UnconfuserExTools

A repository containing tools used for unpacking and deobfuscating .NET applications protected with ConfuserEx

WARNING: These tools have been aggragated from multiple sources around the web. These tools are provided as-is, and there is no guarantee on the safety or authenticity of the file(s). It is recommended to run them in a sandboxed environment. I have tried my best to aggregate the same tools from multiple sources and to compare file-size to ensure there is no signs of obvious tampering.

IMPORTANT: A lot of the tools contained are part of CodeCracker's Tools. These tools are from 2011-2015, and are no longer maintained, nor is there much documentation about them. Once again, I want to reiterate that this repository is "as-is" and I cannot guarantee the safety or authenticity of the files provided. As such, without proper documentation on these files, I cannot say for sure what they do. All the information provided is from sources that are available today. Please DO NOT create issues regarding a program not working, as I am not the original author of any of the tools included here. Thanks!

What is this?

This repository contains tools used in the unpacking and deobfuscation of .NET applications protected with ConfuserEx. I was analyzing a malware artifact protected by ConfuserEx, and most tutorials online referenced tools such as "UnconfuserEx" and "ConfuseExSwitchKiller", but links were dead / not readily available. I've created this repository to act as a centralized place for all tools related to the deobfuscation of ConfuserEx protected applications, without the worry of expiring or paywalled file downloads. Furthermore, a lot of tools, such as NoFuserEx, require you to build from source, so this repository has pre-compiled binaries for ease of use.

How to use?

WIP

ConfuserExMethodsDecryptor
ConfuserExFixer
ConfuserExConstant

WIP

Unconfuser.Exe
ConfuserEx Proxy Call Fixer v2
ConfuseExConstantsDecryptor
ConfuseExSwitchKiller
ConfuseExFixer

WIP

NoFuserEx.exe

WIP This is the recommended order of tools, but other tools are available at your disposal.

Download files via git clone or through the latest release.
Run UnconfuserEx.exe - This unpacks the application.
Run ConfuserEx Proxy Call Fixer v2.exe - Fixes proxy function calls.
Run ConfuseExConstantDecryptor.exe - Fixes strings.
Run ConfuseExSwitchKiller.exe (might crash) - Fixes switch control flow.
(optional) Run ConfuserExFixer.exe - Fixes general errors
Clean up with de4dot
Open the executable in dnSpy, Ghidra, etc.

Sources

Other possibly helpful tools

Here are some other tools that might be helpful. They could also entirely replace the tools in this list. I need to test more with them.

https://github.com/ViRb3/de4dot-cex - de4dot with ConfuserEx support
https://github.com/BedTheGod/ConfuserEx-Unpacker-Mod-by-Bed/tree/1.1 - An all-in-one ConfuserEx unpacker and deobfuscator with mod support

Tools contained:

UnconfuserEx - Unpacks ConfuserEx protected applications
NoFuserEx - Removes anti-tamper, anti-debugger, anti-dump, fixes proxy calls and constants (built from src)
ConfuserEx ProxyCallFixer v2 - Fixes proxy function calls
ConfuserExConstantDecryptor.exe - Fixes strings/constants
ConfuserExceptionsRestore.exe - Fixes any errors
ConfuserExCfgKiller.exe - Fixes any errors
ConfuserExCallFixer.exe - Same as ProxyCallFixer
ConfuserExDupPopPatcher.exe - (?)
ConfuserExExpressionKiller.exe - Fixes control flow (Doesn't work on newer versions)
ConfuserExFixer.exe - Fixes errors
ConfuserExMethodsDecryptor.exe - Decrypts method body
ConfuseExSwitchKiller.exe - Fixes switch control flow
ConfuserCleanUp.exe - Cleans up file
ConfuserDelegateKiller.exe - (?)
ConfuserExPredicateKiller.exe - (?)
ConfuserLdcPopPatcher.exe - (?)
ConfuserStringDecryptor.exe - Older version of ConstantsDecryptor(?)
ConfuserExStringDecryptor2.exe - (?)
ConfuserExStringDecryptor_fr40.exe - (?)
ConfuserXorCalc.exe - Resolves XOR calculations(?)
ConfuserExConstant.exe - (?)
ConfuserExConstant2.exe - (?)

axe-usat / unconfuserextools-all-tools Goto Github PK