Patch Confuser Without Reflector

April 19, 2017 | Author: aaaa1212aaaa | Category: N/A

PATCH CONFUSER WITHOUT REFLECTOR By Predator www.nexenteam.net

Protection: Confuser 1.9, maximum protection
Target: Defeat the anti-tamper protection of the crackme Spezzacuori (in this archive) and patch it.
Tools:
- Simple MSIL Decryptor
- Universal Fixer
- SAE
- CFF Explorer
- DotNet Tracer (optional, for quickly finding where to patch)

Open the exe with Simple MSIL Decryptor and make sure you check LoadLibrary,

press Decrypt, and now we have CrackMe_msil.exe. The exe still doesn't run, though; we must fix more before it works.

Then open it with Universal Fixer, keep the default options, and press [Fix assembly].

Now we have CrackMe_msil_fix.exe, which still does not work because we must fix the anti-tamper protection. Open it with SAE (Simple Assembly Explorer): in Search, select "String", enter the words "Broken file", and in the left panel select "ConfusedByAttribute", as in this image:

Press [Next] and we find the string.

Now we must take the RVA of the first instruction of this method. There are two ways.

First way:
- Move to the first line of code and hover the mouse over the second colon next to "L_0000": a tooltip shows the RVA 0x54f9a.

Second way:
- Select the General tab and look at this:

We see RVA: 0x54f8e. We add the hex value 0xC (12 decimal), which is the size of the fat method header, and get 0x54f9a.

Now we go to defeat the anti-tamper protection: open CrackMe_msil_fix.exe with CFF Explorer and go to Address Converter. In the RVA box, put the value just calculated, 54f9a, and press enter. CFF shows the exact file offset of the anti-tamper method.
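The two steps above (adding the 0xC fat-header size to the method RVA, then turning that RVA into a file offset with CFF Explorer's Address Converter) are both plain PE/CLI format arithmetic, and it is worth seeing what the tool does for you. The Python below is an added example, not part of the original tutorial or of any tool it names: it walks the PE section table to map an RVA to a file offset, then reads the CLI method header to find the first IL byte, taking the header size from the header itself rather than assuming 0xC, so tiny 1-byte headers are handled as well as fat ones. It runs against a minimal PE image constructed in the code; that image, its section layout, RVAs and offsets are assumptions for the demonstration, not values from the crackme.

```python
import struct
from typing import Tuple

# Constructed sample, not taken from the page: a minimal PE32 image with one
# section (.text at RVA 0x2000, raw offset 0x200) holding two IL methods, one
# with a fat header and one with a tiny header, so the helpers run offline.
def build_sample_pe() -> bytes:
    image = bytearray(0x300)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)             # e_lfanew
    image[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0xE0 for PE32), Characteristics
    struct.pack_into("<HHIIIHH", image, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    sec = coff + 20 + 0xE0                                 # first section header
    image[sec:sec + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", image, sec + 8, 0x100, 0x2000, 0x100, 0x200)
    # Fat method header at file offset 0x200 (RVA 0x2000):
    #   byte 0: 0x13 = CorILMethod_FatFormat (0x3) | CorILMethod_InitLocals (0x10)
    #   byte 1: 0x30 = header size 3 DWORDs (12 bytes) in the high nibble
    #   MaxStack = 8, CodeSize = 2, LocalVarSigTok = 0
    struct.pack_into("<BBHII", image, 0x200, 0x13, 0x30, 8, 2, 0)
    image[0x20C:0x20E] = bytes([0x16, 0x2A])               # ldc.i4.0 ; ret
    # Tiny method header at file offset 0x210 (RVA 0x2010):
    #   0x0A = CorILMethod_TinyFormat (0x2) | code size 2 in bits 2..7
    image[0x210] = 0x0A
    image[0x211:0x213] = bytes([0x16, 0x2A])               # ldc.i4.0 ; ret
    return bytes(image)


def rva_to_offset(pe: bytes, rva: int) -> int:
    """Map an RVA to a file offset by walking the PE section table
    (the conversion CFF Explorer's Address Converter performs)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        hdr = table + i * 40
        _vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        # Only bytes backed by raw data have a file offset; anything beyond
        # SizeOfRawData is zero-filled by the loader and is not in the file.
        if vaddr <= rva < vaddr + rawsize:
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section's raw data")


def il_body_offset(pe: bytes, method_rva: int) -> Tuple[int, int]:
    """Return (file offset of the first IL instruction, IL code size) for the
    method whose RVA is given (the RVA SAE shows on the General tab).
    The header length is read from the header instead of being assumed to be
    0xC, so tiny-format methods (1-byte header) are handled too."""
    hdr = rva_to_offset(pe, method_rva)
    kind = pe[hdr] & 0x3
    if kind == 0x2:                                        # CorILMethod_TinyFormat
        return hdr + 1, pe[hdr] >> 2
    if kind == 0x3:                                        # CorILMethod_FatFormat
        flags_and_size = struct.unpack_from("<H", pe, hdr)[0]
        header_bytes = (flags_and_size >> 12) * 4          # normally 3 * 4 = 0xC
        code_size = struct.unpack_from("<I", pe, hdr + 4)[0]
        return hdr + header_bytes, code_size
    raise ValueError(f"unrecognised method header byte {pe[hdr]:#x}")


if __name__ == "__main__":
    pe = build_sample_pe()
    for rva in (0x2000, 0x2010):
        off, size = il_body_offset(pe, rva)
        print(f"method RVA {rva:#x}: header at file offset {rva_to_offset(pe, rva):#x}, "
              f"first IL byte at {off:#x} ({size} bytes of IL, opcode {pe[off]:#04x})")
```

The page's own arithmetic (0x54f8e + 0xC = 0x54f9a) is the fat-header branch of `il_body_offset`; the tiny-header branch is the case where adding a fixed 0xC would land 11 bytes past the method start, which is why reading the size nibble is safer than assuming it.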

To defeat it, we replace the first instruction of the method with a ret. The hexadecimal value of the ret opcode is 2A, so change D0 to 2A (the two screenshots show the bytes before and after the edit) and save the exe under a different name, e.g. CrackMe_msil_fix2.exe. Try to run it: good, it works! ;-)

Now patching the crackme to accept any serial is easy. I think there are various techniques to find the right point; to find the .NET method to patch quickly, I use a DotNet Tracer (DKT by Kurapica). I run the crackme in the tracer and wait for it to load completely. Then I copy the last parent class:

Then I paste the 朵퐡鴋嵪τ뙂‑嘖 string into SAE and search by ClassName:

Well, we are in the parent class; if you scroll through the methods inside this class you can easily find the code to patch:

Yes, this is the method to patch. If you're handy with IL code, you can run de4dot over this executable to make the code more readable, but the exe won't run anymore. OK, I can patch it to accept any serial. Too easy! Look at row 9: bne.un.s checks whether the value is == 0. We use the same technique as for defeating the anti-tamper, this time to edit bne.un.s into bge.s.

Look at the RVA, which is 0x49e0d.

Then go to CFF -> Address Converter, put the value 49e0d in the RVA box, press enter, and change 33 to 2E, which is the hex value of the bge.s opcode. Save, and we're finished :-)

My thanks fly to all reversing teams and individual reversers, especially to all members of the UIC and SnD Team. Predator
