Leaderboard

@XenocodeRCE: I have a huge respect for you as a RE guy but now you're just being a d*ck. If you have some personal issues with mamo/localhost0/whatever he calls himself this week, please resolve them privately and don't make a huge public drama out of it. No matter how I count, it's 3 months and 2 days max. If you're gonna whine, at least get your facts right. Umm, no. The requirement from law is to react on any reported copyright infringements, not to actively run around and search for any possible issues. See DMCA 512(c). So, if admins ignored a properly reported copyright issue for 3 months, then yes, maybe they could be held responsible. But that's not the case.

https://mega.nz/file/xgonHADA#6-giBWOZXfODm7sLFAMzuCH9L2uQz4sL_9NNBlDkLTM - for those who don't want to fill in the stupid questionnaire with company email address, job position and what not. https://mega.nz/file/Nt4xSaoK#jRcuuuM2vS77DM9Y-KuT4UQUKiYIEl0KkKd6Cp9t7hE - code samples that TheHackersNews forgot to include. Book tries to cover very wide area of topics - from Windows to .NET to Linux, IoT, iOS, Android and shellcodes. By doing so, it fails to cover any of the topics in sufficient details. So, it's a "Jack of all trades, master of none".

Get your tools ready!

Hello everyone. For some time now any registered member of the forum can upload or download copyrighted content that is illegally shared and hosted on the forum. Indeed, not only are there disruptive elements within this community, but in addition they allow themselves to use the forum as a platform for retrieving pirated and / or stolen content. Here is a non-exhaustive list of these positions: - https://forum.tuts4you.com/topic/42411-armdot-source-code/ - https://forum.tuts4you.com/topic/42159-beds-protector-private/ - https://forum.tuts4you.com/topic/42391-cawk-vm-open-source/ - https://forum.tuts4you.com/topic/42210-atomic-obfuscator-90-open-source/ 1) The first item is copyrighted software which has nothing to do here. Not only can we download the software, but we can also view its source code, which is a violation of digital copyright law and a violation of reverse engineering laws. 2) The other three are not copyrighted software, but remain private projects. - For example the second subject, "Beds protector -> private <-" includes in its title directly the information that it is a sharing of a private project. So while the software or the code behind the software is not currently regulated, should everyone be allowed to share private code? - The third subject concerns a private project, once again, of one of our emeritus member, Cawk [https://forum.tuts4you.com/profile/90434-cawk/]. Those who speak with him or those who have had the chance to communicate with him know very well that he kept this project private in order to sell it. He had already sold one of his private project on this forum. Out of pure respect I wonder if it makes him happy to see his private projects shared with impunity on a forum he appreciated. - The last one has already been the subject of a DMCA complaint [https://i.imgur.com/V4GjHXR.png] but I want to add something even more serious in my opinion: if you do not know what is " atomic-obfuscator ", you can imagine that it is a paid private obfuscator, which had a very small number of users. Now if you type the name of the project on Google you will find its shared source code several times, in different versions of the project, and this in a systematic way. What I am targeting here is the relentlessness that certain users allow themselves towards other users and their projects. If we refer to the forum rules, since the first sharing of private content on the forum by the user "localhost0" we can observe several repeated violations of the rules: - "01. Your Expected Behavior and Attitude": what good attitude would allow you to share private code on semi-public forums? None. - "07. Uploads, Downloads & Files": the leaked and cracked versions of the programs mentioned above are expressly hosted on the forum, or use the forum's hosting platform. In other words, the forum is currently hosting illegal content. - "11. Scene Warez": A bit for the same reasons, but if only it was disparate; we can see that the user "localhost0" is ONLY sharing leaked code or private project source code. - "22. Intellectual Property": It goes without saying that all of this content hosted on the forum is subject to violation of the intellectual property code. I am not a lawyer but in my humble opinion there is no need to get a PhD in digital law to understand the problem. What I propose: - The "Packer and Protector release" section must be reworked, or be moderated: our newly created topic must be approved by a moderator before being visible, in order to prevent sharing of illegal content or sensitive.

This code and accompanying article is worse than most ConfuserEx mods written by script kiddies... Where do I start? Holy f*ck, have you ever heard of things you should never ever do inside DllMain? Loading another DLL from DllMain is one of the basic ones - it virtually guarantees a deadlock. "DLL hook"... You mean DLL name? Like, I don't know... a string? Not since year 2018... And it's called "Detours" And the cherry on the top! Just 4 problems in 9 lines of code! Must be a world record or something! 1) if CreateRemoteThread fails, child process is left hanging; 2) WaitForSingleObject with 4000ms timeout assumes that remote thread runs immediately and that hook DLL loads and does its stuff immediately. You just created a race condition between hooking thread and main process thread. 3) WaitForSingleObject with timeout + VirtualFreeEx creates another nasty race condition. 4) You should close the thread handle for the process you created: CloseHandle(processInformation.hThread);

Ted.

"Mastering" means obtaining deep and complete knowledge of a certain subject. If the book was called "Basics of Malware Analysis" or "Malware Analysis for Dummies", I'd have no issues with its title or content. But not like this..

@Loki Please remove any member using fake accounts, we all know whom I mean, he is the source of all troubles here.

Just to clarify, do you want to create a new menu for all of your different tools not written by you or do you want to integrate the tools you have written into the context menu? 7-zip and winrar integrate themselves into the context menu and the 'New' context menu is a windows feature If you want to create a new menu like the 'New' menu then it can be done easily by editing the registry If you want to code your apps to integrate themselves then you don't have to use C++, you can use whatever language you code in to create a shell extension COM server which registers itself into your system

Check this article series, it's quite pratical : https://www.codeproject.com/Articles/441/The-Complete-Idiot-s-Guide-to-Writing-Shell-Extens Regards, Tony

Yet another service Google will kill in a few months lol. (For context: https://killedbygoogle.com/ )

Amazes me that with that power they went for a bitcoin scam..... imagine what they could have got by shorting Tesla and Apple stock. Less traceable this way I guess, and they still made some cash.

This forum has a login system and for "Human"-Verification it asked (me atleast) to scan a QR-Code to get a key that then verifies that im a human. But first of all, if you have a bot it can easily scan the code itself with the help of some github repos or even easier, you can just open the QR-Image in a new tab and the filename is the key. soooo.. I dont know if you guys already know/care about this but you can also just let it away because anyone who wants to bypass it, can easily do that.

Would recommend avoiding this for the time being. Deno is a re-envision of NodeJS, created/founded by the original creator of NodeJS. However, the project is more of a dictatorship now than being an open source community collaboration. Safety/security are also not something I would say this project actually is, and rather just a buzz-word way of saying, "If you don't enable anything and basically have a useless shell of an application; it's secure!". Majority of any real-world usage out of this will require various flags be enabled that completely diminish the security aspect of it. The way imports/third-party libraries is handled is done via remote URL inclusions directly from your source code. Rather than allow any means of locking things down in a sensible way, the author has decided third-party includes are allowed to break the mixed-mode browser security implications and inherit from insecure sources. So importing a library you assume is safe via an HTTPS url can then itself import insecure libraries. Would say more than half their GitHub issues are revolved around this security problem and the creator has basically said 'deal with it' because normal JavaScript <script> tags allow for http includes, therefore he sees it as 'fine'. Give the project a lot more time to mature and break from the chains of the main guys "final say" over things and become an actual community project before bothering with it, imo.

I noted in at least one of the links you posted you were able to "like" a post and likely downloaded content yet did not report to moderators any of these up until 45 minutes prior to starting this topic. I am assuming your current motives and interest are purely driven due ArmDot source code being released and were okay not to care reporting of the other links up until this point. As commented previously one of those topics you linked (source code for commercial copyright software) was taken down, within five hours of it being posted. Another was taken down and restored after a week because the person (claimed author) making the complaint never responded to PM's to provide further information or context. Regarding "private", it is not uncommon in the RCE scene for private tools, code, etc. to be released (not leaked) to the public. There are also open source code that get released under various licences that people modify and those changes may still fall under an open licence. What I am getting at here, and this is not an excuse, is that sometimes there are grey areas and it would be appreciated if you reported these to the moderators as we aren't always aware of everything that is happening out there. Occasionally people have incorrectly or falsely reported posts and topics for various reasons (sometimes out of spite, jealousy, personal disputes, etc.). If we really want to follow the rules moderators could request information to validate as described in section 22 of the terms. The moderators have actioned all your reports on good faith and in a timely manner without requesting any of this information... Ted.

To discuss about Twitter Bitcoins Scam happened yesterday - 15-07-2020 BTC Address of Hacker -- https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh though after the Total Hack, Hacker was able to garnered around 10 Millions ++ USD News Covered by BBC -- https://www.bbc.com/news/technology-53425822 The Verge - https://www.theverge.com/2020/7/15/21326200/elon-musk-bill-gates-twitter-hack-bitcoin-scam-compromised Few Hacked Accounts I saw - 1- Apple Official - iPhone Owner Official LOL 2- Twitter Support - Haha Official Account 3- Bill Gates - LOL No Need Description 4- Barack Obama - ex President of USA 5- Elon Musk - Well Known 7th Richest Person and Tesla SpaceX CEO 6- Mike Bloomberg - Billionaire Media Owner 7- Cashapp 8- kanye West - May be standing for Election and Famous Singer 9- Jeff Bezos - No. 1 in the List of rich and Ofcourse Amazon Owner 10- Benjamin Netanyahu 11- Uber 12- Tron 13- Coinbase 14- Bitcoin 15- BINANCE 16- Charlee Lee 17- Joe Biden 18- Justin Sun 19- Warren Buffett 20- Ripple and almost all CEOs and Crypto Companies, Payments Site Luckily I didn't see Mark Zuckerberg in the List. They targeted almost all big accounts on twitter. Its the most astonishing news I saw and i think probably 2nd biggest news after Corona in this 2020. what is your opinion guys? Let's discuss about it. 1 Million Bounty announced for White Hat by Justin Sun -- https://cointelegraph.com/news/justin-sun-offers-1-million-bounty-in-exchange-for-twitter-hackers

Unfortunately, people who write these kinds of articles, lack even the most basic knowledge of economics. "Loss of revenue" is not the same as an actual "loss" (also called "financial loss"). Suppose you're selling cars. You normally sell one car a month for 20'000EUR. A bad month (or Coronavirus) comes and you don't sell any car that month. Did you just lose 20'000EUR? No, you didn't. Sure, you had some expenses, like salary, rent of the office, telephone - those expenses will be your actual financial loss. But that wouldn't sound that scary, right?

@Kurapica https://www.bleepingcomputer.com/news/security/bypassing-windows-10-uac-with-mock-folders-and-dll-hijacking/

Public tool that can devirt latest DNGuard HVM? lol

He is implying that if you (properly) mod koivm yourself it'd be better than the commercially available vm's.

Sorry to let things go OT, but today I did see the truths everywhere and a lot of info right from the horse's mouth. https://www.nytimes.com/2020/07/17/technology/twitter-hackers-interview.html Hope they used a VPN

Gents. Please keep conversation on topic. There is no reason to bring personal vendettas up over and over. Thank you.

Hmmm my x86 version of curl 7.71 won’t pop the getaddrinfo API ... which makes it tough to see what you’re saying about param 4 with curl... lemme see if I can find you’re particular version ... Btw - reason I asked about a proxy is getaddrinfo won’t work behind a proxy (https://devblogs.microsoft.com/oldnewthing/20150916-00/?p=91581)

My struct for results is already set as a pointer struct addrinfo hints, *res; so my &res is the memory location which will hold a pointer this pointer comes to us after a successful call so *res is pointing to another memory location which has all our linked list results btw- are you using curl through a proxy ?

For things like that with Elons account, it would raise red flags before people would react out of fear. After issues in his past over the last handful of years, he's not allowed to Tweet things about Tesla/Tesla stock without a panel review now. So if he suddenly shotgunned out weird Tweets about the company/it's stock, it would be met with instant/immediate red flags of him being hacked. Wouldn't really do much damage and would get Twitters attention from his company and board faster than the Bitcoin Tweets would have since those are actually believable to some extent. Especially with people like Elon. Given the way the breech happened and was done via password resets, the people behind the attack knew they only had a limited amount of time to do something/anything before one of the people affected would begin reporting their account hacked/stolen to Twitter. So the bitcoin idea was honestly their best bet to make out with some easy money and keep a somewhat believable message up across multiple high-figure celebs accounts for the longest time possible.

Short way: search for memory (could be complex if you don't know what to search) Longer way: Unpack with UPX, use AutoIt Decompiler on the file. If we launch decompiled script, it will freeze. That is because there is a certain check that prevents us from running. $_1111111ll11 = @Compiled ; ... If NOT $_1111111ll11 Then _ll11lll1111() ; we have to comment this to be able to run A correct "good boy" password can be obtained without analyzing how strings are stored as we can always print any variable to a messagebox.

It is not unusual for API's to support different OS versions or even OS builds, predominantly as is the case on Windows 10. There has to be a minimum baseline when the API's are introduced and supported. It is impractical for Microsoft to go back and update every previous OS and build. For new software I would personally focus my time on developing for OS's that are still in their support life-cycle unless it is for a specific use case. At least one of the API's you have listed has been deprecated. I would check them all again and follow the guidance notes... Ted.

here's my quick example source code in relevant part since im behind a proxy via iphone at port 443 i use it as an example: hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; getaddrinfo("192.168.127.120","443",&hints,&res); =========== AT THE CALL: stack params: param3: ai_flags=0 - we didnt set any ai_family = 0 - AF_UNSPEC ai_socktype = 1 - SOCK_STREAM we set it to this ai_protocol = 6 - IPPROTO_TCP we also set this param4: nothing because we havent completed the API call yet ======================= AFTER THE CALL EAX = 00000000 (successful call) stack: (its noted i cleaned the esp after call by 10) param3: hasnt changed param4 however: so if i read this correctly our reply contains info that the server (my proxy on the iphone) expects ai_flags = 04 - AI_NUMERICHOST ai_family = 2 - AF_INET (IPv4) ai_socktype = 1 - SOCK_STREAM ai_protocol = 6 - IPPROTO_TCP ai_addrlen = 10 - The length, in bytes, of the buffer pointed to by the ai_addr member ai_canonname = 0 ai_addr (sockaddr ) = 0x0071EA80 (mem buffer location) struct sockaddr { ushort sa_family; char sa_data[14]; }; ai_next (addrinfo ) = 0x00 A pointer to the next structure in a linked list. This parameter is set to NULL in the last addrinfo structure of a linked list. We have but one so it was set to NULL someone can correct me if im wrong... but thats how it works in a nutshell

Knew you would say that ... lemme see it brb

Who said they would have to short to make money. Short sale profits are much more suspicious. They could just buy the stock, announce all sorts of amazing good news about new contracts and profits and stuff and then get out. And normal buying and selling is much harder to deem as fraudulent. Chances are in a few hours, its not going to be the most profitable scheme though, without investing a huge principal amount. Coulda shorted Twitter stock itself though regardless of what method they used - its the one that was going down no matter what. I saw a news article that the attack was part of a group which I recall was called "Team Irish Republican Army" whose lead by an alias of the "Lord of Technological Trolling" - so these actors were very likely behind this bitcoin scam. Unfortunately the news article was deleted shortly after it went up, don't know what happened. Twitter has figured everything out already it seems as their idea to implement a watermark based session scheme in their admin tools which was not successfully removed lets them exactly id a admin who was compromised. Otherwise would expect more scattered rays of postings to come.

I hope it was all Apple die hard fans which got scammed because ain't nobody gives a shit bout them flexing there new iphone 20 with camera and screen sold separately at 10k in total, tbh if it was I'd laugh so hard it would shake the whole world so much it'll be documented as a 10+ in a seismograph.

Hi all i'm new on this forum and i really need you're help (sorry for my bad english) let me introduce my problem : in few days ago i tried to crack a keylogger to see how he was made and this software was packed by two packers the number one is called enigma protector 5.x and the second packer is called dnguard (yeah dnguard a very old packer) so i successfully bypassed the enigma protection and now there is my problem "DNGUARD" this packer is old and he seems to be good as far as i could see so i googled how to unpack this and i found nothing i just found one unpacker made by "death" and this tool upgraded and fixed by codecracker (codeexplorer i think ?) so i downloaded the codeexplorer version but now i have a huge problem the unpacker returns a error when i want to unpack my keylogger after this error the program won't continue so i searched for a fixed version of this problem and i found some links but all links where the uploaded fixed version are dead 🙁 or make this error obfuscated code : all strings are encrypted by this message "error dnguard runtime library not loaded" so if someone can help me how to unpack it it would be really nice the exe (zipped with all resources) : https://www28.zippyshare.com/v/lJ9k96Xb/file.html i left the enigma version if i do something wrong Thanks !

Not only it is protected with DNGuard HVM but also with Appfuscator. The tool you mentioned does not support newer versions of dng and has to be updated to support it. Recently @CodeExplorer announced that he is willing to share source code of this tool to a skilled reverser for it to be updated.

“ai_protocol = IPPROTO_ICMP ? <-- why this?“ 0316F8A4 will hold all the data returned back from your PARAM3 however you showed me the wrong memory buffer “ADDRINFOA struct paramter 4 $ ==> 02B596D0 00000000 $+4 02B596D4 00000000 $+8 02B596D8 00000000 $+C 02B596DC 00000001 ai_protocol = IPPROTO_ICMP ? <-- why this?” The right param4 buffer -> 0316F8A0 0316F8A4 which is why in your second example: “here I just entered a free address in parm 4 which points to just zero bytes” You manually changed the pointer to point to a memory buffer that will hold all those returned bytes - in your case they were already 00’s Why curl did the icmp I dunno ... does it ping a port before the GET I dunno and I haven’t looked at it’s source code sorry

Hi guys, I found a new song which came out last year but didn't heard it before. Pretty hot dance track and I love it, hehe. The original song sounds already pretty disco but this remix by "Purple Disco Machine" puts another shovel on it. So both versions are just great! ....below the hot remix..... greetz

On the topic of PHP, they are also potentially adding a JIT compiler in PHP 8.0 https://stitcher.io/blog/php-jit https://wiki.php.net/rfc/jit

Hi deep, so I also thought too that WD would be fine for my tasks (more as normal user) specially when using Windows 10.So sometimes WD dosent react for 100% when I disable the realtime scanner for a while and WD still does say something / detect.Otherwise when WD moves any file in Q then its easy to restore it but the problem in this case is that sometimes just works for few days and then it gets detected again.I mean its not working for 100% to mark any file manually as clean or telling WD no more to say anything about that file XY.Not sure why. greetz

Done... https://forum.tuts4you.com/files/category/82-immunity-debugger/ Ted.

Hi Password : @flag{} inline patched file attached CrackMe_inlined.rar

here is unpacked after unpack MSG in Chinese language i am not understand

Almost unpacked! I was only not able to remove the Delegates and the Control flow. What I removed is: - Anti Tamper (manually; the easiest way consists in finding the call to the anti tamper method (which can be identified by looking at ConfuserEx's source code), setting a breakpoint just after (so that the anti tamper method decrypts the CIL code) and getting the decrypted module in the "Module" section of the dnSpy debugger) - Hide Methods (https://github.com/illuZion9999/Rzy-Protector-V2-unpacker/blob/master/Rzy Protector V2 Unpacker/Protections/Hide Methods.cs (not really reliable, though; a good way would be to get the invalid instructions from the exception handler) - Anti Debug (identify the anti debug method by looking at ConfuserEx's source code and add a ret instruction at its start) - Module Flood & Junk (these are just useless methods & instructions, which can be removed without problems (i removed them manually)) - Native methods (using cawk emulator x86 methods retranslater: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/cawk-Emulator/.NET-Instruction-Emulator-master/CawkEmulatorV4/Instructions/Native/X86MethodToILConverter.cs) - Constants Protection (modded the ConfuserEx Unpacker 2 Constants Decryptor to support 3 parameters: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/ConfuserEx Unpacker/ConfuserEx Unpacker/Protections/Constants/Remover.cs ; you can also invoke the decryption which makes it way easier than emulating it) - Mutations (sizeof (https://github.com/RivaTesu/SizeOf-Fixer), simple operations (de4dot: https://github.com/0xd4d/de4dot) & double.parse (the double.parse method is hidden by a delegate but I recognized the protection ; you can still find a tool for it on GitHub, but you would have to change the parameter check if there are delegates (or, ideally, use an emulator, which should support the double.parse protection with or without delegates): https://github.com/Riziebtw/DoubleParseFixer (note that this tool is not really reliable, and would need some changes)) - Call to calli (https://github.com/Riziebtw/CalliFixer; note that this tool solves the call to calli when the call and its pointer are one after the other, while, in the challenge, the call pointer (an ldftn instruction) is set to an IntPtr field, which is used as a parameter for the calli. You would hence have to grab the fields value (which are assigned in the constructor of the <Module> type) and then solve the callis with these values.) Don't hesitate to get my file and remove the Delegates (and control flow but I consider it not necessary to remove) in order to fully solve the challenge! CrackMe - almost unpacked.exe

Download: https://github.com/horsicq/pex64dbg/releases Sources: https://github.com/horsicq/pex64dbg More Info: http://n10info.blogspot.com/2019/05/pe-viewer-plugin-for-x64dbg.html

Hello All, I created my first reverse engineering project. It's an open source loader called patchya, It's not strong as dUP yet. I am planning to port it to Linux and to add more features as anti anti debugging tricks. Would appreciate any feedback! Github project: https://github.com/misaleh/patchya

If you're talking about protection, as @JohnWho stated, everything can be unpacked, and easily even. The real dealbreaker is the virtualization. As a person who has already defeated the VMProtect virtual machine and the Themida CISC virtual machine, and whom is currently in the process of defeating the Themida FISH and TIGER machines, I can tell you that they are almost uncomparable in complexity, as Themidas never virtual machines makes VMProtect (and the old Themida CISC machine) seem like childsplay.

Fantastic work guys! Both of you ... and on the x64 one Great! You both say that you didn't nothing special and, yeah, in comparison to God who created the world in seven days (well, 6 exactly :P) you did indeed nothing ... but hey we are human (and I underline we, not you ) ... and your work is brilliant. Well done I wish I could have at least an idea on how to start such a job ... Best Regards, Tony

Difficulty : 5 Language : Delphi Platform : Windows X86 OS Version : XP and above Packer / Protector : Safengine Licensor 2.3.7.0 Description : We need to do a patch HWID or unpack. Password - unpackme Screenshot : unpackme Safengine Licensor 2.3.7.0.rar

PatchRSAPublicKey_KeyGen PatchRSAPublicKey_KeyGen.rar

Use UPX !