Leaderboard

Here is unpacked folder, all tools included. https://limewire.com/d/PWsfv#C32mVemS40 https://fileroy.com/2WVGr1E9zkx7/file https://zippyshare.day/YPGm89uDHMSpeoC/file Final unpacked exe is called drr_msil_Slayed2cleaned_.exe

Here we go, after the above step with slayer - Decrypt Methods unckecked; // Token: 0x0600081D RID: 2077 RVA: 0x0006E2E8 File Offset: 0x0006C4E8 [MethodImpl(MethodImplOptions.NoInlining)] internal unsafe static void qp1d5IbOJ() { Just fill at 006C4E8 with 062A so will change the body of method qp1d5IbOJ to a simple ret. after that we have a working file and we can deobfuscate with BabelDeobfuscator. Here is working unpacked file: https://workupload.com/file/3JqMck9ZtYR

Better late than never, my writeups are finally live: https://washi1337.github.io/ctf-writeups/writeups/flare-on/2025/

NETReactorSlayer-6.4.0.0_Fixed9.rar: https://workupload.com/file/9FgKGVGdEEY I completely restored NETReactorSlayer-6.4.0.0\NETReactorSlayer.Core\Helper\EncryptedResource.cs and just add trial Decrypter_v5. I've added ControlFlowReactor.cs for the new control flow and I've changed MethodDecrypter.cs to call it from "public void Run(IContext context)" in each Module.cctor method called.

https://limewire.com/d/ms51G#Mpzupr348q https://fileroy.com/M2BGwO2XGj40/file https://zippyshare.day/EbxBhxDZZZbrlIH/file

Very nice crackme Salin! Noticed couple of things and gave it a try,its using a recrusive function that looked like Fbonacci but with a twist - when n equals 8 it returns the first character of my input XORed with 0x78 instead of the normal Fibonacci value. Code computes fib(14) and compares it against specific values in a switch statement. I knew standard fib(14) is 377 which equals 0x179. Working backwards since fib(8) gets replaced with char[0] ^ 0x78 , i needed to figure out what value makes the sequance land on 377. Turns out fib(8) needs to be 21 for this to work. So char[0] ^ 0x78 = 21 which means char[0] = 21 ^ 0x78 = 0x6D = 'm' There's a loop that validates characters 3 through 9 using a table at byte_411BFC. The validation formula : fib(i+8) - fib(i+6) == byte_411BFC[i] ^ char[3+i] Just rearranged it to solve for each character and u get : a, m, b, i, q, u, e. Now characters 1 and 2 were trickier. Character 1 determines a value dl through another Fibonacci call and character 2 gets XORed with that. There's a secondary check involving fib(17) that needs to equal 1597. After some trial and error found that char[1] = 'o' gives the right Fibonacci value, and char[2] = 'z' satisfies the XOR constraint. And if we finally put it all together we get a valid serial for this amazing crackme which is : mozambique I ran it through checksum calculation and got 0x12D4. Some code where it compares : 0040134B | 893D 20434100 | mov dword ptr ds:[414320],edi | 00401351 | 81FF D4120000 | cmp edi,12D4 |

#include <stdint.h> #include <string.h> #include <stdio.h> #ifndef _WIN32 #define __stdcall #endif int __stdcall ted(uint8_t* input_buf, uint8_t* output_buf, uint8_t arg_8) { uint8_t permuted_input[10]; permuted_input[0] = input_buf[6]; // var_10 permuted_input[1] = input_buf[9]; // var_F permuted_input[2] = input_buf[1]; // var_E permuted_input[3] = input_buf[4]; // var_D permuted_input[4] = input_buf[8]; // var_C permuted_input[5] = input_buf[3]; // var_B permuted_input[6] = input_buf[7]; // var_A permuted_input[7] = input_buf[0]; // var_9 permuted_input[8] = input_buf[5]; // var_8 permuted_input[9] = input_buf[2]; // var_7 uint8_t var_24[4] = {0, 0, 0, 0}; uint8_t key_string[] = { 0x6F, 0x6D, 0x65, 0x64, 0x4F, 0x4D, 0x45, 0x44, 0x45, 0x44, 0x4F, 0x4D }; uint8_t var_1D = 0xEA; for (int i = 0; i < 10; i++) { uint8_t val = permuted_input[i]; uint16_t product1 = (i + 1) * val; uint8_t p1_low = (uint8_t)product1; var_24[0] += p1_low; var_24[1] -= p1_low; uint16_t product2 = (i + 0x38) * val; var_24[2] += (uint8_t)product2; } uint8_t al = var_24[0] * permuted_input[0]; uint8_t bl = var_24[1] ^ al; var_24[2] = ((bl + 1) ^ var_24[2]) & 3; uint8_t current_dl = var_1D; for (int i = 0; i < 12; i++) { uint8_t key_char = key_string[i]; - // The original assembly does: mov al, [ebp + key_char + var_10] // This reads outside the 'permuted_input' array. uint8_t magic_byte = *( (&permuted_input[0]) + key_char ); uint8_t calculated = magic_byte ^ current_dl; uint8_t add_val = (uint8_t)(i * 5); calculated += add_val; output_buf[i] = calculated; current_dl = calculated + 0x22; } uint8_t final_byte = ((arg_8 * 4) & 0x0C) | var_24[2]; output_buf[12] = final_byte; return 1; } int main() { uint8_t input[] = {0,1,2,3,4,5,6,7,8,9}; uint8_t output[13]; ted(input, output, 0x10); return 0; }

I've just fixed NETReactorSlayer to work with this protection: NETReactorSlayer-6.4.0.0_Fixed1: https://workupload.com/file/EU2AEkDCjSz Please test it and let me know;

Basically it works like this,your input gets hased and compared to stored hashed thats inside crackme. Stored hash is : 97328946466865e882e741277903962e7f1ca9cbb4e71948d740bbd38f702f3c <- crackmes hash. To patch application put bp on MessageBoxW and check the call stack. The address in my case is the second one on the call stack: 097044E3 - 8B CE - mov ecx,esi From this address scroll up and you will see : 097044A7 - 74 10 - je 097044B9 097044A9 - C6 05 744ED005 01 - mov byte ptr [05D04E74],01 { (0),1 } 097044B0 - 8B CE - mov ecx,esi 097044B2 - E8 CDE96500 - call 09D62E84 097044B7 - EB 2A - jmp 097044E3 097044B9 - C6 05 744ED005 00 - mov byte ptr [05D04E74],00 { (0),0 } Patch the first one 097044A7 - 74 10 - je 097044B9 to jne 097044B9 and that should be it.

Language : C/C++ Platform : Windows x32 OS Version : ( Windows 7,10) Packer / Protector : None Description : Goal : Find correct key. Enter key in textbox and click OK button then you see result . Screenshot : crackme_release.exe

@0X7C9 pls can u upload https://tut4u.com/hexorcist-reverse-engineering-course/ in your webdav server

Unpackers tools - source code C# My source code: https://gitlab.com/CodeCracker https://github.com/CodeCrackerSND https://bitbucket.org/CodeCrackerSND/ I will NOT share (anymore) the rest of my tools!

ty

import hashlib def generate_key(input_string): input_string = input_string.upper() salted_string = input_string + ':K3yS@lt2025' md5_hash = hashlib.md5(salted_string.encode()).hexdigest().upper() md5_hash = md5_hash[:16] formatted_hash = '-'.join([md5_hash[i:i+4] for i in range(0, len(md5_hash), 4)]) return formatted_hash input_string = input("Enter your string: ") key = generate_key(input_string) print("Generated serial:", key)

VMPLicenseProtector This is a recently developed recreational utility. I'm unsure which forum section is appropriate, so moderators please feel free to move it if necessary. The tool implements a combined The Enigma and VMProtect protection scheme and is designed for applying VMProtect to Win32/Win64 executables and DLLs without requiring source code. It is not compatible with .NET assemblies. The interface supports Chinese/English language switching. To function, VMProtect_Con.exe must be placed in the tool's directory. Note that the tool itself is incompatible with Windows 7 and requires the DirectX 11 runtime to be installed. Software protected with it remains compatible with Windows XP/7/10. Trial Version Limitations: Only the anti-hijacking feature is enabled. All other functions are disabled. Uses a fixed RSA key. Please do not use it to protect commercial software. While some features are disabled, the tool may be sufficient for users with modest needs if patched. The trial license expires after one month, but functionality can be extended through patching. Archive Password: View by double-clicking the RAR file in WinRAR (check comment) or use: tuts4you. File Information Submitter lengyue Submitted 12/26/2025 Category CrackMe View File

you really want then open a new challenge of unpack me. Will try to do it. Like a proper way.

Ok will prove it what will i get?

its not trial , its dng hvm enterprise 4.94 [ it can be run for 3 days ] , unpack it here x86 and x64 bit , Unpackme_64bit_3_days_time.zip UnpackMe_3_Days.zip

i am not asking about how did u dump jit code , saying about , can u little bit brief about => how did you Load assembly and RunModuleConstructor or load assembly from different Domain, this part => var asm = Assembly.LoadFrom(Filename); RuntimeHelpers.RunModuleConstructor(asm .ManifestModule.ModuleHandle);

@CodeExplorer Hello master, I followed your instructions for the new version of this application, but the code doesn't fully open and the executable still doesn't work. Could you please review it again? Your knowledge regarding this version of Reactor is very valuable to me. https://gofile.io/d/c1jG6d

It was interesting 😅 UnpackMe.Dumped.exe UnpackMe.Unpacked.exe

<font dir="auto" style="vertical-align: inherit;"><font dir="auto" style="vertical-align: inherit;">SEKeygen.rar</font></font>HWID hash: 83A5249484F096DB700F771CF0A5F51B Decoded value 8A357B71C2ECFA5F7FC3275B5DBF9F61D4F98CA089470FCF390DFC0BC125917C92D667ACA678A0D485F7566FBBA52233 Reg SOFTWARE\Classes\Interface\{19335D77-1E2D-1337-146B-19F5CABF57A8} KeySize: 1024 E: 65537 CPU MAC BIOS HDD HWID

The Enigma Protector x64 v7.4 (HWID Lock) Two simple Win x64 GUI applications protected using Enigma x64 v7.4. Challenge is to; bypass the hardware ID lock; unpack the application. Let us go together to solve this issue. File Information Submitter lovejoy226 Submitted 06/17/2024 Category UnPackMe View File

My previous video link is dead. Here below you can watch how to use my plugin.

😀😁 UnpackMe.Dumped.exe UnpackMe.Unpacked.exe

Found this last week when I was looking for gen9 bios/firmwares http://dl.mobinhost.com/Firmware/HP/iLO/ @kao Yes, gen10 is iLO5. It might be the same check on both generations, so maybe checking old iLO4 would also work... @Niutish Can the memory be programmed by soft or it can only be done via hw? Does CH341A works for this? PS: I have never reversed fw/bios, but I guess it can be backtraced from here? LDR R3, [R10,#0x10] MOV R2, R5 ADD R0, SP, #0x194+var_64 MOV R1, #0x40 ; '@' BL 0x3EEFFE0 LDR R2, [SP,#0x194+var_178] ADR R1, aMemoryModuleIs ; "Memory module is HP SmartMemory"EDIT: According to this pdf https://www.cpi.co.jp/wp/wp-content/uploads/2025/01/Understanding-DDR4-SPD-Table-by-CST.pdf bytes 0x143-0x144 are the manufacturing date. CRC should be at 0x17E-0x17F

To avoid blind guessing, I suggest you to get old iLO firmware packages and analyze them. See what conditions must be fulfilled in order to get the "SmartMemory" status. If my google-fu is working, Gen10 servers use iLO5, here is it's general spec: https://www.hpe.com/us/en/collaterals/collateral.c04154343.html, and here are the download links https://support.hpe.com/connect/s/softwaredetails?language=en_US&collectionId=MTX-2dc80c4ae4b943fa. It would appear that older firmware packages didn't use any encryption, just some (trivial) compression, making the job so much easier.

I wanted to devirtualize it manually so I made a disassembler for it using the new yara-x to locate the handlers and the bytecode. Probably going to turn it into a full devirtualizer from binaryshield bytecode straight to x86_64. I saw these values(the one in the cmp comment) put them as input since it was valid I didn't go further. You can find my work at https://github.com/xlatbx59/Bshld, the file with the disassembly is at https://github.com/xlatbx59/Bshld/blob/master/binshield.txt. It was fun to reverse

Hi! This is my first post on tuts4 you I hope that this is the right section, if not, please delete this post! Ok so... Few months ago I have made public my internal project called REDasm on GitHub. Basically it's a cross platform disassembler with an interactive listing (but it's still far, if compared to IDA's one) and it can be extended with its API in order to support new formats, assemblers and analyzers. Currently it supports: Portable Executable VB5/6 decompilation . It can detect Delphi executables, a decompiler is WIP. .NET support is WIP. Debug symbols are displayed, if available. ELF Executables Debug symbols are displayd, if available. DEX Executables Debug symbols are displayed, if available. x86 and x86_64 is supported. MIPS is supported and partially emulated. ARM support is implemented but still WIP. Dalvik assembler is supported. Most common assemblers are implemented by using Capstone library, Dalvik assembler is written manually and even the upcoming MSIL/CIL assembler will be implemented manually. The entire project is written in C++ and its UI is implemented with Qt5, internally, the disassembler is separated in two parts: LibREDasm and UI. LibREDasm doesn't contains any UI related dependencies, it's just pure C++, one day I will split it in two separate projects. Some links with source code, nightlies and wiki: Source Code: https://github.com/REDasmOrg/REDasm Nightly Builds (for Windows and Linux): https://github.com/REDasmOrg/REDasm-Builds Wiki: https://github.com/REDasmOrg/REDasm/wiki And some screenshots:

Someone please share zero 2 automated reversing course. Thank you.

@Teddy Rogers It is seen to be wider and smoother. Many thanks. Regards. sean.

@everyone Can you please write step by step guide tutorials if you solve these kind of problems, so other people get helped by your efforts. No meaning jobs, just showing off. But this is not obligation. your choice for helping others learn. Regards. sean.

@guily6669 Have you installed the keyboard driver of your windows's? Regards. sean.

cracked.mkv Cracked.mp4

@StarrySky How to do it? Regards. sean.

Regards. sean.

@boot Does your method work also to this? Your picture above is different from mine even though the RVA is same as yours. hashgen.vmp.hwid.lock.zip Regards. sean.

@boot Fantastic!!! How did you do it? Can you reveal your method? Regards. sean.

Hello, everyone. Try to do this bypass and runme challenge. If you do it successfully, post the screenshot please. VMProtect MY PC HWID LOCKED hashgen.vmp.zip Regards. sean.

hi, i am new to devirtualization topic and this challenge was very good for beginners and me. first, my goal was not just obtain the keys but devirtualize whole function automatically and recompile back to be able to patch it. i lifted handlers to LLVM IR and recompiled in a new binary to analyze it this is my final output i know its a little difficult to read, but at least you can see the correct keys clearly if you look at if statements. sadly, code crashes at runtime, i dont know why. it will probably take really long time to identify the problem. i dont think i will do that. maybe i might try VTIL instead of LLVM. i would like to see others approaches on fully devirtualizing this vm. great challange again.

https://www.youtube.com/watch?v=4G9jc5zD6K0

From context menu choose CreateBackup then "Make Snapshot" and run program then to see differences choose "Compare Snapshot". Before make new snaphot choose "Clear Snapshot" for cleaning changes that plugin made. For bigger targets and with many changes can be plugin laggy. CreateBackup.dp64