Reverse Engineering Articles
Share an interesting blog, news page or other RE related site...
350 topics in this forum
-
V2m 1.0 problem fix with IDA Pro
by r0ger- 1 follower
- 1 reply
- 5.6k views
Yeah, today i've discovered it when most of tPORt releases, even with v2m's in it (with libv2 1.0 mostly), don't work on Vista and higher, so if u wanna test these releases/having some experience with them but ur just lazy too open them up in XP (or simply you don't have it), here's how i did it : I firstly opened one of tPORt's releases with v2m in it i have in my collection with IDA pro , then i've analyzed the whole EXE file . The v2m initialization must start with DirectSoundCreate function most of it , from which it was called from this : sub_406E82 proc near ; CODE XREF: sub_403DEA+38^p PS_____:00406E82 PS_____:00406E82 var_9C = d…
-
- 1 follower
- 0 replies
- 6.1k views
A Complete Research Paper: https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9312198 Summary of anti-VM and anti-DBI techniques used in commercial protectors. It is a great read, also it'd be awesome to see the techniques mentioned in this paper in action video by the fellow reversers
-
- 5 followers
- 8 replies
- 11.3k views
A Complete Article - https://back.engineering/17/05/2021/ Download Link - https://githacks.org/vmp2 Author - https://githacks.org/_xeroxz Spoiler
-
- 1 reply
- 5.3k views
https://www.blackhat.com/us-21/briefings/schedule/index.html#greybox-program-synthesis-a-new-approach-to-attack-dataflow-obfuscation-22930 code: https://github.com/quarkslab/qsynthesis documentation: https://quarkslab.github.io/qsynthesis/ demo: https://www.youtube.com/watch?v=AwZs56YajJw slides: https://i.blackhat.com/USA21/Wednesday-Handouts/US-21-David-Greybox-Program-Synthesis.pdf whitepaper: https://i.blackhat.com/USA21/Wednesday-Handouts/US-21-David-Greybox-Program-Synthesis.pdf
-
VMPROTECT vs. LLVM
by RYDB3RG- 1 follower
- 4 replies
- 29.6k views
Hi, I made a tool that interprets a vmp rsi-stream, it records the handlers (or vm instructions) and connects them via their data dependencies. This is how a JCC looks like The edges in this graph represent data dependencies. Sequences of nodes with one input and one output are collapsed into blocks. Green nodes are constant nodes. They do not depend on external values (such as CPU registers), unlike red nodes. The hex number left of a node is a step number, the right number is its result. Only const nodes (green) can have a result. The graph contains all nodes that directly or indirectly contribute to the lower right "loadcc" instruction. CMP/…
-
- 1 follower
- 2 replies
- 6.7k views
Hi, I want to start a thread to collect root-cause-analysis of vulnerabilities. I am aiming for detailed writeups of real vulnerabilities in real software, preferably in native code. This first post is going to be a bit of a mess, and I will include a bunch of interesting posts that are not technically root-cause-analysis, but I will be more clean in the future. Of course everyone is invited to join in. First a few famous blogarchives full of good content: A whole BUNCH of rootcause analysis by google project zero: https://googleprojectzero.github.io/0days-in-the-wild/rca.html same for ssd-disclosure https://ssd-di…
-
Learn to devirtualize x86 code
by Munroc- 1 follower
- 4 replies
- 9.3k views
Hello everybody, this is my first post in this forum... I have been trying to learn devirtualization for protectors like VMProtect or Themida. But I coudn't find much information. I was hoping someone here can point me to the right direction, recommend me any book or literature. Thanks in advance.
-
Analysis of changes in .Net Reactor 6
by Kingmaker_oo7- 3 followers
- 2 replies
- 7.6k views
Necrobit To mess up the old de4dot implementation, the .Net reactor changed the P / Invoke methods, but for the unpack, you can use the SMD from Code Cracker, which will do an excellent job of this. Control Flow To break de4dot.blocks, ezriz added a number of instructions to the flow cases, which de4dot cannot process, it's easy to fix it, just repeat after me) Spoiler We are looking for a problematic instruction Go to IL Nop call and change brfalse to br.s As you can see, the cocoa is gone)) The whole thing can be automated with my favorite dnlib …
-
Flare-On 7 1 2 3 4
by kao- 8 followers
- 95 replies
- 68.8k views
Get your tools ready!
-
Eziriz .NET Reactor 6.3 ( Request for Decompile Tools on it? )
by SkieHackerYT- 2 followers
- 0 replies
- 7.3k views
Does anyone knows how to decompile an Eziriz .NET Reactor ( Using Tools )
-
Little known obfuscation method C#
by PhoenixARC- 3 replies
- 7.2k views
Hello everyone, I am currently in the process of trying to deob a program that was obfuscated with Itami-Fujifuscator, i know it's just a ConfuserEx mod, but honestly i can't find anything about it anywhere, the program is nowhere to be found, and deobfuscation methods seem either vague or specific to the program at hand, if anyone can help out with deobfuscating Fujifuscation i would very much appreciate it
-
.Net Manual Deobfuscating
by gholam.illidan- 2 followers
- 19 replies
- 18.1k views
is there any tut or e-book for .net manual unpacking and deobfuscating? (google == nothing) and some e-book on .net DataStructure. my .net cracking skill is verywell but im sucks in deobfuscating. tnx
-
Fix Unpacked with Confuser has too many class and method
by zackmark29- 5 replies
- 6.8k views
Can anybody tell me how to fix this? I want to get the original strings i used confuser unpacker + de4dot
-
- 0 replies
- 5.6k views
Thursday, April 30, 16:00GMT. During this webinar we will cover some of the most useful techniques for reverse engineering malware. We will show how they can help with the analysis of real-world samples using IDA Pro and Ghidra. https://securelist.com/become-a-good-reverse-engineer/96743/
-
- 1 follower
- 0 replies
- 5.9k views
This Friday, free for all! I'm not sure how much she'll be able to cover in 4 hours - but I believe it's worth participating anyways.
-
Machine Learning and Reverse Engineering
by deepzero- 0 replies
- 5.9k views
Thought I might create a thread to collect articles/papers that bring machine learning to rce... https://medium.com/@alon.stern206/cnn-for-reverse-engineering-an-approach-for-function-identification-1c6af88bca43
-
- 8 replies
- 9.8k views
Hooking Nirvana - STEALTHY INSTRUMENTATION TECHNIQUES : (Old but an excellent refresher. Bonus is that techniques work on Windows 10) Full VIDEO of the talk available here (56 Mins) - from Recon 2015. WHAT THIS TALK IS ABOUT : All this is looked at from the perspective of Windows 10 and the changes in Windows 10 : OUTLINE : Relevant code can be found here .
-
IcedID Trojan Uses Steganographic Payloads
by Teddy Rogers- 0 replies
- 6k views
https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/ Ted.
-
Following the good old tradition, this thread will be dedicated to the annual Flare-On challenge. Who's going to participate this year?
-
Javascript Puzzle
by AzoresRCE- 1 follower
- 1 reply
- 7.7k views
Hi, so i was give a puzzle in which i was sent some javascript code in a text file and was told to get two words out of it. when running the js it outputs a pastebin link with the word apple now my challenge is finding the second word Thanks you puzzle.txt
-
1 Mexican Crackme
by whoknows- 0 replies
- 6.5k views
https://medium.com/syscall59/solved-solving-mexican-crackme-82d71a28e189
-
- 2 replies
- 7.4k views
i have noticed there are no real good information about how to get started with OSX reversing. i hope thats a little overview and will help any OSX reversing newbies. (im an OSX newbie myself) a few mac crackmes http://reverse.put.as/crackmes/ RCE for newbies on MAC http://reverse.put.as/2011/02/12/universes-best-and-legal-mac-os-x-reversing-tutorial-for-newbies-or-maybe-not/ (here is the text file on pastebin posted: http://pastebin.com/vqJBfDcX ) part I was removed because it contains a commercial program - maybe i can find it somewhere. Tools for OSX reversing http://reverse.put.as/tools/ (the page is holding local copies of the non commercial tools) …
-
Cannot debug program that's a py2exe
by Bidasci- 6 replies
- 7.1k views
I have renamed the program to ensure anonymity. Hello everyone. I am trying to debug this program that is compiled with py2exe (you can tell from the icon) But when I try to debug it (x64dbg and others) it does not show the text. When you first run the program it gives you 3 options. One is to start mining, 2nd is to Send coins, and 3rd is to Check balance or view your public key. What I expected is that when running in a debugger it would expose what server it connects to and other ways. I can tell that the program is created in python because when ran in a debugger it shows Py commands. I have tried a method known as unpy2exe to decompile it but when I…
-
Hancitor Packer Demystified...
by Teddy Rogers- 2 replies
- 5.9k views
https://www.uperesia.com/hancitor-packer-demystified Ted.
-
A Crash Course in Everything Cryptographic...
by Teddy Rogers- 0 replies
- 5.4k views
https://medium.com/@lduck11007/a-crash-course-in-everything-cryptographic-50daa0fda482 Ted.