Leaderboard
-
CodeExplorer
Team Member61Points4,569Posts -
Price
Full Member24Points34Posts -
Stingered
Full Member22Points129Posts -
LCF-AT
Full Member+21Points6,228Posts
Popular Content
Showing content with the highest reputation since 02/09/2026 in all areas
-
I was not able to download your firmware completely (Catbox seems to be having problems today) but I can give you some tips anyway. Step 1: It's unlikely that you've encountered a very unique hardware that has no existing tooling or documentation. Also a lot of hardware is made by the same OEM manufacturer in China and just sold under different brand names. So, use Google. Seriously. :) First few kilobytes of your firmware contain plenty of interesting and unique strings. Search for each one separately, or some combination of them. You're basically looking for the information about your hardware - CPU and system board manufacturer, addon boards, sensor information, and so on. You'll be amazed how much information a single search can provide. You could also search for the hardware make/model (which unfortunately you didn't tell us) or FCC ID. Step 2: Once you know the basic hardware information, use Google again. Look for tools and SDKs for the specific manufacturer/CPU. Use Google Translate to browse Chinese and Russian sites - they are a goldmine when it comes to hardware hacking and documentation. You should be able to find this github project. too. I didn't run the tool but a quick look at the source code tells me it should unpack your firmware with little to no modifications. Step 3: Load the unpacked firmware in Ghidra/IDA and start the actual reverse engineering process. :)4 points -
4 pointsHello. I have organised it in two different formats. I also added the modified solver.c file as an extra. Thank you. Link: drive4 points -
4 pointshttps://dr4gan0x.github.io/dr4gan-portfolio/?post=prometheus-12-layers I hope this write up catches your interest4 points
-
3 pointsYou Chinese are showing off again. Hurry up and upload the patch3 points -
3 pointsThrew this into Binary Ninja, turned out to be Rust-compiled ELF64 PIE not C as DiE claims, debug strings like src/main.rs src/vm/dispatcher.rs src/crypto/sbox.rs give it away, main at 0x41bea0 is just the lang_start trampoline real logic sits in sub_41a0c0 which drops into the verification orchestrator sub_418a10 running all 12 layers with bitwise AND accumulation no early exits, layers 1-3 are RDTSC delta and clock_gettime CLOCK_MONOTONIC anti-debug gates, 4-5-6 enforce the 28-char [A-Z0-9_] format with underscores pinned at positions 10/15/23 last 4 digits only and ASCII sum exactly 1901, identified the core hash at sub_433b80 as SipHash-2-4 from the init vectors 0x736f6d6570736575 0x646f72616e646f6d 0x6c7967656e657261 0x7465646279746573 aka "somepseudorandomlygeneratedbytes" with rotation constants 13/32/16/21/17/32 two rounds per block four at finalization, the actual crack comes from Layer 10 which splits the key into four 7-byte segments each hashed with independent k0/k1 pairs reducing the search space from 36^24 down to 4x36^6 roughly 2^33 which is the single architectural weakness in the design, brute-forced the last 4 digits first against Layer 6s YEARHASH/KEY01020 keys in 10K iterations got 2026 then segment 4 in 1.3K then segments 2 and 3 each in ~2.2B iterations then segment 1 with sum-constraint pruning total 55 seconds single core, validated against all remaining layers including the full-key SipHash triplet layers 7/8/9 with three different key pairs and the polynomial evaluation through MurmurHash3 fmix64 at five prime evaluation points all passed clean, key is PR0M3TH3U5_F1R3_ST34L3R_2026, I have a full writeup sitting around too lazy to format it properly but if anyone wants I can publish it3 points
-
2 pointsI found the way I have define that struct in MASM64: MODULEINFO STRUCT lpBaseOfDll DQ ? ; Base address of module SizeOfImage DQ ? ; Size of the module in bytes EntryPoint DQ ? ; Entry point of the module MODULEINFO ENDS GetModuleInformation return proper value.2 points
-
2 points -
2 pointsThank you very much, appreciate the PDF copy and extras! Ted.2 points -
Bypassed the license check but unpack is too complicated. The imports are very heavy wrapped. Can do it but few hours manual work will need.
2 points -
2 pointsThe crackmes.one CTF is officially live, built by the RE community, for the RE community. https://crackmesone.ctfd.io/ Start at: Sat 14 February 2026 00:00:00 UTC Enter the matrix and prove your skills. See you there!2 points -
1 point -
1 pointThis is what I thought at first; anyway declarated like this doesn't works; SizeOfImage has to be also a qword.1 point
-
1 point -
Just wanted to post my solution here for anyone who might stumble upon this thread. GitHubGitHub - hekliet/tsrh-kgm: Keygen for TSRh TeaM Trial Key...Keygen for TSRh TeaM Trial KeygenMe #1. Contribute to hekliet/tsrh-kgm development by creating an account on GitHub.The 'keygen' provided in this repo is a simple command line program that takes a line of input (the username) from stdin and prints a regcode. It should compile anywhere. MSVC users might have to substitute getline with gets or something, I don't know. A keygen that looks pretty and plays music can be found here: https://hekliet.nekoweb.org/tsrh-kgm/tsrh-kgm1-keygen.zip It's a Win32 executable that also works in Windows x64 and was coded on Linux using MinGW. No video, sorry.1 point -
1 point
-
1 pointHi Codexplorer, First of all, I wanted to say a huge thank you for your work on the Unlicense project and for sharing your compiled version/updates. It’s an incredible resource for the community. I've been testing the tool on some specific WinLicense 3.x protected targets (specifically 32-bit/x86 binaries). While the tool works great on many samples, I encountered a few hurdles with recent Python/LIEF environments and x86 targets that might be worth looking into for a future improvement: LIEF Compatibility: Recent versions of LIEF (0.17+) seem to have changed some attributes (like MACHINE_TYPES moving to Header.MACHINE_TYPES) and now return section names as bytes instead of strings, causing TypeErrors in dump_utils.py. Frida RPC Stability on x86: I've noticed frequent TypeError: not a function errors during the setupOepTracing or enumerateModuleRanges calls when targeting x86 apps on Windows 10/11. This often leads to AccessViolation because the IAT resolution gets interrupted or fails to map correctly. Forced IAT/OEP: On some complex targets, adding a more robust "forced mode" for OEP and IAT (bypassing the Frida instrumentation if the user already knows the addresses) helped me get further, but a native implementation in your branch would be amazing. If you have any plans to optimize the x86 engine or update the dependencies handling for the newer LIEF versions, that would be a game-changer for those of us working on older automotive or industrial software. Thanks again for the hard work and for keeping this project alive! @CodeExplorer Hi Codexplorer, First of all, I wanted to say a huge thank you for your work on the Unlicense project and for sharing your compiled version/updates. It’s an incredible resource for the community. I've been testing the tool on some specific WinLicense 3.x protected targets (specifically 32-bit/x86 binaries). While the tool works great on many samples, I encountered a few hurdles with recent Python/LIEF environments and x86 targets that might be worth looking into for a future improvement: LIEF Compatibility: Recent versions of LIEF (0.17+) seem to have changed some attributes (like MACHINE_TYPES moving to Header.MACHINE_TYPES) and now return section names as bytes instead of strings, causing TypeErrors in dump_utils.py. Frida RPC Stability on x86: I've noticed frequent TypeError: not a function errors during the setupOepTracing or enumerateModuleRanges calls when targeting x86 apps on Windows 10/11. This often leads to AccessViolation because the IAT resolution gets interrupted or fails to map correctly. Forced IAT/OEP: On some complex targets, adding a more robust "forced mode" for OEP and IAT (bypassing the Frida instrumentation if the user already knows the addresses) helped me get further, but a native implementation in your branch would be amazing. If you have any plans to optimize the x86 engine or update the dependencies handling for the newer LIEF versions, that would be a game-changer for those of us working on older automotive or industrial software. Thanks again for the hard work and for keeping this project alive! @CodeExplorer1 point
-
hello everyone! first post here :D im somewhat new to reverse engineering xiot firmware binaries, so please forgive my ignorance as i learn. ive been working on this one embedded linux binary, but ive been having trouble. using binwalk, it cant seem to fully decompile it, only return a .lzo file. based on entropy analysis of given lzo file, it appears encrypted with partial plaintext for bootloader (high entropy/low variance, please correct me if im wrong). im not sure how exactly to go about decryption or further analysis. i thought maybe xor encryption algorithm, so i tested the binary against all possible xor encryption keys, with no results. https://files.catbox.moe/cnre9d.bin if anyone has the time to help out, pls do so!! ive linked a copy of the binary, if you make progress, pls let me know what you did so i can learn from it too. thank you! ^^1 point -
1 point1 point
Prometheus (12 Layers of Insanity) A recruitment challenge for those who see what others cannot. The binary guards an encrypted message. To reveal it, you must provide the correct 28-character key. There is no backdoor, no shortcut, no unintended solution—only the key. The verification process spans twelve interconnected layers. Each depends on others. Disrupting one cascades through all. The binary knows its own shape and will notice if you change it. Some defenses are apparent through static analysis. Others manifest only at runtime. A few exist in the liminal space between instruction and execution—observable only through their effects, never their implementation. Difficulty 6/6 ## Rules - Standard crackme rules apply - The solution is the 28-character key - Picture of the solved challenge to be posted only 48h after completion. - No external services or network required - Linux x86_64 The reward prize and job offer will terminate in 24 hours. File Information Submitter Prometheus Submitted 01/21/2026 Category CrackMe View File
1 point
Hello @boot, bad news, your tool & driver can't kill the python process too like all those other tools. ☹️ Really sad. It can kill other running processes but not that specific one. I really would like to know why it is impossible to exit this process. Ever heard something about that a process really can't get terminated and the only way to get a rid of it is to reboot the system? Do you have another ideas? Remember, in this thread you could see my video I did post where it happens when using ComfyUI Portable (even outside of Sandbox) which used a embedded Python file which also makes that trouble I can't terminate at the end when this problem occurs by random etc. https://forum.tuts4you.com/topic/45702-how-to-terminate-a-process-which-is-denied-to-terminate/#findComment-226957 greetz1 point
Thank you very much for detailing the solution and method/s taken to solve. Would it be possible to get a PDF copy please? Ted.1 point
Yes, please post crackme's in the correct area, read the description at the top of the category in the link below, thank you... https://forum.tuts4you.com/forum/146-challenge-of-reverse-engineering/ Ted.1 point
I would appreciate a full writeup! Also, please consider publishing your solve to crackmes.one, where the author cross-posted this challenge.1 point
1 point
============================ AT4RE Power Loader v0.1 (Release Date: 26/03/2025) ============================ [+] Console interface [+] Loader Coded in C++ with CRT (big Size: 85 KB when compressed about 190 KB uncompressed). [+] Supports patching single or multiple Relative Virtual Addresses (RVAs). Root Folder Contents: [+] ATPL.EXE (AT4RE Power Loader) [+] Version History.txt ============================ AT4RE Power Loader v0.2 (Release Date: 16/04/2025) ============================ The most powerful loader against strong and hard protectors. It also works with medium-level protectors, packers, compressors, and even unprotected executable files. Main Features: [+] GUI Coded in Borland Delphi 7 [+] From the GUI, you can browse to select the target file (maximum filename length is 255 characters). [+] You can also copy and paste the file name into the input field. [+] Choose between x32 and x64 loader versions. [+] Loader data can be entered only in the format shown in filed or in the screenshot. [+] Set a base timeout in milliseconds (Minimum: 00, Maximum: 9999 — i.e., 9.99 seconds). [+] Set 1-byte opcodes in the Opcode field using HEX characters (Opcode is the Original First Byte of RVA1). [+] Configure Opcode Timeout in milliseconds (Minimum: 00, Maximum: 9999 — i.e., 9.99 seconds). [+] Set the Loader Timer Delay in microseconds (Min: 00, Max: 9,999,999 — i.e., 9.99 seconds). [+] Configure the loader to start as Administrator. [+] Directly pack the loader with UPX. [+] Generate Loader.exe [+] Save or open projects for future use from File menu. [+] Set the GUI to "most on top" from the View menu. [+] Access the official website, report bugs, and find more information via about in the Help menu. Loader Details: [+] Coded in C++ using the Windows Pure API. [+] Loader size is 10 KB uncompressed, and 5 KB when compressed. [+] Supports Windows 7, 8, 10, and 11 (both x32 and x64). Features include: [+] Anti-ASLR [+] Anti-Anti-Debug [+] Anti-CRC Check [+] Automatically detects the base address. [+] Detects when the protector unpacks code into memory. [+] Can apply temporary patches after a specified delay in microseconds (Patch and restor original bytes). [+] Can apply permanent patches only with 00 Flag [+] Supports patching single or multiple Relative Virtual Addresses (RVAs). [+] Capable of patching up to 2048 bytes. [+] Can run as Administrator or Normal user mode. Root Folder Contents: [+] Project folder (Save or open projects for future use) [+] UPX folder (includes upx32.exe and upx64.exe) [+] ATPL.EXE (AT4RE Power Loader) [+] Version History.txt ============================ AT4RE Power Loader v0.3 (Release Date: 10/05/2025) ============================ The most powerful loader against strong and hard protectors. It also works with medium-level protectors, packers, compressors, and even unprotected executable files. Main Features: [+] Added Support Patching DLLs (Only DLLs Loaded by Target.exe). [+] Added Drag Drop Feature: For .EXE, .REG, .ICO Files. [+] Added Insert Loader Data feature (For Respect the Correct Format). [+] Added Registry Keys Manager (Max size: 1 KB / 1024 characters). [+] Added Delete Files feature (Max size: 1 KB / 1024 characters). [+] Added Icon Changer. [+] Added New Project option from File menu (Clears all fields). [+] Added Commands Shortcut Ctrl+N, Ctrl+O, Ctrl+S in File menu. [+] Added Contact Us section from Help menu. [+] Updated About from Help menu from box to a form. [+] Updated display fonts for Loader Data, Registry, and Files. [-] Removed "My Target run as admin". Loader Details: [+] Size is now 17 KB uncompressed, 7 KB when compressed. [+] Loader now Support Patching DLLs (Only DLLs Loaded by Target.exe). [+] Loader can now add or delete registry keys. [+] Loader can delete files. [+] Automatically requests Run as Administrator when needed (e.g.,Target need administrator privilege, modifying registry or deleting files from protected folders). [+] Icon support added. Root Folder Contents: [+] Icons folder (includes 5 icons). [+] Lib folder (includes bass.dll). [+] Project folder (Save or open projects for future use). [+] ResH folder (includes ResHacker.exe). [+] UPX folder (includes upx32.exe and upx64.exe). [+] ATPL.EXE (AT4RE Power Loader). [+] Version History.txt ============================ AT4RE Power Loader v0.4 (Release Date: 16/05/2025) ============================ The most powerful loader against strong and hard protectors. It also works with medium-level protectors, packers, compressors, and even unprotected executable files. Main Features: [+] Added Import menu. [+] Added Support .1337 patch files exported by x64dbg. [+] Set Opcode automatically when Load .1337 file. [+] Added OpenDialog when Double Click on: - Target Name field. - Loader Data field. - Registry field. - Custom icon field. Loader Details: [+] Fixed bug with registry feature. [+] Default icon changed. [+] Compressed Loader with Default icon 8 KB. Root Folder Contents: [+] Icons folder (includes 5 icons). [+] Lib folder (includes bass.dll). [+] Project folder (Save or open projects for future use). [+] ResH folder (includes ResHacker.exe). [+] UPX folder (includes upx32.exe and upx64.exe). [+] ATPL.EXE (AT4RE Power Loader). [+] Version History.txt1 point
This one uses the built-in license system of the ArmDot .NET.. Provide a serial or an unpacked or a patched variant that accepts a serial.1 point
ArmDot .NET v2026.1 (Built-in License System) This one uses the built-in license system of the ArmDot .NET.. Provide a serial or an unpacked or a patched variant that accepts a serial. File Information Submitter whoknows Submitted 01/31/2026 Category KeygenMe View File
1 point
1 point
File protected with Hide strings Obfuscate control flow Obfuscate names Obfuscate namespaces and some virtualization accepted solution - unpack OR tell what is doing.1 point
1 pointArmDot .NET v2026.1 File protected with Hide strings Obfuscate control flow Obfuscate names Obfuscate namespaces and some virtualization accepted solution - unpack OR tell what is doing. File Information Submitter whoknows Submitted 01/30/2026 Category UnPackMe (.NET) View File
1 point
This one is an interesting sample. Code is really small, so it was stolen completely, thus it's hard to tell app code from protector code. Functional code is quite simple, just MessageBoxA. And that's it, it does nothing more. After showing the message box it starts freeing memory that definitely isn't app code. But for the sake of completeness let's get to the bottom of this. We have 8 more code bytes. And we have 1 reloc pointing there, meaning ExitProcess should perfectly fit in. Unpacked file attached with code, import and relocs restored and sections cut. unpacked.exe1 point
1 pointThis one is quite easy or easy protection options were chosen. Import isn't redirected. EP code is restored, sections are cut, resources rebuilt. Had to cut it in 2 parts. unpacked.part1.rar And part 2. unpacked.part2.rar1 point
@0X7C9 pls can u upload https://tut4u.com/hexorcist-reverse-engineering-course/ in your webdav server1 point
1 point
1 pointuse Net gaured Cflow Cleaner This doesn’t fully clean the control flow but after using it you will need to use a SizeOf fixer. After that, you can use the constant decrypter by CuredSheep. SizeOf-Fixer-master.zipnetguard controlflow.rar1 point
1 point
1 pointHere compiled unlicense with codeexplorer's fixes: unlicense compiled With pyton 3.09 and 3.11 versions.1 point
1 point
You can provide Another link & And solve this problem
1 point
Server is up , woth better uplink !Use webdav client. like WinSCP host : https://eddynet.cz:9865 u: learn p: 4EKS9umUYme3WAZrC1 point
1 point
Someone please share zero 2 automated reversing course. Thank you.1 point
I added 64 bit support and generic extraction HydraDragonAntivirus/MegaDumper: Fixed 2025 version of Mega Dumper1 point
some old tools to dump LTPs (199x, 200x) https://workupload.com/file/DarwJdWpGR81 point
Today I release an unpacker script for Enigma Protector. Maybe you know that I created another unpacker script for Enigma in the past which no-longer works for protected Enigma files greater than 3.70+ and this is the reason why I wrote a new script, Enigma Alternativ Unpacker 1.0. So what is new in this script? This script will unpack your Enigma protected files and dump the used outer virtual machine. This means you do not need to use the DV / Enigma plugin which is used in my other script. Of course the virtual machine will be still virtualized but your unpacked files will work. It is not the best solution but for the moment it is a good "alternativ" and a working solution. Features of the script: ( 1.) Unpacking of ENIGMA 1.90 - 3.130+ ( 2.) RegSheme Bypass & HWID Changer ( 3.) Enigma CheckUp Killer ( 4.) VirtualMemory Dumper 1.90 - 3.x+ & SC Fixer M1 ( 5.) UIF Tool Necessary Sometimes! ( 6.) Enigma Intern Export & VM Scan + Log ( 7.) Improved Import Emulation Fixer ( 8.) Supports Exe & Dll Files [dll at EP!] This new script again covers almost all the protection features of Enigma Protector like my other script but it has been improved and I have added some extra things that you will see when you get to use it. I have created four video tutorials for you where you can see what you have to do in some of the different situations you may experience. Be sure that you "watch the videos" before you use the script to prevent some unnecessary questions where you can already find the answers if you watch them and then read my added text files. I also made an UnpackMe set with six different protected files (watch videos how to unpack all of them). If something does not work for you or if you get any trouble or have any questions then just post a reply on the topic (linked above) to get an answer.1 point
1 point
When new malware are discovered, it is important for researchers to analyze and understand them as quickly as possible. This task has been made more difficult in recent years as researchers have seen an increasing use of virtualization-obfuscated malware code. These programs are difficult to comprehend and reverse engineer, since they are resistant to both static and dynamic analysis tech-techniques. Current approaches to dealing with such code first reverse-engineer the byte code interpreter, then use this to work out the logic of the byte code program. This outside-in approach produces good results when the structure of the interpreter is known, but cannot be applied to all cases. This paper proposes a different approach to the problem that focuses on identifying instructions that affect the observable behaviour of the obfuscated code. This inside-out approach requires fewer assumptions, and aims to complement existing techniques by broadening the domain of obfuscated programs eligible for automated analysis. Results from a prototype tool on real-world malicious code are encouraging.1 point
0 pointsHi, Can someone provide MODULEINFO structure in MASM64? invoke GetModuleInformation, hProcess, qword ptr [rax], addr modInfo, sizeof MODULEINFO I realized that MODULEINFO structure is not defined anywhere!0 points
