s Measure app. It is really handy.

You can measure:

  • Bookshelves
  • Picture frames
  • Window sizes
  • Door sizes
  • etc…

Evernote: 7 easy steps to editing an Evernote note created by another program

If you used Evernote before with 3rd-party apps such as Livescribe’s SmartPens then you might have encountered the message:

This note was created in another application

To edit this note, open it in the app where it was created.

And because of that it is not possible to edit the note directly.

Evernote: Importing multiple (batch import) exported (ENEX) notes

If you have used Evernote’s graphical interface, you might have noticed that you can only import a single note at a time. In this article I am going to show you how to import multiple notes at once into Evernote.

Evernote ships with a command line tool that is suitable for scripting (ENScript). By default, on Windows, it is installed in: C:\Program Files (x86)\Evernote\Evernote\ENScript.exe

Open the command prompt and type:

Batchography: Parsing INI files from a Batch file

Oftentimes you might want to write Batch file scripts to automate system administration tasks, and in addition you might want to pass configuration files to your Batch scripts.

This article, inspired by the Batchography book, shows you how to parse INI files and retrieve values from a given section and key.

Quick background

An INI file (or initialization file) is a text file that has the following format:

; comment

[section_name1]
Key1Name=Value1
.
.
.
[section_name2]
Key1Name=Value1
Key2Name=Value2
.
.
.

In the MS Windows operating system, a C/C++ programmer can read/write values from the INI files using the following APIs:

But can we do the same using Batch files?

Yes, and in the next section we show you how to read values from an INI file.
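As an added example (not code from the Batchography book or the original post), the following script reads one key from a given section of an INI file using only for /F and string substitution; the file name settings.ini, its [database] section and the key host=db.local used in the usage line are constructed for illustration. It skips ; comments, keeps values that themselves contain “=”, and preserves “!” characters by avoiding delayed expansion.

```batch
@echo off
setlocal

:: getini.bat - print the value of <key> in [<section>] of <ini-file>.
:: Usage (constructed sample file): getini.bat settings.ini database host
:: Exit code: 0 = found (value printed), 1 = not found, 2 = bad arguments
if "%~3"=="" (
  echo Usage: %~nx0 ^<ini-file^> ^<section^> ^<key^>
  exit /b 2
)
if not exist "%~1" (
  echo Error: file not found: "%~1"
  exit /b 2
)
set "ini_file=%~1"
set "want_section=%~2"
set "want_key=%~3"
set "in_section=0"
set "found=0"
set "result="

:: eol=; skips comment lines. delims== with tokens=1,* splits each line at
:: the first '=' only, so a value that itself contains '=' stays whole in %%b.
:: Each line goes to a subroutine instead of a delayed-expansion block so
:: that a '!' in a key or value is not stripped.
for /F "usebackq eol=; tokens=1,* delims==" %%a in ("%ini_file%") do (
  call :handle_line "%%a" "%%b"
)
if "%found%"=="1" (
  echo(%result%
  exit /b 0
)
echo Key "%want_key%" not found in section [%want_section%]
exit /b 1

:handle_line
set "line=%~1"
if not "%line:~0,1%"=="[" goto :keyline
:: section header: strip the surrounding brackets and compare (case-insensitive)
set "section=%line:~1,-1%"
set "in_section=0"
if /I "%section%"=="%want_section%" set "in_section=1"
goto :eof
:keyline
if not "%in_section%"=="1" goto :eof
if /I not "%line%"=="%want_key%" goto :eof
set "result=%~2"
set "found=1"
goto :eof
```

Whitespace around “=” is not trimmed, so keys and values are matched exactly as written in the file.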

3 Easy steps to interactively debug Go code with Visual Studio Code in Windows

If you are like me, then you like to be able to write and develop code from the same integrated environment. Microsoft’s Visual Studio is my favorite IDE. Not long ago, Microsoft released a new free editor called VS Code. It is a powerful editor that is highly configurable and customizable (with extensions).

In this blog post, I am going to illustrate how to set up VS Code in order to debug source code written in the Go language.

Step 1 – Installing the Go language support

First, install the Go language on your computer from here: https://golang.org/dl/

If you did not install VS Code before, install it from here: https://code.visualstudio.com/Download

From inside VS Code, install the Go language extension by clicking on the extensions icon and then searching for “Go” and installing it.

Press the “Reload” button once the extension is installed.

Shuffling function addresses in C/C++ with MSVC

The Microsoft C/C++ compiler allows you to specify link order of functions or variables. Using the #pragma directive with either code_seg or data_seg and specifying the segment name and its sorting key, you can tell the linker how to place the object code in the final executable.

Let’s start with a simple example:

#include <stdio.h>

/* Each function goes into the ".text" section; the part after the "$"
   is a sort key, so the linker orders them f3, f2, f1 regardless of
   their order in the source file. */
#pragma code_seg(push, ".text$EB009")
__declspec(noinline) void f1()
{
    printf("this is f1()\n");
}
#pragma code_seg(pop)


#pragma code_seg(push, ".text$EB005")
__declspec(noinline) void f2()
{
    printf("this is f2()\n");
}
#pragma code_seg(pop)


#pragma code_seg(push, ".text$EB001")
__declspec(noinline) void f3()
{
    printf("this is f3()\n");
}
#pragma code_seg(pop)

int main()
{
    f1();
    f2();
    f3();
    return 0;
}

When the code_seg pragma is used, we can specify where the subsequent code should lie (in which section of the PE file). When the section name contains a “$” sign, the text after it is not part of the section name (which is the string before the “$”); instead, the linker uses it as a sorting key.

Batchography: Batch files and Unicode

Recently, I had to update my popular utility that resets NTFS file permissions to support Unicode paths. I had to investigate how to add Unicode support to Batch scripts. It seems that this was a topic I forgot to add to my comprehensive Batch files programming book.

This article is the result of my investigation, in which I am going to show you how to add Unicode support to your Batch file scripts in 3 easy steps.

Batchography: Embedding Python scripts in your Batch file script

I keep writing about Batch programming, so it is obvious by now that Batch files programming has become one of my favorite activities. Every time I have to write a quick script to automate a task, I reach first for the Batch files programming language. If that does not do the job, I use the Python programming language, and if that fails, I go for C/C++ before resorting to assembly language.

Now, what about combining the two languages to achieve what you want?

That’s today’s topic. It is an excerpt from Chapter 4 in the Batchography book.

7 DLL injection techniques in Microsoft Windows

In this article, I am going to list half a dozen DLL injection techniques that can be used by a user-mode process running on MS Windows. There could be more techniques, but I am sharing with you the techniques that I have had first-hand experience with.

1. AppInit_DLLs

People used to rely on the AppInit_DLLs registry key. The OS loader queries this value and loads the DLLs specified there when a process is created. I have not used this technique in a long while (the last time I used it was on Windows XP), and I heard it is now restricted or discontinued because it was widely used by malware.

2. SetWindowsHookEx API

The SetWindowsHookEx API installs an application-defined hook procedure into a given hook chain. There are various supported hook chains (CBT, Journal, Window messages, keyboard, mouse, etc).

When using the SetWindowsHookEx API, you are instructing the operating system to inject your custom hook DLL into other processes where it is relevant. Windows hooks only work in processes that import / use functionality from USER32.dll.

Takeaways from the Defensive Driving Course

Recently, I took the 6-session defensive driving course. The following are some of the notes I extracted from the course that I would like to share with you:

There was a lot of information in the course; I highly recommend taking it! You can download the notes as a single PDF file from here:

(The PDF was created using the free Pic2Pdf tool)

The defensive driving formula
