All Activity

It's a decent writeup, thanks for the effort! However, you stopped 2 steps too early: 1) The undetected file ("df65l1.l56") is not malicious per-se. It contains encrypted code - but without matching decryption code it's harmless. No wonder it gets only 3/60 detections on VirusTotal. Autoit script ("df65l") is the one that decrypts it. 2) Inside the AutoIt script, there's a DLL called "u0bhc83.dll". This DLL has only one real purpose - to decrypt and execute malicious code from "C:/p8yqa7ux6/df65l1.l56". VT detection of the DLL 22/69. 3) Final malicious code is a banking trojan cal

Hello, to edit and convert a PDF file, I think Renee PDF Aide could be a good choice. New version of this software can not only convert PDF files to editable file formats like Word, Excel, PowerPoint, Text, extract image from PDF, etc., but also provides many useful edit functions like split, optimize, merge, de/encrypt, rotate and add watermark to PDF function. Split function inside Renee PDF Aide could help you delete unnecessary pages from target PDF files by specifying the pages you do not want. Here is how it go through. Hope it can help you. https://www.reneelab.com/how-to-free-conv

A victim related to me got infected with a virus, and I decided to perform some reverse engineering on it. The victim received an e-mail that claimed to be an invoice from a portuguese company called "Galp". This seems to be a virus specifically made for this scam since the code has function and variables names that make sense if interpreted as portuguese language. I would like to mention that I'm trying to keep this guide as educational as possible so that newer people can also get something out of it and, therefore, there may be some statements and explanations that are not needed

no idea deepzero, i don't really check how their cracks work, i'm just interested into archiving new installers design for defacto2 but i guess this kind of shenanigans wouldn't pass nukenets. and yet i still remember the codex AC:O release, although i haven't played it i've read the nfo https://defacto2.net/f/b42cb65

EMPRESS, CODEX (when EMPRESS was their cracker) and other P2P cracks - dumping and patching to replace the hardware infromation through ugly exception abuse CPY, STEAMPUNKS - license generation and inecjtion through a dll but some CPY newer releases take a step back and do some kind hooking inside important VM handlers instead of patching every CPUID out there CODEX AC:O release - complete removal of both vmprotect and denuvo This is a load of bullshit considering the whole "dox, arrest, investigation and release" occurred over a span of three days. In case of CPY a

Well, they modify the exe to load a dll and the dll then does the "patching in memory". Smells pretty loadery to me. There was one codex crack though that fully defeated the denuvo+vmp combo, inc. full devirtualization. That is unique afaik.

I grab exception message. It's look like:

Did anyone follow this denuvo business closer? So far all the cracks are loader-based, except for that one CODEX crack which fully defeated everything, right?

Thanks for supply sources.

https://github.com/x64dbg/TitanEngine https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredexceptionhandler

How can I find Titan Engine, and how can I add exception handler to thread?

I tried put AddressOfEntryPoint instead BaseOfCode but, issue still continues.

Doubt it will work this way you will have to add exeption handler to this thread... I would try with titan engine it can statically load pe image and run it with it's own debugger and exception handler.

BaseOfCode is not the correct field, try using AddressOfEntryPoint instead. EDIT: another guess: some anti-malware solution might hate "read+write+execute" memory pages and deny access to them. Try changing memory access rights to "read+execute" after copying your executable.

yeah man..every now and than i go over to defacto and read.. these days you can easily find a website (not hidden or anything) with just "codex" game iso relesses for example..than you have re -packers using scene fixes/ isos and adding all the updates and dlc's with their own installers etc..and nothing happens hahaha that to me alone is nuts things have changed big time...

It is always interesting to reflect on how the game cracking scene has evolved over the years. Now we have poles, donations and real time drama... 🙃 Ted.

I'm working on different PE Injection technique. I want inject PE file into virtual memory of current executable. After that, I want execute injected PE file, I wrote inject code but my method is not working. Dos header and NT header parse correct, I write correctly sections and create new thread on the entrypoint of the .text section, but thread not working. What is the problem here? #include <iostream> #include <windows.h> int main() { DWORD* ImageBase; void* pImageBase; IMAGE_NT_HEADERS* NTHeader; IMAGE_DOS_HEADER* DOSHeader; IMAGE_NT_HEADERS* mem_NTHead

a global variable of dwordsize .data? Seed dd ?

.Data alphabet db "0123456789", 0 xor esi, esi nextChar: invoke nrandom, 10 movzx edx, byte ptr alphabet[eax] mov byte ptr serial[esi], dl shl edx, 4 add ebx, edx inc esi cmp esi, 8 jb nextChar Mov byte ptr ds: [serial], 38h invoke SetDlgItemText,hWin,1001,addr serial This also works!!!

https://www.reddit.com/r/CrackWatch/comments/lqibnh/empress_there_and_back_again/

Is the problem moving the code? Just try this; (compatible with "generate proc") Randomize proc call GetTickCount mov deger1, eax Ret Randomize endp Random proc rdtsc mul edx mov eax,edx ret Random endp http://masm32.com/board/index.php?topic=838.0 ->can be examined in more detail.

What is the seed?

call QueryPerformanceCounter test eax, eax I am having problem here.

issue fixed seem