Reverse Engineering Articles
Share an interesting blog, news page or other RE-related site...
344 topics in this forum
-
Windows API Hooking and DLL Injection
by whoknows- 2 followers
- 2 replies
- 7.2k views
https://dzone.com/articles/windows-api-hooking-and-dll-injection
-
Analysis of changes in .Net Reactor 6
by Kingmaker_oo7- 3 followers
- 2 replies
- 6.5k views
Necrobit: To mess up the old de4dot implementation, .NET Reactor changed the P/Invoke methods, but for the unpack you can use SMD from CodeCracker, which does an excellent job of it. Control Flow: To break de4dot.blocks, Eziriz added a number of instructions to the flow cases which de4dot cannot process; it's easy to fix, just repeat after me) We look for the problematic instruction, go to the IL nop call and change brfalse to br.s. As you can see, the cocoa is gone)) The whole thing can be automated with my favorite dnlib …
-
Flare-On 7 1 2 3 4
by kao- 7 followers
- 95 replies
- 64.4k views
Get your tools ready!
-
- 2 followers
- 18 replies
- 19.1k views
I once posted it on a Chinese forum; you can read it at https://www.52pojie.cn/thread-762832-1-1.html with Google Translate. I'll try my best to introduce it in English. 1. Download x64dbg and the symbol file of clr.dll (mscorwks.dll if the runtime is .NET 2.0~3.5). 2. Set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run. 3. Use MegaDumper (I use my ExtremeDumper, based on CodeCracker's MegaDumper: https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program breaks at "SystemDomain::ExecuteMainMethod". 4. Fix the PE header, and maybe you should also fix the .NET header. This way is more complex than using Me…
-
Eziriz .NET Reactor 6.3 ( Request for Decompile Tools on it? )
by SkieHackerYT- 2 followers
- 0 replies
- 6.2k views
Does anyone know how to decompile Eziriz .NET Reactor (using tools)?
-
Little known obfuscation method C#
by PhoenixARC- 3 replies
- 6.3k views
Hello everyone, I am currently trying to deobfuscate a program that was obfuscated with Itami-Fujifuscator. I know it's just a ConfuserEx mod, but honestly I can't find anything about it anywhere; the program is nowhere to be found, and deobfuscation methods seem either vague or specific to the program at hand. If anyone can help out with deobfuscating Fujifuscation I would very much appreciate it.
-
.Net Manual Deobfuscating
by gholam.illidan- 2 followers
- 19 replies
- 16.1k views
Is there any tutorial or e-book on .NET manual unpacking and deobfuscating? (Google == nothing) And some e-book on .NET data structures? My .NET cracking skills are very good but I suck at deobfuscating. Thanks.
-
Fix Unpacked with Confuser has too many class and method
by zackmark29- 5 replies
- 5.8k views
Can anybody tell me how to fix this? I want to get the original strings. I used Confuser unpacker + de4dot.
-
- 0 replies
- 4.8k views
Thursday, April 30, 16:00 GMT. During this webinar we will cover some of the most useful techniques for reverse engineering malware. We will show how they can help with the analysis of real-world samples using IDA Pro and Ghidra. https://securelist.com/become-a-good-reverse-engineer/96743/
-
- 1 follower
- 0 replies
- 5k views
This Friday, free for all! I'm not sure how much she'll be able to cover in 4 hours - but I believe it's worth participating anyways.
-
Machine Learning and Reverse Engineering
by deepzero- 0 replies
- 5k views
Thought I might create a thread to collect articles/papers that bring machine learning to RCE... https://medium.com/@alon.stern206/cnn-for-reverse-engineering-an-approach-for-function-identification-1c6af88bca43
-
- 8 replies
- 8.7k views
Hooking Nirvana - STEALTHY INSTRUMENTATION TECHNIQUES: (Old, but an excellent refresher. Bonus is that the techniques work on Windows 10.) Full VIDEO of the talk (56 mins) from Recon 2015 is available here. WHAT THIS TALK IS ABOUT: All of this is looked at from the perspective of Windows 10 and the changes in Windows 10. OUTLINE: Relevant code can be found here.
-
IcedID Trojan Uses Steganographic Payloads
by Teddy Rogers- 0 replies
- 5.3k views
https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/ Ted.
-
Following the good old tradition, this thread will be dedicated to the annual Flare-On challenge. Who's going to participate this year?
-
Javascript Puzzle
by AzoresRCE- 1 follower
- 1 reply
- 5.9k views
Hi, so I was given a puzzle in which I was sent some JavaScript code in a text file and was told to get two words out of it. When running the JS it outputs a pastebin link with the word apple; now my challenge is finding the second word. Thank you. puzzle.txt
-
1 Mexican Crackme
by whoknows- 0 replies
- 4.9k views
https://medium.com/syscall59/solved-solving-mexican-crackme-82d71a28e189
-
- 2 replies
- 6.3k views
I have noticed there is no really good information about how to get started with OSX reversing. I hope this is a little overview that will help any OSX reversing newbies. (I'm an OSX newbie myself.) A few Mac crackmes: http://reverse.put.as/crackmes/ RCE for newbies on Mac: http://reverse.put.as/2011/02/12/universes-best-and-legal-mac-os-x-reversing-tutorial-for-newbies-or-maybe-not/ (here is the text file posted on pastebin: http://pastebin.com/vqJBfDcX ) Part I was removed because it contains a commercial program - maybe I can find it somewhere. Tools for OSX reversing: http://reverse.put.as/tools/ (the page holds local copies of the non-commercial tools) …
-
Cannot debug program that's a py2exe
by Bidasci- 6 replies
- 5.8k views
I have renamed the program to ensure anonymity. Hello everyone. I am trying to debug this program, which is compiled with py2exe (you can tell from the icon), but when I try to debug it (x64dbg and others) it does not show the text. When you first run the program it gives you 3 options: one is to start mining, the 2nd is to send coins, and the 3rd is to check balance or view your public key. What I expected is that when running in a debugger it would expose what server it connects to, among other things. I can tell that the program is created in Python because when run in a debugger it shows Py commands. I have tried a method known as unpy2exe to decompile it but when I…
-
Hancitor Packer Demystified...
by Teddy Rogers- 2 replies
- 4.9k views
https://www.uperesia.com/hancitor-packer-demystified Ted.
-
A Crash Course in Everything Cryptographic...
by Teddy Rogers- 0 replies
- 4.6k views
https://medium.com/@lduck11007/a-crash-course-in-everything-cryptographic-50daa0fda482 Ted.
-
Reversing WannaCry w/ Ghidra
by whoknows- 0 replies
- 5k views
https://youtu.be/Sv8yu12y5zM bonus - VSCodium - Binary releases of VS Code without MS branding/telemetry/licensing - hxxps://github.com/VSCodium/vscodium
-
Obfuscating Operations using Linear Algebra
by DefCon42- 1 reply
- 5.3k views
Hey all! I recently came across this neat paper: https://tel.archives-ouvertes.fr/tel-01623849/document where they used what they called "Mixed Boolean-Arithmetic" to obfuscate arithmetic expressions, and then showed ways to deobfuscate them. Looking at the deobfuscation methods, they seemed largely either pattern-based or wouldn't work when bigger numbers were involved. So I thought to myself, "How can I mess with this?" Well, first things first, they have no concrete method there for creating these expressions. There are two pages total dedicated to the creation of these expressions, so I had to get creative to make it work. They describe using n…
-
slugsnacks reversing series by c0lo
by CodeExplorer- 0 replies
- 6.9k views
slugsnacks reversing series by c0lo: Link: https://kienmanowar.wordpress.com/slugsnacks-reversing-series-by-c0lo/slugsnacks-reversing-series-5/
-
Anti Debugging Protection Techniques With Examples
by CodeExplorer- 2 replies
- 6.2k views
Anti Debugging Protection Techniques With Examples: https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software
-
About Themida
by RYDB3RG- 11 replies
- 11.2k views
Let's assume we have this code:
    test_proc proc
        VM_EAGLE_BLACK_START
        add rax, rcx
        add rax, rdx
        add rax, rsi
        add rax, rdi
        ret
        VM_EAGLE_BLACK_END
    test_proc endp
So we have a single basic block with multiple inputs (RAX, RCX, RDX, RSI, RDI) and a single output (RAX). The protected version of that has about 10,000,000 instructions (Themida 2.4.6.0 demo). Let's run it through Unicorn and connect instructions via their side effects. While we are at it, let's assume we have an unlimited number of registers so we can remove memory indirections and connect instructions directly. Out of the initial 10 million instructions, how many contribute directly or ind…
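The "connect instructions via their side effects, then ask how many contribute to RAX" step is a backward dependency slice over the emulator's trace. The block below is an added example for this listing (not the poster's Unicorn harness): instead of a real Themida trace it uses a short constructed trace in which each entry records the locations an instruction reads and writes, with memory cells named like registers ("[slot0]") so that spills and reloads are followed as plain data flow, which is the "unlimited registers" assumption from the post. The slice starts at the last write to the output register and walks def-use edges backwards; instructions that only feed dead values (including a clobber of RAX that is overwritten before being read) fall out of the count. The trace contents and the location naming are assumptions of the example.

```python
"""Backward data-dependency slice over a straight-line instruction trace.

Added example (not the poster's code). TRACE is a constructed stand-in for an
emulator record: (text, reads, writes), with memory cells named as
pseudo-registers so stores/loads connect like register moves.
"""

TRACE = [  # constructed; semantically rax = rax + rcx + rdx + rsi + rdi plus junk
    ("mov  r8, 0x1234",       set(),               {"r8"}),          # junk
    ("mov  [slot0], rcx",     {"rcx"},             {"[slot0]"}),     # spill rcx
    ("xor  r8, r8",           {"r8"},              {"r8"}),          # junk
    ("mov  r9, [slot0]",      {"[slot0]"},         {"r9"}),          # reload rcx
    ("add  rax, r9",          {"rax", "r9"},       {"rax"}),         # rax += rcx
    ("lea  r10, [rdx+rsi]",   {"rdx", "rsi"},      {"r10"}),
    ("imul r8, r8, 7",        {"r8"},              {"r8"}),          # junk
    ("add  rax, r10",         {"rax", "r10"},      {"rax"}),         # rax += rdx+rsi
    ("mov  [slot1], rax",     {"rax"},             {"[slot1]"}),     # spill rax
    ("mov  rax, r8",          {"r8"},              {"rax"}),         # dead clobber
    ("mov  rax, [slot1]",     {"[slot1]"},         {"rax"}),         # restore rax
    ("add  rax, rdi",         {"rax", "rdi"},      {"rax"}),         # rax += rdi
    ("ret",                   {"rsp"},             {"rsp", "rip"}),
]


def build_dependencies(trace):
    """Forward pass. deps[i]: indices whose writes instruction i reads
    (reaching definitions); live_in[i]: locations i reads that were never
    written earlier in the trace (external inputs); last_def: final writer."""
    last_def, deps, live_in = {}, [], []
    for i, (_, reads, writes) in enumerate(trace):
        deps.append({last_def[loc] for loc in reads if loc in last_def})
        live_in.append({loc for loc in reads if loc not in last_def})
        for loc in writes:
            last_def[loc] = i
    return deps, live_in, last_def


def backward_slice(trace, output):
    """Indices of all instructions contributing, directly or indirectly,
    to the final value of `output`. Empty if the trace never writes it."""
    deps, _, last_def = build_dependencies(trace)
    if output not in last_def:
        return set()
    seen, work = set(), [last_def[output]]
    while work:
        i = work.pop()
        if i in seen:
            continue
        seen.add(i)
        work.extend(deps[i])
    return seen


def slice_inputs(trace, output):
    """External inputs (registers/cells read before any write) the output
    depends on. Returns {output} when the trace never writes it."""
    _, live_in, _ = build_dependencies(trace)
    sliced = backward_slice(trace, output)
    if not sliced:
        return {output}
    return set().union(*(live_in[i] for i in sliced))


if __name__ == "__main__":
    sl = backward_slice(TRACE, "rax")
    print(f"{len(sl)} of {len(TRACE)} instructions feed rax")
    for i in sorted(sl):
        print(f"  {i:2d}  {TRACE[i][0]}")
    print("inputs:", sorted(slice_inputs(TRACE, "rax")))
```

On the constructed trace 8 of the 13 instructions survive and the live-in set is exactly {rax, rcx, rdx, rsi, rdi}; the three r8 junk instructions, the dead "mov rax, r8" and the ret are dropped. A real trace from Unicorn needs the same two fields per instruction, which is what a memory/register hook records; unlike this toy, it must also name memory by effective address so that aliasing stores are connected correctly.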