All Activity

How to unpack this target? Regards. sean.

Read the last sentence of my previous message again...

Hi guys, I was downloading some text file from internet and when I print it into static control etc then I got that not correctly wrong mixed symbols or letters etc I would like to prevent but how is the questions. By the way, I tried using that IsTextUnicode function but I can only use the RtlIsTextUnicode function and this does crash always inside... invoke RtlIsTextUnicode,addr STRINGBUFFER ,sizeof STRINGBUFFER, IS_TEXT_UNICODE_ASCII16 ....so I don't know about all those specific Text Symbol styles things whatever they called etc but it really sux and I just want to have & use some simple format / fix functions I can run over my textbuffer to make them OK. @adoxa Yes it seems I have to remove those HTML entities from text buffer to format them correctly but how? Is there no ready function already I could use? Otherwise I have to make it myself. How much HTML Entities are there I have to check for? Or what are the most common used? I made this quick function... Remove_HTML_Entities proc uses edi esi ebx _buffer:DWORD invoke szRep,_buffer,_buffer,chr$("&lt;"), chr$("<") invoke szRep,_buffer,_buffer,chr$("&gt;"), chr$(">") invoke szRep,_buffer,_buffer,chr$("&amp;"), chr$('&') invoke szRep,_buffer,_buffer,chr$("&quot;"), chr$('"') invoke szRep,_buffer,_buffer,chr$("&apos;"), chr$("'") invoke szRep,_buffer,_buffer,chr$("&cent;"), chr$("¢") invoke szRep,_buffer,_buffer,chr$("&pound;"),chr$("£") invoke szRep,_buffer,_buffer,chr$("&yen;"), chr$("¥") invoke szRep,_buffer,_buffer,chr$("&euro;"), chr$("€") invoke szRep,_buffer,_buffer,chr$("&copy;"), chr$("©") invoke szRep,_buffer,_buffer,chr$("&reg;"), chr$("®") Ret Remove_HTML_Entities endp ...to remove some of those Entities. Seems to work OK so far but NOW I found another problem. When the entitie &amp; was found and replaced with & and I do send that string buffer into my static control then the "&" is not displaying!=? Why? When I do messagebox that string buffer then the "&" gets displayed. So why is the & not showing when using it in a string? Also this fails... invoke SendMessage,STATIC_HANDLE,WM_SETTEXT,0,chr$("You & Me") = "You Me" and not "You & Me" Why? Is there any style I have to enable to make it work to display also the "&"? greetz

Hello everyone ! Having been in infosec for a few years now, particularly on the Red Team side, I'm keen to discover new things. I have some basic knowledge of reverse engineering, but nothing too crazy. As I'm about to start a new contract on the Blue Team side, I'd like to practice a bit before starting. So I'd like to know your opinion on an easy malware family to reverse for a beginner. Thank you.

@jackyjask maybe, we do not need it any more. @fjqisba how does this IDA plugin help to analyze the vmprotect virtual machine? I do not know how to use this. I will be really appreciated if you could explain about it. Many thanks in advance. Regards. sean.

@fjqisba is GhidraVmp.dll obsoleted and now one has to use Revampire.dll instead?

If you want to change "standard" (&<>) HTML entities it would be simplest to search and replace manually; not sure what the best approach would be if you want to convert unknown HTML to text. Dialog text uses & to underline the next character, so they should be replaced with && for a literal &.

I don't know where you are sourcing your text from, possibly you can check the BOM - if it exists. If the text is a reliable source you could try utilising the IsTextUnicode function... Ted.

Hi guys, so I got a little problem again with those UNICODE / SYMBOL chars in text / buffer I want to format to readable text and print that on a static control. So first I got some text issues showing me some strange symbol chars instead of text like this below... "Youâ€" is "You’ve" ...and I was then using the MultiByteToWideChar function with CodePage CP_UTF8 to change my ANSI text buffer to UNICODE. After that the text was displaying correctly using SetDlgItemTextW function. FIne so far I thought. Then I found another problem with a other symbol like this... Q&amp;A is Q&A ...and I tried to use the same function as above but in this case I got this results back... Qamp;A !? My question now is...when I have any unknown text in buffer as ASCII / ANSI style then I want to format / convert this text buffer into 100 % readable / Symbol buffer I want to use with SetDlgItemTextW (Unicode) function to display the text 100 % correctly as original etc. What is the right method for this? greetz

How to find the constant value when debugging an enigma protected application? no answer ???

@Priboi Many thanks for the video presentation. Now I get it. Your plugin would be helpful. Regards. sean.

I said program not plugin. Debugged program makes changes in code/data for example while unpacking and you are able to see where these changes are when using my plugin.

@Priboi when does the code/data change by your plugin? I did not use the feature of the ollydbg, also I did not know it is. Now I check it out in ollydbg. It is a good feature. In ollydbg, If I create backup, then I change some codes. by using view backup, I can view the backed up data. after it, again If I click view actual data, I can view the current modified code/data. But with your plugin, what should I do to check what is the backed up code/data and what is the current modified or actual code/data? Many thanks in advance. Regards. sean.

Can someone share MyAppSecured v1.00 Beta source? I dont have account here: https://forum.exetools.com/showthread.php?t=19316 EDIT: nevermind founded here:

You dont have to do changes on yourself its not the purpose of this plugin because you know what you have changed. The code/data should be changed by program itself.

+ password-protect-video.com

Now It works well but It takes some time to complete the job. Regards. sean.

Well, the project is still a demo. I updated the plugin and provided a program for my own testing，you can try that. https://github.com/fjqisba/VmpHelper/releases

I virtualized below part and tested it. 004010C2 6A 01 push 01 004010C4 53 push ebx 004010C5 FF15 1C614000 call dword ptr [0040611C] → USER32.dll!EndDialog 004010CB EB 09 jmp 004010D6 ↓ It is cahnged to thses codes. 00A810C2 | E9 27BA1800 | JMP win32gui.vmp.C0CAEE | 00A810C7 <win32gui | 57 | PUSH EDI | edi:EntryPoint 00A810C8 | C3 | RET | 00A810C9 <win32gui | 56 | PUSH ESI | esi:EntryPoint 00A810CA | C3 | RET | 00A810CB <win32gui | EB 09 | JMP win32gui.vmp.A810D6 | And I used your plugin by clicking the menu "VMP -> Show Graph" at the address of 00A810C2. then It hung. the IDA version is 8.3.23.0608.. Regards. sean.

For current plugin, it seems too early to analyze vmp oep, because vmp does a lot of operations at the beginning. Maybe you should try writing a small function, use vmp encryption, and then use plugin to analyze the begin of vmp function.

Win32GUI.vmp.zip Regards. sean.

What are the preconditions to start de-virting 3.5.0 x86? I'm hitting only this: sample https://workupload.com/file/bDGty7XBnfW sometimes it is crashing, eg: BTW, what IDA versions do you support?

Well, this is because it has not been fully developed yet. you can try sending samples to me so I can fix it.

An error!!! And for another example. Why does it just show one graph and no branches? but your github page shows like this. Regards. sean.