Tuts 4 You

All Activity


  1. Past hour
  2. Today
  3. Gh05st

    Set a breakpoint for a visual element in x64dbg

    Another thing: you can use a spy utility like Winspector (mentioned earlier) to find the correct window handle BUT also to get the WM message being used. The WM message might not be WM_COMMAND as it usually is; most developers that write code that they don't want analysed will perform various methods to make it as hard as possible for you to reverse their software. Or they will use 3rd party software to jumble the code, and lots of other methods invented to detect and avoid debuggers. In this case you might find that the code you are looking for is in weird places and started by Windows messages other than the usual ones. If you had to add message breakpoints for every message type it would be frustrating AF. So open Winspector and find the correct handle using the "Click and drag" function, then right click and select 'Message' -> a new window will open. The idea is to get all the Windows messages being sent by that particular handle to Windows APIs so you can track down which message is being used. These spy utilities are often glitchy and I ran into a problem as I was writing this article. I tried to get the messages being sent by notepad.exe and came up with no output. Turns out it was the architecture of the notepad executable being used by Windows 10. I haven't done the research on exactly why this is happening, but using ...\system32\notepad.exe (which is supposed to be the x86 architecture) I got no output from a 64bit OS but got output from ...\SysWow64\notepad.exe (the x64 version). Anyway, if I want to find the message that corresponds to typing the letter 'a' into the notepad editor, it will go something like this:

    1.jpg: all messages displayed with no filter
    2.jpg: after a message filter was applied to capture the message for a keydown event when I type something into the textbox ('a' key was pressed)

    I hope this helps you
  4. Gh05st

    Set a breakpoint for a visual element in x64dbg

    Also, here is a list of common Windows messages: https://wiki.winehq.org/List_Of_Windows_Messages I'm assuming you're using Windows.
  5. Gh05st

    Set a breakpoint for a visual element in x64dbg

    Here: https://x64dbg.com/blog/2017/07/07/messages-breakpoints-in-x64dbg.html This will probably be the best guide you can ask for.
  6. Gh05st

    Set a breakpoint for a visual element in x64dbg

    Easiest way, if the program was written in an event based programming language, is to use a message breakpoint. In x64dbg go to the Handles tab and refresh, select the correct window Handle (use Winspector to get that info) for the element you want, then right click on it and set a memory breakpoint to trigger on that instance only and on the correct Windows message. WM_LBUTTONUP/DOWN is a common event, others are WM_COMMAND etc. To test: select a textbox Handle and set a memory breakpoint for WM_KEYUP; the program should pause right after you release the key on the keyboard. The program will break inside Windows API code; chances are you will want to be in user code if the program isn't using anti anti-debug techniques. To get inside user code from where the code breaks is as simple as using the shortcut Alt+F9 (Run to user code), which will drop you exactly where you want to be, or at least as close as you can get with a memory breakpoint.
  7. BlackHat

    Unpack Challenge (Agile.NET)

    Lots of Love for Your Work. ❤️
  8. Yesterday
  9. GameHackerPM

    Unpack Challenge (Agile.NET)

    I still couldn't fix the delegates (Methods VM) , I sent you a message via Email, please check it.
  10. Hi, I have a problem with a CrackMe I'm working on. After I click the button to verify the code it works fine if the debugger doesn't break. When the debugger breaks on the WM_LBUTTONUP Windows message the verification code doesn't run, so it doesn't give me the message box saying the code is invalid. The CrackMe was written in VB6 with some anti-debugging software being used (don't know which, VMProtect is suspected). Debugger being used is x64dbg with ScyllaHide. I'm a bit stumped by the anti-debugging method being used... Any input or suggestions would be very much appreciated. Thnx
  11. N0P/ribthegreat99

    Unpack Challenge (Agile.NET)

    https://github.com/ribthegreat99OrN0P/Agile.NET-Deobfuscator @GameHackerPM @BlackHat To fix delegates, control flow, and strings, here you go: I've made a tool with many comments to help you understand!
  12. Defender is not a real AV, like any other free AV. Maybe your issue is an update related issue.
  13. Last week
  14. Am4t3uR

    Offset Patcher problem c++

    @robocopip, is it possible to provide this specific Offset patcher's template as is (without changes)? Or even better the original link of the template? -Thanks!
  15. https://www.rizonesoft.com/downloads/rizonesoft-office/
  16. Hi deep, so I also thought that WD would be fine for my tasks (more as a normal user), especially when using Windows 10. So sometimes WD doesn't react 100% when I disable the realtime scanner for a while and WD still does say something / detect. Otherwise when WD moves any file into Q then it's easy to restore it, but the problem in this case is that sometimes it just works for a few days and then it gets detected again. I mean it's not working 100% to mark any file manually as clean or to tell WD to say nothing more about that file XY. Not sure why. greetz
  17. WD is fine. Modern AV aren't exactly very deterministic things. If you have a problem with a false positive, just disable it.
  18. https://github.com/mrexodia/NtPhp
  19. Hi guys, just have a small question about ffmpeg and using a proxy IP address to bypass some GEO checks etc. So in the doc of ffmpeg I can find the command line arg called...

    -http_proxy <string> ED....... set HTTP proxy to tunnel through

    ...and was trying to use it but it always fails. -http_proxy "IP:port" ...anyhow it doesn't seem to work. In the debug log it does recognize the command line option -http_proxy....

    Reading option '-http_proxy' ... matched as AVOption 'http_proxy' with argument '12.345.345.55:1234'.
    ....
    ....
    Starting connection attempt to 3.333.33.333 port 443 ; <--- main address not proxy address
    Successfully connected to 3.333.33.333 port 443
    [https @ 000001...] request: GET / ...etc
    ....
    [https @ 000001...] HTTP error 403 Forbidden

    ...so I don't see any info about the connection to the proxy. On the other hand I tried using youtube-dl with the --proxy parameter and this works. So all in all I just wanted to know how to use the proxy parameter for ffmpeg for the http & https proxy version. Does anyone know it? Or maybe ffmpeg doesn't support it (would wonder if so). I tried all possible write styles...

    -http_proxy "12.345.345.55:1234"
    -http_proxy "http://12.345.345.55:1234"
    -http_proxy "https://12.345.345.55:1234"

    ...but I never see any info in the debug log about any connection or sending a request etc. to this proxy address. It just doesn't connect to it or try to connect to it. Anyway, so maybe anyone of you knows how to use this proxy command for ffmpeg correctly and can tell me how to tell ffmpeg to use the proxy. Thank you
  20. bruhware2811

    VMProtect v3.4.0.1155

    Hey can somebody teach me how to unpack vmprotect for .net? I would be really thankful.
  21. https://www.bleepingcomputer.com/news/security/net-core-vulnerability-lets-attackers-evade-malware-detection/ bonus medium.com/pcmag-access/former-intel-engineer-explains-why-apple-switched-to-arm-deba86e560b1 Hard Disk Hacking (2013) - spritesmods.com/?art=hddhack&page=1
  22. https://carolchen.me/blog/jits-intro/
  23. Hi guys, thanks for your feedback so far. Today I found a new strange behavior of WD! Right now I started my PC and see that WD has already updated to a new def file, see the version.. ....now I do the same as yesterday and copy the BAD files from my rar package into a free folder. So remember, when I did this yesterday WD prevented it because of an alert etc, but today, oh wonder, it does work and WD doesn't say anything!=? So I got 2 different file versions of the same file which got detected yesterday on my main OS but today all is fine. But I also see some differences. One file gets marked with that WD shield icon on the icon (don't remember anymore what that means etc) but the other file doesn't get that shield icon on the icon. Another difference to yesterday is that both files had missing entries in the details tab (right mouse / details) but today all details are present!=? What's this? How can this be? Do you have any clues about that? Yesterday all bad (main OS only) and today all fine. Hm. Maybe you are right atom0s with that scan thing there. So I am using the same settings for WD in the VM too. Just enabled the realtime scan option and manipulation option. The other cloud stuff / sending examples I have disabled. So what app should I use in the first place then? greetz
  24. Also Windows Defender might have options to do live cloud verification or other levels of threat verification like generic heuristics. Is the web connection enabled in the VM and are all Windows Defender settings the same? Virustotal style hash checking and stuff are becoming more common in antivirus apps lately for having access to a more up to date and broader database that allows vendors to find viruses earlier as well. Could even be some random spyware setting in your Windows account profile, usually under the title of "help Microsoft improve our products and user experience" type of option. Or Windows Defender is so smart that it knows when you are in a VM or sandbox you are probably studying the viruses and do not want to block them. But doubt it.
  25. GameHackerPM

    Unpack Challenge (Agile.NET)

    Any ETA?
  26. Updates between Windows 10 machines are not always equal regardless of what date/version things say. They roll things out in batches and based on each device's hardware and other qualifying identifiers. Windows Defender symbols and definitions work in a similar manner. So both of your setups may show the same version of WD, but the definitions could be different as one of the machines probably hasn't gotten "permission" to obtain the latest stuff yet. That said, the detection difference could just be an updated difference in the definitions they pushed, or that the way WD detected things was done in a different order. (Pretty sure their scanner does multi-threaded scans for performance purposes, so one of the threads may have hit the other detection before another thread completed etc. and it just shows what was found first.)
  27. You shouldn't be using WD in the first place.
  28. Hi guys, I found something strange today. I was checking some of my folders I uncompressed a while ago. Now on checking those folders via mouse I got a detection message by WDefender about found virus xy bla bla. I thought ok, but why was it not detected before!? WDefender removed some files now when I was checking some folders manually. Now I wanted to know what it is and got 2 different names....

    Trojan:Win32/Ymacco.AA41
    Trojan:Win32/Ymacco.AA51

    ...some trojan, and I just wondered and thought it would maybe be a false alert, and to verify that I started my VBox with Windows 10 x64 (same OS I also work on as normal OS). I also updated Windows 10 today to have the same update status on my real OS & VM too = same Windows Defender update status, definition files etc. All the same now so far. Now I just copied my "trojan files" detected by Windows Defender into my VM OS and checked the files with Windows Defender too of course, but surprise surprise, Windows Defender tells me that everything is alright and nothing was detected. Hm! Pretty STRANGE! Now I dragged / dropped the files back to my main OS but it wasn't possible because Windows Defender stopped it and tells me that a Trojan was found in the files I wanted to drag. Hm! Now the big question is.....WHAT THE HECK is going on!? How can this be possible? The same file gets detected as trojan and also as clean using the same Windows Defender app which are both up2date!=? Of course I am pretty sure that it's a false alert about those files, but how can it be possible to get those different results? Normally I should get the same results of course because Windows Defender is up2date. Pretty strange. Has anyone any explanation for that behavior? greetz