Showing results for tags 'unpacker'.

Found 20 results

  1. Unpacker tool by Cawk for ConfuserEx. The GitHub link is dead, so I decided to post it for whoever needs it. [Hidden Content]
  2. Tools used when unpacking a modded ConfuserEx, including max settings. [Hidden Content] [Hidden Content]
  3. Excellent tool for decrypting .NET Reactor. [Hidden Content]
  4. Magicmida is a Themida auto-unpacker that works on some 32-bit applications. It works on all versions of Windows (XP and later).

     Functions:
     • Unpack: Unpacks the binary you select. The unpacked binary will be saved with a U suffix.
     • MakeDataSects: Restores .rdata/.data sections. Only works on very specific targets.
     • Dump process: Allows you to enter the PID of a running process whose .text section will be dumped (overwritten) into an already unpacked file. This is useful after using Oreans Unvirtualizer in OllyDbg. Only works properly if MakeDataSects was done before.
     • Shrink: Deletes all sections that are no longer needed (if you unvirtualized or if your binary does not use virtualization). Warning: This will break your binary for non-MSVC compilers.

     Note: The tool focuses on cleanness of the resulting binaries. Things such as VM anti-dump are explicitly not fixed. If your target has a virtualized entrypoint, the resulting dump will be broken and won't run (except for MSVC6, which has special fixup code to restore the OEP).

     Important: Never activate any compatibility mode options for Magicmida or for the target you're unpacking. It would very likely screw up the unpacking process due to shimming.

     2023-01-14
     • Removed some assumptions about IAT layout to achieve broader compatibility.
     • Fixed a bug where sections were misaligned in dumped binaries.
     • Fixed a crash in Themida v3 import tracing.
     • Compiled with Delphi 10.4.
     [Hidden Content]
  5. How to use: Greenline.exe <path> [--config-only]

     Greenline will by default unpack RedLine Stealer's string obfuscation; if you only want the config, use the --config-only argument after the path to your binary.

     Features:
     • String deobfuscation: Greenline will unpack string obfuscation like this back to a readable form like this.
     • Config extraction: Greenline also automatically extracts the config of RedLine Stealer.

     Release v1.1 fixed (Latest): Fixing Replace call patcher not checking pattern value for null.
     [Hidden Content]
  6. Also drag and drop supported. A dotnet unpacker/cleaner tool that can remove Anti De4Dot, Junk Types, Math Protection, Anti Decompiler, Control Flow etc. protections from a .NET assembly. [Hidden Content]
  7. I would like to share the ILProtect Unpacker toolkit for anyone who needs it. In the compressed file there are 2 unpack versions: 1. ILProtect Unpacker by ElectroKill 2. ILProtect Unpacker (GitHub) I recommend using ElectroKill's tool for best unpacking. [Hidden Content]
  8. What is DarksVM?

     DarksVM is a modified version of KoiVM which is a ConfuserEx plugin that allows you to virtualize methods to be understandable only by our computer.

     This version includes:
     • Modified VMEntry name and entries
     • Renamed 'Run' method to 'Load'
     • Added some calculation
     • OldRod is no longer able to devirtualize
     • Improved compatibility

     Only supported OS is Windows.

     Original Link - GitHub - Aekras1a/KoiVM-modded: DarksVM is a modified version of KoiVM, a complex ConfuserEx plugin that made it possible to virtualize methods and other data, increasing the difficulty to R.E. the app.

     If your target is protected with this KoiVM Mod Version (DarksVM), you can unpack it easily with the Devirtualizer.

     How to Use? Simple Drag and Drop in OldRod.

     Info - OldRod project was created by Washi to devirt the KoiVM. So in order to defeat the KoiVM Mod, here is the Mod. of OldRod which can unpack that.

     Credits - Washi
     [Hidden Content]
  9. Unpack Nazi Protect [Hidden Content]
  10. Modded Cfex Unpacker by ElectroKill [Hidden Content]
  11. What is Themida Unpacker for .NET?

      Themida Unpacker for .NET is a tool developed to quickly and easily unpack packed .NET files. Supports all versions! (Tested in 1.x, 2.x, 3.x)

      How to use?
      • Go to the SuspendProcess/bin/Release/ folder.
      • Just drag the .NET file and select pd.exe! (32bit to 32bit, 64bit to 64bit)
      • pd.exe will dump the file! If not, just manual dump with SCYLLA!!!!!

      You have to install vbruntime and .NET runtime etc.... JUST INSTALL VISUAL STUDIO .NET, C++, Universal Windows Platform!!!!!! :)
      [Hidden Content]
  12. [Hidden Content]
  13. Phoenix Protector String Decryptor [Hidden Content]
  14. ConfuserEx Unpacker Dynamic

      Edited copy of Cawk's ConfuserEx unpacker; this one supports Trinity and Netguard 4.5.

      ConfuserEx Unpacker 2 (Supports Trinity & Netguard 4.5) STILL UNDER BETA

      This is my own "mod" of this unpacker. I've added constant support for 2 parameter decryption support (Netguard 4.5, Ben Mhenni 4.5), and I added support for 3 parameters with string (Trinity). Added support for the packer in Trinity and also added many different mutation removers that will come in handy for custom mods. You can easily clean programs piece by piece or however you want by editing the program.cs.

      A new and updated version of my last unpacker for ConfuserEx, which people actually seem to use, so I thought I would update it and actually make it better, as that version is very poor. This is currently in beta and in its first version will only support ConfuserEx with no modifications or additional options from ConfuserEx itself. This will change as I add more features. This will heavily be based off my instruction emulator, which makes it much more reliable as long as there's no hidden surprises from modified ConfuserEx. I have not used sub modules due to making changes within de4dot.blocks. In Int32/64Value I have modified the Shr_Un methods and such to fix a bug (well, not really a bug, but it prevents some operations from giving correct result). If you have an issue with this unpacker please make an issue report, but if you simply go 'does not work on this file please fix' I simply will just close your issue. Please make a detailed report and explain where it crashes.
      [Hidden Content]
  15. RzyFixer - A .NET Unpacker tool

      A .NET Unpacker tool, with many features. Using dnlib assembly & cui for the design.

      Credits:
      • Me for the code
      • Developer of Dnlib
      • XSilent for CUI (Console design).
      • Someone else helped me on the anti de4dot fixer, but I forgot who. Feel free to get in contact.
      [Hidden Content]
  16. Emotet research

      In this repository you can find documentation about the packer of Emotet and its unpacker. This unpacker extracts the command and controls, and the public RSA key of Emotet (botnet identifier).

      General purpose
      The purpose of this repository is to show how the packet of emotet works, provide a sample of emotet payload with its idc (made by me). Also I wrote an unpacker for emotet (using TitanEngine) which extracts the final payload of emotet and the intermediate layers for extracting it. In addition, the unpacker extracts to a file the static configuration of emotet, the command and controls and its public RSA key (botnet identifier).

      Directories and files
      • ./unpacker/src: Source code of the packer. main.py file is the script for running the unpacker.
      • ./unpacker/TitanEngine.dll: Titan Engine DLL, or you can download from reversinglabs.com. The DLL must be on C:/windows/system32/ folder.
      • ./doc: Documentation of the emotet unpacker.
      • ./unpacked_sample_id: In this directory you can find a sample of final payload of the Emotet next to an idc documented by me.

      Requirements
      Before using the unpacker, I recommend reading the documentation I did about this packer. (./doc/EN_emotet_packer_analysis_and_config_extraction_v1.pdf)
      • python2.7
      • yara-python
      • Titan Engine DLL. Provided in this repo, or you can download from its web page

      Output
      If success a folder named "output" will be created.
      • ./output/unpacked/{packed_file_name}.emotet.unpacked: Emotet payload unpacked. (PE File)
      • ./output/extracted_files/layer2/{packed_file_name}.layer2.bin: Layer2 of emotet packer. (PE File)
      • ./output/extracted_files/broken_payload/{packed_file_name}.payload.bin: Emotet payload unpacked step 1, if you read the packer documentation you will realize that in the first step this file doesn't work, it must be fixed up. (PE File)
      • ./output/static_configuration/{packed_file_name}.ips.txt: List of "ip:port" of commands and controls.
      • ./output/static_configuration/{packed_file_name}.rsa.txt: RSA key used for communicating with the command and control.

      Usage
      After installing all requirements and the Titan Engine DLL...
          cd unpacker/src/
          ./main.py [options] {filename or folder}
      OR double click :S Then select the target file in the box. Press the "UnPack" button. Enjoy 😃

      Final words
      This documentation and unpacker were done between November and December of 2018; if after these dates it doesn't work, maybe the unpacker doesn't work well or Emotet developers changed the packer. This unpacker isn't perfect, it's my first dynamic unpacker using Titan Engine. I did this research on my free time, because currently I'm not working on this kind of stuff and I don't have enough time. It'd be cool to keep the repository updated for new versions of the packer or for some future error fixes. Therefore, feel free to send PR or open issues. I will try to keep it updated if I have time. Enjoy and keep fighting against the malware 😃
      Download: [Hidden Content]
  17. NetGuard-Unpacker-Public

      Public NetGuard Deobfuscator made by Cawk. This is Cawk's NetGuard unpacker that's now public. Enjoy it while it lasts; he won't be pushing any more updates unless the community keeps this alive and requires some small help here and there. [Hidden Content]
  18. The usage of runtime packers by malware authors is very common, as it is a technique that helps to hinder analysis. Furthermore, packers are a challenge for antivirus products, as they make it impossible to identify malware by signatures or hashes alone. In order to be able to analyze a packed malware sample, it is often required to unpack the binary. Usually, this means that the analyst will have to manually unpack the binary by using dynamic analysis techniques (Tools: OllyDbg, x64Dbg). There are also some approaches for automatic unpacking, but they are all only available for Windows. Therefore when targeting a packed Windows malware the analyst will require a Windows machine. The goal of our project is to enable platform-independent automatic unpacking by using emulation.

      Supported packers:
      • UPX: Cross-platform, open source packer
      • ASPack: Advanced commercial packer with a high compression ratio
      • PEtite: Freeware packer, similar to ASPack
      • FSG: Freeware, fast to unpack

      Any other packers should work as well, as long as the needed API functions are implemented in Unipacker. For packers that aren't specifically known you will be asked whether you would like to manually specify the start and end addresses for emulation. If you would like to start at the entry point declared in the PE header and just emulate until section hopping is detected, press Enter.
      [Hidden Content]
  19. Download: [Hidden Content] Password: level23hacktools.com
  20. DNGuard HVM Unpacker Full Dnguard 3.68 support. Dnguard trial should be all supported! Dnguard 3.69/3.70 are not yet supported. Recommended OS: Windows XP DNGuard_HVM_Unpacker.exe should be loaded by Framework 2.0 DNGuard_HVM_Unpackerfr4.exe should be loaded by Framework 4.0 [Hidden Content]