Reverse Engineering Articles

344 topics in this forum

1. 

   Windows API Hooking and DLL Injection

   August 2, 2020 by whoknows

   • 2 followers
   • 2 replies
   • 7.2k views

   https://dzone.com/articles/windows-api-hooking-and-dll-injection

   

   Last reply by Kuranes, March 21, 2021

   • 
   • 
2. 

   Analysis of changes in .Net Reactor 6

   January 25, 2021 by Kingmaker_oo7

   • 3 followers
   • 2 replies
   • 6.5k views

   Necrobit To mess up the old de4dot implementation, the .Net reactor changed the P / Invoke methods, but for the unpack, you can use the SMD from Code Cracker, which will do an excellent job of this. Control Flow To break de4dot.blocks, ezriz added a number of instructions to the flow cases, which de4dot cannot process, it's easy to fix it, just repeat after me) Spoiler We are looking for a problematic instruction Go to IL Nop call and change brfalse to br.s As you can see, the cocoa is gone)) The whole thing can be automated with my favorite dnlib …

   

   Last reply by ZyrroX, February 2, 2021

   • 
3. 

   Flare-On 7 1 2 3 4

   July 29, 2020 by kao

   • 7 followers
   • 95 replies
   • 64.4k views

   Get your tools ready!

   

   Last reply by Geryon, November 29, 2020

   • 
   • 
   • 
4. 

   A better way to dump .NET assembly packed by a native stub

   June 23, 2019 by wwh1004

   • 2 followers
   • 18 replies
   • 19.1k views

   I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator I try my best to introduce it using English 1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5) 2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run 3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod" 4.fix pe header and maybe you shoud also fix .net header This way is more complex than use Me…

   

   Last reply by goro1988, November 24, 2020

   • 
   • 
5. 

   Eziriz .NET Reactor 6.3 ( Request for Decompile Tools on it? )

   October 26, 2020 by SkieHackerYT

   • 2 followers
   • 0 replies
   • 6.2k views

   Does anyone knows how to decompile an Eziriz .NET Reactor ( Using Tools )

   

   Last reply by SkieHackerYT, October 26, 2020
6. 

   Little known obfuscation method C#

   May 29, 2020 by PhoenixARC

   • 3 replies
   • 6.3k views

   Hello everyone, I am currently in the process of trying to deob a program that was obfuscated with Itami-Fujifuscator, i know it's just a ConfuserEx mod, but honestly i can't find anything about it anywhere, the program is nowhere to be found, and deobfuscation methods seem either vague or specific to the program at hand, if anyone can help out with deobfuscating Fujifuscation i would very much appreciate it

   

   Last reply by Rhotav, May 31, 2020
7. 

   .Net Manual Deobfuscating

   June 10, 2015 by gholam.illidan

   • 2 followers
   • 19 replies
   • 16.1k views

   is there any tut or e-book for .net manual unpacking and deobfuscating? (google == nothing) and some e-book on .net DataStructure. my .net cracking skill is verywell but im sucks in deobfuscating. tnx

   

   Last reply by Kurapica, May 19, 2020

   • 
8. 

   Fix Unpacked with Confuser has too many class and method

   April 30, 2020 by zackmark29

   • 5 replies
   • 5.8k views

   Can anybody tell me how to fix this? I want to get the original strings i used confuser unpacker + de4dot

   

   Last reply by 0x59, April 30, 2020
9. 

   Webinar Static binary analysis: the essentials

   April 22, 2020 by kao

   • 0 replies
   • 4.8k views

   Thursday, April 30, 16:00GMT. During this webinar we will cover some of the most useful techniques for reverse engineering malware. We will show how they can help with the analysis of real-world samples using IDA Pro and Ghidra. https://securelist.com/become-a-good-reverse-engineer/96743/

   

   Last reply by kao, April 22, 2020

   • 
   • 
10. 

    Android App Reverse Engineering workshop

    April 21, 2020 by kao

    • 1 follower
    • 0 replies
    • 5k views

    This Friday, free for all! I'm not sure how much she'll be able to cover in 4 hours - but I believe it's worth participating anyways.

    

    Last reply by kao, April 21, 2020

    • 
    • 
11. 

    Machine Learning and Reverse Engineering

    April 14, 2020 by deepzero

    • 0 replies
    • 5k views

    Thought I might create a thread to collect articles/papers that bring machine learning to rce... https://medium.com/@alon.stern206/cnn-for-reverse-engineering-an-approach-for-function-identification-1c6af88bca43

    

    Last reply by deepzero, April 14, 2020

    • 
12. 

    Advanced Windows Hooking Techniques (STEALTHY INSTRUMENTATION TECHNIQUES)

    October 26, 2016 by Techlord

    • 8 replies
    • 8.7k views

    Hooking Nirvana - STEALTHY INSTRUMENTATION TECHNIQUES : (Old but an excellent refresher. Bonus is that techniques work on Windows 10) Full VIDEO of the talk available here (56 Mins) - from Recon 2015. WHAT THIS TALK IS ABOUT : All this is looked at from the perspective of Windows 10 and the changes in Windows 10 : OUTLINE : Relevant code can be found here .

    

    Last reply by Taitor, April 12, 2020

    • 
13. 

    IcedID Trojan Uses Steganographic Payloads

    December 5, 2019 by Teddy Rogers

    • 0 replies
    • 5.3k views

    https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/ Ted.

    

    Last reply by Teddy Rogers, December 5, 2019
14. 

    Flare On 6 1 2 3 4 8

    June 17, 2019 by kao

    • 188 replies
    • 48.8k views

    Following the good old tradition, this thread will be dedicated to the annual Flare-On challenge. Who's going to participate this year?

    

    Last reply by Kurapica, November 27, 2019

    • 
15. 

    Javascript Puzzle

    November 16, 2019 by AzoresRCE

    • 1 follower
    • 1 reply
    • 5.9k views

    Hi, so i was give a puzzle in which i was sent some javascript code in a text file and was told to get two words out of it. when running the js it outputs a pastebin link with the word apple now my challenge is finding the second word Thanks you puzzle.txt

    

    Last reply by MulaB, November 18, 2019
16. 

    1 Mexican Crackme

    November 8, 2019 by whoknows

    • 0 replies
    • 4.9k views

    https://medium.com/syscall59/solved-solving-mexican-crackme-82d71a28e189

    

    Last reply by whoknows, November 8, 2019
17. 

    Some tutorials and other information about reversing MAC OS Reversing

    September 15, 2013 by Artic

    • 2 replies
    • 6.3k views

    i have noticed there are no real good information about how to get started with OSX reversing. i hope thats a little overview and will help any OSX reversing newbies. (im an OSX newbie myself) a few mac crackmes http://reverse.put.as/crackmes/ RCE for newbies on MAC http://reverse.put.as/2011/02/12/universes-best-and-legal-mac-os-x-reversing-tutorial-for-newbies-or-maybe-not/ (here is the text file on pastebin posted: http://pastebin.com/vqJBfDcX ) part I was removed because it contains a commercial program - maybe i can find it somewhere. Tools for OSX reversing http://reverse.put.as/tools/ (the page is holding local copies of the non commercial tools) …

    

    Last reply by LilCe, July 2, 2019

    • 
18. 

    Cannot debug program that's a py2exe

    June 29, 2019 by Bidasci

    • 6 replies
    • 5.8k views

    I have renamed the program to ensure anonymity. Hello everyone. I am trying to debug this program that is compiled with py2exe (you can tell from the icon) But when I try to debug it (x64dbg and others) it does not show the text. When you first run the program it gives you 3 options. One is to start mining, 2nd is to Send coins, and 3rd is to Check balance or view your public key. What I expected is that when running in a debugger it would expose what server it connects to and other ways. I can tell that the program is created in python because when ran in a debugger it shows Py commands. I have tried a method known as unpy2exe to decompile it but when I…

    

    Last reply by Cursedzx, June 30, 2019

    • 
    • 
19. 

    Hancitor Packer Demystified...

    April 28, 2019 by Teddy Rogers

    • 2 replies
    • 4.9k views

    https://www.uperesia.com/hancitor-packer-demystified Ted.

    

    Last reply by Samz, June 29, 2019

    • 
20. 

    A Crash Course in Everything Cryptographic...

    April 26, 2019 by Teddy Rogers

    • 0 replies
    • 4.6k views

    https://medium.com/@lduck11007/a-crash-course-in-everything-cryptographic-50daa0fda482 Ted.

    

    Last reply by Teddy Rogers, April 26, 2019

    • 
21. 

    Reversing WannaCry w/ Ghidra

    April 13, 2019 by whoknows

    • 0 replies
    • 5k views

    https://youtu.be/Sv8yu12y5zM bonus - VSCodium - Binary releases of VS Code without MS branding/telemetry/licensing - hxxps://github.com/VSCodium/vscodium

    

    Last reply by whoknows, April 13, 2019

    • 
    • 
22. 

    Obfuscating Operations using Linear Algebra

    April 1, 2019 by DefCon42

    • 1 reply
    • 5.3k views

    Hey all! I recently came across this neat paper here: https://tel.archives-ouvertes.fr/tel-01623849/document where they used what they called "Mixed-Boolean Arithmetic" to obfuscate arithmetic expressions, and then showed ways to deobfuscate them. Looking a the deobfuscation methods, they seemed largely either pattern-based or wouldn't work when bigger numbers were involved. So I thought to myself, "How can I mess with this?" Well, first things first, they have no concrete method there for creating these expressions. There are two pages total dedicated to the creation of these expressions, so I had to get creative to make it work. They describe using n…

    

    Last reply by XenocodeRCE, April 2, 2019

    • 
23. 

    slugsnacks reversing series by c0lo

    February 12, 2019 by CodeExplorer

    • 0 replies
    • 6.9k views

    slugsnacks reversing series by c0lo: Link: https://kienmanowar.wordpress.com/slugsnacks-reversing-series-by-c0lo/slugsnacks-reversing-series-5/

    

    Last reply by CodeExplorer, February 12, 2019

    • 
24. 

    Anti Debugging Protection Techniques With Examples

    January 29, 2019 by CodeExplorer

    • 2 replies
    • 6.2k views

    Anti Debugging Protection Techniques With Examples: https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software

    

    Last reply by deepzero, January 31, 2019

    • 
25. 

    About Themida

    December 21, 2018 by RYDB3RG

    • 11 replies
    • 11.2k views

    Lets assume we have this code: test_proc proc VM_EAGLE_BLACK_START add rax, rcx add rax, rdx add rax, rsi add rax, rdi ret VM_EAGLE_BLACK_END test_proc endp So we have a single basicblock with multiple inputs: RAX, RCX, RDX, RSI, RDI and a single output: RAX. The protected version of that has about 10.000.000 instructions (Themida 2.4.6.0 demo). Lets run it through Unicorn and connect instructions via their sideeffects. While we are at it, lets assume we have an unlimited number of registers so we can remove memory indirections and connect instructions directly. Out of the initial 10mio instructions, how many contribute directly or ind…

    

    Last reply by RYDB3RG, December 27, 2018

    • 
    •