Tuts 4 You


Popular Content

Showing content with the highest reputation since 09/22/2019 in all areas

  1. 5 points
    Hey guys, After a long time I started writing on my blog again. https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-1 Best regards
  2. 4 points
    There is definitely room for a good modification of ConfuserEx to eventually happen and be posted here. ConfuserEx itself was the successor/fork of Confuser itself, which has greatly improved the original. ConfuserEx has completely changed how the .NET protection field has worked as well, with it completely influencing every other obfuscator on the market. Especially the ones made from people in the RE scene all using ConfuserEx as a base to work from. (Whether they want to admit to it or not.) Since ConfuserEx and now KoiVM are open source, they tend to be the most used and modified. No other real protection system for .NET is open source, let alone offers the kind of features that they do. While it does mean a lot of terrible rebrands and mods will happen, it doesn't mean every single one is going to be trash in the future. Given that KoiVM is open source, it leaves a lot of room for others to take that concept and run with it to make their own VMs with much more in-depth features, better C# language support for newer features, and so on. I don't think outright banning it from existing on the site is a good idea either. There shouldn't be a reason to further divide what little of the RE scene is left.

    Some thoughts of mine on how to approach this going forward:

    1. Make a new section/sub-forum specifically for ConfuserEx mods. This way the general .NET unpack section can focus on other non-ConfuserEx related challenges and not be drowned out with the various customizations/mods people want to post.
    2. In the new section, have some type of guidelines/rules on what is considered a valid challenge. Mods to ConfuserEx that do nothing to the actual core and just add 1-2 new things should be rejected because the base/core has not been touched, therefore all the existing tools will work against said mod. Simply renaming the ConfuserEx attribute is not a valid means to try and deter tools from working etc. Focus on making sure people have actually put time/effort into their mods vs. just renaming the project and adding 1 thing to it.
    3. Avoid belittling people that are coming here to learn and making an effort to work on modifications. Rather than people just shitting on someone or leaving a few-word replies telling the person they suck, their mod is shit, etc., encourage people responding to the threads to actually give feedback in a friendly manner. Everyone started somewhere, knowing nothing, so putting egos aside and encouraging newcomers to go back and learn certain things, showing them why a certain protection/mod doesn't work/help, etc. goes a long way. (Simply put, if your objective is just to be a dick when responding, just don't respond.)
    4. If moderators are added, I would really suggest making sure that there are some rules/guidelines on how they should moderate the new section/topics. Basically to avoid power-tripping, egos, and other nonsense that doesn't need to exist here. Another thing is to understand everyone has different skill levels when it comes to unpacking/cracking things, and while person A may think a given mod is weak/easy/crap, person B who is just learning may see the given challenge as a great learning experience and a way to enhance their skills. So avoid skill sets being the end-all judgement of how something is moderated.

    Of course there are situations where things like this will have trolls or people posting challenges that have their own issues with pride/ego as well. Which is something seen already with a few people posting ConfuserEx mods that do not really understand the base project, how .NET operates, etc. For example, there is someone on a specific Discord community that keeps making 1-2 line edits to ConfuserEx and deeming it uncrackable. Every time, someone will use the existing tools, unpack his app and prove him wrong, but he refuses to be wrong and keeps spamming the Discord with modifications constantly. In a case like this I would say preventing them from posting new challenges for a given period of time may be warranted to avoid them posting 100 different mods in a day.

    All in all though, I wouldn't recommend banning it altogether. The RE scene is so small anymore as it is, banning discussions on given topics at all is just going to further divide things than they already are. As it is, there are people on this site that end up driving newcomers away already, most of whom end up joining one of the various Discord communities instead that are focused on RE/.NET RE etc.
  3. 4 points
    I used this in my MyAppSecured exe protector project. This code emulates the winAPI CreateThread using ZwCreateThread, in pure MASM, compiled in WinASM studio. Feel free to use it for your own projects. ZwCreateThread example.rar
  4. 3 points
    Regardless of the borderline-spam that we have been observing in the challenges sections, I think .NET is still a valid platform to write reverse engineering challenges for. Look how obfuscators like DNGuard still seem to be a challenge for a lot of people. Also, even though KoiVM is more or less defeated nowadays, it used to be a very difficult task as well for the majority of people around here. There are many tricks one could pull off to make a challenge interesting, and this includes the ones written in .NET. I think the difficulty of a challenge does not always rely on the platform it is running on. For example, some rely on interesting or flawed cryptographic algorithm implementations that the reverse engineer needs to exploit in some way or another. Others might use an uncommon model of a virtualization that people haven't seen before all too often. Furthermore, writing these kinds of challenges in .NET could make the challenge actually more fun, as the reverser doesn't have to worry too much about the imperfect decompiled code of IDA or Ghidra or whatever tool people use. Rather, they can focus more on the actual problem that the challenge is about. Granted, I might be talking a bit more about KeygenMes now rather than "simple" unpackme's, but I think you get my point. Creativity is the key to success in my opinion, but you are right this is hard to benchmark. Banning challenges that are protected by a specific (potentially modded) obfuscator sounds like a bad idea as well in my opinion, and could hurt the forum more than it would do good. It might be a good idea however to limit the number of challenges per obfuscator, although I am not entirely sure how to limit this or when to decide when this limit is reached. Perhaps one or two per version/update or maybe per feature that an obfuscator might offer?
  5. 3 points
    @GautamGreat: I cannot promise to make full write-ups this year, but if I make some, I'll post a link here.
  6. 3 points
    @CodeExplorer: AVG was bought by AVAST a few years ago. They kept the brand and got rid of most of the code and technologies behind AVG. Now when you install AVG, it's actually AVAST with a different skin, nothing else.
  7. 3 points
    Many years ago I wrote a software protector called MyAppSecured. Somewhere in the middle of porting it from Delphi to C++ I lost my interest in this project. Just found it on my HDD so I thought it might be helpful for someone. In short, the GUI of this protector is written in C++ and the protection stub is written in MASM. The C++ code loads a target in memory and adds 2 PE sections to it. One for the TLS callback code and one for the main code. The MASM stub will be written to those 2 sections. This protector has just 2 protection features: Analyze Immunity (anti-debug) and Memory Shield (anti debug-tools, OEP relocation). Note this is not a download-and-use-right-away protector. The code was written years ago so it's not very well written and also for some unknown reason the MASM stub could not be written into the 2 created sections. It did work very well years ago but I don't have the time to investigate why it doesn't work now. To be clear, the compiled exe file you will find in the package should run nicely but once you try to secure an exe file, that exe file is gonna be corrupted. This project is free for personal and commercial purposes. If you have any questions please ask, but keep in mind I abandoned this project and removed it from my HDD right after posting it here. Even if you are not gonna use this project it might be interesting to check the code. Some interesting stuff you might find there for your own project, such as emulating the CreateThreadW function in pure MASM, adding PE sections & relocation of OEP. MyAppSecured v1.00 Beta source.zip
  8. 2 points
    Simple Polymorphic Engine (SPE32) is a simple polymorphic engine for encrypting code and data. It is an amateur project that can be used to demonstrate what polymorphic engines are. SPE32 allows you to encrypt any data and generate a unique decryption code for this data. The encryption algorithm uses randomly selected instructions and encryption keys. https://github.com/PELock/Simple-Polymorphic-Engine-SPE32

    [Screenshot] Sample polymorphic code in x86dbg window
    [Screenshot] Another polymorphic code mutation, this time with junk code
  10. 2 points
    Everything: https://www.epicgames.com/store/en-US/download/everything/home Metro 2033 Redux: https://www.epicgames.com/store/en-US/download/metro-2033-redux/home
  11. 2 points
    You don't need to know the correct key to get the flag: Is that what you're looking for?

    How-to:
    1) Run and dump from memory;
    2) (optional) Fix imports with Scylla;
    3) Load dump in IDA;
    4) Find WndProc and see how WM_COMMAND is handled;
    5) The key check is very convoluted but it all ends up here:

        ... lots of horrible operations with entered key ...
        strncpy(buffer, encryptedFlag, 25);
        for ( n = 0; n < 25; ++n )
        {
          v3 = buffer[n];
          v4 = HIDWORD(v3) ^ HIDWORD(v20) ^ HIDWORD(v21) ^ HIDWORD(v22) ^ HIDWORD(v23) ^ HIDWORD(v11);
          v8[2 * n] = v3 ^ v20 ^ v21 ^ v22 ^ v23 ^ v11;
          v8[2 * n + 1] = v4;
          decryptedFlag[n] = v8[2 * n];
        }
        // check last 2 bytes of decrypted flag
        result = 24;
        if ( decryptedFlag[24] == 'Z' )
        {
          result = 23;
          if ( decryptedFlag[23] == 'C' )
            ...

    The XOR key for all bytes is the same. You know the encrypted flag. You know the last 2 bytes of the decrypted flag. So, you can deduce the XOR key and decrypt the flag.
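    As an added worked example (not part of the post above), the key-recovery step in Python: the decompiled loop XORs every flag byte with the same combined value v20 ^ v21 ^ v22 ^ v23 ^ v11, so the two plaintext bytes leaked by the final check ('C' and 'Z') are enough to recover the key and cross-check it. The ciphertext below is constructed for the demo, not the crackme's real data.

```python
# Added example: recover a constant XOR key from a known plaintext tail.
# The decompiled loop in the post XORs every flag byte with the same combined
# value (v20 ^ v21 ^ v22 ^ v23 ^ v11) and then checks decryptedFlag[23] == 'C'
# and decryptedFlag[24] == 'Z'. Those two checks leak the key.
from typing import Optional

FLAG_LEN = 25
KNOWN_TAIL = b"CZ"  # bytes 23 and 24 of the decrypted flag, per the check


def recover_xor_key(encrypted: bytes, known_tail: bytes) -> Optional[int]:
    """Return the single byte key consistent with every known tail byte.

    Each known plaintext byte yields one candidate (cipher ^ plain). Because
    the loop uses one key for all positions, all candidates must agree; if
    they do not, the constant-key assumption is wrong and None is returned.
    """
    if not known_tail or len(known_tail) > len(encrypted):
        raise ValueError("known tail must be non-empty and fit the ciphertext")
    tail = encrypted[-len(known_tail):]
    candidates = {c ^ p for c, p in zip(tail, known_tail)}
    return candidates.pop() if len(candidates) == 1 else None


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key (the operation the decompiled loop performs)."""
    return bytes(b ^ key for b in data)


def solve(encrypted: bytes, known_tail: bytes = KNOWN_TAIL) -> Optional[bytes]:
    """Recover the key and decrypt; None if the tail bytes disagree on the key."""
    key = recover_xor_key(encrypted, known_tail)
    return None if key is None else xor_bytes(encrypted, key)


# Constructed sample data (not the real crackme's flag): a 25-byte flag whose
# last two bytes are 'C' and 'Z', encrypted with an arbitrary constant key.
SAMPLE_FLAG = b"CONSTRUCTED-SAMPLE-FLAGCZ"
assert len(SAMPLE_FLAG) == FLAG_LEN
SAMPLE_KEY = 0x5A
ENCRYPTED_FLAG = xor_bytes(SAMPLE_FLAG, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_xor_key(ENCRYPTED_FLAG, KNOWN_TAIL)
    print(f"recovered key: 0x{key:02x}")
    print("decrypted flag:", solve(ENCRYPTED_FLAG))
```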
  12. 1 point
    +1 to what @Washi and @atom0s said. To keep the .NET unpackme section in a decent shape we would need a moderator who, well, moderates.. Posting a crackme is not a basic human right - it must be earned. I believe it's a moderator's right and duty to say "Sorry, but this thing you made is not a good crackme. May I suggest you learn a bit more and come back later?" That moderator action would stop floods of ConfuserEx shit-mods once and for all. Another duty of a moderator is to intervene and to keep discussion civilized and to the point. Mamo's responses in his topics fell short of that (for example, the part where users reported a broken/nonworking crackme). While I understand that some members don't speak good English or even use a machine translator, it doesn't give them the right to behave like a dick. As for newcomers going away from the forum and joining some Discord channel - there's nothing we can or should do about that. Those Discord channels are full of the blind leading the blind. But that's what modern skids want - feeling important, feeling smart and being able to shout "omg lol i brokz t3h unpacker!!!111", "how i can make this rat fud??", "duuude, I compiled confuserex!" or, better yet, posting an excruciating 30-minute video showing that process.. We don't need that here.
  13. 1 point
    https://github.com/lurumdare/Lycosidae
    Bypass ScyllaHide
    Features
    - Import no leak
    - Strings no leak
  14. 1 point
    FILES ARE IN VIDEO DESCRIPTION Regards Anees Khan
  16. 1 point
    I would take this job but ! Mental and Dental included ? Kidding
  17. 1 point
    Alan Wake American Nightmare Observer Crusader Kings II Ted.
  18. 1 point
    I'm afraid we need to reopen this topic again. In the last 2 months moderators have approved 8 (yes, eight!) unpackmes from the user mamo434376. They are all simple modifications of ConfuserEx and KoiVM with very little original work. What exactly is the point of having them here?
  19. 1 point
    Analyzing Keyboard Firmware Part 2 Ted.
  20. 1 point
    Language: .NET
    Platform: Windows
    OS Version: All
    Packer / Protector: Modified ConfuserEx + KoiVM
    Description: I don't expect this to be anything extremely hard to unpack. I would like to see a full detailed explanation of how you unpacked this file and the key.
    Screenshot:
    Protected.zip
  21. 1 point
    Hi. You just need to look at GetLastError with a debugger.
  22. 1 point
    DNS resolvers and queries (over HTTPS) seem to be a bit of a popular topic in the news of late. There are a number of reasons why people should be using DoH (or DoT): privacy, security, prevention against eavesdropping and man-in-the-middle attacks. For those not familiar and for those of you interested, there are ad-blocking DoH resolvers. Below is a list of ad-blocking resolvers that I am currently aware of. Obviously these will perform better or worse depending on where you are located geographically in the world. My top three for performance are the first three in the list, the others are ranked in no preferential order.

    - https://adblock.mydns.network/dns-query - Anycast (Cloudflare) / DNSSEC / DDoS
    - https://dns.adguard.com/dns-query
    - https://doh.tiarap.org/dns-query - Malware / DNSSEC
    - https://ads-doh.securedns.eu/dns-query - DNSSEC
    - https://doh.dnswarden.com/adblock - DNSSEC
    - https://dns-nyc.aaflalo.me/dns-query
    - https://dns.aaflalo.me/dns-query - DNSSEC
    - https://doh.tiar.app/dns-query - Malware / DNSSEC
    - https://dns.oszx.co/dns-query - DNSSEC

    If you know of some others out there please share them... Ted.
  23. 1 point
    NO

    Let's say you have the following scenario. An execution range: instructions being run between two locations, for example:

    Point A: Entry point of the application
    Point B: a call to the ShowWindow API

    These two points should be in the same module, so set a BP on point A and when you are there start the plugin from the menu. You will see this dialog: END VA is where you enter the address of Point B; Module is the name of the module in which tracing should happen. So now you press the GO button and it will single step each line until it reaches Point B in this module. You will see the counter of "Logged events" increasing with time until you reach point B. Now you can click the "SAVE" button and name this log as "Tracing_State_1".

    Repeat the same process with different parameters in your application, for example using an invalid password or date, and save the 2nd log. Now you have 2 logs to diff; each log is a text file, so you can use Notepad++ and one of its plugins to diff the 2 logs and see where the execution differs within this range.
  25. 1 point
    Came across this which has some code on how to perform image base relocations and resolve the import address table once a dll is loaded into memory: https://ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection Just have to adapt the code, as I guess the image is already in memory with the LoadLibraryEx call instead of manually loading it as in the example code shown.
  26. 1 point
    You can look up how manual mapping handles initializing the DLL that was manually mapped into memory. That will show the steps to take to manually rehandle the loading steps. The BlackBone project on GitHub has this handled pretty well which you can reference here: https://github.com/DarthTon/Blackbone/blob/0072fba51c81aec5c6f56b7a7705377fe2f785d1/src/BlackBone/ManualMap/MMap.cpp
  27. 1 point
    Check this by Mr. Kurapica: https://forum.tuts4you.com/topic/38536-x64dbg-conditional-branches-logger-plugin
  28. 1 point
    When using LoadLibrary it will call the entry point of the dll; here is a tool which stops before calling the entry point of the dll: https://forum.tuts4you.com/topic/39871-dllsaver Don't know if that's what you want!
  29. 1 point
    LoadLibraryEx with flag: DONT_RESOLVE_DLL_REFERENCES,
  30. 1 point
    Following the good old tradition, this thread will be dedicated to the annual Flare-On challenge. Who's going to participate this year?
  31. 1 point
    How did you solve challenge BMP HIDE? I'm always interested in your unique solutions, like last time when you solved challenge Magic with a C# solver.
  32. 1 point
    AVG Rescue CD is some Linux which looks more like DOS; also the only thing I could update is the virus definitions; while Avast Rescue CD is a Windows based CD which looks decent. You can download Avast Rescue CD from here: https://we.tl/t-RphW9WWsi1 (just so you won't need to install avast_free_antivirus_setup_online.zip) Updating Avira rescue is a work in progress!
  33. 1 point
    Before you potentially dump $50 on CodeStage, look around for free options. Most of what's offered in his library is already free.

    Protected memory/variables:
    - https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.protectedmemory
    - https://gamedev.stackexchange.com/a/9851 (Xor'd value, same as how CodeStage protects.)
    - https://www.alanzucconi.com/2015/09/02/a-practical-tutorial-to-hack-and-protect-unity-games/
    - https://github.com/Ymiku/SafeInt
    - https://github.com/pedro15/UniToolKit

    Protected player prefs:
    - https://www.alanzucconi.com/2015/09/02/a-practical-tutorial-to-hack-and-protect-unity-games/
    - https://gist.github.com/ftvs/5299600
    - https://github.com/rawandnf/SecurePlayerPrefs
    - Any kind of encryption you prefer works for this.

    Generate Code Hashes:
    - Use System.Reflection for this. (MethodBody -> GetILAsByteArray -> hash etc.)

    Detect Speed Hack:
    - This is done by monitoring the ticks of an application in a timer/thread, checking for any sudden increases that cause the timing of the app/process to be considered fast/slow.
    - https://github.com/WizardVan/UnityDetector

    Detect Wall Hacks:
    - This is done a number of ways depending on what kind of detection you are looking for.

    Detect Injections:
    - Walk/monitor the app domain's assembly list for unknown modules. (AppDomain.CurrentDomain.GetAssemblies())
    - Track a list of valid/allowed modules + checksum hashes.
    - Track IL edits to functions via hash checks.

    Keep in mind all of this is bypassable, editable, etc. by a hack/cheat/mod, so while you are adding a layer of security it will only work against certain people who are not familiar with bypassing this kind of stuff.
  34. 1 point
    That's actually how I did it. I know I made it hard for myself. Had to learn smali. There is a plugin in Android Studio to debug smali code.
  35. 1 point
    @Zulu - I don't think you can debug a precompiled Android application, could be wrong, but I don't think that is the correct way of solving the challenge. I personally used https://github.com/rajivvishwa/apk2java to decompile the code, (reread the question) Sometimes I also use APKTool to get the Baksmali and modify it from there (it's kind of a pain because you have to understand Baksmali and you have to sign the app) but to answer your question, I don't think you can debug it directly. Ch10 ^ Also if anyone has some hints about Challenge 12 - Help, it would be greatly appreciated (been stuck on it for about a week now), there seems to be quite a number of pitfalls and I haven't found a clear path yet.
  36. 1 point
    Hi. I was able to create myself a BitDefender 2020 rescue disk (and it works like a charm here on the two computers I've tested); you can download it from: https://we.tl/t-z9g8kTxqU9 So the only antiviruses left to update: AVG and Avira!
  37. 1 point
    If the companies never pushed new releases, then those are the most up to date for those apps you'll get. At most, they are just shells that rely on updated definition files and such that probably have to be manually updated. I don't use AV software so I'm not familiar with any of them on how they operate specifically though.
  38. 1 point
    Used https://github.com/TobitoFatitoNulled/ArchangelUnCloaker WindowsApp1-UnClocked-Cracked.rar
  39. 1 point
    Used https://github.com/TobitoFatitoNulled/ArchangelUnCloaker and appfuscator tools by codecracker WindowsApp1-UnClocked_deobfuscated_strdec-Cracked.rar
  40. 1 point
    Batman week - all of the Arkham games and the three lego batman games currently free on epic. https://www.epicgames.com/store/en-US/collection/batman-free-week
  41. 1 point

    Version 1.7

    REPT KeyGen Maker is a utility to make keygens easily without having any programming knowledge. Please report any bug/improvement to make it better. This is currently done in .NET so it will need .NET Framework 3.5 or higher. Thanks for downloading it!
  42. 1 point
    1. Read https://www.oreans.com/ThemidaHelp.pdf
    2. Add obfuscation like ithare::obf
    3. Encrypt strings with xorstr https://github.com/JustasMasiulis/xorstr
    4. For education read https://github.com/lurumdare/ideas
    5. Some tricks https://github.com/lurumdare/DefensiveGuideAgainstCrackers
    6. Use embedding objects https://github.com/lurumdare/furikuri_tutorial (I think it is anti-disassembler https://forum.reverse4you.org/t/eset-finfinsher/1127 supported VMProtect, test on Themida and write me PM)
  43. 1 point
    Download: https://github.com/horsicq/pex64dbg/releases Sources: https://github.com/horsicq/pex64dbg More Info: http://n10info.blogspot.com/2019/05/pe-viewer-plugin-for-x64dbg.html
  44. 1 point
    I think nobody can unpack this protector because it's very hard.
  45. 1 point
    You make me cry a little every time I see your replies. I will beforehand declare that this is my last response to your impeccable rant of stupidity, but I feel the need to put out these points. Yes, you did just say a few posts back, that "OP asked for protection, not virtualization", thus claiming that virtualization is not protection. Yes, OP asked for a native packer, as he asked for a packer for his Win32 file. Win32 is a native format, unlike .NET which is a non-native format. If you claim otherwise, I'll die of laughter. Nope, Themida is not useless. It might be easily unpacked (since LCF-AT made a superior script), but there's a big difference between unpacking and devirtualizing. If you have successfully unpacked a file, no matter how you did it, the file is still protected (as an unpacked software) as long as the virtualization is not broken (which is a whole different league to unpacking). The virtualized code sections will not be made readable by any public tools, and there are very few people world-wide who have even got the capability of making such tools. So nope, I'm not unknowledgeable. Actually, I'd go as far as to claim that on the contrary, I am moderately knowledgeable and you are simply extremely uninformed. Yes, OP was looking for constructive feedback, which is why I struck down on you, as you were supplying false information. Oh my god.. I don't even know what to say to this... Themida not an obfuscator? If you had the time to properly read that image, you'd immediately notice the big fat .NET in front of the obfuscator. They're saying it's not a .NET Obfuscator, which means it doesn't obfuscate the IR for .NET. It is however, a compressor, an obfuscator and a virtual machine software for native formats.
  46. 1 point
    Once again, you bless us with your unfathomable stupidity. First you claim virtualization is not "protection"..? If the OP wants protection, and asks which protection software to go with, it includes all features of the protection software, such as virtualization. Themida offers exceptional protection in real situations, when you don't want people to understand certain functions. Next you pick a .NET virtualizer and tell us that, if we're to deduce the best virtualization protection software (while the choice stands between VMProtect and Themida) we should pick Agile.NET??? In case that point flew over your head, here's another stupid point to this: He's asking for a packer for a native Win32 file. You suggest using a non-native .NET packer.
  47. 1 point
    Interesting indeed, always knew antivirus were just backdoors.. IoT is a joke, there has never been any security on them.. you 'could' watch supermarket cameras / most surveillance cameras online with just a clever Google search.. same problem mostly.. crap password or just default setups.. some stupider companies embedded backdoor logins or just plainly not configurable.. closing all your ports on Windows is a great idea (especially NetBIOS), disabling IPv6 is for now a great idea as DNS traffic (546) can be used for nefarious purposes (mostly unknown about by most).. avoid Java all together and Flash / PDF.. Tor is crap (exit nodes), torrents (SHA1 collisions can now be used to detect the best hidden ones or replace files to infect users unaware).. Some companies have memory malware so undetectable file wise.. Also the registry can be used to hide and run code, yes many unpatched tricks there... files hidden in alternate data streams in NTFS files / pictures using steganography or hard drive sectors.. so many different ways I could go on for ages here.. lol either way no one is unhackable, there is always a way and they know and keep secret all of them.
  48. 1 point
    I created this thread because of this thread: http://forum.tuts4yo...ction-question/ Some beginners still think that ImpREC works on Windows 7; this is simply not true. Here is a proof screenshot. The test application is a simple C++ application, not packed/protected. Scylla is the only tool which can rebuild the IAT correctly. I guess this doesn't need any explanation, just see for yourself. (Download the .zip for better resolution) compare_ir_.zip