Jump to content
Tuts 4 You

All Activity

This stream auto-updates     

  1. Today
  2. Yesterday
  3. To my luck the 1st program I want to use with X64BDG has issues. It seems that the program cannot open without also opening an INI setting file which might be the reason it does not run from within the program. I am new to it so I am not sure what I am doing. I tried attaching a process and DLL and a process to get it to open but with no luck. Please find below the link to the small program. https://www.sordum.org/7941/askadmin-v1-6/ Please assist.
  4. I was debugging an application that loads many DLLs Trying to search for a pattern pops up this dialog after 2 or 3 seconds I'm using this snapshot : snapshot_2019-11-13_01-33
  5. dudeme

    x64dbg crashing randomly when running a script

    mrexodia, thanks for fixing it and for making this wonderful tool! Now I'm using the new memcpy command! :)
  6. mrexodia

    x64dbg crashing randomly when running a script

    Thanks for your great reproduction steps! The issue has been fixed and a new snapshot should be out soon.
  7. Last week
  8. Hi, I made a simple x64dbg script that copies DWORD values from source to a destination buffer. The problem is that it crashes the debugger with EXCEPTION_ACCESS_VIOLATION. It doesn't happen all the times though, but it's pretty often. If I debug the script (using TABs) the crash does not occur. Increasing the size of the buffer seems to increase the probability of occuring the problem. Anybody else having the same problem? More infos below. Script: ; HOWTO: Open any target in the debugger, open this script, and run it. ; Repeat this process many times to ensure it's (not) working. ; I used cip as the src, but the problem happens with any other inputs too. src = cip size = 900 alloc size dest = $result offset = 0 LB_COPY: cmp offset, size jge LB_COPY_END [dest + offset] = [src + offset] add offset, 4 jmp LB_COPY LB_COPY_END: log "Finished free dest ret Exception info: Platform info: x64dbg (32bit), Windows 7 x64 Snapshot: snapshot_2019-11-11_22-25. The problem seems to be present in older versions too. EXCEPTION_DEBUG_INFO: Module Name: x32dbg.dll dwFirstChance: 1 ExceptionCode: C0000005 (EXCEPTION_ACCESS_VIOLATION) ExceptionFlags: 00000000 ExceptionAddress: 722A4B65 x32dbg.722A4B65 (offset: 00074b65) NumberParameters: 2 ExceptionInformation[00]: 00000000 Read ExceptionInformation[01]: 0000000C Inaccessible Address First chance exception on 722A4B65 (C0000005, EXCEPTION_ACCESS_VIOLATION)! Disassembly code where the exception occurs: ; The exception occurs inside x32dbg.dll on the "rep movsd" instruction, which is located at the address 722A4B6 below: 722A4AC | 55 | push ebp | 722A4AC | 8BEC | mov ebp,esp | 722A4AC | 6A FF | push FFFFFFFF | 722A4AC | 68 A86E2F72 | push <x32dbg.sub_722F6EA8> | 722A4AC | 64:A1 00000000 | mov eax,dword ptr fs:[0] | 722A4AD | 50 | push eax | 722A4AD | 83EC 08 | sub esp,8 | 722A4AD | 53 | push ebx | 722A4AD | 56 | push esi | 722A4AD | 57 | push edi | 722A4AD | A1 74CC3672 | mov eax,dword ptr ds:[7236CC74] | 722A4AD | 33C5 | xor eax,ebp | 722A4AD | 50 | push eax | 722A4AD | 8D45 F4 | lea eax,dword ptr ss:[ebp-C] | 722A4AE | 64:A3 00000000 | mov dword ptr fs:[0],eax | 722A4AE | 803D A1643872 00 | cmp byte ptr ds:[723864A1],0 | 722A4AE | 8B1D ACD12F72 | mov ebx,dword ptr ds:[<&GetCurrentThreadId>] | 722A4AF | 74 17 | je x32dbg.722A4B0E | 722A4AF | FFD3 | call ebx | 722A4AF | 3905 F0643872 | cmp dword ptr ds:[723864F0],eax | 722A4AF | 74 18 | je x32dbg.722A4B19 | 722A4B0 | 68 FC653872 | push x32dbg.723865FC | 722A4B0 | FF15 046A3872 | call dword ptr ds:[<&RtlAcquireSRWLockShared>] | 722A4B0 | EB 0B | jmp x32dbg.722A4B19 | 722A4B0 | 68 48673872 | push x32dbg.72386748 | 722A4B1 | FF15 A8D12F72 | call dword ptr ds:[<&RtlEnterCriticalSection>] | 722A4B1 | C645 F3 01 | mov byte ptr ss:[ebp-D],1 | 722A4B1 | 8B4D 0C | mov ecx,dword ptr ss:[ebp+C] | 722A4B2 | 8B55 08 | mov edx,dword ptr ss:[ebp+8] | 722A4B2 | C745 FC 00000000 | mov dword ptr ss:[ebp-4],0 | 722A4B2 | 85C9 | test ecx,ecx | 722A4B2 | 74 10 | je x32dbg.722A4B3E | 722A4B2 | 6905 585D3872 08010000 | imul eax,dword ptr ds:[72385D58],108 | 722A4B3 | 8901 | mov dword ptr ds:[ecx],eax | 722A4B3 | 85D2 | test edx,edx | 722A4B3 | 74 4D | je x32dbg.722A4B8B | 722A4B3 | A1 545D3872 | mov eax,dword ptr ds:[72385D54] | 722A4B4 | 8945 EC | mov dword ptr ss:[ebp-14],eax | 722A4B4 | 8B18 | mov ebx,dword ptr ds:[eax] | 722A4B4 | 3BD8 | cmp ebx,eax | 722A4B4 | 74 39 | je x32dbg.722A4B85 | 722A4B4 | 8D8A 00010000 | lea ecx,dword ptr ds:[edx+100] | 722A4B5 | 894D 0C | mov dword ptr ss:[ebp+C],ecx | 722A4B5 | 8D43 0C | lea eax,dword ptr ds:[ebx+C] | 722A4B5 | 8DB9 00FFFFFF | lea edi,dword ptr ds:[ecx-100] | 722A4B5 | 8BF0 | mov esi,eax | 722A4B6 | B9 42000000 | mov ecx,42 | 42:'B' 722A4B6 | F3:A5 | rep movsd | << Exception occurs here! >> 722A4B6 | 50 | push eax | 722A4B6 | E8 8373FFFF | call <x32dbg.sub_7229BEF0> | 722A4B6 | 8B4D 0C | mov ecx,dword ptr ss:[ebp+C] | 722A4B7 | 83C4 04 | add esp,4 | 722A4B7 | 0101 | add dword ptr ds:[ecx],eax | 722A4B7 | 81C1 08010000 | add ecx,108 | 722A4B7 | 8B1B | mov ebx,dword ptr ds:[ebx] | 722A4B7 | 894D 0C | mov dword ptr ss:[ebp+C],ecx | 722A4B8 | 3B5D EC | cmp ebx,dword ptr ss:[ebp-14] | 722A4B8 | 75 D0 | jne x32dbg.722A4B55 | 722A4B8 | 8B1D ACD12F72 | mov ebx,dword ptr ds:[<&GetCurrentThreadId>] | 722A4B8 | 803D A1643872 00 | cmp byte ptr ds:[723864A1],0 | 722A4B9 | C745 FC FFFFFFFF | mov dword ptr ss:[ebp-4],FFFFFFFF | 722A4B9 | 74 29 | je x32dbg.722A4BC4 | 722A4B9 | FFD3 | call ebx | 722A4B9 | 3905 F0643872 | cmp dword ptr ds:[723864F0],eax | 722A4BA | 74 2A | je x32dbg.722A4BCF | 722A4BA | 68 FC653872 | push x32dbg.723865FC | 722A4BA | FF15 0C6A3872 | call dword ptr ds:[<&RtlReleaseSRWLockShared>] | 722A4BB | B0 01 | mov al,1 | 722A4BB | 8B4D F4 | mov ecx,dword ptr ss:[ebp-C] | 722A4BB | 64:890D 00000000 | mov dword ptr fs:[0],ecx | 722A4BB | 59 | pop ecx | 722A4BB | 5F | pop edi | 722A4BB | 5E | pop esi | 722A4BB | 5B | pop ebx | 722A4BC | 8BE5 | mov esp,ebp | 722A4BC | 5D | pop ebp | 722A4BC | C3 | ret | 722A4BC | 68 48673872 | push x32dbg.72386748 | 722A4BC | FF15 A4D12F72 | call dword ptr ds:[<&RtlLeaveCriticalSection>] | 722A4BC | B0 01 | mov al,1 | 722A4BD | 8B4D F4 | mov ecx,dword ptr ss:[ebp-C] | 722A4BD | 64:890D 00000000 | mov dword ptr fs:[0],ecx | 722A4BD | 59 | pop ecx | 722A4BD | 5F | pop edi | 722A4BD | 5E | pop esi | 722A4BD | 5B | pop ebx | 722A4BD | 8BE5 | mov esp,ebp | 722A4BE | 5D | pop ebp | 722A4BE | C3 | ret | copy-crash-script.txt
  9. N0P/ribthegreat99

    Unpack Challenge (Agile.NET)

  10. Hi all: Recently I've analyzed a VB malware sample. This VB injector runs on physical analyzer machine (Win7 x86) and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and sends DNS request to C&C server. By the way, the VC runtime library and .NET framework 2&4 are already installed on the virtual machine. I have not found any way to make the sample appear any injection behavior by checking Process Monitor yet. Can anyone figure out the reason, it's welcome to communicate, or is there anyone who can dump out its Trojan body, please let me know, thks a lot... The password of the sample zip package is "infected". Do not run or debug on the real machine! ANY.RUN report (PC-side access): https://app.any.run/tasks/2be96389-5c11-4541-b3b2-bb027f445add/ Hybrid Analysis report: https://www.hybrid-analysis.com/sample/0e0a3f5fa2d7e092dbb9e31b55e8f1dc6879673d9af92735577522dc504e7af9?environmentId=120 VB_Injector_password_infected.zip
  11. CodeExplorer

    Cuda force use mad.lo.u32 for ROTATE_LEFT

    This optimization won't work: https://docs.nvidia.com/gameworks/content/developertools/desktop/analysis/report/cudaexperiments/kernellevel/achievediops.htm ADD Weighted sum of all executed integer additions (IADD). The default weight is 1. MUL Weighted sum of all executed integer multiplications (IMUL). The default weight is 1. MAD Weighted sum of all executed integer multiply-add (IMAD) instructions. The default weight is 2. 1(add)+1(mul) = 2 (mad) so there is no speed improvement.
  12. Cuda force use mad.lo.u32 for ROTATE_LEFT ??? Compute Capability 1.2 __global__ void fun(unsigned int * mem) { int a = 3; int b = 5; int c = 6; int d; asm("mad.lo.u32 %0, %1, %2, %3;": "=r"(d) : "r"(a), "r"(b), "r"(c) : ); // d = a*b+c *mem = d; } This produce good result, anyway when I define (try): #define ROTATE_LEFT2(x, n) (int)x*(1>>(32-n))+(x<<(int)n) there is no mad instruction. References: https://www.openwall.com/lists/john-dev/2012/03/22/7 https://devtalk.nvidia.com/default/topic/489750/ptx-assembly-help-33-/ https://devtalk.nvidia.com/default/topic/478578/integer-mad-instruction/ https://www.blackhat.com/presentations/bh-usa-09/BEVAND/BHUSA09-Bevand-MD5-SLIDES.pdf
  13. ElektroKill

    Unpack Challenge (Agile.NET)

    Could you provide a download for JitDumper ? I can’t find it any where
  14. N0P/ribthegreat99

    Unpack Challenge (Agile.NET)

    I have unpacked most of the protections just need someone to complete the last part of it, the calls/delegates!! Instructions: 1. Jit-dump the executable with JitDumper3/4 enable the checkbox (Dump MD). 2. Clean the (String And Flow) with SimpleAssemblyExplorer(SAE) checking the checkbox (Delegates} as well. 3. De4dot. Files.rar
  15. h4sh3m

    My first CrackMe (Very Hard)

  16. SuperKungsMan

    My first CrackMe (Very Hard)

    Language : Delphi Platform : Windows OS Version : Windows 7,8,8.1,10 Packer / Protector : VM Description A Simple CrackMe Solve the missing key. The key is just a number. After you done it, post a simple write-up plz. I upload the file to my github because of the file size. Good Luck XD KungsCrackMe.exe (7.68MB)
  17. notARedTeamer

    C# is there App for replacing IL Instructions?

    I think ILSpy + Reflexil can do it too.
  18. hi bro you can give me it source code
  19. mrexodia

    Rebuild x64dbg

    Yara has been removed from x64dbg quite a while ago, but for yara I used: https://github.com/mrexodia/yara_vs13 to compile with VS2013.
  20. whoknows

    1 Mexican Crackme

  21. CodeExplorer

    DNGuard HVM - Enterprise

    @@CreateAndInject : That post was hidden from view (only moderators can see it). There is another Drin post where he only posted unpacked exe with no explanation at all so it was removed from view!
  22. mamo434376

    DNGuard HVM - Enterprise

    dnguard so good :))
  23. Earlier
  24. CreateAndInject

    DNGuard HVM - Enterprise

    @CodeExplorer : There's only one post by @Drin in July 21, so where did you see his post in July 17?
  25. Cricri

    Beds Protector 4.5

    hello, I apologize if it has nothing to do with this post, I'm decompressing with ManagedJiterFr4.exe but I get the following errors why? how can i solve?
  26. Hi guys, I have another new question and cant find a working command for ffmpeg.The question is whether there is any command I can use to aboard ffmpeg when no datas are comming anymore or something failed etc? Example: When I watch any HLS stream and the stream isnt working anymore (need to update) then ffmpeg dosent stop for a longer while and I see the info "Last messages repeated" X times running go on and does increase the counter.So is there any command to limit the repeating times to any value like 5 and then ffmpeg should aboard etc?I tried already the command -max_reload 5 and also -timeout 5 but without full success.Also in cases of diffrent response errors like Bad Gateway 502 it seems trying to reconnect (in description I can read that reconnect is disabled in default mode) X times and just see again this "Last message repeated X times" info and need to stop this manually via ctrl+c key combo what I want to prevent when ffmpeg runs in hidden mode and just seeing the player (pipe to VLC).In such cases it also dosent work to press the stop button on player = no effect and need to quit vlc & ffmpeg manually from taskmanager.Maybe anyone knows some ffmpeg commands I could use to limit the repeating times etc. greetz
  27. Cricri

    [Easy] UnpackMe DotNetProtector

    hello, I apologize if it has nothing to do with this post, I'm decompressing with ManagedJiterFr4.exe but I get the following errors why? how can i solve? this if i try with unpackme
  28. LCF-AT

    WinSock problem

    Hi guys, after long time of checking my internet stuff I still have a little issue to stuck in a function for a long time also with setting a timeout. Problem 1: I do stuck a longer time in the select function before it returns = Why? Problem 2: I do stuck a longer time in the SSL_write function before it returns = Why?Also if I send less bytes.I thought it would also aboard if the timelimit has reached but no. Those problems happens anyhow randomly more or less.I wrote a realtime logger before accessing any function and to see where it stucks for a longer time and mostly its just the select & SSL_write function.My question now are how to prevent this stuck process in those function and to force a aboard?One time it did stuck on SSL_write forever without to return anymore and I had to quit my app.Just wanna prevent such problems if possible.I am using the ioctlsocket & ioctlsocket & select method to set a timeout on write postet before by evlncrn8.Below a example code I am using similar (MASM style). bool connect(char *host,int port, int timeout) { TIMEVAL Timeout; Timeout.tv_sec = timeout; Timeout.tv_usec = 0; struct sockaddr_in address; /* the libc network address data structure */ sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); address.sin_addr.s_addr = inet_addr(host); /* assign the address */ address.sin_port = htons(port); /* translate int2port num */ address.sin_family = AF_INET; //set the socket in non-blocking unsigned long iMode = 1; int iResult = ioctlsocket(sock, FIONBIO, &iMode); if (iResult != NO_ERROR) { printf("ioctlsocket failed with error: %ld\n", iResult); } if(connect(sock,(struct sockaddr *)&address,sizeof(address))==false) { return false; } // restart the socket mode iMode = 0; iResult = ioctlsocket(sock, FIONBIO, &iMode); if (iResult != NO_ERROR) { printf("ioctlsocket failed with error: %ld\n", iResult); } fd_set Write, Err; FD_ZERO(&Write); FD_ZERO(&Err); FD_SET(sock, &Write); FD_SET(sock, &Err); // check if the socket is ready select(0,NULL,&Write,&Err,&Timeout); if(FD_ISSET(sock, &Write)) <----- How is this check working? { return true; } return false; } In my case I do check for eax = 0 what means timeout expired,and checking for SOCKET_ERROR (-1).When the return in eax after calling select function is else = success.In my case its 1 for the count of the socket so I am just using one only.Ok so far.In the code above comes a check with the macro FD_ISSET on write fd_set struct.So what does it check there?Does it check whether the socket handle is still in this struct present I did moved before into?Or does it check the count value etc?Not sure about that yet.I tried to produce a manually error in select function to see what happens in this struct but nothing happens there and the values I did set before in this write struct are still same and wasnt zero-d or something.I also tried to fill the Err fd_set struct with count 1 & same socket handle and in this only the count value gets zero-d.Maybe anyone can tell me how to check this correctly in ASM / MASM or just telling simple.I just wanna produce a code with timeout (always using it) which works for 100% without to hang anywhere for a long time or forever you know. AddOn question: So if I see it right then I can set a timeout for send / SSL_write = write fd_set struct & recv / SSL_read = read fd_set struct and this Error fd_set struct.What about a connection timeout for connect function?Also doable or needed?Just asking.Would be nice if anyone could help a little with that whole timeout issues and how to make it correctly for 100% to prevent hangs anywhere. Thank you
  29. Hi again, The original repositry is not for VS2013 or above it seems, the fix below works very well for me [at the expense of throwing away XP compatibility]. LonghronShen Forked Scylla I hope this help others like me, it makes me wonder why tuts4you never got to mention it anywhere. If someone finds this useful, please don't forget to give a reaction to this post. Regards, Ben
  1. Load more activity
  • Create New...