Tuts 4 You

# Blogs

## One More Time for Fun... Flashbacks

So in my adventures to track down the elusive Phrozencrew (last 2 yrs), it's come to my attention that they've all grown up. Not in a bad way of course, but just done with the scene... moved on... among other peeps from my love of '98... some great crackers of the day... just done. So now, in this day and age, who is active anymore? I went to the almighty ICU website... gone. Maybe I'm out of the loop, but the page is gone... FFF... not sure, SnD... nope, EFnet is nearly closed... mostly bots... what happened to ARTEAM... they had a bad ass e-magazine... C-YA ugh... I'm lost. I tried to re-energize myself with OLLY, and like a bum I downloaded crackerskit 2.0 (so fresh in the day). Where are the new packages? I find myself even lazier than trying to do my own thing with OLLY and look for an All In One (AIO)... oh well, I miss those days... I'm back trying to find it... let me know... I'm out here looking to get connected again!! Peace, Overkill^

## ImmDbg scripting

It has been a while since this good debugger became available for download on Immunity's homepage. This debugger has a lot of improvements over its older brother, OllyDbg. One such improvement is the ability to code scripts in an integrated Python interface that completely supersedes the obsolete OllyDbg scripting. It has endless potential and I advise you to look elsewhere for more information on the use of ImmDbg's integrated APIs. Today I am posting a small script I coded to unpack UPX code. Keep in mind that no IAT reconstruction will be performed, as this is merely an illustrative script that may help you get started coding scripts for Immunity if you are interested.

```python
__VERSION__ = '1.0'

import immlib
import getopt
import immutils
from immutils import *

imm = immlib.Debugger()  # init debugger

# functions

# main
def main(args):
    imm.log("Started search for the jmp to the OEP...")
    imm.updateLog()
    regtable = imm.getRegs()                   # the whole register table, as a dict
    patt = "\x00\x00\x00\x00\x00\x00\x00\x00"  # UPX target pattern: the zero pad after the stub's final jmp
    count = 0
    eip_curr = regtable["EIP"]                 # current EIP: must be the packed entry point (the pushad)
    while (count < 768):                       # the pad sits at most a few hundred bytes past the EP
        mem = imm.readMemory(eip_curr + count, 8)
        if (mem == patt):
            imm.log("match: %08x" % (eip_curr + count))
            break
        count = count + 1
    if (mem != patt):
        imm.log("No pattern found: YOU NEED TO BE AT THE PACKED ENTRY POINT!")
        return "failure"
    jmp_addr = eip_curr + count - 5            # the jmp OEP (E9 rel32, 5 bytes) sits right before the pad
    if imm.readMemory(jmp_addr, 1) != "\xe9":  # sanity check: refuse to break on something that is not a jmp
        imm.log("Byte before the pad is not a jmp rel32: %08x" % jmp_addr)
        return "failure"
    imm.setBreakpoint(jmp_addr)
    imm.run()                                  # let the stub decompress the image, stop on the jmp
    imm.stepIn()                               # follow the jmp: EIP is now the original entry point
    imm.log("code ep successfully found")
    return "success"
```

Check the help file for the list of all Immunity APIs; keep in mind that this list does not describe the behaviour of the APIs, it just lists them. Also, the unpacker seems to be working fine; report otherwise.
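The script above leaves all the work to the debugger, so it is worth seeing the same search done by hand. What follows is an added example, not code from the original post and not Immunity's own code: given a dump of the stub bytes starting at the packed entry point, it finds the 8-byte zero pad, checks that the byte in front of it really is an E9 jmp rel32, and decodes the relative target to obtain the OEP instead of single-stepping into it. The stub bytes, the packed entry point and the OEP value are all constructed for the demonstration (a hand-made stand-in, not real UPX output), and the code is plain Python 3 rather than the debugger's embedded Python.

```python
import struct

ZERO_PAD = b"\x00" * 8   # the padding the ImmDbg script scans for
JMP_REL32 = 0xE9         # opcode of the 5-byte jmp that precedes it
SCAN_LIMIT = 768         # same scan window as the script


def find_tail_jmp(stub: bytes, scan_limit: int = SCAN_LIMIT):
    """Return the offset (from the packed EP) of the `jmp OEP` that sits right
    before the first 8-byte zero run, or None if the run is absent within the
    scan window or the byte before it is not a jmp rel32."""
    last = min(scan_limit, len(stub) - len(ZERO_PAD) + 1)
    for off in range(max(last, 0)):
        if stub[off:off + len(ZERO_PAD)] != ZERO_PAD:
            continue
        jmp_off = off - 5
        if jmp_off >= 0 and stub[jmp_off] == JMP_REL32:
            return jmp_off
        return None      # zeros found, but no jmp in front of them
    return None


def decode_jmp_target(stub: bytes, jmp_off: int, jmp_va: int) -> int:
    """Decode E9 rel32: target = address of the next instruction + rel32."""
    rel32 = struct.unpack_from("<i", stub, jmp_off + 1)[0]
    return (jmp_va + 5 + rel32) & 0xFFFFFFFF


def locate_oep(stub: bytes, packed_ep: int):
    """What the debugger script does, without a debugger: None on failure."""
    jmp_off = find_tail_jmp(stub)
    if jmp_off is None:
        return None
    return decode_jmp_target(stub, jmp_off, packed_ep + jmp_off)


def build_fake_stub(packed_ep: int, oep: int) -> bytes:
    """CONSTRUCTED stand-in for the tail of a UPX stub: pushad, filler,
    popad, jmp OEP, zero pad. Not real UPX output."""
    body = b"\x60" + b"\x90" * 20 + b"\x61"       # pushad ... popad
    jmp_va = packed_ep + len(body)
    rel32 = struct.pack("<i", oep - (jmp_va + 5))  # rel32 is relative to the next instruction
    return body + bytes([JMP_REL32]) + rel32 + ZERO_PAD


# Constructed sample values (not taken from any real binary).
SAMPLE_EP = 0x0045A000
SAMPLE_OEP = 0x00401000
SAMPLE_STUB = build_fake_stub(SAMPLE_EP, SAMPLE_OEP)

if __name__ == "__main__":
    print("OEP = %08x" % locate_oep(SAMPLE_STUB, SAMPLE_EP))
```

The E9 check is the part the debugger script lacks: an 8-byte zero run can also occur inside data, and breaking five bytes before such a run would run the target past the real jmp with no breakpoint in place.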

## A simple way to make animations with Delphi.

I've made it simpler, and I include the source code by hand with some different code as well: Example + Source Code. This time I just use my 4 layers stacked horizontally, so it is easy to understand: [120x80] [120x80] [120x80] [120x80] = [480 x 80]. It may help. Download Source Code + Example ----------> ZNP Easy.zip. Have fun.

I'm not really used to the whole 'blog' thing, so bear with me while I simply spill some thoughts. Anybody who has seen the Keymaker.c source code for Armadillo keygenerating can see how the keys are built and put together; I'm not going to explain how I came to any conclusions aside from referring back to that document. The single most important thing for making genuine Level 10 Short V3 keys is the Encryption Template: from it the symmetric key is made, and the private key for ECDSA signing is generated from it as well. People have already successfully attacked the signature verification as well as the symmetric key verification, so this post isn't revealing anything new. The string is uppercased in a function called 'CookText' before it is hashed with the MD5 algorithm. Looking at the source code, we can see that the BasePointInit value for the elliptic curve used is also taken from the Encryption Template, the first unsigned long of the MD5 hash to be precise. So, what do we have at the moment?
```c
// Hypothetical variables (fragment: CookText/md5 are the Keymaker.c routines,
// EncryptionTemplate is the user-supplied template string declared elsewhere)
unsigned long MD5Hash[4];
char temp[256];
unsigned long BasePointInit;
unsigned long Symmetric;

// Get the hash of the uppercased string
CookText(temp, EncryptionTemplate);
md5(MD5Hash, temp, strlen(temp));

// Set BasePointInit and Symmetric values
BasePointInit = MD5Hash[0];
Symmetric = MD5Hash[0] ^ MD5Hash[1];

// Remembering the ECDSAPrivateKey is derived from EncryptionTemplate.
```

Okay, not a lot to look at to begin with, but with the BasePointInit we have the first dword of the MD5 hash and we can perform a brute-force lookup for any hashes that begin with that value. On its own this would be totally useless because it returns a lot of false positives, so incorporating a check of whether or not the generated symmetric key yields a matching checksum when passed through the symmetric checksum function was necessary. Now, using CUDA and the symmetric check plus a large charset, it finds a 6 character encryption template in 80 seconds. Nothing to jump up and down about, but the main thing is that it works at all! There would most likely be a way to speed it up more, but I'm not sure where to start; it is only a PoC and I'm sharing the theory only, so please don't ask me for a copy. I also had the brainwave idea of brute-forcing the 128 bit value which is the private key for ECDSA signing, but couldn't find a way that was fast enough using my limited math experience, hehe. My conclusion from this little experiment is that although it is possible to recover the encryption template, the character set and probable length of the strings used by Armadillo's users will prevent it from becoming an attack vector for keygenning, especially when the ECDSA_Verify and symmetric key can both be defeated with faster means. HR, Ghandi
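To make the derivation concrete, here is an added example (not Ghandi's PoC and not Armadillo's or Keymaker.c's code) that implements the part of the scheme the post describes: uppercase the template, MD5 it, take the first little-endian dword as BasePointInit and dword0 XOR dword1 as Symmetric, then brute-force a short template from BasePointInit alone and prune the first-dword false positives with a second check on Symmetric. The real symmetric checksum is not described on this page, so `symmetric_checksum` is a hypothetical stand-in; the charset, the template length and the sample template "k3y" are likewise made up for the demonstration, and the search runs on the CPU rather than CUDA. One detail the post's own description implies and the example makes visible: because CookText uppercases first, a recovered template only needs to match the uppercased form, so the search space is the uppercase alphabet, not the full charset the user typed from.

```python
import hashlib
import itertools
import struct


def cook_text(template: str) -> str:
    """Stand-in for Keymaker.c's CookText: the post only says the template
    is uppercased before hashing (assumption: nothing else is done to it)."""
    return template.upper()


def md5_dwords(data: bytes):
    """MD5 digest as four little-endian unsigned longs (MD5Hash[0..3])."""
    return struct.unpack("<4I", hashlib.md5(data).digest())


def derive(template: str):
    """(BasePointInit, Symmetric) exactly as in the C fragment above."""
    h = md5_dwords(cook_text(template).encode("ascii"))
    return h[0], h[0] ^ h[1]


def symmetric_checksum(symmetric: int) -> int:
    """HYPOTHETICAL placeholder for the symmetric-key checksum the post
    mentions: a 16-bit value computed from the key. The real function is
    Armadillo's and is not on this page."""
    return ((symmetric * 0x9E3779B1) >> 16) & 0xFFFF


def recover_template(base_point_init: int, expected_checksum: int,
                     charset: str, max_len: int):
    """Brute-force: every template up to max_len over charset whose MD5 first
    dword equals BasePointInit is a candidate; only those whose Symmetric also
    passes the checksum are kept. Returns (kept, rejected) so the dword-only
    false positives are visible rather than silently dropped."""
    kept, rejected = [], []
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            cand = "".join(combo)
            bpi, sym = derive(cand)
            if bpi != base_point_init:
                continue
            if symmetric_checksum(sym) == expected_checksum:
                kept.append(cand)
            else:
                rejected.append(cand)  # first-dword collision only
    return kept, rejected


# Uppercase-only search space: "k3y" and "K3Y" hash identically after CookText.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def demo(secret_template: str = "k3y", max_len: int = 3):
    """Constructed scenario: pretend only BasePointInit and the checksum are
    known, and recover the (uppercased) template from them."""
    bpi, sym = derive(secret_template)
    return recover_template(bpi, symmetric_checksum(sym), CHARSET, max_len)


if __name__ == "__main__":
    kept, rejected = demo()
    print("recovered:", kept, "dword-only false positives:", len(rejected))
```

With a 3-character search (about 48k hashes) a 32-bit dword filter almost never collides, which is why the rejected list is normally empty here; the second check only starts to matter once the candidate count approaches 2^32, which is exactly the regime the post's 6-character CUDA run operates in.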

## Playing 6 [*.xm] Files with Delphi.

Not for the expert, just for amateur programmers.

```pascal
unit Unit1;

interface

uses
  Forms, uFMOD, Sfx, Sfx2, Sfx3, Sfx4, Sfx5, Sfx6, Classes, Controls, StdCtrls;

type
  TForm1 = class(TForm)
    Label1: TLabel;
    procedure FormActivate(Sender: TObject);
    procedure FormDestroy(Sender: TObject);
    procedure FormKeyPress(Sender: TObject; var Key: Char);
    procedure FormCreate(Sender: TObject);
  private
    { By : X-88 }
  public
    { hmm.... }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

procedure TForm1.FormActivate(Sender: TObject);
begin
  uFMOD_SetVolume(256);
  uFMOD_PlaySong(@SfxData, SfxSize, XM_MEMORY);  // play the module straight from memory
  Label1.Caption := 'Title : ' + uFMOD.uFMOD_GetTitle;
end;

procedure TForm1.FormDestroy(Sender: TObject);
begin
  uFMOD_StopSong;
end;

procedure TForm1.FormKeyPress(Sender: TObject; var Key: Char);
begin
  // Keys 1-6 switch between the six embedded modules, 7 stops playback.
  case Key of
    '1': begin uFMOD_StopSong; uFMOD_PlaySong(@SfxData,  SfxSize,  XM_MEMORY); end;
    '2': begin uFMOD_StopSong; uFMOD_PlaySong(@Sfx2Data, Sfx2Size, XM_MEMORY); end;
    '3': begin uFMOD_StopSong; uFMOD_PlaySong(@Sfx3Data, Sfx3Size, XM_MEMORY); end;
    '4': begin uFMOD_StopSong; uFMOD_PlaySong(@Sfx4Data, Sfx4Size, XM_MEMORY); end;
    '5': begin uFMOD_StopSong; uFMOD_PlaySong(@Sfx5Data, Sfx5Size, XM_MEMORY); end;
    '6': begin uFMOD_StopSong; uFMOD_PlaySong(@Sfx6Data, Sfx6Size, XM_MEMORY); end;
    '7': begin
           uFMOD_StopSong;
           Label1.Caption := 'Press 1-6 to Change Sfx' + #13#10 + '7 = Stop';
           Exit;
         end;
  else
    Exit;  // any other key: nothing to do
  end;
  Label1.Caption := 'Title : ' + uFMOD.uFMOD_GetTitle;
end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  Application.Title := 'Test';
end;

end.
```

NB: the `uses` clause pulls in Sfx, Sfx2, Sfx3, Sfx4, Sfx5 and Sfx6, one unit per embedded module. Each of those units is just the .xm file as a byte array; Sfx2 starts like this (the first bytes, 69 120 116 101 110 100 101 100 32 77 111, spell "Extended Mo", the beginning of the XM file signature):

```pascal
unit Sfx2;

interface

const
  Sfx2Size = 268215;
  Sfx2Data: array[1..Sfx2Size] of Byte = (
    69, 120, 116, 101, 110, 100, 101, 100, 32, 77, 111, .., .., ..  // etc.
  );
```

Done.

## XM on x64

This is the result of trying to play back XM music on 64-bit Windows. I wrote a simple wrapper around libmodplug that reads its raw PCM output and writes it to the standard wave output. All you have to do is create an instance of ModPlay, which needs a buffer + size of the XM file to be played. Then just call the play() function and voilà. I have to say that it roughly adds 40 KB of code to your binaries; you have to decide if that is worth it for you. Personally I don't care, especially because you can compress the **** out of it with UPX. Attached are the wrapper C++ files, WINMM import libraries from the Windows SDK and 2 static libraries of libmodplug (compiled with VS 2008; you might need to build libmodplug yourself for other compilers/configs, see below for tips). Any problems, questions, suggestions, let me know. PS: If you want/need to compile libmodplug, just make sure you define these to keep the library size as small as possible: MODPLUG_BASIC_SUPPORT, MODPLUG_FASTSOUNDLIB, MODPLUG_NO_FILESAVE, NO_PACKING. For VC++ I added this version of stdint.h, added the libmodplug subfolder to the include dirs and it pretty much compiled out of the box.

## From: [ARTeam] ActiveMark "dismembered"

Hi all, guess what, we again targeted the new ActiveMark version and this time we are releasing an updated tool for inlining the protection, besides of course a tutorial which explains the technique. You can grab them all from here: tutorial: http://www.accessroo...ad.php?view.324 tool: http://www.accessroo...ad.php?view.325 Thanks to SSlEviN for his great work. Besides, this is the first tool he coded on his own! Very nice beginning. Source: [ARTeam] ActiveMark "dismembered"

## MTCT Dup Skin v.0.1

This is my first Dup Skin ...

## MTCT Nfo Maker

Master Turkish Crack Team Nfo Maker Coded By TreaxeR

• Someone likes to solve crosswords, somebody likes to play chess.
I like RE because I need to strain my brain like when I solve a crossword, and think and analyze like when I play chess. After every cracking I get moral satisfaction; I'm happy with my success, success in cracking, my friends.
I'm glad when I receive a message from the developers where they are grateful for the cracking of their program and promise to eliminate the hole in the protection of the program in the next release.
I thank everyone who writes articles about RE, makes tutorials and new tools, and shares knowledge with others.
• I am just a beginner, and believe me... Reverse Engineering is taking a huge part in my personal life.
I wanna be that professional cracker! Programmer, I need to learn more and more.
I won't stop what I'm doing because I love it! From the bottom of my heart,
this is not just a hobby for me, it's a way of thinking.
• CriticalError ==> this is the password
• Time factor maybe... I got interested in reversing some 6 yrs ago but my work schedule is pushing me away. I still remember the old days when a good site (astatalk) emerged and everyone helped each other. Yes, reversing is a long process; if you leave a gap in the process then you'll be lost just like me, idle in RE for so many years...