Jump to content
Tuts 4 You

Leaderboard

  1. kao

    kao

    Full Member+


    • Points

      24

    • Content Count

      2,323


  2. Kurapica

    Kurapica

    Full Member


    • Points

      10

    • Content Count

      843


  3. Teddy Rogers

    Teddy Rogers

    Administrator


    • Points

      10

    • Content Count

      8,934


  4. LCF-AT

    LCF-AT

    Full Member+


    • Points

      9

    • Content Count

      4,932



Popular Content

Showing content with the highest reputation since 06/16/2020 in all areas

  1. 5 points
    https://github.com/ribthegreat99OrN0P/Agile.NET-Deobfuscator @GameHackerPM @BlackHat To fix delegates, controlflow, and strings here yous go ive made a tool with many comments to help you understand!
  2. 5 points
    awesome_msil_Out.exe Approach: 1. Necrobit is a jit protection, so we use Simple MSIL Decryptor by CodeCracker , and it shall be ran on NetBox 2. Code virtualization is a relatively new feature of .net reactor, added in version 6.2.0.0. Here is the approach i took (i did this about 6 months ago so my memory is kinda rusty ) : (Click spoiler to see hidden contents)
  3. 2 points
    This forum has a login system and for "Human"-Verification it asked (me atleast) to scan a QR-Code to get a key that then verifies that im a human. But first of all, if you have a bot it can easily scan the code itself with the help of some github repos or even easier, you can just open the QR-Image in a new tab and the filename is the key. soooo.. I dont know if you guys already know/care about this but you can also just let it away because anyone who wants to bypass it, can easily do that.
  4. 2 points
    Would recommend avoiding this for the time being. Deno is a re-envision of NodeJS, created/founded by the original creator of NodeJS. However, the project is more of a dictatorship now than being an open source community collaboration. Safety/security are also not something I would say this project actually is, and rather just a buzz-word way of saying, "If you don't enable anything and basically have a useless shell of an application; it's secure!". Majority of any real-world usage out of this will require various flags be enabled that completely diminish the security aspect of it. The way imports/third-party libraries is handled is done via remote URL inclusions directly from your source code. Rather than allow any means of locking things down in a sensible way, the author has decided third-party includes are allowed to break the mixed-mode browser security implications and inherit from insecure sources. So importing a library you assume is safe via an HTTPS url can then itself import insecure libraries. Would say more than half their GitHub issues are revolved around this security problem and the creator has basically said 'deal with it' because normal JavaScript <script> tags allow for http includes, therefore he sees it as 'fine'. Give the project a lot more time to mature and break from the chains of the main guys "final say" over things and become an actual community project before bothering with it, imo.
  5. 2 points
    https://www.bleepingcomputer.com/news/security/net-core-vulnerability-lets-attackers-evade-malware-detection/ bonus medium.com/pcmag-access/former-intel-engineer-explains-why-apple-switched-to-arm-deba86e560b1 Hard Disk Hacking (2013) - spritesmods.com/?art=hddhack&page=1
  6. 2 points
    you shouldn't be using WD in first place.
  7. 2 points
    Pawning 40 CTFs simultaneously
  8. 2 points
    My work machine has normally running MS Teams (2GB right there..), Outlook (250MB), Chrome with 40+ tabs (6+GB), Visual Studio, 1-2 VMware Guests and IDA. Would I expect it to magically work with 8GB of RAM? F*ck no! Sure, you can find a tool that hacks around and maybe reduces the symptoms. But it doesn't fix the problem. The actual problem is that your machine is severely under-powered for that sort of a workload. Another 8GB of RAM would be a proper way to solve those issues. And it costs ~40EUR - which is less than 1-2 hours of your time you probably spent googling for such "tool".
  9. 1 point
    Not only it is protected with DNGuard HVM but also with Appfuscator. The tool you mentioned does not support newer versions of dng and has to be updated to support it. Recently @CodeExplorer announced that he is willing to share source code of this tool to a skilled reverser for it to be updated.
  10. 1 point
    “ai_protocol = IPPROTO_ICMP ? <-- why this?“ 0316F8A4 will hold all the data returned back from your PARAM3 however you showed me the wrong memory buffer “ADDRINFOA struct paramter 4 $ ==> 02B596D0 00000000 $+4 02B596D4 00000000 $+8 02B596D8 00000000 $+C 02B596DC 00000001 ai_protocol = IPPROTO_ICMP ? <-- why this?” The right param4 buffer -> 0316F8A0 0316F8A4 which is why in your second example: “here I just entered a free address in parm 4 which points to just zero bytes” You manually changed the pointer to point to a memory buffer that will hold all those returned bytes - in your case they were already 00’s Why curl did the icmp I dunno ... does it ping a port before the GET I dunno and I haven’t looked at it’s source code sorry
  11. 1 point
    On the topic of PHP, they are also potentially adding a JIT compiler in PHP 8.0 https://stitcher.io/blog/php-jit https://wiki.php.net/rfc/jit
  12. 1 point
    Hello guys. Your forum is great and very helpful! Thanks for your work! I am a beginner in reverse engineering with some basic knowledge of C++. I wanted to create a small offset patch in c++. I found a simple template on how to do that. I tried it first with a simple NOP patching and it worked. After I edited it to patch 8 offsets I ended up with a not working-Send report to Microsoft application. I uploaded the edited source code. I don't know much about it, and why that happened. . . Is this the proper way to do it? Is there another better template? I know that there exist some cool patch engines but I would like to experiment and building my own. Thanks in advance! #include <windows.h> #include <stdio.h> #include <stdlib.h> int applyPatch(); const int SIZE = 8; int main(){ applyPatch(); return 0; } int applyPatch() { int offset[SIZE]={0x5758F,0x57590,0x57591,0x57592,0x57594,0x5792D,0x5792F,0x5F963}; byte patch[SIZE]={0xE9,0x97,0x03,0x90,0x90,0xE4,0x01,0xEB}; int i=0; int patch_counter = 0; FILE *f; f=fopen("target.exe","r+"); if(f==0) { MessageBox(0,"File not found!","Error",MB_ICONERROR); return 0; } for(patch_counter = 0; patch_counter < SIZE ; patch_counter++) { for(i=0;i<2;i++) { fseek(f,offset[patch_counter],SEEK_SET); fprintf(f,"%c",patch[patch_counter]); // Write patch offset[patch_counter]++; } } fclose(f); MessageBox(0,"Successfully patched! ","Patched",MB_OK); return 0; }
  13. 1 point
    Hi deep, so I also thought too that WD would be fine for my tasks (more as normal user) specially when using Windows 10.So sometimes WD dosent react for 100% when I disable the realtime scanner for a while and WD still does say something / detect.Otherwise when WD moves any file in Q then its easy to restore it but the problem in this case is that sometimes just works for few days and then it gets detected again.I mean its not working for 100% to mark any file manually as clean or telling WD no more to say anything about that file XY.Not sure why. greetz
  14. 1 point
    WD is fine. Modern AV arent exactly very deterministic things. If you have a problem with a false positive, just disable it.
  15. 1 point
    Also Windows Defender might have options to do live cloud verification or other levels of threat verification like generic heuristics. Is the web connection enabled in the VM and all Windows Defender settings the same? Virustotal style hash checking and stuff are becoming more common in antivirus apps lately for having access to a more up to date and broader database that allows vendors to find viruses earlier as well. Could even be some random spyware setting in your Windows account profile usually under the title of "help Microsoft improve our products and user experience" type of option. Or Windows Defender is so smart that it knows when you are in a VM or sandbox probably you are studying the viruses and do not want to block them. But doubt it
  16. 1 point
    Updates between Windows 10 machines are not always equal regardless of what date/version things say. They roll things out in batches and based on each devices hardware and other qualifying identifiers. Windows Defender symbols and definitions work in a similar manner. So both of your setups may show the same version of WD, but the definitions could be different as one of the machines probably hasn't gotten "permission" to obtain the latest stuff yet. That said, the detection difference could just be an updated difference in the definitions they pushed or that the way WD detected things was done in a different order. (Pretty sure their scanner does multi-threaded scans for performance purposes so one of the threads may have hit the other detection before another thread completed etc. and it just shows what was found first.)
  17. 1 point
    Hi guys, thanks for the feedback again.So this really sounds like hell to build any own client code without to build a browser engine to find out what kind of validation any xy site does request.So why is this validation so dynamic?Sound like that any server could also use any own request method XY instread GET / POST etc like GET_IT or whatever you know.All in all its just bad for me now so there are too much diffrent variables to handle and to know before.This just sucks. greetz
  18. 1 point
    https://www.infoq.com/news/2020/07/mandrel-graalvm/ @CodeExplorer -- bonus pavellaptev.github.io/web-dark-ages/
  19. 1 point
    Apologies, I deviated the topic on the thought of an affordable 400TB SSD in my lifetime. We may need these capacities if heading to 8K and 16K video sources at some point in the future... Ted.
  20. 1 point
    10-12TB spinning drives only this year started to get to a reasonable $/GB ratio. So, 100TB+ SSD is way, way out of reach for the ordinary consumer. And it will be out of reach for next 5-10years. BTW, the f*ing original article was talking about tape drives, not HDDs or SSDs. Personally, I wouldn't call that a drive - but English is not my native language..
  21. 1 point
    Worlds largest SSD recorded so far is sitting at 100TB currently. From Nimbus Data, was a 3.5" bay drive running under SATA or SAS. Granted they reveled it back in 2018, and SSD tech has GREATLY improved since then, so I'm sure the other companies have larger stuff behind the scenes now and just haven't shown it yet. Most of the work being done on the drive market that we are seeing publicly right now is optimizations to the caching and storing of data on the chips and not so much in regards to chasing the larger sizes for the consumer market.
  22. 1 point
    Every site especially nowadays can be quite different. Not only the form fields which can change need to be identified but persistent login options, one or more redirects can occur, cookies are dropped and must be forwarded, browser headers are checked and per browser details involved. Sometimes custom headers are added, there is CSRF, sometimes client side Javascript is doing some key changes to headers or the request maybe encrypting or encoding, sometimes a captcha will come about some just monitoring mouse movements others requiring specific valid input, sometimes the site loads important cookies from other sites, SSL considerations with client or server side certificates, the original HTML spec even had authentication options like basic and digest, even NTLM Windows auth is possible through digest as I recall. So best to create your generic template which deals with all of these things and have per site settings which guide the template. It's a real project for sure but not impossible. But yea a pain indeed.
  23. 1 point
    CSRF tokens https://stackoverflow.com/a/33829607 https://www.hhutzler.de/blog/using-curl/ https://www.google.com/search?q=curl+login+with+CSRF -- On all modern login system there are 'validation' like this... What I have done in the past, is to use CefSharp library (or even the plain WebBrowser of .NET frm), load the page @ browser set the values to inputboxes and submit the form to the server by clicking the submit button by JS code. ex document.querySelector('.ovm-ClassificationBarButton-18'); restoreTAB.click();
  24. 1 point
    _PyEval_EvalFrameDefault executes a code object on the Python frame. To dump the code object to a file you need to use PyMarshal_WriteObjectToFile / PyMarshal_WriteObjectToString at an appropriate place within the function. DnSpy has nothing to do with Python. It's just a piece of string inserted there on purpose.
  25. 1 point
    truly, lost you... pasting some functions for GET/POST, maybe is helpful function make_post_request($url, $params, $json) { $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $url); curl_setopt($curl, CURLOPT_POST, true); if (!$json) { curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params)); } else { $params = json_encode($params); curl_setopt($curl, CURLOPT_POSTFIELDS, $params); curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json; charset=UTF-8', 'X-Accept: application/json')); } // display header // curl_setopt( $curl , CURLOPT_HEADER, 1 ) ; curl_setopt( $curl , CURLOPT_CUSTOMREQUEST , 'POST'); curl_setopt( $curl , CURLOPT_SSL_VERIFYPEER , false ) ; // <-- u searching for this ? curl_setopt( $curl , CURLOPT_RETURNTRANSFER , true ) ; curl_setopt( $curl , CURLOPT_TIMEOUT , 5 ) ; $response = curl_exec($curl); // http status code // $status = curl_getinfo($c, CURLINFO_HTTP_CODE); // var_dump($status); curl_close($curl); return json_decode($response); } function make_get_request($url, $params) { $c = curl_init(); $url .= '?' . http_build_query($params); curl_setopt($c, CURLOPT_URL, $url); curl_setopt($c, CURLOPT_RETURNTRANSFER, true); // curl_setopt($c, CURLOPT_HEADER, true); /* curl_setopt($c, CURLOPT_FOLLOWLOCATION, true); curl_setopt($c, CURLINFO_HEADER_OUT, true);*/ curl_setopt($c, CURLOPT_HTTPHEADER, array('Content-Type: application/json')); $response = curl_exec($c); /* $status = curl_getinfo($c, CURLINFO_HTTP_CODE); var_dump($status);*/ curl_close($c); return json_decode($response); } once user login, store info to session variable at any page you can get any info stored. ex. ata login page $r is a recordset $_SESSION['mail'] = $_POST['email']; $_SESSION['u'] = $r['fullname']; $_SESSION['id'] = $r['user_id']; $_SESSION['level'] = $r['user_level_id']; then on any page, u can read the variable $_SESSION[??] //always u have to use @ the top @session_start(); what is the need? you are on HTTP and what ? ref curl w/o https : serverfault.com/a/469825
  26. 1 point
    Well it's true though right? Every OS upgrade adds more background services, more memory consumption. They always seek to maximally utilize the resources. You basically need a multi core with high RAM to do anything interesting nowadays. By forcing hardware upgrades, they sell more licenses so there is justification for this business strategy. My father told me in the 1970s these same things went on. So it's much older. They never rewrote the code to be more efficient because they wanted the system always busy so they could justify its use and further upgrades. Some things never change Does not leave us consumers with much options. As you correctly point out, tools like this are never as reliable or well understood as the OS choosing to be more efficient or flexible. To prove it further, Microsoft does not do much to stop Win10 cracks. But put a minimal Win10 with the bloat stripped out and they will DMCA it at light speed. Priorities! Instead of designing to run on certain hardware configurations as claimed, they in reality design it not to run on certain hardware specs.
  27. 1 point
    We say this with every iteration of Windows. Recalling XP being bloated... 🤔 Ted.
  28. 1 point
    Often servers have global settings and per domain or IP settings. So globally require SSL is on. But only the IPv4 address is configured for the redirect. The redirect should have been global possibly or defined also for the IPv6. Actually usually it's done on domain names which makes more sense. There are further tricks since SSL can validate IPs and there is some complexity to getting all this to work right in all scenarios such as shared certificates for multiple domains, etc.
  29. 1 point
    This site (in Chinese) explains a bit about that last parameter structure “The fourth parameter ppResult is a pointer of type PADDRINFOA, that is, a double pointer of type addrinfo” https://www.cnblogs.com/Ishore/p/4009205.html
  30. 1 point
    Seems like a tool to keep the cache empty. May be better to leave it to the OS to manage memory... Ted.
  31. 1 point
    Bed_ControlFlow_Remover.rar x86_Retranslater.rar I can't give you the rest of em ( i don't have permission to share them, hope you understand me).
  32. 1 point
    part 2 https://hot3eed.github.io/2020/06/22/snap_p2_deobfuscation.html
  33. 1 point
    This is just a follow up as all too often someone makes a post about something then that is it nothing else. I was fortunate enough to chat with someone on another forum and i was able to make a dump of the bios, and he was able to give me the original password in a couple of minutes, and this has got me interested in the bios dump itself and what it contains. Yes i could have attempted to use CmosPwd 5 or try to reset it with pulling Cmos out for 20 mins, but I'm not sure that would work anymore. The old trick of mistyping the password 3 times to get the code followed by using bios-pw does not work on these newer bios, you still have 3 attempts but no longer do you get a code just a freeze/lock which then means you have to restart the device and start over
  34. 1 point
    This is really the key point that probably should be the requirement for a post to be accepted. A solution should be reproducible, not a list of private tools that are used. Private tools are, as their name implies, private, and by definition that means it is everything but reproducible (unless this tool is shared with the reader of the solution). The only person benefiting from such a reply is the respondent themselves in the form of an ego boost. Not very productive if you'd ask me.
  35. 1 point
    It's a really good question. The answer really depends. Let me give you few recent examples. Example #1: Extreme Coders names the tools and explains HOW to solve the crackme. A lot of effort is required but all the tools can be found via Google. So I have zero issues with the solution. Example #2: Prab names the tools but no explanation is given. "x86 retranslater" definitely cannot be found not on Google. "Clean control flow" tells the obvious thing but it doesn't explain HOW to do that. What's the point of such solution? The only thing reader will learn from this is that he needs a magic wand that he can't have.
  36. 1 point
    View File Reactor v6.3 Try to unpack or alternatively provide a serial. Protections used: Necrobit Antitampering Antidebug Obfuscation Code Virtualization + Shield with SNK Submitter whoknows Submitted 06/10/2020 Category UnPackMe (.NET)  
  37. 1 point
    Hello everyone , I hope you're doing good , I've been searching for a while about how to write a plugin for OllyDbg , with the help of the (plugin api unit) I was able to make a simple plugin that retreives the value of the flag (BeingDebugged) which is used by the function (IsDebuggerPresent) . now the problem is that i still can't change that byte . The function WriteProcessMemory isn't working , can you give me some help please , here's the full code : thanks in advance library AADebug; uses SysUtils, plugin, windows, Classes; {$R *.res} type PEB = record Reserved1: array [0 .. 1] of Byte; BeingDebugged: Byte; Reserved2: Byte; Reserved3: array [0 .. 1] of Pointer; Ldr: Pointer; Reserved4: array [0 .. 102] of Byte; Reserved5: array [0 .. 51] of Pointer; PostProcessInitRoutine: Pointer; Reserved6: array [0 .. 127] of Byte; Reserved7: Pointer; SessionId: ULONG; end; PROCESS_BASIC_INFORMATION = record Reserved1: Pointer; PebBaseAddress: Pointer; Reserved2: array [0 .. 1] of Pointer; UniqueProcessId: cardinal; Reserved3: Pointer; end; resourcestring PLUGIN_NAME = 'Anti IsDebuggerPresent'; var g_hwndOlly: HWND; // OllyDbg Window Handle ProcessBasicInfo : PROCESS_BASIC_INFORMATION; Length:cardinal; EB : PEB; function ODBG_Plugininit(ollydbgversion:Integer;hWndOlly:HWND;features:PULONG):Integer;cdecl; begin g_hwndOlly := hWndOlly; Addtolist(0, 0, pchar(PLUGIN_NAME)); Result := 0; end; function ODBG_Plugindata(name: PChar): integer; cdecl; begin StrLCopy(name, PChar(PLUGIN_NAME), 32); Result := PLUGIN_VERSION; end; function NtQueryInformationProcess(ProcessHandle: THANDLE; ProcessInformationClass: DWORD; ProcessInformation: Pointer; ProcessInformationLength:ULONG; ReturnLength: PULONG): LongInt; stdcall; external 'ntdll.dll'; procedure Getinfo; var debugee,PID : THandle; buffer : byte; begin buffer := $00; PID := PluginGetValue(VAL_PROCESSID); debugee := OpenProcess(PROCESS_ALL_ACCESS,False,PID); NtQueryInformationProcess(debugee,0,@ProcessBasicInfo,sizeof(ProcessBasicInfo),@length); readprocessmemory(debugee,ProcessBasicInfo.PebBaseAddress,@EB,sizeof(EB),length); writeprocessmemory(debugee,@EB.beingDebugged,@buffer,sizeof(buffer),length); messagebox(g_hwndOlly,pchar('BeingDebuggedFlag : '+ inttostr(EB.beingDebugged)),pchar('info'),MB_ICONINFORMATION); end; procedure ODBG_Pluginaction(origin:Integer; action:Integer; pItem:Pointer);cdecl; begin if (origin = PM_MAIN) then begin Getinfo; end; end; exports ODBG_Plugininit name '_ODBG_Plugininit', ODBG_Plugindata name '_ODBG_Plugindata', ODBG_Pluginaction name '_ODBG_Pluginaction'; begin end.
  38. 1 point
    You're writing to the wrong address. It should be something like: WriteProcessMemory(debugee,pointer(dword(ProcessBasicInfo.PebBaseAddress) + 2),@buffer,sizeof(buffer),length); Since Delphi doesn't have a pretty way to get field offset, I had to hardcode the "2" instead of writing something prettier like "offsetof(PEB, BeingDebugged)". You could do some of the ugly tricks mentioned here: https://stackoverflow.com/questions/14462103/delphi-offset-of-record-field but to me it's not worth the effort.
  39. 1 point
    Not necessary to unpack to get the key. Key: Steps :
  40. 1 point
    What makes you question either of these? Private: There are occasionally some techniques, practices (and tools) kept private to stay ahead of the game. Nothing has changed much over the years in this regard as far as I can tell. Knowledge: As @kao already mentioned most of the core techniques and information is out there to be discovered (in these forums for example). It only needs a willing and proactive individual to expand and develop on this information. As everyone seems to have their own blog (or YouTube channel) these days these generally seem to be the new format for tutorials. One day... when all my children have grown up and left home I can get my life back and get back to RCE and making traditional tutorials. Hopefully the RCE world will be an entirely new and interesting place to explore... 👍 Ted.
  41. 1 point
  42. 1 point
    Download: https://github.com/horsicq/pex64dbg/releases Sources: https://github.com/horsicq/pex64dbg More Info: http://n10info.blogspot.com/2019/05/pe-viewer-plugin-for-x64dbg.html
  43. 1 point
    Beds Protector ? I found is Babel Protector .
  44. 1 point
    Run the program, put any fake password, click on "Check password" wrong msg will be prompted, open up process hacker, right click on the file process -> properties -> net module -> strings -> scan/dump and then you have a .txt file with all strings extracted from memory. Seek for the wrong msg prompt text and nearby is the password.
  45. 1 point
    If you're talking about protection, as @JohnWho stated, everything can be unpacked, and easily even. The real dealbreaker is the virtualization. As a person who has already defeated the VMProtect virtual machine and the Themida CISC virtual machine, and whom is currently in the process of defeating the Themida FISH and TIGER machines, I can tell you that they are almost uncomparable in complexity, as Themidas never virtual machines makes VMProtect (and the old Themida CISC machine) seem like childsplay.
  46. 1 point
    Yep. That is one of the sections. It may be more on larger files. BTW. Here is my script for recover VM'ed Enigma OEP. Is written back in 2015 and i don't know if is fail proof because i did not use/test for more than a year ago. // giv@reversing.ro // Script for restore VM OEP on Enigma 5.xx VM'ed OEP // Delphi files + VB6 bc lc bphwc bpmc dbh GMI eip, CODEBASE mov bazacod, $RESULT GMI eip, CODESIZE mov marimecod, $RESULT VAR INTRARE ask "Enter the EIP of the stolen OEP" mov INTRARE, $RESULT //mov INTRARE, 0041F372 BPHWS INTRARE erun bphwc INTRARE ask "Enter compiler type: 1 for Delphi 2 for Visual Basic 3 for C++" mov tipcompilator, $RESULT cmp $RESULT,1 ifeq jmp Delphi endif cmp $RESULT,2 ifeq jmp vb6 endif cmp $RESULT,3 ifeq jmp C_plus endif //Target compiler select mov delphi, 1 mov vb6, 0 mov cpp, 0 ///////////////// cmp delphi, 1 ifeq jmp Delphi endif cmp vb6, 1 ifeq jmp vb6 endif cmp cpp, 1 ifeq jmp C_plus endif Delphi: log "PUSH EBP" log "MOV EBP, ESP" log "ADD ESP, -10" BREAK: bc bphwc bpmc BPRM bazacod, marimecod erun cmp eip, INTRARE ifeq jmp BREAK endif cmp eip, bazacod+marimecod ifa jmp BREAK endif cmp eax, 01000000 ifa jmp DWORD endif cmp [eip], #FF25#, 2 ifeq jmp BREAK endif mov valoareeax, eax eval "MOV EAX, 00{valoareeax}" LOG $RESULT, "" eval "MOV ECX, 00{ecx}" log $RESULT, "" eval "MOV EDX, 00{edx}" log $RESULT, "" mov pozitie, eip eval "CALL 0{pozitie}" log $RESULT, "" GASIRE_RET: bpmc cmp [eip], #FF25#, 2 ifeq jmp BREAK endif find eip, #C3#, 5 mov adresagasitaret, $RESULT cmp adresagasitaret, 0 ifa bp adresagasitaret erun bc adresagasitaret esti gci eip, COMMAND mov stringoep, $RESULT scmpi stringoep, "PUSH 0x0", 4 cmp $RESULT, 0 ifa jmp Comanda_gci endif esti jmp Comanda_gci endif find eip, #5?C?#, 1500 mov adresagasitaret, $RESULT cmp adresagasitaret, 0 ifa mov diferenta, adresagasitaret-eip cmp diferenta, 35 ifb cmp [adresagasitaret], #5BC3#, 2 ifeq bpmc bp adresagasitaret erun esti esti jmp Comanda_gci endif cmp [adresagasitaret], #5DC2#, 2 ifeq bpmc bp adresagasitaret erun esti esti jmp Comanda_gci endif msg "Diferenta prea mica" endif mov adresacomparare, adresagasitaret add adresacomparare, 1 cmp [adresacomparare], #C3#,1 ifneq mov start, eip add start, 35 find start,#E8????????C3# bp $RESULT erun bc find eip, #5?C?# bp $RESULT erun bc esti esti jmp Comanda_gci //msg "Pauza C3" endif bp adresagasitaret erun bc adresagasitaret esti esti jmp Comanda_gci endif find eip, #5?5?5?5?C3#,500 bpmc mov adresagasitaret, $RESULT cmp adresagasitaret, 0 ifa bp adresagasitaret erun bc adresagasitaret esti esti jmp Comanda_gci endif cmp adresagasitaret, 0 Continuare_ret: bpmc ifa bp adresagasitaret bpmc erun endif bc adresagasitaret esti esti Comanda_gci: GCI eip, COMMAND mov comanda, $RESULT scmpi comanda, "PUSH 0x0", 4 ifneq jmp GASIRE_RET endif jmp BREAK DWORD: ///////// bc bphwc ///////// mov gasire, eax rev gasire mov gasire, $RESULT /////////////////// eval "{gasire}" mov gasire, $RESULT ////////////////// len gasire cmp $RESULT, 7 ifeq eval "0{gasire}" mov gasire, $RESULT jmp ansamblare_gasire endif len gasire cmp $RESULT, 6 ifeq eval "00{gasire}" mov gasire, $RESULT endif //log gasire, "" ansamblare_gasire: eval "#{gasire}#" mov gasire, $RESULT findmem gasire, bazacod mov adresa_p, $RESULT cmp adresa_p, 0 ifeq msg "Pointer negasit" pause endif ifa eval "MOV EAX, DWORD PTR[{adresa_p}]" log $RESULT, "" cmp ecx, 401000 ifa eval "MOV ECX, 00{ecx}" log $RESULT, "" endif cmp edx, 401000 ifa eval "MOV EDX, 00{edx}" log $RESULT, "" endif mov pozitie, eip eval "CALL 0{pozitie}" log $RESULT, "" jmp GASIRE_RET vb6: findmem #5642??21#, bazacod mov variabilapush, $RESULT cmp variabilapush,0 ifeq msg "Pattern not found for push value - VB6" jmp Sfarsit endif eval "PUSH 00{variabilapush}" LOG $RESULT, "" asm eip, $RESULT mov variabilacall, eip-6 eval "CALL 00{variabilacall}" LOG $RESULT, "" asm eip+5, $RESULT jmp Sfarsit C_plus: bc bphwc bpmc BPRM bazacod, marimecod erun MOV intrarecallc, eip EVAL "CALL {intrarecallc}" log $RESULT, "" ASM INTRARE, $RESULT bc bphwc bpmc rtr esti BPRM bazacod, marimecod erun MOV jmpc, eip EVAL "JMP {jmpc}" log $RESULT, "" ASM INTRARE+5, $RESULT jmp Sfarsit Sfarsit: msg "Script is finished"
  47. 1 point
  48. 1 point
    Small modification of ragdog's idea: 1) breakpoint on LoadBitmapA; 2) look at parameters to the call: 0012F740 00AC119D /CALL to LoadBitmapA from 00AC1198 0012F744 00AC0000 |hInst = 00AC0000 0012F748 00AC3000 \RsrcName = "MyBitmap" So, the DLL is loaded at address AC0000. 3) Dump memory at address AC0000. I used PETools, so it calculated size of dump automatically (EC000 bytes). But you can always use other tool and dump more memory, it won't hurt. 4) Open dump with CFF and use its resource editor function to extract BMP.
  49. 1 point
    return from LoadBitmapA have you the pointer of this picture ;-) Now must you dump it and write the Bitamp header Here is a example for safe the bitmap (dumper) from rohitab //if you want to save the bitmap to a file now that you have it on your computer,here (i dont take credit for this function) void SaveBitmap(char *szFilename,HBITMAP hBitmap) { HDC hdc=NULL; FILE* fp=NULL; LPVOID pBuf=NULL; BITMAPINFO bmpInfo; BITMAPFILEHEADER bmpFileHeader; do{ hdc=GetDC(NULL); ZeroMemory(&bmpInfo,sizeof(BITMAPINFO)); bmpInfo.bmiHeader.biSize=sizeof(BITMAPINFOHEADER); GetDIBits(hdc,hBitmap,0,0,NULL,&bmpInfo,DIB_RGB_COLORS); if(bmpInfo.bmiHeader.biSizeImage<=0) bmpInfo.bmiHeader.biSizeImage=bmpInfo.bmiHeader.biWidth*abs(bmpInfo.bmiHeader.biHeight)*(bmpInfo.bmiHeader.biBitCount+7)/8; if((pBuf = malloc(bmpInfo.bmiHeader.biSizeImage))==NULL) { MessageBox( NULL, "Unable to Allocate Bitmap Memory", "Error", MB_OK|MB_IConerror); break; } bmpInfo.bmiHeader.biCompression=BI_RGB; GetDIBits(hdc,hBitmap,0,bmpInfo.bmiHeader.biHeight,pBuf, &bmpInfo, DIB_RGB_COLORS); if((fp = fopen(szFilename,"wb"))==NULL) { MessageBox( NULL, "Unable to Create Bitmap File", "Error", MB_OK|MB_IConerror); break; } bmpFileHeader.bfReserved1=0; bmpFileHeader.bfReserved2=0; bmpFileHeader.bfSize=sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+bmpInfo.bmiHeader.biSizeImage; bmpFileHeader.bfType='MB'; bmpFileHeader.bfOffBits=sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER); fwrite(&bmpFileHeader,sizeof(BITMAPFILEHEADER),1,fp); fwrite(&bmpInfo.bmiHeader,sizeof(BITMAPINFOHEADER),1,fp); fwrite(pBuf,bmpInfo.bmiHeader.biSizeImage,1,fp); }while(false); if(hdc) ReleaseDC(NULL,hdc); if(pBuf) free(pBuf); if(fp) fclose(fp); }
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
×
×
  • Create New...