| Feature | Description | Effectiveness vs v1 |
|---------|-------------|---------------------|
| | Mangles namespaces, classes, methods, parameters (non-encryptable symbols preserved). | Slightly improved – less predictable hex names. |
| Control Flow | Adds junk code, predicates, and dispatcher-based jumps. | Moderate – new patterns resist simple de4dot. |
| Constant Encryption | Embeds constants in encrypted buffers, decrypted at runtime. | Weak – runtime decryption exposes cleartext in memory. |
| Resources Encryption | Compressed + encrypted embedded resources (e.g., binaries, configs). | Good – resources not trivially extractable. |
| Anti-Tamper (Hash) | Signs assembly hash; if modified, app refuses to run or crashes. | Improved – uses stronger hashing (SHA256) vs original MD5. |
| Anti-Debug | Detects debuggers (IsDebuggerPresent, remote threads). | Basic – bypassable with kernel-mode debuggers. |
| Reference Proxy | Indirect method calls via proxies, obscuring call graphs. | Moderate – complicates static analysis. |
While ConfuserEx 2 offers more robust anti-tamper and control-flow obfuscation than its predecessor, it remains bypassable by determined analysts using advanced deobfuscation frameworks (e.g., de4dot modded versions, dnSpy with plugins). It is not equivalent to commercial-grade protectors (ConfuserEx, Agile.NET, Themida).

2. Background: What is ConfuserEx 2?

ConfuserEx 2 is an unofficial, updated fork of the original ConfuserEx (last updated 2015). The original suffered from predictable patterns, weak string encryption, and signature-based detection.
Report ID: SAR-2024-CE2-01
Date: October 2024
Subject: ConfuserEx 2 – Capabilities, Improvements, and Security Limitations
Classification: Public / Technical Analysis

1. Executive Summary

ConfuserEx 2 is a community-driven continuation of the original ConfuserEx, an open-source protector for .NET applications (C#, VB.NET, etc.). Unlike commercial obfuscators, ConfuserEx 2 focuses on providing intermediate protection against reverse engineering, targeting casual crackers and script-kiddie deobfuscation tools.