Tuts 4 You


Leaderboard

  1. CodeExplorer (Team Member): 116 points, 4,553 posts
  2. Stingered (Full Member): 32 points, 124 posts
  3. dr4gan (Junior): 22 points, 3 posts
  4. HostageOfCode (Full Member): 18 points, 211 posts

Popular Content

Showing content with the highest reputation since 01/22/2026 in all areas

  1. dr4gan
    https://dr4gan0x.github.io/dr4gan-portfolio/?post=prometheus-12-layers I hope this write up catches your interest
  2. dr4gan
    Threw this into Binary Ninja, turned out to be Rust-compiled ELF64 PIE not C as DiE claims, debug strings like src/main.rs src/vm/dispatcher.rs src/crypto/sbox.rs give it away, main at 0x41bea0 is just the lang_start trampoline real logic sits in sub_41a0c0 which drops into the verification orchestrator sub_418a10 running all 12 layers with bitwise AND accumulation no early exits, layers 1-3 are RDTSC delta and clock_gettime CLOCK_MONOTONIC anti-debug gates, 4-5-6 enforce the 28-char [A-Z0-9_] format with underscores pinned at positions 10/15/23 last 4 digits only and ASCII sum exactly 1901, identified the core hash at sub_433b80 as SipHash-2-4 from the init vectors 0x736f6d6570736575 0x646f72616e646f6d 0x6c7967656e657261 0x7465646279746573 aka "somepseudorandomlygeneratedbytes" with rotation constants 13/32/16/21/17/32 two rounds per block four at finalization, the actual crack comes from Layer 10 which splits the key into four 7-byte segments each hashed with independent k0/k1 pairs reducing the search space from 36^24 down to 4x36^6 roughly 2^33 which is the single architectural weakness in the design, brute-forced the last 4 digits first against Layer 6s YEARHASH/KEY01020 keys in 10K iterations got 2026 then segment 4 in 1.3K then segments 2 and 3 each in ~2.2B iterations then segment 1 with sum-constraint pruning total 55 seconds single core, validated against all remaining layers including the full-key SipHash triplet layers 7/8/9 with three different key pairs and the polynomial evaluation through MurmurHash3 fmix64 at five prime evaluation points all passed clean, key is PR0M3TH3U5_F1R3_ST34L3R_2026, I have a full writeup sitting around too lazy to format it properly but if anyone wants I can publish it
  3. kao
    I was not able to download your firmware completely (Catbox seems to be having problems today) but I can give you some tips anyway.
    Step 1: It's unlikely that you've encountered a very unique hardware that has no existing tooling or documentation. Also a lot of hardware is made by the same OEM manufacturer in China and just sold under different brand names. So, use Google. Seriously. :) First few kilobytes of your firmware contain plenty of interesting and unique strings. Search for each one separately, or some combination of them. You're basically looking for the information about your hardware - CPU and system board manufacturer, addon boards, sensor information, and so on. You'll be amazed how much information a single search can provide. You could also search for the hardware make/model (which unfortunately you didn't tell us) or FCC ID.
    Step 2: Once you know the basic hardware information, use Google again. Look for tools and SDKs for the specific manufacturer/CPU. Use Google Translate to browse Chinese and Russian sites - they are a goldmine when it comes to hardware hacking and documentation. You should be able to find this github project, too. I didn't run the tool but a quick look at the source code tells me it should unpack your firmware with little to no modifications.
    Step 3: Load the unpacked firmware in Ghidra/IDA and start the actual reverse engineering process. :)
  4. Ellvis
    The crackmes.one CTF is officially live, built by the RE community, for the RE community. https://crackmesone.ctfd.io/ Start at: Sat 14 February 2026 00:00:00 UTC Enter the matrix and prove your skills. See you there!
  5. dr4gan
    Hello. I have organised it in two different formats. I also added the modified solver.c file as an extra. Thank you. Link: drive
  6. unpacker1
    This one is an interesting sample. Code is really small, so it was stolen completely, thus it's hard to tell app code from protector code. Functional code is quite simple, just MessageBoxA. And that's it, it does nothing more. After showing the message box it starts freeing memory that definitely isn't app code. But for the sake of completeness let's get to the bottom of this. We have 8 more code bytes. And we have 1 reloc pointing there, meaning ExitProcess should perfectly fit in. Unpacked file attached with code, import and relocs restored and sections cut. unpacked.exe
  7. ra1n
    (1) I never accused you of lying (2) I don't care about your "tools" My point is crystal clear: this site will continue to die if we allow such "solutions" (which are 9/10 just people using public tooling and therefore can't provide any novel contributions). Go ahead, feel free to discuss the "internals", which was arguably the bare minimum you should have provided in the original response to this challenge.
  8. ra1n
    Wow, very helpful 🙄 Every "solution" on this site is the most Cleo like response ever. I swear in almost every challenge, someone throws the .exe into public tooling, uploads the output, and provides zero explanation -- likely with the hope that people view them in awe. In my opinion, such solutions should result in consequences for the poster. This site will continue to die if people continue with these dull answers. For those interested in tackling such protection schemes, I would recommend: (1) https://github.com/NaC-L/Mergen (2) https://github.com/Colton1skees/Dna (3) https://whereisr0da.github.io/blog/posts/2021-02-16-vmp-3 (4) https://secret.club/2021/09/08/vmprotect-llvm-lifting-1.html
  9. HostageOfCode
    Here my unpacked. CFF Explorer_unprotected.7z
  10. Teddy Rogers
    Thank you very much, appreciate the PDF copy and extras! Ted.
  11. HostageOfCode
    Bypassed the license check but unpack is too complicated. The imports are very heavy wrapped. Can do it but few hours manual work will need.
  12. Teddy Rogers
    Thank you very much for detailing the solution and method/s taken to solve. Would it be possible to get a PDF copy please? Ted.
  13. harps1ch0rd
    I would appreciate a full writeup! Also, please consider publishing your solve to crackmes.one, where the author cross-posted this challenge.
  14. kiran
    issue resolved by adding private readonly DataEncryption _encrypt = new DataEncryption();
  15. rafaelcoisa
    I also thought that was fornicationed up.
  16. m!x0r
    Firstly You Must Set Hardware Breakpoints on your Target address (where you want to make changes) Then You Must Break on System DLL Entry (For Identify the last Loaded DLL Before The Pointer Stop on your Target address) Finally Set Memory Breakpoint on Write at .data Section of your main EXE Here we Go Like Last Example: Our DLL Before Stop at our address is: wsock32.dll Next Step Restart Target and Finding Static Opcode in Static Stack and check our DLL Target Code if Unpacked Summary: main:0002064F:10:0; tgsdk.dll:00006310:00:0; tgsdk.dll:00006638:74:0 When Our Loader Loop Checking First Byte of RVA 1 in Stack and when Checking is OK, That means EIP is running in 004012EC, and our Target DLL is unpacked and ready to write the Loader Data. I hope This Tuto Can Help Greetings AT4RE
  17. RADIOX
    2 points
    Interesting 🌝 this reminded me of the old days, is it possible to create a tutorial video? I don't see good unpacking tutorials these days
  18. fReestYler
    Themida v3.1.4 (x32 & x64) - Impossible Two files are protected with an old version Themida (3.1.4) Entry Point is virtualized Just find and restore OEP, recover the IAT and unpack if it possible Virustotal detects it as a virus, but my AV software is not File Information Submitter fReestYler Submitted 05/10/2025 Category UnPackMe View File
  19. unpacker1
    This one is quite easy or easy protection options were chosen. Import isn't redirected. EP code is restored, sections are cut, resources rebuilt. Had to cut it in 2 parts. unpacked.part1.rar And part 2. unpacked.part2.rar
  20. m!x0r
    Here is an Example: DLL Protected By: ASProtect v2.x Static Opcode in Static Stack: Result: Test Files With ATPL Project & Loader: https://mega.nz/file/HZwxhA7J#aTuTBmfXkWbuGiMWaBhPTJpOfcoJsIB9jGDBkycilww Greetings AT4RE
  21. lengyue
    VMPLicenseProtector This is a recently developed recreational utility. I'm unsure which forum section is appropriate, so moderators please feel free to move it if necessary. The tool implements a combined The Enigma and VMProtect protection scheme and is designed for applying VMProtect to Win32/Win64 executables and DLLs without requiring source code. It is not compatible with .NET assemblies. The interface supports Chinese/English language switching. To function, VMProtect_Con.exe must be placed in the tool's directory. Note that the tool itself is incompatible with Windows 7 and requires the DirectX 11 runtime to be installed. Software protected with it remains compatible with Windows XP/7/10. Trial Version Limitations: Only the anti-hijacking feature is enabled. All other functions are disabled. Uses a fixed RSA key. Please do not use it to protect commercial software. While some features are disabled, the tool may be sufficient for users with modest needs if patched. The trial license expires after one month, but functionality can be extended through patching. Archive Password: View by double-clicking the RAR file in WinRAR (check archive comment) or use: tuts4you. File Information Submitter lengyue Submitted 12/26/2025 Category CrackMe View File
  22. Beyoglu
    Hello everyone. I have been developing my own EXE protection and encryption system for a long time. Taking inspiration from solutions like VMProtect and Themida, I am trying to build a structure that includes various security layers such as packer, encryption, obfuscation, anti dump and more. To test this work and identify its shortcomings, I prepared a small test EXE. The application is a simple program that asks for a license key, and your goal is to crack this application and gain access. I encrypted and protected this test application using the protection system I developed. Download link: https://dosya.co/x5e4xyewg94d/CrackMe.exe.html VirusTotal analysis: https://www.virustotal.com/gui/url-analysis/u-a65e75a253a80ae0a2ef0e23a218db163333faf2ce84401f76168cb764444c2a-a6822794 I kindly ask you to analyze it using reverse engineering techniques and try to break it and, if possible, share with me: the parts you found difficult, the weaknesses you found easy, the strong and weak points of the protection. My goal is purely to learn, see my mistakes and make the system more robust. For experienced experts it may be a simple application; please excuse that in advance. I hope it will be an educational exercise for beginners and intermediate level users. Thank you in advance to everyone who participates. Good luck to all.
  23. Beyoglu
    It seems that although the executable looks protected, no real encryption or obfuscation has actually been applied. There is also a possibility that I accidentally tested the original executable file. I will review my program and fix any shortcomings in the protection pipeline. Thank you for your feedback. Would you like me to open a new thread after I make the corrections?
  24. Tundxator
    There is absolutely nothing encrypted, virtualized, or obfuscated in the exe.

        private void BtnCheck_Click([Nullable(2)] object sender, EventArgs e)
        {
            if (this.txtLicenseKey.Text.Trim() == "QUJU-329D-4936-GSBW-AVSK-U8")
            {
                base.Hide();
                new SuccessForm().Show();
                return;
            }
            MessageBox.Show("Invalid License Key!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Hand);
        }
  25. Beyoglu
    I guess nobody wants to help
  26. vinod123
    @cTrI the site will not disappear, bcoz the webdav server configured connection to single only no parallel connections allowed, if u use multiple winscp clients from the same location(ip) then u may abuse...
  27. decode
    Thank you boss
  28. kiran
    i copied this the function name CalculateAuthorizationCode() from Eaton.SSE.Security.Authorize.dll and i added the reference to some dll which functions are used inside this main function here is my function code

        string CalculateAuthorizationCode(string registrationCode, AccessLevel accessLevel, uint numberOfDays, IEnumerable<string> allowedEquipmentList)
        {
            if (string.IsNullOrEmpty(registrationCode))
            {
                throw new EatonException("Bad Authorization Code Request (RegistrationCode is empty).");
            }
            if (!AccessLevelHelper.IsValidUserAccessLevel(accessLevel, CommonUtils.ProductType, false))
            {
                throw new EatonException("Bad Authorization Code Request (Access level invalid).");
            }
            bool flag = numberOfDays < 1U || numberOfDays > 730U;
            if (flag)
            {
                throw new EatonException("Bad Authorization Code Request (Number of days value is out of range).");
            }
            if (allowedEquipmentList == null || allowedEquipmentList.Count<string>() <= 0)
            {
                throw new EatonException("Bad Authorization Code Request (Allowed Equipment List is Empty).");
            }
            try
            {
                StringBuilder stringBuilder = new StringBuilder();
                stringBuilder.Append(registrationCode);
                stringBuilder.Append("!");
                stringBuilder.Append(accessLevel.ToString());
                stringBuilder.Append("!");
                stringBuilder.Append(numberOfDays.ToString());
                stringBuilder.Append("!");
                foreach (string text in allowedEquipmentList)
                {
                    stringBuilder.Append(text);
                    stringBuilder.Append(",");
                }
                if (stringBuilder.Length > 1)
                {
                    stringBuilder.Remove(stringBuilder.Length - 1, 1);
                }
                byte[] array = _encrypt.EncryptTextToBytes(stringBuilder.ToString(), CryptoKey.Registration);
                LoggerInterface.WriteLine(LogLevel.Information, string.Format("Authorize.CalculateAuthorizationCode (), Code is {0}.", stringBuilder), LogControl.Encrypt);
                return CommonParse.BytesToString(array, FormatType.Hexadecimal);
            }
            catch (Exception ex)
            {
                LoggerInterface.WriteLine(LogLevel.Exception, ex.ToString());
            }
            return string.Empty;
        }
        }

    i have compile error at this line

        byte[] array = _encrypt.EncryptTextToBytes(stringBuilder.ToString(), CryptoKey.Registration);

    An object reference is required for the non-static field, method, or property 'Program._encrypt

    please can some one guide me here i uploaded my csharp project https://we.tl/t-kLfapytJBX
  29. HostageOfCode
    Unpacked CFF Explorer_protected_unp_cl.7z
  30. whoknows
    judging by the error u posted you have to instantiate the _encrypt variable... Somewhere in app writes for example : Tesdsfasdft _encrypt so to instantiate you write : _encrypt = new Tesdsfasdft then u call any method.. if you continue have any problem PM @CodeExplorer , dont bump the thread
  31. rzrpdx
  32. RADIOX
    1 point
    No pressure; anyone can enjoy doing CTF challenges here. Old-day masters no longer exist
  33. whoknows
    ArmDot .NET v2026.1 File protected with Hide strings Obfuscate control flow Obfuscate names Obfuscate namespaces and some virtualization accepted solution - unpack OR tell what is doing. File Information Submitter whoknows Submitted 01/30/2026 Category UnPackMe (.NET) View File
  34. unpacker1
    1 point
    Sorry, I'm really short on time for tutorials. Besides it won't be much of use, as mostly custom tools are used. But I could try to answer some questions.
  35. decode
    Master, thank you very much for your interest; we are learning valuable information. However, for a DLL protected by VMP or Themida, how can we detect the point shown in the image via x32dbg? Where should we place the bp, or is there a simpler way?
  36. unpacker1
    1 point
    Though this one is quite old, I didn't see it solved, so decided to unpack winenum version. It's relatively easy compared to other protectors: a couple of OEP bytes stolen, light import redirection and that's it. Unpacked attached, OEP restored, import rebuilt, sections cut. unpacked.exe
  37. pentium450
    Very exciting! Themida 3.x seems to be a difficult point. If we can't restore the virtualized code, unpacking will become meaningless. Virtualization may be a good protection method, but there is too little discussion on this aspect. Once again, kudos!
  38. Raprey777
  39. fReestYler
    DotFix NiceProtect x32 v7.1 A Delphi file is protected with an old version DotFix NiceProtect (7.1) Original Entry Point is encrypted Just find and restore OEP, recover the IAT and unpack it File Information Submitter fReestYler Submitted 10/06/2025 Category UnPackMe View File
  40. GeGe
    Could you share more technical details
  41. unpacker1
    Like I said, only my own tools were used and they have no external public code. I'm not expecting anything, I just posted the result. The only thing I hope is that I get corrected, if I'm wrong. If you have proof I used public tools and lied-you're free to show them. I can answer some questions about internals, if you're interested. But if you expect me to open source a couple of years work just because some random guy from the Internet suspected and accused me of something, not gonna happen, sorry.
  42. unpacker1
    It's hard to describe it in a single post. It's a generic deobfuscator, not VMProtect-only, based on classic optimization techniques, nothing fancy like AI or patterns. Written completely from scratch, nothing LLVM-based or something. It's still a work in-progress, but getting into stable beta-stage, so I decided to give it additional testing. Devirt should be correct, at least I tested the exe with this code and it works. The one thing I can mess a little is an intermediate representation->asm translation since it's done partially manually.
  43. ra1n
    Great work if correct!! But you should aim to share knowledge on this site for it isn't very fruitful to pointlessly upload an answer like this.
  44. unpacker1
    Didn't see it as solved, so decided to give it a try. VMProtect version is quite easy, devirted code:

        00B91EEE  837D EC 0F      CMP DWORD PTR SS:[EBP-14],0F
        00B91EF2  76 05           JBE SHORT hashgen_.00B91EF9
        00B91EF4  8B45 D8         MOV EAX,DWORD PTR SS:[EBP-28]
        00B91EF7  EB 03           JMP SHORT hashgen_.00B91EFC
        00B91EF9  8D45 D8         LEA EAX,DWORD PTR SS:[EBP-28]
        00B91EFC  6A 03           PUSH 3
        00B91EFE  50              PUSH EAX
        00B91EFF  8D8D 9CFCFFFF   LEA ECX,DWORD PTR SS:[EBP-364]
        00B91F05  51              PUSH ECX
        00B91F06  8D8D 98FCFFFF   LEA ECX,DWORD PTR SS:[EBP-368]
        00B91F0C  8F01            POP DWORD PTR DS:[ECX]
        00B91F0E  E8 DD170000     CALL hashgen_.00B936F0
        00B91F13  8D85 90FCFFFF   LEA EAX,DWORD PTR SS:[EBP-370]
        00B91F19  50              PUSH EAX
        00B91F1A  C645 FC 17      MOV BYTE PTR SS:[EBP-4],17
        00B91F1E  68 ED030000     PUSH 3ED
        00B91F23  8B8D 94FCFFFF   MOV ECX,DWORD PTR SS:[EBP-36C]
        00B91F29  8BF9            MOV EDI,ECX
        00B91F2B  FF15 A892B900   CALL DWORD PTR DS:[<&mfc140u.#5427>] ; mfc140u.5E0C82B0
        00B91F31  90              NOP
        00B91F32  90              NOP
        00B91F33  90              NOP
        00B91F34  90              NOP
        00B91F35  90              NOP
        00B91F36  90              NOP
        00B91F37  90              NOP
        00B91F38  90              NOP
        00B91F39  90              NOP
        00B91F3A  90              NOP
        00B91F3B  90              NOP
        00B91F3C  90              NOP
        00B91F3D  90              NOP
        00B91F3E  90              NOP

    And a code for a name 123456 is e10adc3949ba59abbe56e057f20f883e
  45. newbie_newbe
    version.dpr
  46. m!x0r
    Sometimes to make patch to DLL file with our tool you need to understand when dll target get unpacked firstly this is the most important, and for that you need to understand the best moment of pointer position in main exe while debugging, our Loader able to detect Static Opcode in Static Stack, if you use this way you can Create a Strong Loader for your Target EXE or DLL.
  47. cTrI
    Should I download all the necessary courses now? They are truly amazing, but from what I know, WebDAV isn't very stable. I'm honestly worried that the site might disappear...but I'm worried that downloading (too much) might put too much strain on the server.
  48. CodeExplorer
    I don't know how to create exe with PyInstaller. Also I didn't finished my updates yet.
  49. bb2018
    2025.10.15 — x86/x64 v3.5.1.3
        1. Patch customization: added a batch of hijack DLLs and you can configure hijack modules on the "Custom Patch Settings" page. Patches can now bundle custom files — non-PE files will be extracted to the target directory together with the patch, while other files can be optionally extracted. Patch data in the cracking modules PYG/PYG64 now supports dynamic expansion.
        2. Added a small utility: “Process Hijack DLL Detector” — provides a closed loop from detecting usable hijack DLLs → generating a hijack DLL project → adding that custom hijack module into a patch.
        3. The hijack code generator is now compatible with the latest VS2022; fixed intermediate directory settings.
        4. When the patch logo popup is closed, the target application's main window is brought to the foreground.
        5. The main program now generates a dump file when it crashes.
        6. Fixed compatibility issues with VMP 3.x and several bugs — thanks to csjwaman and 真小白 for their bug reports.
        7. Added tooltip (tip bubble) support on UI controls so full text can be displayed.
        8. Thanks to KuNgBiM and 红豆 for providing multilingual files and proofreading copy.
        9. Improved data protection, compatibility, and anti-debugging; thanks to kxoe for the suggestions.
        10. Minor UX/details optimizations in the main program — for example, improved prompts when saving bpt projects.
    Baymax Patch Tools v3.5.1.3.zip
    Baymax Patch Tools x64 v3.5.1.3.zip
    Baymax toOls for x64dbg v1.9.5
        1. Add replacement function for search data
        2. Add feature code option with real-time effect
        3. Add more language files
    Baymax toOls for x64dbg v1.9.5.zip
  50. Gyrus
    Use version.ASM to load your dll. compile with fasm.
