All Activity

sir pleaze give Google drive link sir mega,MediaFire request sir thnks

sir pleaze give new link sir @markaz.jamal

SIR PLEAZE GIVE NEW LINK LINK IS NOY WORKINGS SIR.

Mono still makes sense for environments that cannot work with JIT and require an interpreter (e.g., wasm), and is still the default implementation for legacy .NET Framework in e.g., wine. Also, MonoMod is not affiliated with Mono, nor does it work "just" for Mono. Its name originates from Unity using Mono, but it is built to also work for other versions of .NET, including .NET Framework, .NET Core and .NET. Harmony under the hood also uses MonoMod. If you want to use MonoMod directly instead of Harmony, it should be doable using MonoMod.RuntimeDetour. Example from their docs: // Create a Hook. using (var d = new Hook(methodInfoFrom, methodInfoTo)) { // When the detour goes out-of-scope (and thus has Dispose() called), the detour is undone. // If the object is collected by the garbage collector, the detour is also undone. }

@CodeExplorer I'd suggest to open up an issue on harmony GH repo https://github.com/pardeike/Harmony/issues asking for support .net 10/11

is .net MONO still alive? after MS ported/opensourced .NET to Linux/Mac - not sure it was making sense to support it anymore...

Harmony works on .NET 7 and 8. But doesn't work on .NET 9 as the BinaryFormatter was deprecated and just throws error. https://steven-giesel.com/blogPost/4271d529-5625-4b67-bd59-d121f2d8c8f6 https://github.com/pardeike/Harmony/releases I've tried to compile Harmony source code with VS 2022 Community, it gives lot of errors. I seen they are alternatives like MonoMod https://lethal.wiki/dev/fundamentals/patching-code/monomod-examples but they are only for .NET 5 so wasn't updated from a lot of time.

Seems bit old but decided to tackle this one as well. Sections : Address=00400000 Size=00001000 Party=User Page Information=crackme.exe Allocation Type=IMG Current Protection=-R--- Allocation Protection=ERWC- Address=00401000 Size=0001F000 Party=User Page Information=".text" Allocation Type=IMG Current Protection=ER--- Allocation Protection=ERWC- Address=00420000 Size=00001000 Party=User Page Information=".data" Allocation Type=IMG Current Protection=-RW-- Allocation Protection=ERWC- Address=00421000 Size=00001000 Party=User Page Information=".rsrc" Allocation Type=IMG Current Protection=-R--- Allocation Protection=ERWC- Address=00422000 Size=00074000 Party=User Page Information=".vmp0" Allocation Type=IMG Current Protection=ER--- Allocation Protection=ERWC- Address=00496000 Size=00087000 Party=User Page Information=".vmp1" Allocation Type=IMG Current Protection=ERW-- Allocation Protection=ERWC- A good place to patch to accept random creds -> 0046B02B | E9 E83EFBFF | jmp <crackme.sub_41EF18> | Valid combination -> They are located in -> Address=00422000 Size=00074000 Party=User Page Information=".vmp0" Allocation Type=IMG Current Protection=ER--- Allocation Protection=ERWC-

the article says about ReadyToRun are you doing this? the article was written back in 2020 .NET7/8/9 was released later

That is not the problem, eax registers is changed anyway for returning the value; and it is not used by runtime in other ways. Patched address is not called at all. I found this article: .NET Inside Out Part 23 – Machine code address of any .NET Core method https://blog.adamfurmanek.pl/2020/08/22/net-inside-out-part-23/index.html

even if yes, you are vandalically damaging CPU registers

Everything get compiled to native code in the end. I don't know why on .NET 7/8 MethodHandle.GetFunctionPointer() doesn't return the native compiled address, I've just used Harmony lib in the end.

another points of concerns: 1) this is .net (IL bytecode) system, why do you treat it as a native one? eg: lpBuffer = new byte[] { 0xb8, 1, 2, 3, 4, 0xff, 0xe0 }; --> mov eax, 0x04030201 jmp eax at least you are damaging register EAX of the CPU (what if it was using by .net engine? 2) next, how do you know that address is having native code and not .net IL bytes? 3) also, even if you are sure 100% that address is having native code, you are using brutal WriteProcessMemory WINAPI wihtout setting appropriate execution bits on memory page too many questions...

.net7 is dead switch to .net8/9 or 10

Change return of Assembly.GetCallingAssembly fails in .NET 7 Having this code: public static Assembly PGetCallingAssembly() { return assembly; } public static void PathGetExecuting() { Assembly.GetCallingAssembly(); Assembly.GetExecutingAssembly(); PGetCallingAssembly(); int lpNumberOfBytesWritten = 0; MethodInfo metGetExecutingAssembly = typeof(Assembly).GetMethod("GetExecutingAssembly", BindingFlags.Public | BindingFlags.Static | BindingFlags.Instance); MethodInfo metGetCallingAssembly = typeof(Assembly).GetMethod("GetCallingAssembly", BindingFlags.Public | BindingFlags.Static | BindingFlags.Instance); MethodInfo metPGetCallingAssembly = typeof(MainForm).GetMethod("PGetCallingAssembly", BindingFlags.Public | BindingFlags.Static | BindingFlags.Instance); IntPtr AGetCalling = IntPtr.Zero; IntPtr functionPointer = IntPtr.Zero; IntPtr AGetExecuting = IntPtr.Zero; byte[] lpBuffer = new byte[] { 0xb8, 1, 2, 3, 4, 0xff, 0xe0 }; if ((metGetCallingAssembly != null) && (metPGetCallingAssembly != null)) { AGetCalling = metGetCallingAssembly.MethodHandle.GetFunctionPointer(); functionPointer = metPGetCallingAssembly.MethodHandle.GetFunctionPointer(); AGetExecuting = metGetExecutingAssembly.MethodHandle.GetFunctionPointer(); if (((AGetCalling != IntPtr.Zero) && (functionPointer != IntPtr.Zero)) && (AGetExecuting != IntPtr.Zero)) { if (IntPtr.Size == 4) { byte[] buffer2 = BitConverter.GetBytes((uint)(int)functionPointer); lpBuffer[1] = buffer2[0]; lpBuffer[2] = buffer2[1]; lpBuffer[3] = buffer2[2]; lpBuffer[4] = buffer2[3]; } else if (IntPtr.Size == 8) { lpBuffer = new byte[] { 0x48, 0xb8, 1, 2, 3, 4, 5, 6, 7, 8, 0xff, 0xe0 }; byte[] buffer2 = BitConverter.GetBytes((ulong)(long)functionPointer); lpBuffer[1 + 1] = buffer2[0]; lpBuffer[1 + 2] = buffer2[1]; lpBuffer[1 + 3] = buffer2[2]; lpBuffer[1 + 4] = buffer2[3]; lpBuffer[1 + 5] = buffer2[4]; lpBuffer[1 + 6] = buffer2[5]; lpBuffer[1 + 7] = buffer2[6]; lpBuffer[1 + 8] = buffer2[7]; } int res_1 = WriteProcessMemory(-1, AGetExecuting, lpBuffer, lpBuffer.Length, ref lpNumberOfBytesWritten); int res_2 = WriteProcessMemory(-1, AGetCalling, lpBuffer, lpBuffer.Length, ref lpNumberOfBytesWritten); Assembly asm1 = Assembly.GetCallingAssembly(); Assembly asm2 = Assembly.GetExecutingAssembly(); } } } Assembly asm1 = Assembly.GetCallingAssembly(); still return original value; any explanation why this happens? Any alternatives to this code, instead of using Harmony: https://research.checkpoint.com/2024/net-hooking-harmonizing-managed-territory/

View File Eazfuscator v2025.01 File protected by eazfuscator v2025.01 having Code Virtualization enabled. Find registration combination and reply it with the success message! Submitter whoknows Submitted 07/23/2025 Category UnPackMe (.NET)  

Did you finally solve it? Could you make a video? The OP stop to reply, because it doesn't want to explain how he solved it.

https://github.com/vxunderground/MalwareSourceCode/tree/main This has a whole list. If bitcoin miners are counts as malware, I can upload that too if you want.

Here are the steps to get a completely modified version of x64dbg. Go to https://github.com/x64dbg/x64dbg Press this button in the top-right corner of your screen: You can then change the code to your liking (e.g., to bypass the anti-debug problem).

I want a completely modified version of xdbg64 to bypass the anti-debug problem

For some reason, when I press VMCode, nothing happens. No badboy or goodboy message. But for now, I’ve managed to get any key to register successfully. I’ll still take a look at the VMCode routine—just out of curiosity—and if I manage to figure it out, I’ll definitely write a tutorial. Btw whats up with your x86 with your anti-anti tricks? It wont even start on my machine for some reason. Could you please take a look at it?

Finally dotnet_UnPkd.7z

I am stuck and need help Things I have found 1. de4dot-mobile46 Debug the de4dot Here I found the decrytion key from header: K‡Îë7tÃHPË{ü0€ and the decryption uses only the first 4 bytes Got key uint array key0: 88836046, key1: 3946280131, key2: 1213203403key3: 2080125056 for SigType.pro In ParseMethodBody2 throws an exception because the first byte of the reader is 101. which not he tight value for the "&" can anyone points me in the right direction Thank you