Reverse Engineering Articles
Share an interesting blog, news page or other RE related site...
340 topics in this forum

(4 replies, 1.5k views)
Hi folks, I got an issue while using rsatool2 v1.7 for testing a 2048-bit key. It starts well, but after about 30 minutes it exits without any error and no result comes back. Can you advise some solutions?

CSL Course - Cracking Software Legally (CSL) & CSP Course - Cracking Software Practicals (CSP) (by usarmy; 4 replies, 6.3k views)
Instructor: Paul Chin
More info: crackinglessons.com/learn
CSL Course link: https://drive.google.com/drive/folders/1hOOQvXmL8w5TrVG0kLyTI815ochuupJ4 or https://juarewa-my.sharepoint.com/:f:/g/personal/adriancjz_luvedme_xyz/Eot4GoQ-6b9AjINvldZ2da0BTlo-26S7QwcMUphGia9b1Q?e=bbIWoH
CSP Course Part 1 link: https://drive.google.com/drive/folders/1OHrg5Vycfcxg1uRVjsEWLrCPSbfzk917 or https://mega.nz/folder/KwADgara#kA1zVAa8CjT_MuagmUb9Fw
Part 2 link: https://drive.google.com/drive/fo…

Site for reverse engineering tutorials (by R4ndom; 35 replies, 30.8k views)
My name is Random and I have been in the reversing community for a long time. I have started a site offering what I hope to be a long list of tutorials on reverse engineering. I have been doing this quite a while and I really just felt like I owed it to all the people who helped me learn what I know to give something back. I know, I know, "Another site for cracking tutorials", ...great. But hey, I'm just trying to be more active in the community. Anyway, the site is http://www.TheLegendOfRandom.com/blog/ The first several tutorials are done.

(117 replies, 21k views)
Fasten your seatbelts; Flare-On 9 starts on September 30! https://www.mandiant.com/resources/blog/announcing-ninth-flareon-challenge

The Import Address Table is Now Write-Protected... (by Teddy Rogers; 3 replies, 1.3k views)
...and what that means for rogue patching. https://devblogs.microsoft.com/oldnewthing/20221006-07/?p=107257
Ted.

(7 replies, 7.2k views)
A complete research paper: https://ieeexplore.ieee.org/document/9139515 I seriously wonder when this tool will get into the hands of the public; it's going to be doomsday for vmpsoft.

Can you crack the code on this 50-cent coin? (by Teddy Rogers; 0 replies, 1.4k views)
https://www.asd.gov.au/75th-anniversary/events/commemorative-coin-challenge#no-back
Ted.

(8 replies, 6.5k views)
MALDEV2 (Malware Development 2: Advanced Injection and API Hooking)
This course is about more advanced techniques in malware development. It builds on what you have learned in Malware Development and Reverse Engineering 1: The Basics, by extending your development skills with:
- advanced function obfuscation by implementing customized API calls
- more advanced code injection techniques
- advanced DLL injection techniques
- understanding how reflective binaries work and building custom reflective DLLs
- hijacking and camouflaging trojan shellcodes inside legitimate running processes
- memory hooking to subvert the normal flow of a running pr…
-
The Windows 2000 Device Driver Book...
by Teddy Rogers- 3 replies
- 4.6k views
http://rapidshare.com/files/48828169/The.Win2000.Driver.rar Ted.

(0 replies, 2.5k views)
Language: C#
Protections: control flow / string encryption / VM
Difficulty: 5/10 (I don't know)
Goal: full unpack
VirusTotal: https://www.virustotal.com/gui/file/2115c3b027f2c69dca837f976e74fa44932875ac68c0826c5010d55eb421f4b3 (8/66)
Attachment: UnpackMe-s.exe

(0 replies, 4.1k views)
MALDEV1 (Malware Development 1: The Basics)
Description: Many malware analysts perform reverse engineering on malware without knowing the whys. They only know the hows. To fill that knowledge gap, I have created this course. You will learn first-hand, from a malware developer's perspective, which Windows API functions are commonly used in malware, and finally understand why you need to trace them when reversing malware.
Learning methodology: Build programs that simulate Windows trojans and reverse engineer them. This will make you a better reverse engineer and malware analyst, and also a better penetration tester. The best way to understand malware is to b…

Malwarebytes CrackMe (Capture-The-Flag) (by Teddy Rogers; 1 reply, 3.9k views)
Not to be outdone by Flare-On 8, Malwarebytes have released their own CrackMe challenge... https://blog.malwarebytes.com/threat-intelligence/2021/10/the-return-of-the-malwarebytes-crackme/
Ted.
Attachment: MBCrackme.zip

(178 replies, 52.2k views)
Get ready! Source: http://www.fireeye.com/blog/threat-research/2021/08/announcing-the-eighth-annual-flare-on-challenge.html

ARTeam: Primer on Reverse Engineering Symbian 3rd Applications v10 (by Shub-Nigurrath; 12 replies, 11.5k views)
Hi all, this time argv is releasing an interesting, huge primer on reversing Symbian S60 3rd Edition applications. This was something missing from the collection of our tutorials, which I am proud to announce! The tutorial is quite huge (41 MB archive). It includes the reversing of 15 applications, plus the original SIS files (so you can train yourself) and two hacking methods you can use to hack your phone. Hacking your phone means hacking the system so that applications are allowed to access protected system folders (this was one of the protections added to S60 3rd Symbian). Reversers need to hack their phones to ease the reversing process; users of patched apps do not need this st…

V2m 1.0 problem fix with IDA Pro (by r0ger; 1 reply, 3.5k views)
Yeah, today I discovered that most of tPORt's releases, even the ones with v2m's in them (with libv2 1.0 mostly), don't work on Vista and higher, so if you want to test these releases or get some experience with them but you're just too lazy to open them up in XP (or simply don't have it), here's how I did it: I first opened one of tPORt's releases with a v2m in it from my collection in IDA Pro, then analyzed the whole EXE file. The v2m initialization must start with the DirectSoundCreate function in most cases, and it was called from this:
sub_406E82 proc near ; CODE XREF: sub_403DEA+38↑p PS_____:00406E82 PS_____:00406E82 var_9C = d…

(0 replies, 3.8k views)
A complete research paper: https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9312198 A summary of the anti-VM and anti-DBI techniques used in commercial protectors. It is a great read; it would also be awesome to see the techniques mentioned in this paper in an action video by fellow reversers.

(8 replies, 8k views)
A complete article: https://back.engineering/17/05/2021/
Download link: https://githacks.org/vmp2
Author: https://githacks.org/_xeroxz

(1 reply, 4.1k views)
https://www.blackhat.com/us-21/briefings/schedule/index.html#greybox-program-synthesis-a-new-approach-to-attack-dataflow-obfuscation-22930
code: https://github.com/quarkslab/qsynthesis
documentation: https://quarkslab.github.io/qsynthesis/
demo: https://www.youtube.com/watch?v=AwZs56YajJw
slides: https://i.blackhat.com/USA21/Wednesday-Handouts/US-21-David-Greybox-Program-Synthesis.pdf
whitepaper: https://i.blackhat.com/USA21/Wednesday-Handouts/US-21-David-Greybox-Program-Synthesis.pdf

VMPROTECT vs. LLVM (by RYDB3RG; 4 replies, 15.2k views)
Hi, I made a tool that interprets a VMProtect rsi-stream; it records the handlers (or VM instructions) and connects them via their data dependencies. This is what a JCC looks like. The edges in this graph represent data dependencies. Sequences of nodes with one input and one output are collapsed into blocks. Green nodes are constant nodes: they do not depend on external values (such as CPU registers), unlike red nodes. The hex number left of a node is a step number; the right number is its result. Only const nodes (green) can have a result. The graph contains all nodes that directly or indirectly contribute to the lower-right "loadcc" instruction. CMP/…

(2 replies, 5.3k views)
Hi, I want to start a thread to collect root-cause analyses of vulnerabilities. I am aiming for detailed writeups of real vulnerabilities in real software, preferably in native code. This first post is going to be a bit of a mess, and I will include a bunch of interesting posts that are not technically root-cause analysis, but I will be cleaner in the future. Of course everyone is invited to join in. First, a few famous blog archives full of good content: a whole bunch of root-cause analyses by Google Project Zero: https://googleprojectzero.github.io/0days-in-the-wild/rca.html; the same for SSD Disclosure: https://ssd-di…

Learn to devirtualize x86 code (by Munroc; 4 replies, 6.7k views)
Hello everybody, this is my first post in this forum... I have been trying to learn devirtualization for protectors like VMProtect or Themida, but I couldn't find much information. I was hoping someone here can point me in the right direction or recommend a book or other literature. Thanks in advance.

Windows API Hooking and DLL Injection (by whoknows; 2 replies, 6.9k views)
https://dzone.com/articles/windows-api-hooking-and-dll-injection

Analysis of changes in .Net Reactor 6 (by Kingmaker_oo7; 2 replies, 6.3k views)
Necrobit: To mess up the old de4dot implementation, .NET Reactor changed the P/Invoke methods, but for the unpack you can use SMD from CodeCracker, which will do an excellent job of this.
Control flow: To break de4dot.blocks, Eziriz added a number of instructions to the flow cases which de4dot cannot process. It's easy to fix; just repeat after me: we look for the problematic instruction, go to the IL Nop call and change brfalse to br.s. As you can see, the cocoa is gone. The whole thing can be automated with my favorite dnlib…

Flare-On 7 (by kao; 95 replies, 63.4k views)
Get your tools ready!

(18 replies, 18.4k views)
I once posted this on a Chinese forum; you can visit it at https://www.52pojie.cn/thread-762832-1-1.html with Google Translate. I'll try my best to introduce it in English:
1. Download x64dbg and download the symbol file of clr.dll (mscorwks.dll if the runtime is .NET 2.0 to 3.5).
2. Set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run.
3. Use MegaDumper (I use my ExtremeDumper, based on CodeCracker's MegaDumper: https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program breaks at "SystemDomain::ExecuteMainMethod".
4. Fix the PE header, and maybe you should also fix the .NET header.
This way is more complex than using Me…
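Step 4 of the post above (fixing the PE header of a module dumped from memory), as an added worked example that is not code from the post or from ExtremeDumper: a dump copies each section from its virtual address, but the section headers still carry the on-disk PointerToRawData/SizeOfRawData, so IDA, dnSpy and friends mis-map the file. The script parses the PE headers with the standard library only and rewrites every section so that raw offset equals RVA and raw size equals VirtualSize, the usual "dump fix". The image it runs on is constructed in-line (a fake two-section PE32+, not a real module), and the .NET CLR header is deliberately left alone; that second half of step 4 depends on the protector and is not shown here.

```python
"""Realign the section table of a PE image dumped from process memory.

Added example for the dumping procedure described above (not code from the
post or from ExtremeDumper). A memory dump has every section at its RVA, so
the fix is to make the raw (file) layout equal the virtual layout. Only the
section table is touched; the CLR/.NET metadata header is left as-is.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D        # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550     # 'PE\0\0'
IMAGE_SIZEOF_SECTION_HEADER = 40


def _section_table_offset(data):
    """Return (e_lfanew, number_of_sections, section_table_offset); raise on bad input."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE image: missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect_off = e_lfanew + 24 + size_opt
    if sect_off + num_sections * IMAGE_SIZEOF_SECTION_HEADER > len(data):
        raise ValueError("section table runs past end of image")
    return e_lfanew, num_sections, sect_off


def realign_sections(dump: bytes) -> bytes:
    """Return a copy of `dump` whose section headers describe the in-memory layout.

    For every IMAGE_SECTION_HEADER: PointerToRawData := VirtualAddress and
    SizeOfRawData := VirtualSize, so file offset == RVA, which is what a dump is.
    """
    _, num_sections, sect_off = _section_table_offset(dump)
    out = bytearray(dump)
    for i in range(num_sections):
        hdr = sect_off + i * IMAGE_SIZEOF_SECTION_HEADER
        # Layout: Name[8] VirtualSize(4) VirtualAddress(4) SizeOfRawData(4) PointerToRawData(4) ...
        virtual_size, virtual_address = struct.unpack_from("<II", out, hdr + 8)
        struct.pack_into("<II", out, hdr + 16, virtual_size, virtual_address)
    return bytes(out)


def section_layout(image: bytes):
    """List (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section."""
    _, num_sections, sect_off = _section_table_offset(image)
    rows = []
    for i in range(num_sections):
        hdr = sect_off + i * IMAGE_SIZEOF_SECTION_HEADER
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, hdr + 8)
        rows.append((name, va, vsize, rawptr, rawsize))
    return rows


def build_sample_dump() -> bytes:
    """Constructed sample (not a real module): a minimal PE32+ as it looks when dumped.

    The sections really sit at their RVAs (0x1000, 0x2000) but the headers still
    claim the on-disk raw offsets 0x200 / 0x400, exactly the mismatch a dumper leaves.
    """
    size_of_opt = 240          # PE32+ optional header size
    num_sections = 2
    e_lfanew = 0x80
    img = bytearray(0x3000)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    struct.pack_into("<I", img, e_lfanew, IMAGE_NT_SIGNATURE)
    # IMAGE_FILE_HEADER: Machine=AMD64, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x8664, num_sections, 0, 0, 0, size_of_opt, 0x22)
    struct.pack_into("<H", img, e_lfanew + 24, 0x20B)   # Optional header Magic: PE32+
    sect_off = e_lfanew + 24 + size_of_opt
    sections = [(b".text", 0x1000, 0x1000, 0x200, 0x800),   # name, VA, VirtualSize, raw ptr, raw size
                (b".rsrc", 0x2000, 0x0800, 0x400, 0xA00)]
    for i, (name, va, vsize, rawptr, rawsize) in enumerate(sections):
        hdr = sect_off + i * IMAGE_SIZEOF_SECTION_HEADER
        img[hdr:hdr + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, hdr + 8, vsize, va, rawsize, rawptr)
    img[0x1000:0x1004] = b"\x48\x83\xec\x28"   # code lives at its RVA in a dump (sub rsp, 0x28)
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_dump()
    for row in section_layout(realign_sections(sample)):
        print("%-8s VA=%#06x VSize=%#06x Raw=%#06x RawSize=%#06x" % row)
```

Run it on a real dump with `realign_sections(open("dump.exe", "rb").read())` and write the result out; a loader that insists on FileAlignment-rounded SizeOfRawData may want the sizes rounded up, which this keeps deliberately simple. For the .NET header, check that the CLI header RVA in the data directory still points inside a section after the fix, otherwise dnSpy will not see the metadata.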