All Activity
This stream auto-updates
- Today
-
lovap16965 joined the community
-
Manaferre joined the community
-
zahid.singhh joined the community
-
ibrahimserhat joined the community
-
DERDER joined the community
-
PAPOL joined the community
-
kitwit joined the community
-
FleTime joined the community
- Yesterday
-
To my luck the 1st program I want to use with X64BDG has issues. It seems that the program cannot open without also opening an INI setting file which might be the reason it does not run from within the program. I am new to it so I am not sure what I am doing. I tried attaching a process and DLL and a process to get it to open but with no luck. Please find below the link to the small program. https://www.sordum.org/7941/askadmin-v1-6/ Please assist.
-
Rosebud joined the community
-
I was debugging an application that loads many DLLs Trying to search for a pattern pops up this dialog after 2 or 3 seconds I'm using this snapshot : snapshot_2019-11-13_01-33
-
mrexodia, thanks for fixing it and for making this wonderful tool! Now I'm using the new memcpy command! :)
-
Thanks for your great reproduction steps! The issue has been fixed and a new snapshot should be out soon.
- Last week
-
Hi, I made a simple x64dbg script that copies DWORD values from source to a destination buffer. The problem is that it crashes the debugger with EXCEPTION_ACCESS_VIOLATION. It doesn't happen all the times though, but it's pretty often. If I debug the script (using TABs) the crash does not occur. Increasing the size of the buffer seems to increase the probability of occuring the problem. Anybody else having the same problem? More infos below. Script: ; HOWTO: Open any target in the debugger, open this script, and run it. ; Repeat this process many times to ensure it's (not) working. ; I used cip as the src, but the problem happens with any other inputs too. src = cip size = 900 alloc size dest = $result offset = 0 LB_COPY: cmp offset, size jge LB_COPY_END [dest + offset] = [src + offset] add offset, 4 jmp LB_COPY LB_COPY_END: log "Finished free dest ret Exception info: Platform info: x64dbg (32bit), Windows 7 x64 Snapshot: snapshot_2019-11-11_22-25. The problem seems to be present in older versions too. EXCEPTION_DEBUG_INFO: Module Name: x32dbg.dll dwFirstChance: 1 ExceptionCode: C0000005 (EXCEPTION_ACCESS_VIOLATION) ExceptionFlags: 00000000 ExceptionAddress: 722A4B65 x32dbg.722A4B65 (offset: 00074b65) NumberParameters: 2 ExceptionInformation[00]: 00000000 Read ExceptionInformation[01]: 0000000C Inaccessible Address First chance exception on 722A4B65 (C0000005, EXCEPTION_ACCESS_VIOLATION)! Disassembly code where the exception occurs: ; The exception occurs inside x32dbg.dll on the "rep movsd" instruction, which is located at the address 722A4B6 below: 722A4AC | 55 | push ebp | 722A4AC | 8BEC | mov ebp,esp | 722A4AC | 6A FF | push FFFFFFFF | 722A4AC | 68 A86E2F72 | push <x32dbg.sub_722F6EA8> | 722A4AC | 64:A1 00000000 | mov eax,dword ptr fs:[0] | 722A4AD | 50 | push eax | 722A4AD | 83EC 08 | sub esp,8 | 722A4AD | 53 | push ebx | 722A4AD | 56 | push esi | 722A4AD | 57 | push edi | 722A4AD | A1 74CC3672 | mov eax,dword ptr ds:[7236CC74] | 722A4AD | 33C5 | xor eax,ebp | 722A4AD | 50 | push eax | 722A4AD | 8D45 F4 | lea eax,dword ptr ss:[ebp-C] | 722A4AE | 64:A3 00000000 | mov dword ptr fs:[0],eax | 722A4AE | 803D A1643872 00 | cmp byte ptr ds:[723864A1],0 | 722A4AE | 8B1D ACD12F72 | mov ebx,dword ptr ds:[<&GetCurrentThreadId>] | 722A4AF | 74 17 | je x32dbg.722A4B0E | 722A4AF | FFD3 | call ebx | 722A4AF | 3905 F0643872 | cmp dword ptr ds:[723864F0],eax | 722A4AF | 74 18 | je x32dbg.722A4B19 | 722A4B0 | 68 FC653872 | push x32dbg.723865FC | 722A4B0 | FF15 046A3872 | call dword ptr ds:[<&RtlAcquireSRWLockShared>] | 722A4B0 | EB 0B | jmp x32dbg.722A4B19 | 722A4B0 | 68 48673872 | push x32dbg.72386748 | 722A4B1 | FF15 A8D12F72 | call dword ptr ds:[<&RtlEnterCriticalSection>] | 722A4B1 | C645 F3 01 | mov byte ptr ss:[ebp-D],1 | 722A4B1 | 8B4D 0C | mov ecx,dword ptr ss:[ebp+C] | 722A4B2 | 8B55 08 | mov edx,dword ptr ss:[ebp+8] | 722A4B2 | C745 FC 00000000 | mov dword ptr ss:[ebp-4],0 | 722A4B2 | 85C9 | test ecx,ecx | 722A4B2 | 74 10 | je x32dbg.722A4B3E | 722A4B2 | 6905 585D3872 08010000 | imul eax,dword ptr ds:[72385D58],108 | 722A4B3 | 8901 | mov dword ptr ds:[ecx],eax | 722A4B3 | 85D2 | test edx,edx | 722A4B3 | 74 4D | je x32dbg.722A4B8B | 722A4B3 | A1 545D3872 | mov eax,dword ptr ds:[72385D54] | 722A4B4 | 8945 EC | mov dword ptr ss:[ebp-14],eax | 722A4B4 | 8B18 | mov ebx,dword ptr ds:[eax] | 722A4B4 | 3BD8 | cmp ebx,eax | 722A4B4 | 74 39 | je x32dbg.722A4B85 | 722A4B4 | 8D8A 00010000 | lea ecx,dword ptr ds:[edx+100] | 722A4B5 | 894D 0C | mov dword ptr ss:[ebp+C],ecx | 722A4B5 | 8D43 0C | lea eax,dword ptr ds:[ebx+C] | 722A4B5 | 8DB9 00FFFFFF | lea edi,dword ptr ds:[ecx-100] | 722A4B5 | 8BF0 | mov esi,eax | 722A4B6 | B9 42000000 | mov ecx,42 | 42:'B' 722A4B6 | F3:A5 | rep movsd | << Exception occurs here! >> 722A4B6 | 50 | push eax | 722A4B6 | E8 8373FFFF | call <x32dbg.sub_7229BEF0> | 722A4B6 | 8B4D 0C | mov ecx,dword ptr ss:[ebp+C] | 722A4B7 | 83C4 04 | add esp,4 | 722A4B7 | 0101 | add dword ptr ds:[ecx],eax | 722A4B7 | 81C1 08010000 | add ecx,108 | 722A4B7 | 8B1B | mov ebx,dword ptr ds:[ebx] | 722A4B7 | 894D 0C | mov dword ptr ss:[ebp+C],ecx | 722A4B8 | 3B5D EC | cmp ebx,dword ptr ss:[ebp-14] | 722A4B8 | 75 D0 | jne x32dbg.722A4B55 | 722A4B8 | 8B1D ACD12F72 | mov ebx,dword ptr ds:[<&GetCurrentThreadId>] | 722A4B8 | 803D A1643872 00 | cmp byte ptr ds:[723864A1],0 | 722A4B9 | C745 FC FFFFFFFF | mov dword ptr ss:[ebp-4],FFFFFFFF | 722A4B9 | 74 29 | je x32dbg.722A4BC4 | 722A4B9 | FFD3 | call ebx | 722A4B9 | 3905 F0643872 | cmp dword ptr ds:[723864F0],eax | 722A4BA | 74 2A | je x32dbg.722A4BCF | 722A4BA | 68 FC653872 | push x32dbg.723865FC | 722A4BA | FF15 0C6A3872 | call dword ptr ds:[<&RtlReleaseSRWLockShared>] | 722A4BB | B0 01 | mov al,1 | 722A4BB | 8B4D F4 | mov ecx,dword ptr ss:[ebp-C] | 722A4BB | 64:890D 00000000 | mov dword ptr fs:[0],ecx | 722A4BB | 59 | pop ecx | 722A4BB | 5F | pop edi | 722A4BB | 5E | pop esi | 722A4BB | 5B | pop ebx | 722A4BC | 8BE5 | mov esp,ebp | 722A4BC | 5D | pop ebp | 722A4BC | C3 | ret | 722A4BC | 68 48673872 | push x32dbg.72386748 | 722A4BC | FF15 A4D12F72 | call dword ptr ds:[<&RtlLeaveCriticalSection>] | 722A4BC | B0 01 | mov al,1 | 722A4BD | 8B4D F4 | mov ecx,dword ptr ss:[ebp-C] | 722A4BD | 64:890D 00000000 | mov dword ptr fs:[0],ecx | 722A4BD | 59 | pop ecx | 722A4BD | 5F | pop edi | 722A4BD | 5E | pop esi | 722A4BD | 5B | pop ebx | 722A4BD | 8BE5 | mov esp,ebp | 722A4BE | 5D | pop ebp | 722A4BE | C3 | ret | copy-crash-script.txt
-
AlisaCodeDragon changed their profile photo
-
Unpack Challenge (Agile.NET)
N0P/ribthegreat99 replied to </DarkCod3r> (IRAN)'s question in UnPackMe (.NET)
JitDumperv4.rar -
Strange VB injector sample, no injection behavior on physical/virtual machine
UniqueLegend posted a topic in Malware Reverse Engineering
Hi all: Recently I've analyzed a VB malware sample. This VB injector runs on physical analyzer machine (Win7 x86) and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and sends DNS request to C&C server. By the way, the VC runtime library and .NET framework 2&4 are already installed on the virtual machine. I have not found any way to make the sample appear any injection behavior by checking Process Monitor yet. Can anyone figure out the reason, it's welcome to communicate, or is there anyone who can dump out its Trojan body, please let me know, thks a lot... The password of the sample zip package is "infected". Do not run or debug on the real machine! ANY.RUN report (PC-side access): https://app.any.run/tasks/2be96389-5c11-4541-b3b2-bb027f445add/ Hybrid Analysis report: https://www.hybrid-analysis.com/sample/0e0a3f5fa2d7e092dbb9e31b55e8f1dc6879673d9af92735577522dc504e7af9?environmentId=120 VB_Injector_password_infected.zip -
Cuda force use mad.lo.u32 for ROTATE_LEFT
CodeExplorer replied to CodeExplorer's topic in Programming and Coding
This optimization won't work: https://docs.nvidia.com/gameworks/content/developertools/desktop/analysis/report/cudaexperiments/kernellevel/achievediops.htm ADD Weighted sum of all executed integer additions (IADD). The default weight is 1. MUL Weighted sum of all executed integer multiplications (IMUL). The default weight is 1. MAD Weighted sum of all executed integer multiply-add (IMAD) instructions. The default weight is 2. 1(add)+1(mul) = 2 (mad) so there is no speed improvement. -
Cuda force use mad.lo.u32 for ROTATE_LEFT ??? Compute Capability 1.2 __global__ void fun(unsigned int * mem) { int a = 3; int b = 5; int c = 6; int d; asm("mad.lo.u32 %0, %1, %2, %3;": "=r"(d) : "r"(a), "r"(b), "r"(c) : ); // d = a*b+c *mem = d; } This produce good result, anyway when I define (try): #define ROTATE_LEFT2(x, n) (int)x*(1>>(32-n))+(x<<(int)n) there is no mad instruction. References: https://www.openwall.com/lists/john-dev/2012/03/22/7 https://devtalk.nvidia.com/default/topic/489750/ptx-assembly-help-33-/ https://devtalk.nvidia.com/default/topic/478578/integer-mad-instruction/ https://www.blackhat.com/presentations/bh-usa-09/BEVAND/BHUSA09-Bevand-MD5-SLIDES.pdf
-
Unpack Challenge (Agile.NET)
ElektroKill replied to </DarkCod3r> (IRAN)'s question in UnPackMe (.NET)
Could you provide a download for JitDumper ? I can’t find it any where -
Unpack Challenge (Agile.NET)
N0P/ribthegreat99 replied to </DarkCod3r> (IRAN)'s question in UnPackMe (.NET)
I have unpacked most of the protections just need someone to complete the last part of it, the calls/delegates!! Instructions: 1. Jit-dump the executable with JitDumper3/4 enable the checkbox (Dump MD). 2. Clean the (String And Flow) with SimpleAssemblyExplorer(SAE) checking the checkbox (Delegates} as well. 3. De4dot. Files.rar -
https://www.virustotal.com/gui/file/279a3b9c15611f6198122c6d346a4560788760829e9e7fda224097156cf55639/detection
-
Language : Delphi Platform : Windows OS Version : Windows 7,8,8.1,10 Packer / Protector : VM Description A Simple CrackMe Solve the missing key. The key is just a number. After you done it, post a simple write-up plz. I upload the file to my github because of the file size. Good Luck XD KungsCrackMe.exe (7.68MB)
-
C# is there App for replacing IL Instructions?
notARedTeamer replied to ewwink's topic in Programming and Coding
I think ILSpy + Reflexil can do it too. -
How to find First window of newly created process
necroxia replied to GautamGreat's topic in Programming and Coding
hi bro you can give me it source code -
Yara has been removed from x64dbg quite a while ago, but for yara I used: https://github.com/mrexodia/yara_vs13 to compile with VS2013.
-
https://medium.com/syscall59/solved-solving-mexican-crackme-82d71a28e189
-
@@CreateAndInject : That post was hidden from view (only moderators can see it). There is another Drin post where he only posted unpacked exe with no explanation at all so it was removed from view!
-
dnguard so good :))
- Earlier
-
@CodeExplorer : There's only one post by @Drin in July 21, so where did you see his post in July 17?
-
hello, I apologize if it has nothing to do with this post, I'm decompressing with ManagedJiterFr4.exe but I get the following errors why? how can i solve?
-
FFmpeg - Audio bitrate not same
LCF-AT replied to LCF-AT's topic in General Discussions and Off Topic
Hi guys, I have another new question and cant find a working command for ffmpeg.The question is whether there is any command I can use to aboard ffmpeg when no datas are comming anymore or something failed etc? Example: When I watch any HLS stream and the stream isnt working anymore (need to update) then ffmpeg dosent stop for a longer while and I see the info "Last messages repeated" X times running go on and does increase the counter.So is there any command to limit the repeating times to any value like 5 and then ffmpeg should aboard etc?I tried already the command -max_reload 5 and also -timeout 5 but without full success.Also in cases of diffrent response errors like Bad Gateway 502 it seems trying to reconnect (in description I can read that reconnect is disabled in default mode) X times and just see again this "Last message repeated X times" info and need to stop this manually via ctrl+c key combo what I want to prevent when ffmpeg runs in hidden mode and just seeing the player (pipe to VLC).In such cases it also dosent work to press the stop button on player = no effect and need to quit vlc & ffmpeg manually from taskmanager.Maybe anyone knows some ffmpeg commands I could use to limit the repeating times etc. greetz -
hello, I apologize if it has nothing to do with this post, I'm decompressing with ManagedJiterFr4.exe but I get the following errors why? how can i solve? this if i try with unpackme
-
Hi guys, after long time of checking my internet stuff I still have a little issue to stuck in a function for a long time also with setting a timeout. Problem 1: I do stuck a longer time in the select function before it returns = Why? Problem 2: I do stuck a longer time in the SSL_write function before it returns = Why?Also if I send less bytes.I thought it would also aboard if the timelimit has reached but no. Those problems happens anyhow randomly more or less.I wrote a realtime logger before accessing any function and to see where it stucks for a longer time and mostly its just the select & SSL_write function.My question now are how to prevent this stuck process in those function and to force a aboard?One time it did stuck on SSL_write forever without to return anymore and I had to quit my app.Just wanna prevent such problems if possible.I am using the ioctlsocket & ioctlsocket & select method to set a timeout on write postet before by evlncrn8.Below a example code I am using similar (MASM style). bool connect(char *host,int port, int timeout) { TIMEVAL Timeout; Timeout.tv_sec = timeout; Timeout.tv_usec = 0; struct sockaddr_in address; /* the libc network address data structure */ sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); address.sin_addr.s_addr = inet_addr(host); /* assign the address */ address.sin_port = htons(port); /* translate int2port num */ address.sin_family = AF_INET; //set the socket in non-blocking unsigned long iMode = 1; int iResult = ioctlsocket(sock, FIONBIO, &iMode); if (iResult != NO_ERROR) { printf("ioctlsocket failed with error: %ld\n", iResult); } if(connect(sock,(struct sockaddr *)&address,sizeof(address))==false) { return false; } // restart the socket mode iMode = 0; iResult = ioctlsocket(sock, FIONBIO, &iMode); if (iResult != NO_ERROR) { printf("ioctlsocket failed with error: %ld\n", iResult); } fd_set Write, Err; FD_ZERO(&Write); FD_ZERO(&Err); FD_SET(sock, &Write); FD_SET(sock, &Err); // check if the socket is ready select(0,NULL,&Write,&Err,&Timeout); if(FD_ISSET(sock, &Write)) <----- How is this check working? { return true; } return false; } In my case I do check for eax = 0 what means timeout expired,and checking for SOCKET_ERROR (-1).When the return in eax after calling select function is else = success.In my case its 1 for the count of the socket so I am just using one only.Ok so far.In the code above comes a check with the macro FD_ISSET on write fd_set struct.So what does it check there?Does it check whether the socket handle is still in this struct present I did moved before into?Or does it check the count value etc?Not sure about that yet.I tried to produce a manually error in select function to see what happens in this struct but nothing happens there and the values I did set before in this write struct are still same and wasnt zero-d or something.I also tried to fill the Err fd_set struct with count 1 & same socket handle and in this only the count value gets zero-d.Maybe anyone can tell me how to check this correctly in ASM / MASM or just telling simple.I just wanna produce a code with timeout (always using it) which works for 100% without to hang anywhere for a long time or forever you know. AddOn question: So if I see it right then I can set a timeout for send / SSL_write = write fd_set struct & recv / SSL_read = read fd_set struct and this Error fd_set struct.What about a connection timeout for connect function?Also doable or needed?Just asking.Would be nice if anyone could help a little with that whole timeout issues and how to make it correctly for 100% to prevent hangs anywhere. Thank you
-
[Help] Build Scylla Source with Visual Studio 2013
Benten replied to Benten's topic in Scylla Imports Reconstruction
Hi again, The original repositry is not for VS2013 or above it seems, the fix below works very well for me [at the expense of throwing away XP compatibility]. LonghronShen Forked Scylla I hope this help others like me, it makes me wonder why tuts4you never got to mention it anywhere. If someone finds this useful, please don't forget to give a reaction to this post. Regards, Ben- 1 reply
-
- 1
-
