Tuts 4 You

All Activity

  1. Today
  2. 2 downloads

    This dissertation shows that integration of dynamic and static information aids the performance of reverse engineering tasks. An experimental environment called Shimba has been built to support reverse engineering of Java software systems. The static information is extracted from Java byte code [118]. It can be viewed and analyzed with the Rigi reverse engineering tool [74]. The dynamic event trace information is generated automatically as a result of running the target system under a customized Java Development Kit (JDK) debugger. Information about the dynamic control flow of selected objects or methods can also be extracted. The event trace can then be viewed and analyzed with the SCED tool. To support model comprehension, the models built can be used to modify and improve each other by means of information exchange, model slicing, and building abstractions.
  3. Teddy Rogers

    Notes on Reversing Java (1-3)

    1 download

    Notes on Reversing Java - Part 1
    Notes on Reversing Java - Part 2
    Notes on Reversing Java - Part 3
  4. Teddy Rogers

    Javascript Obfuscation Reversing

    1 download

    Imagine a JavaScript encoding method that produces files that contain no alphanumeric characters, only symbols such as ‘$’, ‘_’, and ‘+’. It would be difficult to imagine how it could possibly work, but unfortunately one such encoder exists. It is called ‘JJEncode’. A demonstration version is freely available from the author’s website, and has already been used in malware. This article provides a detailed description of how it works.
  5. Teddy Rogers

    Java Reversing

    1 download

    The following is a sample tutorial on Java reversing. The reader must know the architecture and Java JVM asm, however I will report some essentials during the article.
  6. Teddy Rogers

    Reversing Java Programs (1-2)

    1 download

    This tutorial is supposed to be an easy tutorial since cracking JAVA is easy - of course with proper tools. It is not like when we unpack Themida .NET. In this tutorial I've posted links to the homepages of some JAVA obfuscators and Java to exe convertors; you may use these programs to protect some jars and see what these protections do.
  7. 2 downloads

    Java programs distributed through the Internet are now suffering from program theft. This is because Java programs can be easily decomposed into reusable class files and even decompiled into source code by program users. In this paper we propose a practical method that discourages program theft by embedding Java programs with a digital watermark. Embedding a program developer's copyright notation as a watermark in Java class files will ensure the legal ownership of class files. Our embedding method is indiscernible by program users, yet enables us to identify an illegal program that contains stolen class files. The result of the experiment to evaluate our method showed most of the watermarks (20 out of 23) embedded in class files survived two kinds of attacks that attempt to erase watermarks: an obfuscator attack, and a decompile-recompile attack.
  8. hi all can some one please tell me what does this code do?

        private boolean d(String paramString) {
            boolean bool = false;
            byte[] arrayOfByte = paramString.getBytes();
            if (arrayOfByte.length == 26) {
                byte b1 = 0;
                byte b2 = 0;
                while (b1 < 24) {
                    b2 = (byte)(b2 ^ arrayOfByte[b1]);
                    b1++;
                }
                if ((b2 & 0xF) == -65 + arrayOfByte[25] && (0xF & b2 >> 4) == -65 + arrayOfByte[24])
                    bool = true;
            }
            return bool;
        }
  9. Yesterday
  10. Teddy Rogers

    Adding Imports by Hand

    1 download

    Building up all the imports information and adding imports (both by hand).
  11. 0 downloads

    Tutorial explaining the methods involved in rebuilding the IAT of an ASProtect packed and protected target.
  12. 0 downloads

    An example of fixing ASPR 2.11 SKE IAT with code injection.
  13. 0 downloads

    In this article I'm going to explain the IT's protection: Emulate standard system function, on a TASM\MASM software.
  14. 1 download

    The new ASPR has come onto the scene and some new tricks (based on old ones) have been seen in that packer. The most sophisticated one is IAT destruction and how ASPR resolves the IAT addresses in the exe.
  15. 0 downloads

    When you're writing a crypter/packer it is necessary that you crypt/compress the Import Table and have some mechanism by which you change the Directory entry to point to your own Import Directory. The Import Directory is a must in PEs because the image won't run if there is no Import Directory, Win2k = nothing and XP = fault (I think), so this tutorial is about this process, still interested?
  16. 0 downloads

    In this tutorial I will show you how ImpRec works when it tries to find and validate the Imports from three specific protectors: ASProtect, Yodas Crypter and teLock.
  17. 1 download

    Let's imagine we could redirect the thoroughfare of the imported function's entrances into our especial routines by manipulating the import table thunks, it could be possible to filter the demands of the importations through our routines. Furthermore, we could settle our appropriate routine by this performance, which is done by the professional Portable Executable (PE) Protectors, additionally some sort of rootkits employ this approach to embed their malicious code inside the victim by a Trojan horse. In reverse engineering world, we describe it as API redirection technique, nevertheless I am not going to accompany all viewpoints in this area by source code, this article merely represents a brief aspect of this technique by a simple code. I will describe other issues in the absence of the source code; I could not release the code which is related to the commercial projects or intended to the malicious motivation, however I think this article could be used as an introduction into this topic.
  18. 0 downloads

    Well i wrote this essay because i was working on a process dumper, when I saw that many compressors/encrypters make the Import table unusable, and then, the dumped executables needed to have their import table rebuilt. I saw no essay about this on common win32asm sites, so here is a little help if you are interested in.
  19. 1 download

    This article demonstrates a couple of steps to rebuild the whole IAT table and to inject your DLL in a portable executable file without having to recompile the source code.
  20. 2 downloads

    For a Reverse Engineer, rebuilding a large Import Address Table (IAT) can be a very time-consuming and tedious process. When the IAT has been sufficiently hashed or munged and current IAT rebuilders fail to resolve any of the calls, there is little other choice than to rebuild it by hand. Depending on the size, it can take days or even weeks. Also, doing anything by hand is prone to mistakes. QuietRIATT is an IDA Pro plug-in which automates the process of rebuilding the IAT when it can't be done by current IAT tools. Not only can it greatly reduce the amount of time spent rebuilding by hand, it also removes the element of human error.
  21. 0 downloads

    There are various documents around explaining PE, but I decided to write about the import table in detail as it is usually an interest to crackers.
  22. 1 download

    This tutorial should explain how to add imports to a PE file. I hope I can explain it understandable without forgetting important details. The tutorial structure is following:
    Part one: some theoretical words about adding imports manually
    Part two: we'll have a look at our simple file I've coded for this tut, then we'll add imports to it.
    Bonus Part: we'll inject some code which uses our new imports
  23. 2 downloads

    After having finally understood the section table of a PE, I started to look at the Import Table. In the Import Table is stored which functions from which DLLs are used by the prog. So it's quite interesting but much more complicated than the section table because we have to use RVAs quite often. I will say some words about them before really starting examining the Import Table. Tool needed is a hex editor (I use Hex WorkShop). I will describe Import Tables in general and after that we will test our knowledge with an example. You should also have some knowledge about PE file-format. I'm also a beginner so don't blame me if not everything is absolutely right. I just want to help other newbies in understanding the PE file-format. Instead I would be happy if someone would tell me what is wrong! Last word here: Sorry for my bad English, it's not my mother tongue! Ok, lets start.
  24. 2 downloads

    With 64-bit packers and protectors being released, there is presently a growing need to create new tools to facilitate the manual unpacking process and to make it as trivial as it is now for protected 32-bit executables. I'm proposing two brand-new tools: CHimpREC and CHimpREC-64, allowing the spirit of ImpREC to live on under the best possible compatibility with all the x64 versions of the Windows operating system. This talk is about explaining the inner-workings of coding a 32-bit imports rebuilder and the problems encountered due to the WoW64 environment and Address Space Layout Randomization. Next, is an overview of the differences between the PE and PE32+ formats and their impact on porting CHimpREC to 64-bit. Finally, 2 or 3 short live unpacking sessions with different examples of 64-bit packers and how trivial it has become to deal with them with the help of CHimpREC-64.
  25. 2 downloads

    Import Libraries are dlls that an executable image is bound to. Much of Windows core functionality is found in dlls that MS provides and is how applications interact with the base Windows services. Function addresses in the binary file of a dll are not static, as new versions come out they are destined to change, so applications cannot be built using a hardcoded function address. When an executable is first loaded, the Windows loader is responsible for reading in the file's PE structure and loading the executable image into memory. One of the other steps it takes is to load all of the dlls that the application uses and map them into the process address space. The executable also lists all of the functions it will require from each dll. Because the function addresses are not static a mechanism had to be developed that allowed for these variables to be changed without needing to alter all of the compiled code at runtime. This was accomplished through the use of an import address table. This is a table of function pointers filled in by the Windows loader as the dlls are loaded.
  26. 1 download

    It has been a little while since I have made tutes because of work problems that I am experiencing, all they know is that perhaps it will speed up soon and until then find new work. It’s probable that this is my last tute. Before not being able to write for a while, until I return back to work, therefore the idea is to make a simple tute, because the truth is I am quite despondent, but I hope to help someone with this, someone that doesn’t have a clear vision of Import tables and their value. Of course what I learned of Import Tables I owe it to Yates and his tutes so if you want to read Yates’ tutes of course go read them. They are very good and will be the best logically.
  27. Teddy Rogers

    ActiveMARK 6.xx (Inline Patching)


    ActiveMARK 6.xx (Inline Patching) Part 1
    ActiveMARK 6.xx (Inline Patching) Part 2
    ActiveMARK 6.2 (Inline Patching)