Leaderboard

@GautamGreat: I cannot promise to make full write-ups this year, but if I make some, I'll post a link here.

Hey guys, After a long time I started writing on my blog again. https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-1 Best regards

@CodeExplorer: AVG was bought by AVAST few years ago. They kept the brand and got rid of most of the code and technologies behind AVG. Now when you install AVG, it's actually AVAST with a different skin, nothing else.

Finished, was harder than the usual but still got it -To beat this i modded oldrod in-place since there weren't commandlines that supported what i wanted to do. ObfuscationTest.exe

Everything: https://www.epicgames.com/store/en-US/download/everything/home Metro 2033 Redux: https://www.epicgames.com/store/en-US/download/metro-2033-redux/home

You don't need to know correct key to get the flag: Is that what you're looking for? How-to: 1) Run and dump from memory; 2) (optional) Fix imports with Scylla; 3) Load dump in IDA; 4) Find WndProc and see how WM_COMMAND is handled; 5) The key check is very convoluted but it all ends up here: ... lots of horrible operations with entered key .. strncpy(buffer, encryptedFlag, 25); for ( n = 0; n < 25; ++n ) { v3 = buffer[n]; v4 = HIDWORD(v3) ^ HIDWORD(v20) ^ HIDWORD(v21) ^ HIDWORD(v22) ^ HIDWORD(v23) ^ HIDWORD(v11); v8[2 * n] = v3 ^ v20 ^ v21 ^ v22 ^ v23 ^ v11; v8[2 * n + 1] = v4; decryptedFlag[n] = v8[2 * n]; } // check last 2 bytes of decrypted flag result = 24; if ( decryptedFlag[24] == 'Z' ) { result = 23; if ( decryptedFlag[23] == 'C' ) ... Xor key for all bytes is the same. You know encrypted flag. You know last 2 bytes of decrypted flag. So, you can deduce XOR key and decrypt the flag.

Batman week - all of the Arkham games and the three lego batman games currently free on epic. https://www.epicgames.com/store/en-US/collection/batman-free-week

go @ : https://www.filehorse.com/download-sandboxie/ SHA1 compared w/ author site is the same @: https://www.sandboxie.com/AllVersions

I used this in my MyAppSecured exe protector project. This code emulates the winAPI CreateThread using ZwCreateThread, in pure MASM, compiled in WinASM studio. Feel free to use it for your own projects. ZwCreateThread example.rar

Not all of this is correct. However, I am not going to tell you which information is incorrect.

Language : .NET Platform : Windows OS Version : All Packer / Protector : Modified ConfuserEx + KoiVM Description: I don't expect this to be anything extremly hard to unpack. I would like to see a full detailed explanation of how you unpacked this file and the key. Screenshot: Protected.zip

Hi You just need look at GetLastError with debugger

DNS resolvers and queries (over HTTPS) seem to be a bit of a popular topic in the news of late. There are a number of reasons why people should be using DoH (or DoT); privacy, security, prevention against eavesdropping and man-in-the-middle attacks. For those not familar and for those of you interested there are ad-blocking DoH resolvers. Below is a list of ad-blocking resolvers that I am currently aware of. Obviously these will perform better or worse depending on where you are located geographically in the world. My top three for performance are the first three in the list, the others are ranked in no preferential order. https://adblock.mydns.network/dns-query - Anycast (Cloudflare) / DNSSEC / DDoS https://dns.adguard.com/dns-query https://doh.tiarap.org/dns-query - Malware / DNSSEC https://ads-doh.securedns.eu/dns-query - DNSSEC https://doh.dnswarden.com/adblock - DNSSEC https://dns-nyc.aaflalo.me/dns-query https://dns.aaflalo.me/dns-query - DNSSEC https://doh.tiar.app/dns-query - Malware / DNSSEC https://dns.oszx.co/dns-query - DNSSEC If you know of some others out there please share them... Ted.

NO Let's say you have the following scenario An execution range : instructions being run between two locations, for example : Point A : Entry point of the application Point B : is a call to showwindow API These two points should be in the same module, so set a BP on point A and when you are there Start the plugin from the menu, you will see this dialog, END VA is where you enter the address of Point B Module is the name of the module in which tracing should happen so now you press GO button and it will single step each line until it reaches Point B in this module you will see the counter of "Logged events" increasing with time until you reach point B Now you can click "SAVE" button and name this log as "Tracing_State_1" Repeat the same process with different parameters in your application, for example using an invalid password or date save the 2nd log, now you have 2 logs to diff, each log is a text file, you can use Notepad++ and one of its plugins to diff the 2 logs and see where the execution differs within this range.

https://www.reuters.com/article/us-venezuela-politics-adobe/venezuela-designers-turn-to-piracy-after-adobe-announces-it-will-cut-service-idUSKBN1WN25L

Came across this which has some code on how to perform image base relocations and resolve import address table once a dll loaded into memory: https://ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection Just have to adapt the code, as i guess the image is already in memory with the LoadLibraryEx call instead of manually loading it as in the example code shown.

You can look up how manual mapping handles initializing the DLL that was manually mapped into memory. That will show the steps to take to manually rehandle the loading steps. The BlackBone project on GitHub has this handled pretty well which you can reference here: https://github.com/DarthTon/Blackbone/blob/0072fba51c81aec5c6f56b7a7705377fe2f785d1/src/BlackBone/ManualMap/MMap.cpp

Check this by Mr. Kurapica: https://forum.tuts4you.com/topic/38536-x64dbg-conditional-branches-logger-plugin

When using LoadLibrary it will call entry point of dll: here is a tools which stops before calling entry point of dll: https://forum.tuts4you.com/topic/39871-dllsaver don't know if that's what you want!

LoadLibraryEx with flag: DONT_RESOLVE_DLL_REFERENCES,

Following the good old tradition, this thread will be dedicated to the annual Flare-On challenge. Who's going to participate this year?

How you solved challenge BMP HIDE ? I'm always interested in your unique solutions like last time you solved challenge magic with a C# solver.

AVG Rescue CD is some linux which looks more like DOS; also the only thing I could update is the viruses definition; while Avast Rescue CD is a Windows based CD which looks decent. You can download Avast Rescue CD from here: https://we.tl/t-RphW9WWsi1 (just so you won't require to install avast_free_antivirus_setup_online.zip) Updating Avira rescue is a work in progress!

Before you potentially dump $50 on CodeStage, look around for free options. Most of what's offered in his library is already free. Protected memory/variables: - https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.protectedmemory - https://gamedev.stackexchange.com/a/9851 (Xor'd value, same as how CodeStage protects.) - https://www.alanzucconi.com/2015/09/02/a-practical-tutorial-to-hack-and-protect-unity-games/ - https://github.com/Ymiku/SafeInt - https://github.com/pedro15/UniToolKit Protected player prefs: - https://www.alanzucconi.com/2015/09/02/a-practical-tutorial-to-hack-and-protect-unity-games/ - https://gist.github.com/ftvs/5299600 - https://github.com/rawandnf/SecurePlayerPrefs - Any kind of encryption you prefer works for this. Generate Code Hashes: - Use System.Reflection for this. (MethodBody -> GetILAsByteArray -> hash etc.) Detect Speed Hack: - This is done by monitoring the ticks of an application in a timer/thread checking for any sudden increases that cause the timing of the app/process to be considered fast/slow. - https://github.com/WizardVan/UnityDetector Detect Wall Hacks: - This is done a number of ways depending on what kind of detection you are looking for. Detect Injections: - Walk/monitor the app domains assembly list for unknown modules. (AppDomain.CurrentDomain.GetAssemblies()) - Track a list of valid/allowed modules + checksum hashes. - Track IL edits to functions via hash checks. Keep in mind all of this is bypassable, editable, etc. by a hack/cheat/mod so while you are adding a layer of security it will only work against certain people whom are not familiar with bypassing this kind of stuff.

Thats actually how I did it. I know i made ithard for myself. Had to learn smali. There is plugin in android studio to debug smali codes

@Zulu - I don't think you can debug a precompiled Android application could be wrong but I don't think that is the correct way of solving the challenge. I personally used https://github.com/rajivvishwa/apk2java to decompile the code, (reread the question) Sometimes I also use APKTool to get the Bakismali and modify it from there (its kindof a pain because you have to understand bakismali and you have to sign the app) but to answer your question, I don't think you can debug it directly. Ch10 ^ Also if anyone has some hints about Challenge 12 - Help, it would be greatly appreciated (been stuck on it for about a week now), there seems to be quite a number of pitfalls and I haven't found a clear path yet.

Hi. I was able to create myself BitDefender 2020 rescue disk (and works like a charm here on two computers I've test); you can download it from: https://we.tl/t-z9g8kTxqU9 So the only antiviruses left to update: AVG and Avira!

If the companies never pushed new releases, then those are the most up to date for those apps you'll get. At most, they are just shells that rely on updated definition files and such that probably have to be manually updated. I don't use AV software so I'm not familiar with any of them on how they operate specifically though.

Used https://github.com/TobitoFatitoNulled/ArchangelUnCloaker WindowsApp1-UnClocked-Cracked.rar

Used https://github.com/TobitoFatitoNulled/ArchangelUnCloaker and appfuscator tools by codecracker WindowsApp1-UnClocked_deobfuscated_strdec-Cracked.rar

Never been a fan of Brave Browser (PC version). I have tried to love it many times. It always feels to me disjointed, broken and unpolished as if it is purely a theme over Chrome with custom extensions. I know this will not help answer your query and this is a borderline who's browser is better comment, I think you may find something like Vivaldi much more appealing. More polished, stable with a lot more settings and customisation's for you to spend hours fiddling with. If you just want something that works stick with Chrome or a pure Chromium build... Ted.

@j0hn19

@LCF-AT: Sorry about the inconvenience. At the time of posting links were tested from several IP addresses and were working. Please use official download site, or the other option mentioned by whoknows.

Many years ago I wrote a software protector called MyAppSecured. Somewhere in the middle of porting it from Delphi to C++ I lost my interest in this project. Just found it on my HDD so I thought it might be helpful for someone. In short, the GUI of this protector is written in C++ and the protection stub in written in MASM. The C++ code loads a target in memory and adds 2 PE sections to it. One for the TLS callback code and one for the main code. The MASM stub will be written to those 2 sections. This protector has just 2 protection features: Analyze Immunity (anti-debug) and Memory Shield (anti debug-tools, OEP relocation). Note this is not a download-and-use-right-away protector. The code is written years ago so it's not very well written and also for some unknown reason the MASM stub could not be written into the 2 created sections. It did work very well years ago but I don't have the time to investigate why it doesn't work now. To be clear, the compiled exe file you will find in the package should run nicely but once you try to secure a exe file, that exe file is gonna be corrupted. This project is free for personal and commercial purposes. If you have any questions please ask, but keep in mind I abandoned this project and removed it from my HDD right after posting it here. Even if you are not gonna use this project it might be interesting to check the code. Some interesting stuff you might find there for your own project, such as emulating the CreateThreadW function in pure MASM, adding PE sections & relocation of OEP. MyAppSecured v1.00 Beta source.zip

No, thanks. Compared to Themida v2, the themida v3 does not have a great improvement over the VMs. There are two types of VMs in this UnPackMe, Dolphin and Tiger.

1. Read https://www.oreans.com/ThemidaHelp.pdf 2. Add obfuscation like a ithare::obf 3. Encrypt strings with xorstr https://github.com/JustasMasiulis/xorstr 4. For education read https://github.com/lurumdare/ideas 5. Some tricks https://github.com/lurumdare/DefensiveGuideAgainstCrackers 6. Use embedding objects https://github.com/lurumdare/furikuri_tutorial (I think it is anti-disassembler https://forum.reverse4you.org/t/eset-finfinsher/1127 supported VMProtect, test on Themida and write me PM)

Download: https://github.com/horsicq/pex64dbg/releases Sources: https://github.com/horsicq/pex64dbg More Info: http://n10info.blogspot.com/2019/05/pe-viewer-plugin-for-x64dbg.html

I think nobody can unpack this protector because it's very hard.

fix and tools in attach. example_fix.zip RGN Tools.zip

You make me cry a little everytime I see your replies. I will before-hand declare that this is my last response to your impeccable rant of stupidity, but I feel the need to put out these points. Yes, you did just say a few posts back, that "OP asked for protection, not virtualization", thus claiming that virtualization is not protection. Yes, OP asked for a native packer, as he asked for a packer for his Win32 file. Win32 is a native format, unlike .NET which is a non-native format. If you claim otherwise, I'll die of laughter. Nope, Themida is not useless. It might be easily unpacked (since LCF-AT made a superior script), but there's a big difference between unpacking and devirtualizing. If you have succesfully unpacked a file, no matter how you did it, the file is still protected (as an unpacked software) as long as the virtualization is not broken (which is a whole different league to unpacking). The virtualized code sections will not be made readable by any public tools, and there are very few people world-wide who has even got the capability of making such tools. So nope, I'm not unknowledgeable. Actually, I'd go as far as to claim that on the contrary, I am moderately knowledgable and you are simply extremely uninformed. Yes, OP was looking for constructive feedback, which is why I striked down on you, as you were supplying false information. Oh my god.. I don't even know what to say to this... Themida not an obfuscator? If you had the time to properly read that image, you'd immediately notice the big fat .NET in front of the obfuscator. They're saying it's not a .NET Obfuscator, which means it doesn't obfuscate the IR for .NET. It is however, a compressor, an obfuscator and a virtual machine software for native formats.

Once again, you bless us with your unfathomable stupidity. First you claim virtualization is not "protection"..? If he OP wants protection, and asks which protection software to go with, it includes all features of the protection software, such as virtualization. Themida offers exceptional protection in real situations, when you don't want people to understand certain functions. Next you pick a .NET virtualizer and tell us that, if we're to deduce the best virtualization protection software (while the choice stands between VMProtect and Themida) we should pick Agile.NET??? In case that point flew over your head, here's another stupid point to this: He's asking for a packer for a native Win32 file. You suggest using a non-native .NET packer.

Interesting indeed, always knew antivirus were just backdoors.. IoT is a joke there has never been any security on them.. you 'could' watch supermarket camera's / most surveillence camera's online with just a clever google search.. same problem mostly.. crap password or just default setups.. some stupider companies embedded backdoor logins or just plainly not configurable.. closing all your ports on windows is a great idea (especially netbios) , disabling ipv6 is for now a great idea for now as dns traffic (546) can be used for nefarious purposes(mostly unknown about by most).. avoid java all together and flash / pdf.. tor is crap (exit nodes), torrents (sha1 collisions can now be used to detect the best hidden ones or replace files to infect users unaware).. Some companies have memory malware so undetectable file wise.. Also registry can be used to hide and run code, yes many unpatched tricks there... files hidden in alternate data streams in ntfs files / pictures using stenography or hard drive sectors.. so many different ways i could go on for ages here.. lol either way no one is unhackable there is always a way and they know and keep secret all of them.

I created this thread because of this thread: http://forum.tuts4yo...ction-question/ Some beginner still think that ImpREC works on Windows 7, this is simply not true. Here is a prove screenshot. The test application is a simple C++ application not packed/protected. Scylla is the only tool which can rebuild the IAT correctly. I guess this doesn't need any explanation just see for yourself. (Download the .zip for better resolution) compare_ir_.zip

'normal koivm' well the dll is protected with vm protect TRIAL, which means that it can only run on your pc so this is not a valid unpackme