Leaderboard

Hi all, this is my analysis of GanDiao.sys, an ancient kernel driver based malware. It only works in WinXP as it is unsigned. This driver was used by various malware families and it allowed any userland application to kill other protected processes. This doc also includes a custom userland app source code to use GanDiao and test its capabilities. ENGLiSH VERSiON: http://lucadamico.dev/papers/malware_analysis/GanDiao.pdf iTALiAN VERSiON: https://www.lucadamico.dev/papers/malware_analysis/GanDiao_ITA.pdf As usual, I'm also attaching both PDF files here, just in case. Enjoy. GanDiao.pdf GanDiao_ITA.pdf

Since @Washi provided the solution first, you may mark his answer as solved. However, I’d like to share my approach as well for reference. 1) Polynomial Coefficients and Matrix 1. Username - Polynomial Coeffs The code has a function that folds ASCII values into 8 coefficients ( size = 7 ). For "CHESSKING" , we take each character's ASCII and add it to slot in the array. 2. Matrix Build We then build 5 x 5 integer matrix from these 7 coefficients. Each entry is computed via this formula : mat(r,c) = ( coeffs ( r mod 7 ) x ( c + 1)) + ( r + 1 ) ---> All in paranthesses from start has to be to the power of 2. 3. Determinant ( mod 65521 ) We do a row-reduction to find the matrix's determinant, and then take /bmod 65521. 2) Toy Elliptic-Curve Step The code defines a small curve: y2 ≡ x3 +Ax+B (modp), p=1201, A=1,B =1. ( x3 here is actually x to the power of 3 ) We have a base point G = ( 5,116 ) this goes : finalPoint= ECSM (G,detMod) That is, we "add" G to itself ( detMod ) times in elliptic-curve arithmetic. The result is ( X , Y ) . Then we define it with this formula : curveSecret= X+ (Y≪16) 3) LFSR Shuffle We take 64 bits (lowest bits) from curveSecret and feed them into a Linear Feedback Shift Register for 64 rounds, producing a new 64-bit integer lfsrOutput. This step effectively scrambles the bits further. 4) BFS-Based Knight Path The code starts at square E5 on a 10×10 board labeled A..J (files) and 1..10 (ranks). Internally, E5 is (4,4) in 0-based coordinates. For each character in the username, we do: steps= (ASCII of char) mod 5 , then run a BFS for that many expansions. The BFS uses Knight moves (like (2,1), (1,2), etc.) with wrapping if we go off the board. We capture the last enqueued square after those BFS expansions, add that to our path, and repeat for the next character in the username. 5) “Check to the King” There is a King placed on G10 → (6,9) in 0-based coordinates. We look at the final square in our BFS path. If that final square is one knight’s move away from (6,9), we do an extra step: lfsrOutput  =  lfsrOutput⊕0xA5A5A5A5 For "CHESSKING" , the BFS path’s last square does or does not cause this XOR. In our run, it does cause the XOR (i.e., it’s in position to “check the King”). 6) Nibble → Weird SAN Moves We take the final integer (lfsrOutput) and break it into 12 consecutive 4-bit nibbles. For each nibble, we pick a “weird” standard algebraic notation (SAN) chess move from the code’s move table. This yields moves like e2e4, Na3xb5, Qd1h5, etc. 7) Final Serial Part A: The BFS squares (space-separated). A dash ( - ) Part B: The 12 SAN moves from the nibble-based table. Verifying everythin we gathered so far : For "CHESSKING" : E5 I3 C1 A7 G4 C1 C1 I8 E5 G4 After the code determines the King is in check, it XORs the LFSR output with 0xA5A5A5A5 Extract 12 nibbles → map to the weird SAN table. They all turned out to be mostly e2e4, with a couple of different ones in the middle (Bf1c4, d2d4) My final answer which is my Username and Serial Key is :

i may banter a lil in the opening, but that is how i was taught when i was in highschool learning ASM from the ukranians and russians, bootkits from the chinese You give a short shoutout or point to be made and ya write and code Here, i use the LCRN (LCG) from the GiantBlack Book of Viruses (Physicist Dr. Mark Ludwig) and his 16-bit many hoops and recreated it for x86 (32 bit) VXWriteUp.pdf

Among the anti-debug techniques, there's an interesting one worth noting. A dummy thread is created and then it calls Sleep(0x32). (The goal is for the created thread to be detected by tools like x64dbg.) Then, it calls NtQueryObject with the ObjectBasicInformation class using the thread handle. If the returned HandleCount is greater than 1, it determines that debugging is in progress. void dummy() { Sleep(8000); } bool CheckCreateThreadHandleCount() { HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)dummy, NULL, 0, NULL); if (hThread == NULL) { return false; } Sleep(0x32); PUBLIC_OBJECT_BASIC_INFORMATION objInfo; NTSTATUS status = NtQueryObject(hThread, ObjectBasicInformation, &objInfo, sizeof(objInfo), NULL); if (!NT_SUCCESS(status)) { CloseHandle(hThread); return false; } std::cout << "Handle Count: " << objInfo.HandleCount << std::endl; if (objInfo.HandleCount > 1) { CloseHandle(hThread); return true; } CloseHandle(hThread); return false; }

My server is working, i just migrated to docker. (Its WebDav , https) https://eddynet.cz:9865 File list is in attached files. content_250414.7z

I have a question, I want to ask you guys. I want to create a license for a small software in C# language. I want to use VMP Potech to define a license to call HWID! But use the external KeyGen format as shown in the image above. What should I start with? Thank you.

LOL, my cracked 🤣. You want source code ?

this is copy of old 3.5.1 nothing new

you have 4,5tb free space to copy my whole share?

No need In the past,it was very slow upload in mediafire is only the one solution possible. One by one.

Dear friends Berkeley Mono Font face is updated to version2. They included ligatures (nerd glyphs) directly in this build. The font face is 75$ for developer use only (no commercial use.) I have included this fontface so you can try them. Enjoy! Homepage hxxps://usgraphics[.]com/products/berkeley-mono Archive Pass: Download tx-02-berkeley-mono-pass=SCT.7z

Hi @LCF-AT it appears you are stuck in js world 😀 ? So you still have problems with innerHTML, outerHTML,right ? Ok i will try to explane all ✍ ; The difference between innerHTML, outerHTML, and directly working with DOM elements (without these properties) can be confusing at first. Let me give you a clear explanation and show you some examples. 1. innerHTML What It Does: innerHTML allows you to get or set the HTML content inside an element. It includes all child elements, text, and HTML tags within the selected element. Use Case: When you need to modify or retrieve the content inside an element. Example: Using innerHTML // Example HTML: <div id="exampleDiv">Hello, <b>World</b>!</div> const div = document.getElementById("exampleDiv"); // Get the inner HTML content console.log(div.innerHTML); // Outputs: "Hello, <b>World</b>!" // Set new inner HTML content div.innerHTML = "New <i>Content</i>"; // Resulting HTML: <div id="exampleDiv">New <i>Content</i></div> Key Notes: Setting innerHTML replaces all the existing content inside the element. You can include raw HTML tags in the string (e.g., <i>), which will be parsed and rendered. 2. outerHTML What It Does: outerHTML allows you to get or replace the entire element itself, including its opening and closing tags, along with its content. Use Case: When you want to replace or retrieve the entire element, not just its inner content. Example: Using outerHTML // Example HTML: <div id="exampleDiv">Hello, <b>World</b>!</div> const div = document.getElementById("exampleDiv"); // Get the outer HTML (the entire element) console.log(div.outerHTML); // Outputs: "<div id="exampleDiv">Hello, <b>World</b>!</div>" // Replace the entire element with new content div.outerHTML = '<p id="newElement">This is a new paragraph!</p>'; // Resulting HTML: <p id="newElement">This is a new paragraph!</p> Key Notes: Unlike innerHTML, setting outerHTML replaces the selected element itself in the DOM. After replacing an element using outerHTML, any reference to that original element becomes invalid because it no longer exists in the DOM. Let me know if you'd like further clarification! 😊

Hi For lightweight, portable editors for JavaScript development you can try 1 Sublime Text: A fast, lightweight editor with excellent support for JavaScript. It allows you to install plugins (like JsFormat and SublimeLinter) to enhance your coding experience2. Portable versions are available online.(just googling 😉) 2 Atom: Open-source and cross-platform, Atom is customizable and comes with smart code completion2. Lightweight compared to larger IDEs like Visual Studio Code. ------ For a complete reference of JavaScript's built-in functions, methods, and APIs, you can use the following resources: MDN Web Docs:: https://developer.mozilla.org/en-US/docs/Web/JavaScript https://developer.mozilla.org/en-US/docs/Web/API https://www.w3schools.com/js/ (for learning javascript online) ------- Placing Elements Relative to Existing HTML Elements: To place your dynamically created buttons relative to an existing HTML element (e.g., a video player), you can use DOM manipulation methods like appendChild, insertBefore, or CSS positioning. - Placing Below or Inside (Using appendChild) If you want to place the button inside the player element (e.g., below it): const player = document.getElementById("player"); // Assume "player" is the ID of the video player const button = document.createElement("button"); button.textContent = "My Button"; player.appendChild(button); // Places the button as the last child inside the player - Placing Above (Using insertBefore) If you want to place the button above the player element: const player = document.getElementById("player"); const button = document.createElement("button"); button.textContent = "My Button"; // Insert the button before the player element in its parent container player.parentNode.insertBefore(button, player); Using CSS for Precise Positioning You can use CSS styles for absolute or relative positioning: const player = document.getElementById("player"); const button = document.createElement("button"); button.textContent = "My Button"; button.style.position = "absolute"; // Position relative to its nearest positioned ancestor button.style.top = `${player.offsetTop - 50}px`; // Place above the player button.style.left = `${player.offsetLeft}px`; // Align horizontally with the player document.body.appendChild(button); ------ return button ? The return statement outputs the fully prepared button element from the function. Without return, the function would execute but not give you access to the created element outside of its scope. By returning button, you can store it in a variable (let BUTTON_1 = createButton(...)) and manipulate or append it later. Why Use const? Declaring button as const ensures that its reference cannot be reassigned (e.g., pointing it to a different object). However, you can still modify its properties (e.g., .type, .value, .style) because objects are "mutable". So the return statement allows a function to output a value (like a DOM element), enabling reuse and flexibility in your code. Greetz

Thanks again but I would like using IDM with my file name instead of using browser download itself. Just bad that its not possible so far. Anyway, I will try to continue testing the code. Thanks for helping @Kanes, I'm pretty sure next questions will come soon. greetz

From what I see it's not possible because IDM captures the download at the network level. you can try using fetch with a Blob to prevent IDM from intercepting <!DOCTYPE html> <html> <body> <script> let link_to_DL = "https://www.w3schools.com/html/mov_bbb.mp4"; let title = "Test Title.mp4"; let input = document.createElement("input"); input.type = "button"; input.value = link_to_DL; input.onclick = () => download(link_to_DL, title); document.body.appendChild(input).style.cursor = "pointer"; function download(fileURL, fileName) { fetch(fileURL) .then(res => res.blob()) .then(blob => { const a = document.createElement('a'); a.href = URL.createObjectURL(blob); a.download = fileName; a.click(); URL.revokeObjectURL(a.href); }) .catch(err => alert("Download error: " + err)); } </script> </body> </html>

Your code is actually correct, the issue isn't in the implementation itself but in the server's security policy. you're trying to download a resource from a different origin (cross-origin), and the server you're requesting it from has CORS restrictions or does not allow forced downloads via the Content-Disposition header Try Here: https://www.w3schools.com/js/tryit.asp?filename=tryjs_intro_inner_html <!DOCTYPE html> <html> <body> <script> let link_to_DL = "https://www.w3schools.com/html/mov_bbb.mp4"; let title = "Test Title.mp4" let input=document.createElement("input"); input.type="button"; input.value=link_to_DL; input.onclick = () => download(link_to_DL, title); document.body.appendChild(input).style.cursor = "pointer"; function download(URL, TITLE) { const a = document.createElement('a'); a.href = URL; a.download = TITLE; a.click(); } </script> </body> </html>

@LCF-AT You can use the <a> download attribute <a href="/images/myw3schoolsimage.jpg" download="w3logo"> <button onclick="download()">Download</button> <script> function download() { const a = document.createElement('a'); a.href = "https://www.w3schools.com/images/myw3schoolsimage.jpg"; a.download = "Anystring.jpg"; a.click(); } </script> <source id="file123" src="https://www.w3schools.com/html/mov_bbb.mp4"> <button onclick="download()">Download</button> <script> function download() { const a = document.createElement('a'); a.href = document.getElementById('file123').src; a.download = "Anystring.mp4"; a.click(); } </script> https://www.w3schools.com/tags//att_a_download.asp

ZwOpenSection/ZwQuerySection eg

Yeah, it is not a "clean" process termination. The process will just crash. It is more an "instant crash" at the next ntdll memory access. Your code using ZwTerminateProcess is a much cleaner approach. After finishing this paper, I was wondering if such a driver can still be loaded on recent NT using a "bring your own vulnerable driver" attack. I don't have time to test it in one of my VMs right now... @boot may ask you a favor? Since you (apparently) are form China, can you confirm that my translation of the word "GanDiao" is actually accurate? ("Get rid of" / "Kill it"). Many thanks.

Except for using MmUnmapViewOfSection to cause other processes to crash. We can also use ZwTerminateProcess to kill a specified process, which may still be effective in some versions of Win10... e.g. Code snippets taken from an old project NTSTATUS ZwKillProcess(HANDLE pid) { HANDLE hProcess = NULL; CLIENT_ID ClientId; OBJECT_ATTRIBUTES oa; NTSTATUS status; ClientId.UniqueProcess = pid; ClientId.UniqueThread = 0; oa.Length = sizeof(oa); oa.RootDirectory = 0; oa.ObjectName = 0; oa.Attributes = 0; oa.SecurityDescriptor = 0; oa.SecurityQualityOfService = 0; status = ZwOpenProcess(&hProcess, 1, &oa, &ClientId); if (NT_SUCCESS(status)) { DbgPrint("OpenProcess success,pid: %d", hProcess); ZwTerminateProcess(hProcess, 0); ZwClose(hProcess); return status; }; DbgPrint("OpenProcess failed,pid: %d", hProcess); return FALSE; }

Hi, thanks for checking. I have big differences using Brave / Chromium and Firefox with my script. I tried this now. I disabled uBO completely from both browsers and then I disabled all cookies (Firefox settings) for that specific website and in Brave too. In case of Firefox my script does not create a button but in Brave it does. Why this? If I allow cookies on that website in Firefox then it works and my script does create the button. Really strange behaving. Do you have any explanation for this? Brave: Block All Cookies | no uBO | My Script | = Working to create button Firefox: Block All Cookies | no uBO | My Script | = Failed to create button (Uncaught TypeError: document.getElementById(...) is null) It does not get the element by ID in FF. By the way, the does not work better or at all. It does not work if I use it instead of "load". Somehow pretty frustrating right now not getting it work for both browser yet. No idea how to deal with that. EDIT: I see problem when using... window.addEventListener('load', (event) => { ...my code... }); ...so sometimes it works sometimes not, its like 50/50. Now I was looking for some sleep function I could place at the top in my script and found just this one... // sleep time expects milliseconds function sleep (time) { return new Promise((resolve) => setTimeout(resolve, time)); } // Usage! sleep(500).then(() => { // Do something after the sleep! }); ....and if I se this function with sleep of 1 seconds and let execute my code inside then it works! So the problem is that I need to wait a while longer in Firefox (not in Brave) to find that element as you did mention already. Seems I have to work with sleep functions etc. Question: Is there also a method to sleep at any line I want (like in coding you call sleep function with time X and in this time all stops before next code get executed / no threads)? The problem is I have to put all my code inside of this sleep function but I would prefer to stop right there. Otherwise if you have any other and better ideas how to tell JS to sleep or how to continue after website and all components are fully loaded then tell me. Thanks. greetz

Your examples work fine. I guess the issue is that you have ublock set too strictly, blocking even javascript. just add an exception for the page or disable javascript blocking in the settings. Testing in a restrictive environment probably isn’t the best way to practice. and for "document.getElementById(...) is null", that's normal if the element isn't found. So the issue could be related to timing for example, if the element is loaded dynamically and the check happens before it has been created. You could try using 'DOMContentLoaded' instead of 'load'.

@LCF-AT If you want window.open() to work, you need to run the code in an unrestricted environment. The web is full of restrictions to prevent security vulnerabilities between the browser and the client because the browser itself acts as a sandbox. In this case, I don’t think there’s a conventional way to solve it, since a malicious JavaScript script using alert() could be used to compromise a machine and steal session cookies from the site where it's executed. For this and other reasons, browsers block pop-up by default. also since you're running the code inside an <iframe> there's another issue you need explicit permission to allow popups in that context To test this, you can inspect and modify the HTML on MDN Play by adding the allow-popups permission inside the <iframe>. If the browser isn’t blocking popups globally your code should work. (If not, then it's another block from the browser itself) You just reminded me of an interesting topic related to this, which is covered on this channel. They have great content: www . youtube.com/watch?v=lG7U3fuNw3A

OK thanks for that info @Kanes. So I did notice another NEW problem today. Somehow the window.open("URL") function does not work always! Why this? Somehow it happens nothing when calling that function but the console log function works inside that function. Could it be that window.open get blocked without to get any error / info about it? let url = "https://forum.tuts4you.com"; var input=document.createElement("input"); input.type="button"; input.value=url; input.onclick = () => showAlert(url); document.body.appendChild(input).style.cursor = "pointer"; function showAlert(text) { window.open(text); console.log(text); } When I try this code above on https://developer.mozilla.org/de/play then it tells me "InvalidAccessError: A parameter or an operation is not supported by the underlying object" error. In my test script it works just partial not for all websites I have test. Somehow strange. How to make it work always? The console.log(text) function inside showAlert function works always but not the window.open function. Do you know what the reason could be? greetz EDIT: By the way, I have test my script in Firefox and its not working / showing any buttons there etc as it does in Brave browser! Uhm! GREAT! Another problem I need to find out what the reason for this is.

@LCF-AT oh you are right >>> input.onclick = copyToClipboard(something); In this case copyToClipboard(something) is executed immediately, and the returned value (undefined) is what gets assigned to onclick >>> input.onclick = () => copyToClipboard(something); Here, instead, you're assigning an anonymous function, a function that doesn't run right away You're assigning the entire function to the onclick event. So, only when the user clicks, copyToClipboard(something) will be executed https://www.javascripttutorial.net/javascript-anonymous-functions/ https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/Arrow_functions

@LCF-AT In that case it's because it's running inside an iframe with restrictions. It should work fine in a regular HTML page or in a browser extension with special permissions, but following your example you can do this in the playground function CopyClipBoard(text) { let tempInput = document.body.appendChild(document.createElement("input")); tempInput.value = text; tempInput.select(); document.execCommand("copy"); tempInput.remove(); } function createCopyButton(text) { let button = document.body.appendChild(document.createElement("button")); button.textContent = `Copy: ${text}`; button.onclick = () => CopyClipBoard(text); } // String example createCopyButton("String example");

hi The link doesn't allow downloading. Is there a way to download it?

Could you upload it to mediafire, mega or google drive? i am not from china and i have not been able to download your examples. If you can upload the plugin and the protected example would be great, thank you.

I have also released a simple demo WL plugin. This is a protected example. https://forum.tuts4you.com/topic/45492-detector64-winlicense-plugin/

again! https://workupload.com/file/rMmVTneRBaP

You may want to revise your keygenme challenge, the challenge is trivial to solve (5 minutes work) Here are some working serials: Explanation:

Does anyone have a link to the whole collection? The one OP posted doesn’t seem to work for me. Thank you.

@Teddy Rogers This is getting out of hand, isn’t it?

how did you do this share that video also please can you make by pass this exe

View File ByUndefined Protector v2 ByUndefined Protector Anti Debugger Anti Dump Anti Tamper Anti Memory Anti Dll Inject Anti ILDasm Resources Compress String Encrypt ControlFlow Virtualization Renamer Merge Dll Add Task: Unpack Submitter Leopar36 Submitted 03/23/2025 Category UnPackMe (.NET)  

time to add new anti-dbg trick into ScyllaHide plugin !?!?

You are wonderful.

Not a debugger? Regards. sean.

link can't download

View File .NET KeyGenMe by Freddy #1 Hey there! I made this KeyGenMe because I enjoy playing chess. This challenge is written in .NET and involves some mathematical operations, mixed with a few chess-related twists. Your task is to figure out the logic behind generating a valid serial key based on the username you enter. But be warned—it’s not as simple as just moving a pawn forward ( maybe a hint ) Protection used : None. Goals : 1. Provide valid combination for Username - Serial Key ( Bronze ) 2. Fully KeyGen it - every username with different serial key algorithm ( Silver ) 3. Full KeyGen plus EXPLANATION on what u did and how you figured out everything ( Gold ) Good luck! Submitter freddy Submitted 03/17/2025 Category KeygenMe  

I recommand the people to use this protection because it's very good. The protection is advanced like Pelock but very good. Only a real reserver can do it But it needs much times to be able handle it. UnpackMe.Obsidium.1.69b1.x86_unprotect.rar

I don't see any solution here fits the requirements ✍️

PEP - Private exe protector is closed commercial project but i decided to share it's source code ( I purchased it about 2300 USD long time ago ) Add star to repo if you like https://github.com/NIKJOO/PEP

Can't wait