A walkthrough to deobfuscating a ConfuserEx v1.0.0-4 g3fd0d55 protected .NET application

In this blog post, I will show you how to deobfuscate a ConfuserEx-protected .NET application.

Unfortunately, there are a lot of videos on YouTube about how to deobfuscate such programs, but these videos are overly complicated and the instructions are either convoluted or do not yield a good result.

Let’s get started.

Step 1 – Inspecting the binary

You will need to get the dnSpy tool from here: https://github.com/0xd4d/dnSpy/releases

Open the program with dnSpy (or drag and drop it):

At first inspection, we can tell there’s obfuscation due to the name of the entrypoint at line 4 (being so cryptic). Additionally, if you click on the “ConfusedTest.exe” node, you will see more attributes and the obfuscator name (ConfuserEx v1.0.0-4-g3fd0d55):


15 Useful Batch files programming recipes

In the Batchography book, I cover basic to advanced Batch file programming topics. Since the book was published in 2016, I have kept blogging about the Batch programming language.

Here’s a collection of some useful recipes:

  1. Check if the script is running as an Administrator
  2. String substitution
  3. Number counting
  4. Batch files and Unicode
  5. Read from a text file, one line at a time
  6. Switch/case in Batch files
  7. Auto reinterpret/compile changed files
  8. Reading from a file
  9. Tokenizing command output
  10. Polyglot: Python and Batch files
  11. Polyglot: Batch file + self compiling C++
  12. Embedding binaries inside Batch files
  13. Interactive Batch files
  14. Writing a game – The Hangman
  15. Batchography: Parsing INI files from a Batch file

 

Do you want to master Batch Files programming? Look no further, the Batchography is the right book for you.

Available in print or e-book editions from Amazon.


Batchography: what happens when you redirect ‘cls’ to a file?

Let’s assume you have a Batch file (test.bat) with the following contents:

@echo off
echo 1
cls
echo 2

And then you run this Batch file and redirect its output to a text file called “out.txt”:

C:\>test.bat >out.txt

What do you think the output would be?

At first, I thought it would be:

1
2

But little did I know that when ‘cls’ is invoked in a context where stdout is redirected to a file, a form feed character (0x0C) is emitted instead:

I was curious, so I disassembled ‘cmd.exe’ to verify my findings. Lo and behold, indeed, ‘cmd.exe’ does that:

int __stdcall eCls(struct cmdnode *a1)
{
  HANDLE hStdOut;
  HANDLE v2;
  SMALL_RECT ScrollRectangle; 
  COORD dwDestinationOrigin;
  CHAR_INFO Fill;
  struct _CONSOLE_SCREEN_BUFFER_INFO ConsoleScreenBufferInfo;

  if ( FileIsDevice((char *)1) )
  {
    hStdOut = GetStdHandle(STD_OUTPUT_HANDLE);
    if ( GetConsoleScreenBufferInfo(hStdOut, &ConsoleScreenBufferInfo) )
    {
      dwDestinationOrigin.Y = -ConsoleScreenBufferInfo.dwSize.Y;
      dwDestinationOrigin.X = 0;
      *(_DWORD *)&ScrollRectangle.Left = 0;
      ScrollRectangle.Bottom = ConsoleScreenBufferInfo.dwSize.Y;
      ScrollRectangle.Right = ConsoleScreenBufferInfo.dwSize.X;
      Fill.Char.UnicodeChar = 32;
      Fill.Attributes = ConsoleScreenBufferInfo.wAttributes;
      ScrollConsoleScreenBufferW(hStdOut, &ScrollRectangle, 0, dwDestinationOrigin, &Fill);
      ConsoleScreenBufferInfo.dwCursorPosition = 0;
      v2 = GetStdHandle(0xFFFFFFF5);
      SetConsoleCursorPosition(v2, 0);
    }
    else
    {
      cmd_printf(page_feed);
    }
  }
  else
  {
    cmd_printf(page_feed);
  }
  return 0;
}

(The two cmd_printf(page_feed) calls are of interest: both the non-device branch and the failed GetConsoleScreenBufferInfo branch print the form feed instead of clearing a screen.)

In conclusion, be aware if you redirect a Batch file to another file and compare the result. If the Batch file uses CLS, you have to account for the form feed character showing up!
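As an added illustration that is not part of the original post, the following Python 3 snippet shows the comparison pitfall concretely. The captured bytes are constructed to mimic what test.bat >out.txt leaves in out.txt (CRLF line endings, and the form feed from cls between the two echoes). Note that a naive str.splitlines() actually treats 0x0C as a line boundary, so the cls shows up as a spurious empty line; the comparison only works once the form feeds are stripped first.

```python
from typing import List

# Constructed sample of what `test.bat >out.txt` leaves in out.txt:
# "echo 1", then the form feed (0x0C) emitted by cls, then "echo 2".
# cmd.exe writes CRLF line endings.
CAPTURED_OUT_TXT = b"1\r\n\x0c2\r\n"

FORM_FEED = b"\x0c"


def count_form_feeds(data: bytes) -> int:
    """How many cls markers (form feed characters) the captured output contains."""
    return data.count(FORM_FEED)


def naive_lines(data: bytes) -> List[str]:
    """The tempting but wrong way: Python's splitlines() treats 0x0C as a
    line boundary, so every cls becomes an extra empty line."""
    return data.decode("ascii", errors="replace").splitlines()


def normalize_batch_output(data: bytes) -> List[str]:
    """Strip the cls form feeds first, then split on CRLF/LF only."""
    text = data.replace(FORM_FEED, b"").decode("ascii", errors="replace")
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # drop the empty piece that follows the final newline
    return lines


def outputs_match(captured: bytes, expected_lines: List[str]) -> bool:
    """Compare redirected Batch output against the lines you expected to see."""
    return normalize_batch_output(captured) == expected_lines


if __name__ == "__main__":
    print("form feeds:", count_form_feeds(CAPTURED_OUT_TXT))
    print("naive split:", naive_lines(CAPTURED_OUT_TXT))
    print("normalized:", normalize_batch_output(CAPTURED_OUT_TXT))
    print("matches [1, 2]:", outputs_match(CAPTURED_OUT_TXT, ["1", "2"]))
```

The same normalisation applies whenever a test harness diffs the redirected output of a Batch script: strip (or count) the form feeds before comparing, otherwise a single cls makes an otherwise identical run look different.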

Apple’s Measure App

If you have iOS 12+ then you should try Apple’s Measure app. It is really handy.

You can measure:

  • Bookshelves
  • Picture frames
  • Window sizes
  • Door sizes
  • etc…



Riddle: How many brothers and sisters are there in this family? (Z3 Theorem prover)

The other day, I ran into a riddle:

A brother said to his sister: “I have as many sisters as brothers”
His sister replied: “I have twice as many brothers as I have sisters”

How many brothers and sisters exist in this family?

I figured that it’s a nice exercise for the Z3 theorem prover. All I had to do was express the riddle as a series of constraints and ask Z3 to find a solution.

The following is a Z3Py program that expresses the riddle:

import z3

# Create a solver instance
s = z3.Solver()

# Create two integer variables for the total number of males and females (m and f)
m, f = z3.Ints('m f')

# The brother said: I have as many brothers as sisters
# (he has m - 1 brothers and f sisters)
s.add(m - 1 == f)

# The sister said: I have twice as many brothers as I have sisters
# (she has m brothers and f - 1 sisters)
s.add(2 * (f - 1) == m)

# Check for a solution (print() works in both Python 2 and 3)
if s.check() == z3.sat:
    sol = s.model()
    print("Brothers: %d, Sisters: %d" % (sol[m].as_long(), sol[f].as_long()))
else:
    print("No solution found")

When we run the solver, we get the following solution: 4 males, 3 females.

If you prefer the good old systems of equations, we can solve it like this:

The brother said:
m - 1 = f          (1)

The sister said:
2 * (f - 1) = m    (2)


So we have 2 equations, let's do some substitution:

-> f = m - 1        (1)
-> 2f - 2 = m       (2)

--> m = 2f - 2      (2)
--> f = 2f - 2 - 1  (1)
--> f = 2f - 3
--> f - 2f = -3
--> -f = -3
--> f = 3

--> m = 2f - 2
--> m = 2*3 - 2
--> m = 6 - 2
--> m = 4

 


Batchography: Batch script to automatically recompile or run a script interpreter

Hello,

In a previous blog post, I showed you how to write a polyglot Batch file that is both a Batch script and a C++ source file. When the Batch file is executed, it compiles itself (as C++). In this blog post I am going to show you how to write a Batch file script that polls the file system periodically to see if a given input file has changed and, if so, invokes the compiler or interpreter of your choice.

This concept is similar to what the Compiler Explorer does actually.

I am going to write a small script that keeps running your Python script automatically in a separate console window the moment you save the script in your editor. Check the script in action:


Evernote: 7 easy steps to editing an Evernote note created by another program

If you used Evernote before with 3rd-party apps such as Livescribe’s SmartPens then you might have encountered the message:

This note was created in another application

To edit this note, open it in the app where it was created.

And because of that it is not possible to edit the note directly.

Evernote: Importing multiple (batch import) exported (ENEX) notes

If you used Evernote's graphical interface, you might have noticed that you can only import a single note at a time. In this article I am going to show you how to import multiple notes at once into Evernote.

Evernote ships with a command line tool that is suitable for scripting (ENScript). By default, on Windows, it is installed in: C:\Program Files (x86)\Evernote\Evernote\ENScript.exe

Open the command prompt and type:

Compiler Explorer – An online tool to test compilers

The compiler explorer is a very handy tool for testing compiler behaviors and the generated assembly code online. It was created by Matt Godbolt (and others).

An instance of the compiler explorer is hosted here https://godbolt.org/.

You can also host it on your own if you wish. Grab its sources from GitHub.


WordPress’ Gutenberg Editor

Of Mountains & Printing Presses

The goal of this new editor is to make adding rich content to WordPress simple and enjoyable. This whole post is composed of pieces of content—somewhat similar to LEGO bricks—that you can move around and interact with. Move your cursor around and you’ll notice the different blocks light up with outlines and arrows. Press the arrows to reposition blocks quickly, without fearing about losing things in the process of copying and pasting.

What you are reading now is a text block, the most basic block of all. The text block has its own controls to be moved freely around the post…

… like this one, which is right aligned.

Headings are separate blocks as well, which helps with the outline and organization of your content.

A Picture is worth a Thousand Words

Handling images and media with the utmost care is a primary focus of the new editor. Hopefully, you’ll find aspects of adding captions or going full-width with your pictures much easier and robust than before.

Beautiful landscape
If your theme supports it, you’ll see the “wide” button on the image toolbar. Give it a try.

Try selecting and removing or editing the caption, now you don’t have to be careful about selecting the image or other text by mistake and ruining the presentation.

Batchography: Parsing INI files from a Batch file

Often times you might want to write Batch file scripts to automate system administration tasks, and in addition to that you might want to pass configuration files to your Batch scripts.

This article, inspired by the Batchography book, shows you how to parse INI files and retrieve values from a given section and key.

Quick background

An INI file (or initialization file) is a text file that has the following format:

; comment

[section_name1]
Key1Name=Value1
.
.
.
[section_name2]
Key1Name=Value1
Key2Name=Value2
.
.
.

In the MS Windows operating system, a C/C++ programmer can read/write values from the INI files using the following APIs:

But can we do the same using Batch files?

Yes, and in the next section, we show you how to read values from the INI file.
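The Batch version is what the full article covers. As an added example that is not from the Batchography article, the following Python 3 reader performs the same section/key lookup over the format described above: comment lines starting with ';', [section] headers, and Key=Value pairs with optional surrounding whitespace. Section and key names are compared case-insensitively here, which is a choice made for this example; the sample INI text is constructed.

```python
from typing import Dict, Optional

# Constructed sample INI text in the layout described above.
SAMPLE_INI = """\
; comment

[section_name1]
Key1Name=Value1

[section_name2]
Key1Name = Value1
Key2Name=Value2
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; names are lower-cased for lookup."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # a key before any section header, or a stray line
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def get_ini_value(text: str, section: str, key: str,
                  default: Optional[str] = None) -> Optional[str]:
    """Look up one key in one section, case-insensitively, with a default."""
    return parse_ini(text).get(section.lower(), {}).get(key.lower(), default)


if __name__ == "__main__":
    print(get_ini_value(SAMPLE_INI, "section_name2", "Key1Name"))
    print(get_ini_value(SAMPLE_INI, "section_name1", "Missing", "n/a"))
```

Keys that appear before any [section] header are ignored rather than guessed into a section, and a duplicated key within a section keeps the last value seen.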

3 Easy steps to interactively debug Go code with Visual Studio Code in Windows

If you are like me, then you like to be able to write and develop code from the same integrated environment. Microsoft’s Visual Studio is my favorite IDE. Not long ago, Microsoft released a new free editor called VS Code. It is a powerful editor that is highly configurable and customizable (with extensions).

In this blog post, I am going to illustrate how to set up VS Code in order to debug source code written in the Go language.

Step 1 – Installing the Go language support

First, install the Go language on your computer from here: https://golang.org/dl/

If you did not install VS Code before, install it from here: https://code.visualstudio.com/Download

From inside VS Code, install the Go language extension by clicking on the extensions icon and then searching for “Go” and installing it.

Press the “Reload” button once the extension is installed.

Windows Error Reporting – Local crash dump collection – Graphical tool

According to Microsoft, the Windows Error Reporting feature is defined as follows:

The error reporting feature enables users to notify Microsoft of application faults, kernel faults, unresponsive applications, and other application specific problems. Microsoft can use the error reporting feature to provide customers with troubleshooting information, solutions, or updates for their specific problems. Developers can use this infrastructure to receive information that can be used to improve their applications.

When a program crashes in Windows, if it did not have built-in exception handling and crash dump generation, the Windows Error Reporting tool usually creates a crash dump and then queues it for upload to Microsoft.

The Windows Error Reporting tool can be configured in such a way to collect the crashes locally instead of queuing them for upload. The following document explains how.

In short, you have to add the following registry values:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\<program_name>.exe]
"DumpFolder"=hex(2):43,00,3a,00,5c,00,74,00,65,00,6d,00,70,00,00,00
"DumpCount"=dword:00000100
"DumpType"=dword:00000002
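The hex(2) value above is a REG_EXPAND_SZ string stored as UTF-16LE bytes with a NUL terminator, which is hard to read by eye. As an added example that is not part of the original post or its tool, the following Python 3 helpers decode and encode that form (the sample above decodes to C:\temp), read the dword values (0x100 is 256 kept dumps), and generate the same kind of .reg fragment for another executable; crash.exe is used as the sample program name and the DumpType codes (0 custom, 1 mini, 2 full) follow the three dump types the tool exposes.

```python
from typing import Dict

# DumpType codes for the three dump kinds: custom, mini, full.
DUMP_TYPES: Dict[str, int] = {"custom": 0, "mini": 1, "full": 2}

LOCALDUMPS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                  r"\Windows Error Reporting\LocalDumps")


def decode_reg_hex2(hex_list: str) -> str:
    """Decode a .reg 'hex(2):' value (REG_EXPAND_SZ, UTF-16LE, NUL-terminated)."""
    raw = bytes(int(part, 16) for part in hex_list.split(","))
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def encode_reg_hex2(value: str) -> str:
    """Inverse of decode_reg_hex2: UTF-16LE bytes plus terminator, comma-separated."""
    raw = (value + "\x00").encode("utf-16-le")
    return ",".join(f"{b:02x}" for b in raw)


def decode_reg_dword(dword_text: str) -> int:
    """'dword:00000100' -> 256."""
    return int(dword_text.split(":", 1)[1], 16)


def build_localdumps_reg(program: str, dump_folder: str,
                         dump_count: int, dump_type: str) -> str:
    """Produce the .reg text for one program's LocalDumps entry."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{LOCALDUMPS_KEY}\\{program}]",
        f'"DumpFolder"=hex(2):{encode_reg_hex2(dump_folder)}',
        f'"DumpCount"=dword:{dump_count:08x}',
        f'"DumpType"=dword:{DUMP_TYPES[dump_type]:08x}',
        "",
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(decode_reg_hex2("43,00,3a,00,5c,00,74,00,65,00,6d,00,70,00,00,00"))
    print(decode_reg_dword("dword:00000100"))
    print(build_localdumps_reg("crash.exe", "C:\\temp", 256, "full"))
```

Because the dump folder is REG_EXPAND_SZ, environment variables such as %LOCALAPPDATA% in the folder string are expanded by Windows when the value is read; the helpers above store the string verbatim.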

Tweaking the registry manually is often not the best thing to do, therefore I wrote a simple open-source graphical utility that does the registry modification on your behalf.

WerFault GUI Tool

The graphical tool is very simple, but let me explain a few things.

WerFault supports three crash dump types: custom, mini or full memory dumps. Only when the custom dump type is selected can you specify additional custom dump flags for WerFault. The custom flags are for advanced users.

In most cases it is advised to select the “Full dump” option because it captures lots of information needed for debugging. And finally, the dump count option lets you specify how many crash dumps to keep around.

There are two blue buttons that allow you to add or update an entry and to delete an entry. That’s it!

In the downloaded package, there’s an executable called crash.exe that you can use for testing.