Tuts 4 You
Popular Content

Showing content with the highest reputation since 04/28/2020 in all areas

  1. 6 points
  2. 5 points
    What's the point of this? You ran my file under de4dot and reposted it? I can recognise my file, ya know. I intentionally left this out (I haven't finished local types yet but I manually set the third local to int32) + I added 9 locals when only 3 get used.
  3. 5 points
    It might have a few weird instructions since I'm new to this. Crackme-cleaned-Devirtualized2.zip

    Info: This is the first version of Eaz that I analyze, so I can't say how 2019.x is different from 2020.1, but it's definitely not uncrackable.

    Steps I took (as I should have included since the beginning):

    1. Learn how CIL works / CIL fundamentals (there are some nice ebooks that I can't link here).
    2. Learn how the assembly reader/writer of your choice works (dnlib for example).
    3. Learn how a simple VM works (https://github.com/TobitoFatitoNulled/MemeVM - the original creator of this VM left, so this is a fork to keep the project alive).
    4. https://github.com/saneki/eazdevirt - see how the previous devirt was made (and you could also check previous EazVM-protected executables).
    5. Practice your skills trying to make a MemeVM devirt; you can message me if you have any issues with this step (you can always disable renaming on MemeVM to make the process easier to understand).
    6. Start renaming an EazVM test assembly (you can make your own with the trial) with all the knowledge you got from the previous steps (and find how crypto streams are initialized, where opcodes are located & how they are connected to the handlers etc., things that you would find in a VM).

    Editing saneki's eazdevirt might be a good idea, though I was more comfortable making my own base.
  4. 3 points
    New features, interesting. File correct? ggggg_cleaned.zip
  5. 3 points
    BinaryNinja has announced the new prices, and with no surprise are slowly also pushing themselves away from many users. https://binary.ninja/2020/05/11/decompiler-stable-release.html

    A personal (named) license is now $299, with the only 'new' thing being the not-so-exciting decompiler as seen above. They are starting to push themselves closer to IDA pricing, which is just plain stupid on their part. Ghidra's decompiler can be made to run anywhere, and thus, why would anyone pick BinaryNinja over IDA when it comes down to features? I don't feel like they are branding themselves well at all and are trying to target the wrong setups/situations. Their new blog post mentions things like:

    "Support for MacOS, Linux, and Windows. You're not buying each platform separately." - Sorry, but people that generally use this kind of software are users that stick to one primary OS for the most part. At most, people spin up a VM if they 'must' use a secondary OS for anything. This is not a selling point in my opinion at all.

    "Decompiler for all architectures." - Again, the decompiler is not impressive so far. Ghidra's can be made to run in BinaryNinja and IDA (along with anywhere else) and is 100% free. The value for this being a new reason to increase the price of BinaryNinja is just not there, at all.

    And sadly, like most other software companies, they still have this mindset that everyone is a student and consider their software "openly available for everyone" because they offer student pricing. Really wish companies would just stop with this nonsense. Price yourself better in general, don't selectively single out 1 small demographic. I'd wager most people in the RE scene are hobbyists, not students, and are not directly in a career path that includes the use of these kinds of tools directly. The only thing BNinja has going for it that most people praise it for is a good API. Outside of that, you don't really hear anything else good/interesting about it.

    So this price jump is honestly a stupid move in my opinion.
  6. 3 points
    Hi, a disassembler is software that converts machine code (hex) into assembly language mnemonics, e.g. (mov al,1). A debugger is a program that allows you to detect and correct errors in other computer programs. A decompiler is software which tries to reverse the process of compilation to attempt to get the source code from a compiled executable. PS: try to use Google and the search button. Regards
  7. 2 points
    Is this a hidden feature of the protection or does the app just not work?
  8. 2 points
    Here's the old content of Ubbelol.
  9. 2 points
    Who are you to say that it's shit? Have you made an unpacker for it? If you do, you are free to correct me but if you don't you shouldn't make these silly comments, in my opinion.
  10. 2 points
    Example CrackMe - Debug Blocker x64. This is an example for submitting a CrackMe in the Downloads section of the site. You can download the file and run Debug Blocker x64. Nothing too exciting will happen! The challenge here would be to patch the debug-blocker function so that it does not spawn a second process. Submitter: Teddy Rogers. Submitted: 02/23/2020. Category: CrackMe
  11. 2 points
    This is a notification of intent to cease and close the Blogs section of the site in a months time. The reasons for the change are; lack of use, activity and popularity, and for the most part the forum categories have been and are more than capable to host similar blog like content in the future. This notification gives you the opportunity to copy any information from Blogs that you wish to retain and/ or repost in the appropriate forum... Ted.
  12. 2 points
    CCtor => 0x06000034 => Clean the antitamper => Clean cflow => clean string encryption and that's it Most cleans are done by tweaking some public cleaners. The right key is "Youdidit!"
  13. 2 points
    Hi, it's because of your assembly code! Read about the instruction used here (repne scasb): https://c9x.me/x86/html/file_module_x86_id_287.html

    Fixed code:

        procedure TForm1.BitBtn1Click(Sender: TObject);
        var
          pointer_check, pointer_dummy: pointer;
        label
          bp_found, bp_not_found;
        begin
          pointer_check := @check_credentials;
          pointer_dummy := @Dummy;
          asm
            cld                          // scan forward
            mov edi, pointer_check       // EDI = start of the range to scan
            mov ecx, pointer_dummy
            sub ecx, pointer_check       // ECX = length of the range in bytes
            mov al, $CC                  // byte to look for (int3)
            repne scasb                  // ZF is set if a $CC byte was found
            jz bp_found
            jmp bp_not_found
          end;
        bp_found:
          application.terminate;
          exit; // you will find out why you should use this
        bp_not_found:
          check_credentials('user', 'pass');
        end;

    BR, h4sh3m
  14. 2 points
    Hi, finding the start point of a function is easy, you just need to do something like this:

        var
          StartAddr: Pointer;
        begin
          StartAddr := @check_credentials;

    But for finding the end of a function, there are several ways:

    1) Search for a "RET" instruction (C3, C2 xx), but if you're using "try/finally/except" statements your function will have several "RET (C3)" instructions.

    2) You can define a dummy function right after your function and get its start address as the end of your function!

        function check_credentials(user: string; pass: string): boolean;
        begin
          if (user <> 'User') and (pass <> 'S3cret') then
          begin
            showmessage('Wrong Credentials');
          end
          else
            showmessage('Congratulations');
          result := true;
        end;

        // Empty routine placed directly after check_credentials; its address
        // is used as the end marker of the function above.
        procedure Dummy; assembler;
        asm
        end;

        procedure TForm1.BitBtn1Click(Sender: TObject);
        var
          StartAddr, EndAddr: Pointer;
        begin
          StartAddr := @check_credentials;
          EndAddr := @Dummy;
          Caption := IntToHex(NativeUInt(EndAddr) - NativeUInt(StartAddr)); // will get the size of your function in bytes (+1 byte for Dummy function)
        end;

    BR, h4sh3m
  15. 2 points
    There are jobs like security analyst out there too but they are generally protocol oriented with background in cryptography and mathematics. Government agencies in all countries also recruit top talent. Otherwise, as a career choice unless as a malware analyst or software protection analyst or something it's too much of a niche to talk about. I got into RE because I enjoyed the challenge, and liked learning at lower levels or under the hood of how things work. Having a deeper understanding is my style for everything. That shadowy world lurks out there too but it's as organized and controlled as anything. It is a whole package deal to take that route, a lifestyle even. And even then you cant lose sight of what is right and what is wrong and where the laws draw the boundary. Fortunately merely toying around with some RE stuff is not really an issue. Software businesses and RE community have an interesting relationship but it's mostly been win-win despite occasional spats. Best hobby you can have though IMO
  16. 2 points
    If the only reason you want to learn RE is to have a unique skill for your resume/job application, you're very mistaken. Don't even try that. Anyone can learn to write (crappy) JavaScript/PHP/CSS in a few weeks and call himself/herself a "freelance web developer". Not everyone can become a reverse engineer - it requires a specific mindset and dedication.

    As for job positions, it really depends where you live and what your area of expertise would be. Analyzing malware requires a totally different skillset than finding bugs in hardware chips. Entry level positions usually are paid similarly to entry level developer positions. However, as a developer, you will have a pretty well-defined career path. As a reverse engineer, the path is less defined and really depends on your talent and dedication. It is possible to freelance and make a good living out of it - but again, it depends on your area of expertise. One of the best recent examples that come to mind is Azeria (https://twitter.com/Fox0x01) - her ARM reverse engineering skills are superb. And there are freelancers who make $100k/year on HackerOne - but that's quite an extreme example.

    And then there is the "dark side" - reverse engineers that work on not-exactly-legit tasks. For example, the entire game hacking industry is based on those. If you're a superstar, the customers will wait in line and the money is great. If you're just starting, you won't be able to make more than a few hundred bucks a month - as you'll be competing with hundreds of Indians, Filipinos and Vietnamese in a very crowded market.

    First step would be to define the area you want to explore. As I mentioned above, reverse engineering hardware chips is totally different from reversing Windows malware. Once you know exactly what you want to learn, it will be much easier to suggest a specific book or course. Hope this helps. kao.
  17. 1 point
    By seeing the number of imports in your screenshot and the ollydbg.exe in upper case, I would guess you tried this on OllyDbg v1.10, not on Olly v2. The description doesn't mention it here, but that thing is for v2; if you look inside the readme of the archive, it says (in French) that the code has been rewritten for Olly 2. So try with v2, or recompile the DLL for v1. Also I'm checking the src and this can really be improved more, especially for the v2: if you rename ollydbg.exe to blabla.exe, then it will look for blabla.ini, but OllyPath2 will create only 'ollydbg.ini' as this string is hardcoded inside.
  18. 1 point
    Civ VI Free on Epic Store https://www.epicgames.com/store/en-US/product/sid-meiers-civilization-vi/home
  19. 1 point
    VMProtect v3.4.0.1155. Try to unpack or alternatively provide a serial. If there is no solution provided by Saturday 11am (GMT+0) I will attach the same without debugger detection. Protections used: Debugger detection (User-mode + Kernel-mode), Ultra (Mutation + Virtualization). Disabled protections: Virtual Machine, Packer. Submitter: whoknows. Submitted: 05/20/2020. Category: UnPackMe (.NET)
  20. 1 point
  21. 1 point
    Writing shellcode doesn't need RE?
  22. 1 point
    @maristroch I think I can do it except VM.
  23. 1 point
  24. 1 point
    Grand Theft Auto V Premium Edition Aegis Defenders Ted.
  25. 1 point
    1. Remove Anti Dump 2. Dump 3. Fix x86 Calls 4. Fix Delegates 5. Fix Calls 6. Constants Decode 7. Remove Fake Attributes 8. Remove Control Flow 9. Rename Module 10. De4Dot for Rename and Clean Unused Methods. Easy >.< Unpack_Me-d_noX86-Cleaned_patched-Cleaned-ConstantDec_fix_nodelegate-Cleaned-cleaned-cleaned.exe
  26. 1 point
  27. 1 point
    4228004 is 4083A4 in decimal.
  28. 1 point
    You could also do that for the whole code section, however you have to be very careful to 1) disassemble everything correctly, in order not to run into the same problem as before, where the 0xCC occurs as data in a legitimate instruction, and 2) padding might use 0xCC as filler bytes. Especially Delphi also likes to embed data in the code section, so you cannot just do a linear disassembly and compare the first byte; your disassembler would be thrown off by embedded data or padding. In practice, there is no good way here. I don't know how to do this in Delphi. You'd start by getting a method pointer and pass that to the ReadMemory WinAPI. No idea how to get the size of the method or how to do it concretely. Generally I think C or C++ is more straightforward for this kind of low-level stuff... in my opinion.
  29. 1 point
    When a debugger sets a software breakpoint, it writes the opcode byte 0xCC to the address where the breakpoint is set. Thus, a way to scan and detect breakpoints is to compare the first byte of all the instructions you want to protect against breakpoints to 0xCC - if you find one, you found a breakpoint. In the example, protected_code_start and _end refer to the limits of the code you are scanning. This could be the start and end of a critical function you wish to protect. The code is bad though: it blindly compares ALL bytes in range against 0xCC, whereas you should compare the first byte of each instruction only. Longer instructions might contain legitimate 0xCC bytes as data. Consider mov al, 0xCC ==> b0 cc. IDT hooking is something completely different.
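    The two posts above (the blind byte scan versus comparing only the first byte of each instruction) side by side, as an added C example that is not code from any poster in this thread. It scans constructed byte arrays instead of its own live code, so it runs without a debugger attached. The machine code was assembled by hand for this example and the instruction-length decoder is a toy that only knows the handful of opcodes in those arrays; a real scanner needs a complete x86 decoder, and, as noted above, still has to cope with padding and data embedded in the code section.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed sample of x86-32 machine code (hand-assembled for this
 * example, not taken from the forum posts):
 *
 *   55        push ebp
 *   8B EC     mov  ebp, esp
 *   B0 CC     mov  al, 0xCC     <- legitimate 0xCC inside an instruction
 *   5D        pop  ebp
 *   C3        ret
 */
static const uint8_t sample_clean[] = { 0x55, 0x8B, 0xEC, 0xB0, 0xCC, 0x5D, 0xC3 };

/*
 * The same code after a debugger planted a software breakpoint on the
 * "mov ebp, esp": its first byte 0x8B was overwritten with 0xCC (int3).
 */
static const uint8_t sample_bp[] = { 0x55, 0xCC, 0xEC, 0xB0, 0xCC, 0x5D, 0xC3 };

/* Naive scan over [start, end): the same check the "repne scasb" loop does.
 * Returns 1 if ANY byte in the range is 0xCC, so a 0xCC immediate or
 * 0xCC padding produces a false positive. */
int naive_scan(const uint8_t *start, const uint8_t *end)
{
    for (const uint8_t *p = start; p < end; p++)
        if (*p == 0xCC)
            return 1;
    return 0;
}

/* Toy instruction-length decoder. It only knows the opcodes used in the
 * constructed samples; real code needs a full x86 decoder (prefixes,
 * ModRM/SIB, displacement and immediate sizes). Returns 0 when the opcode
 * is unknown or the remaining bytes are too short. */
size_t insn_len(const uint8_t *p, const uint8_t *end)
{
    size_t avail = (size_t)(end - p);
    switch (*p) {
    case 0x55: case 0x5D: case 0x90: case 0xC3: case 0xCC:
        return 1;                       /* push ebp, pop ebp, nop, ret, int3 */
    case 0xB0:
        return avail >= 2 ? 2 : 0;      /* mov al, imm8 */
    case 0x8B:
        /* mov r32, r/m32: only register-direct ModRM (mod == 11) handled */
        return (avail >= 2 && (p[1] >> 6) == 3) ? 2 : 0;
    default:
        return 0;
    }
}

/* Instruction-aware scan: walks instruction boundaries and treats a 0xCC
 * as a breakpoint only where an instruction starts.
 * Returns 1 = breakpoint found, 0 = clean, -1 = range could not be decoded
 * (unknown opcode, embedded data or padding). A caller must not treat -1
 * as "clean". */
int insn_scan(const uint8_t *start, const uint8_t *end)
{
    const uint8_t *p = start;
    while (p < end) {
        if (*p == 0xCC)
            return 1;
        size_t n = insn_len(p, end);
        if (n == 0)
            return -1;
        p += n;
    }
    return 0;
}

int main(void)
{
    const uint8_t *ce = sample_clean + sizeof sample_clean;
    const uint8_t *be = sample_bp + sizeof sample_bp;
    printf("clean code : naive=%d insn=%d\n",
           naive_scan(sample_clean, ce), insn_scan(sample_clean, ce));
    printf("bp planted : naive=%d insn=%d\n",
           naive_scan(sample_bp, be), insn_scan(sample_bp, be));
    return 0;
}
```

    Running it shows the naive scan reporting a breakpoint in both arrays, while the instruction-aware scan reports one only where the int3 really replaced an instruction's first byte. The [start, end) pair plays the role of the check_credentials/Dummy addresses from the Delphi posts; on a real binary the -1 result is where the embedded-data and padding problems described above surface.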
  30. 1 point
  31. 1 point
    Mine is a laptop and was ordered as a custom build, so everything was pre-installed on arrival. The only things I have changed really are software settings, disabled startup items, services etc., and being a laptop I'm not really sure of the motherboard specs. I used to do a lot with hardware when I had my desktop but really haven't kept up to date with the latest hardware differences for a few years now since buying my laptop, which was the best spec I could afford at the time so I could hopefully keep it for a few years with no problems. It has an i7-6820HK quad core 2.7GHz overclocked to 4.1GHz, 8MB cache, with 32GB of DDR4 RAM and a GTX1070 GPU with 8GB GDDR5. The BIOS is a pre-boot environment, so although you can update it in Windows you cannot change any settings in Windows or via software; you either need to select recovery or similar in Windows settings, which will then restart into it, or press the hotkey on restart. Maybe someone else can advise you on BIOS settings for your hardware and BIOS manufacturer. I used to get problems with my old desktop and I found HWMonitor to be excellent to show problem temperatures due to inefficient fans.
  32. 1 point
    I've also found the number of cores in the CPU to be absolutely vital. Quad or hexa core is basically a minimum spec for a Win10 power user. Dual cores no longer cut it, partly due to the sheer amount of background activity. Have you used utilities to change CPU core parking? Turbo Boost also can have its settings tweaked. If anything this could also fix IO issues. QuickCPU or ParkControl apps should help in this regard.
  33. 1 point
    Here are my SSD speeds as a comparison. As you can see my read speeds are greater than yours but your write speeds are greater than mine; still, your speeds are not too bad and real world speeds probably won't match advertised speeds. My Win10 x64 boot-up time from my BIOS password screen to seeing my desktop (no Windows password) is about 12 seconds, but after that my AV, firewall and other services take a few more seconds to load (some are set to delayed start). When you power off do you shut down or use hibernation? Hibernation can cause unnecessary writes to your drive which will reduce its lifespan, and for me it slowed boot-up times massively on my SSD compared to my old SATA, but that also depends on the amount of RAM you have. Where do you time your boot-up? If it's once everything is loaded then check your startup tab in Task Manager and see what is loading, and try to disable as many as possible that you don't always use from auto-loading on Windows startup. Themes, desktop items and unnecessary services can also slow boot-up times. Some BIOS settings will affect boot-up times too, but you will have to check your BIOS manufacturer's recommended settings for the board and hardware you have.
  34. 1 point
    If you have good qualifications (certificates in the relevant fields) then easy to get job. Without them the burden of proof is on you to convince them to hire you. Or you can do freelance jobs as already discussed in Kao's post above.
  35. 1 point
  36. 1 point
    This is an explanation from an app I use... Run this from cmd:

        fsutil behavior query DisableDeleteNotify

    0 means TRIM is enabled.
  37. 1 point
    here is my production of face shields, already 200 dispatched around my town to local hospital, liberal nurses, etc...
  38. 1 point
    Video tutorial on keygenning Kurapica KeygenMe 2011.
  39. 1 point
    A Shockwave Flash movie tutorial showing a method of keygenning Kurapica's CrackMe #15. It includes the source code for the keygen.
  40. 1 point
    A video tutorial on keygenning BadSector CrackMe #1.
  41. 1 point
    RSA Tutorial 01 - Keygenning RSA; RSA Tutorial 02 - Serial Fishing RSA; RSA Tutorial 03 - How to Find RSA Primes
  42. 1 point
    A Shockwave Flash movie tutorial showing a method of keygenning a simple KeygenMe. Example code is in Delphi.
  43. 1 point
    .NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization, which is not that hard because it's more straightforward than the rest of the code virtualization implementations that are on the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use the de4dot standard ProxyCallFixer1 to fix those delegates. Of course you first need to read them from the initialization method, but the reading method is already implemented in the base version of de4dot (which is used for resources, strings etc.). Thirdly, the AntiDebug feature, which is basically just a simple check of IsAttached; just nop these instructions. There are a few more changes to the necrobit feature, for example they hide PInvoke methods to break the old de4dot implementation - a pretty easy fix. Overall these changes are not that major to completely rewrite de4dot from scratch. Here is the unpacked version of your file: unpackme -cleaned.exe
  44. 1 point
    It's been a while, here is some new graph related to zbot (warning, they are heavy) Zbot graph: https://www.virustotal.com/graph/embed/gf288663e9d4245c7b8384b9ab36b64f41b58a7df62a145e3ad643bfe140ffb02 (4k nodes) With some additional details related to Microsoft citadel sinkhole operation. CCAM (atmos monitoring): https://www.virustotal.com/graph/embed/g5edbfcddab834a59a105964ffdc24492b03a6a5ab4824cca96949cd0d9a3395b With some details about in the wild locations.
  45. 1 point
  46. 1 point
    No, thanks. Compared to Themida v2, Themida v3 does not have a great improvement over the VMs. There are two types of VMs in this UnPackMe, Dolphin and Tiger.
  47. 1 point
    https://youtu.be/Sv8yu12y5zM bonus - VSCodium - Binary releases of VS Code without MS branding/telemetry/licensing - hxxps://github.com/VSCodium/vscodium
  48. 1 point
    I'm not a big fan of Kip Irvine's book. But I can't recommend any particular book instead of it - I learned ASM by reading the source code of DOS-era viruses. There were no ASM books available in my country at that time, so I just had to figure it out on my own. Since you seem to be mostly interested in the reverse-engineering aspect of the ASM language, I would recommend reading https://sensepost.com/blogstatic/2014/01/SensePost_crash_course_in_x86_assembly-.pdf - it's a pretty decent summary and contains links to other useful resources as well. One thing I can tell you - you need to start from the beginning and work methodically. Currently you're jumping from C sample code to VMProtect to driver disassembly. It makes no sense and is actually slowing you down.
  49. 1 point
    I too am dubious about your claims, and here is why... For a malware analyst you are asking some pretty basic questions about malware, unpacking and RE. For a chief independent researcher you are asking some basic questions which have been answered numerous times; I would expect a researcher to use search or Google... For someone who has been programming for over 10 years it really surprises me that you can't create a little code to open a file and change a byte... You are 20 years old, you have been programming since 10 years old? You started your career when you were 15 years old? It's not a good start. Your intentions might be good, but none of your statements add up, so I very much doubt you will get what you're asking for from here. BTW, you can ask whatever you like for software but it doesn't mean anyone will buy it at that price; do you have a business plan? Do you have any sales so far or just ideas? Just my opinion of course, sorry.
  50. 1 point
    Turntableized Skin...