Leaderboard

Went for a keygen instead of a full devirtualization. I don't fancy devirtualizing VMProtect stacked on top of KoiVM, so I went with a fully dynamic analysis approach. Code is clear enough though if you are able to set the right breakpoints at the right places. Personally am not a fan of including anti-VM in challenges, it only makes it annoying rather than interesting, but maybe that's just me. Sample key: Approach: Keygen.cs

I am of the opinion that any solution posted here should be reproducible (hence the name tuts4you). Anyone reading my solution should be able to follow the steps and get to the same conclusion. For the case of a VM, since they are complicated beasts, it means it gives me only two options: I would have to release the source code of any type of devirtualizer that I would've made, or I would have to spend an entire blog post talking about how VMP's VM works and how to reverse it. While I genuinely enjoy doing both, both options take a lot of time, something I have very little of these days. But even if I had the time, it's arguably not really worth it. If I were to make a devirtualizer for VMP and release it, it will not take long for the VMP developers to catch on and update their software. Unless the devirtualizer was made in such a way that it would be resistant towards the kinds of changes (which again, takes more time), it means it is probably only going to be useful for a short period. Just doing this for a single unpackme posted on a forum does not really make it worth it for me. Also, while I generally don't have any problem with publishing articles or source code (unlike other people that post solutions here it seems), I do have a problem with potentially harming other people's businesses. I am not a fan of releasing devirtualizers or unpackers for protectors that are still in business and have customers. From a legal and ethical perspective, that's just not something I would do easily. Generally speaking though, with reverse engineering it is often not required to fully unpack anyways. You extract what you need and leave out the unimportant business. In a lot of cases that does not require a full deobfuscation. Especially not with keygenme's like these. Maybe someone else thinks differently about that, and does pick this up as a challenge though

Target uses homomorphic encryption of two pieces of code, which are the crucial part of verifying the serial. Not sure if it's keygennable, maybe someone else will make it. If the string that we enter to the input box is passed to these following two methods and both of them return expected result then we get goodboy ("Hooollaaaaa :)") message. Result of this method internal static int check1(string input) { int num = 0; for (int i = 0; i < input.Length; i++) { num += (int)(input[i] + 'P'); } return num; } must be 5214 Result of this method internal static int check2(string input) { int num = 0; for (int i = 0; i < input.Length; i++) { num += i * (int)input[i] % 0x7FFFFFFF; } return num; } must be 40106

This is update to my last post, I've decided to continue working on my unpacker and was able to figure out how to decrypt operands, when it comes to callinternal it's operand, when decrypted, tells you which method to execute, the next problem I've gotten was homomorphic encryption, but it wasn't a hard nut to crack all you have to do is bruteforce the key and use it to decrypt method body. With all this I've finally made the devirtualiser and was able to unpack the assembly.Then I ran it through de4dot to clean it up a bit. And then I have manually taken care of debug code(I haven't removed it I've just put if(true)return; at the beginning of each debug method). Here is a video of me unpacking it : https://streamable.com/gynmi9 The file password is superfrog. For some reason I couldn't upload the raw exe so I zipped it ggggg-unpacked-cleaned.zip

I was unable to unpack this executable but have made some progress in creating a devirtualiser.First thing I've done it debug the program to understand how the vm works.There I've realised that class \u0008\u2008 is the VM class, in which most of the VM code is located.Then I dumped \u0008\u2008.\u0006\u2002 this is a field of type Dictionary<int, \u0008\u2008.\u0002\u2000> where int is vm op code id and \u0008\u2008.\u0002\u2000 is a method associated with that VM opcode.After I had that dumped I ran it through my program and was able to link some of those methods to CIL opcodes.You'll be able to download the map from the file below.Then I linked those CIL opcodes to instruction ids.This allows me to devirualise virtualized code. Now I needed method bodies. Those were pretty easy to obtain.You'll be able to see both virtualised and devirtualised bodies in the file below.Ok so I knew what op code corresponds to what VM op code and had all the virtualised bodies so I should be able to unpack it, but that wasn't the case because of 2 factors.First one is that the operands for certain instruction(call,ldtoken,callvirt,ldfld,stfld...) are encrypted.All eaz assemblies have an encrypted resource from which they get these values.I tried to decrypt these values but failed, but fortunately I was able to semi-circumvent this. Eaz caches all the decrypted operands so I ran the program gave a wrong input and dumped the assembly and obtained these value, unfortunately the values that were not decrypted didn't get cached so I was unable to obtain them.List of decrypted operands are in the file below.Second issue is the eaz opcode callinernal(my nickname).This opcode takes an encrypted operand as the argument and uses it to pretty much create a dynamic method, I wasn't able to get bodies for these methods(I was able to get 3 including anti-dbg code), and from the looks of it they are important.I tried to fix these to issue but couldn't so I gave up.I decided to just devirtualise bodies I had with limited information I had and you can get those unpacked bodies from the file below.I hope this info proves useful to someone so they can make an unpacker.I just wanna be clear on this one <Decrypted></Decrypted> field refers to wheter the operand was decrypted and <BranchTo></BranchTo> refers to command that branch instruction is referencing. Forgot to mention, might be important the method that runs the vm code looks like this: private void \u0008\u2000(bool \u0002) { uint u0005_u = this.\u0005\u2001; for (;;) { try { while (!this.\u000E) { if (this.\u0008\u2003 != null) { this.\u0003\u2001 = this.\u0008\u2003.Value; this.\u0002((long)((ulong)this.\u0003\u2001)); this.\u0008\u2003 = null; } else if (this.\u0003\u2001 >= u0005_u) { break; } this.\u0006(); } } catch (object u) { this.\u0002(u, 0U); if (\u0002) { continue; } this.\u0008\u2000(true); } break; } } the part that executed the vm op code is this.\u0006(); and it looks like this private void \u0006() { this.\u0002\u2002 = this.\u0003\u2001; int key = this.\u000E\u2003.\u0006(); this.\u0003\u2001 += 4U; \u0008\u2008.\u0002\u2000 u0002_u; global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u); u0002_u.\u0003(this, this.\u0002(this.\u000E\u2003, u0002_u.\u0002)); } This like generated vm opcode id int key = this.\u000E\u2003.\u0006(); And this line gets the method associated with that key global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u); and the last line executes it Data.xml

In your assembly there is a field Interpreter.zC which contains virtualized version of il code.This is a field of type Dictionary<int,byte[]> and the int in there is an md token of the method so I knew which body corresponds to which method. Then I copy some code from your assembly to my devirtualizer. So then I convert body from byte[] to o(class name) then we have property L2 which contains a list of instructions.Instruction is of type x(also class name).One of the properties of x is p4 which indicates what op command that x is.With that info I can easily convert o to a list of cil instructions and in field xV there is additional info about the instruction if neccessery so if the instruction is ldstr filed xV will contain the string... ,then reconstruct the bodies, remove vm code and fix issues and that's it. There is unpacked assembly below. UnPackMe-ILV -Unpacked-Cleaned.exe

x0man's version of starfield with bmp aboutbox effect - ripped from Casino PokeR Analyzer v4.17 by tPORt.zip , with IDA pro. (yep, this aboutbox wasn't really open-source - like Funny Word, Crazy Word and New year theme - back then) Also available on Xylitol's collection of masm32 graphical effects repository on github . starfield_with_bmp[tPORt].zip

Methodology - Since It is a CrackMe I won't bother myself to generate/find a Valid Serial by understanding the Algo. So I simply gonna patch it to accept any Key or show Valid Message from any of that. Thanks to RCE Community Members from all those diff Forums who shared their Knowledge with Public. Valid Key - Steps - Image - Method 2 - Since it is a Crack Me so these method makes sense but in Real World App, these are not so useful. We must need to Devirt the App to fully Read the Code. So You can follow my 1st Comment regarding Complete Unpacking of Your Code.

Google parent Alphabet launches Intrinsic www.theverge.com/2021/7/23/22590109/google-intrinsic-industrial-robotics-company-software Mark Zuckerberg says Facebook will turn into a ‘metaverse’ www.independent.co.uk/life-style/gadgets-and-tech/facebook-mark-zuckerberg-metaverse-augmented-vitual-mixed-reality-b1889284.html Biden administration sounds the alarm on the semiconductor crisis fortune.com/2021/07/16/biden-administration-sounds-the-alarm-on-the-semiconductor-crisis/ Meet the Microsoft Game Developer Kit (GDK) developer.microsoft.com/en-us/games/blog/meet-the-microsoft-game-developer-kit-gdk/ Scientists Finish the Human Genome at Last www.nytimes.com/2021/07/23/science/human-genome-complete.html Insight.js – Never Console.log Again getinsight.dev/ Anybody can read the registry in Windows 10 doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5 Amiga 2000 EATX PCB github.com/jasonsbeer/Amiga-2000-ATX Rivian announces $2.5 bln funding round led by Amazon, Ford www.reuters.com/business/autos-transportation/ev-startup-rivian-announces-25-bln-funding-round-led-by-amazon-ford-2021-07-23/ Schools opened, suicide attempts in girls skyrocketed insidemedicine.bulletin.com/2977384169199489/ K-9 Mail new release v5.8 (finally!) k9mail.app/2021/07/24/K-9-Mail-is-back Hacking the DLink DIR-615 noob3xploiter.medium.com/hacking-the-dlink-dir-615-for-fun-and-no-profit-part-2-cve-2020-10215-586204d42bba Chimpanzees have been spotted attacking and killing gorillas edition.cnn.com/2021/07/22/africa/chimpanzee-gorilla-attacks-scn-scli-intl/index.html

Migrating Facebook to MySQL v8.0 engineering.fb.com/2021/07/22/data-infrastructure/mysql/ Akamai Edge DNS Down edgedns.status.akamai.com/ www.bbc.com/news/technology-57929544 AlphaFold Protein Structure Database alphafold.ebi.ac.uk/ Even if you’re paying, you’re still the product odysee.com/@CyberLounge:a/even-if-youre-paying-youre-still-the-product:7 Wiser – minimal hypervisor boots Linux VM. Written in C github.com/flouthoc/wiser open-source-alternatives www.btw.so/open-source-alternatives Reflections as the Internet Archive turns 25 blog.archive.org/2021/07/21/reflections-as-the-internet-archive-turns-25/ Man Arrested in Connection with Alleged Role in Twitter Hack www.justice.gov/opa/pr/man-arrested-connection-alleged-role-twitter-hack NSO group say enough is enough www.nsogroup.com/Newses/enough-is-enough/ Colorado River is shrinking www.sciencemag.org/news/2021/07/colorado-river-shrinking-hard-choices-lie-ahead-scientist-warns sudo - music for developers sudo.fm Bezos donates $100 million each to CNN contributors www.cnn.com/2021/07/20/media/van-jones-bezos-100-million/index.html Telegram founder listed in leaked Pegasus project data www.theguardian.com/news/2021/jul/21/telegram-founder-pavel-durov-listed-spyware-targets-nso-leak-pegasus Epic Games acquires Sketchfab techcrunch.com/2021/07/21/epic-games-acquires-sketchfab-a-3d-model-sharing-platform/ How do Chrome extensions impact browser performance? www.debugbear.com/blog/chrome-extension-performance-2021 Neverinstall – A platform to bring desktop applications to the browser neverinstall.com/ Intel Distribution for Python software.intel.com/content/www/us/en/develop/tools/oneapi/components/distribution-for-python.html Google pushed a one-character typo to production, bricking Chrome OS devices arstechnica.com/gadgets/2021/07/google-pushed-a-one-character-typo-to-production-bricking-chrome-os-devices/ G - Introducing the Data Validation Tool for EDW migrations cloud.google.com/blog/products/databases/automate-data-validation-with-dvt Kaseya obtained a decryptor for victims of the REvil ransomware apnews.com/article/lifestyle-technology-joe-biden-europe-business-bb7298b31b7157640fbd5f90fc19c224 helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-21st-2021 California Sues Gaming Giant Activision Blizzard Over Unequal Pay, Sexual Harassment www.npr.org/2021/07/22/1019293032/activision-blizzard-lawsuit-unequal-pay-sexual-harassment-video-games Our genes shape our gut bacteria www.sciencedaily.com/releases/2021/07/210708170331.htm Zip - How not to design a file format games.greggman.com/game/zip-rant How TikTok's Algorithm Figures Out Your Deepest Desires www.wsj.com/video/series/inside-tiktoks-highly-secretive-algorithm/investigation-how-tiktok-algorithm-figures-out-your-deepest-desires

Be mindful of what types functions return. The intrinsic function '_rotr' returns an unsigned value, which goes against the signed types you are trying to use. Because of that, you need to cast its return back to a signed type or store it in a signed variable first. int32_t eax = 0; int32_t ebx = 0x288d6c47; //_rotr(ebx ^ 0x9714, 0x2) = 0xca237ed4 eax = (int32_t)_rotr(ebx ^ 0x9714, 0x2) >> 0x3; Should get what you want.

Key: Approach:

Version 0.05 [+] Minor bugs fixed https://github.com/horsicq/x64dbg-Plugin-Manager/releases/tag/0.05

Cookies are a basic web mechanic. They are not all evil and are not all for DMP type tracking. Deleting all cookies is like permanently using Chrome's incognito mode. That mode is separate for a reason..... it breaks the basic mechanic of remembering sessions where you want to be remembered. You're not being tracked across sites and deleting those cookies just gives you a personal headache logging in each time. Your choice, clearly, but deleting 'every' cookie is like tidying a cupboard by throwing everything away, rather than sorting out the junk. Given how much people share passwords, 2FA should be standard across all sites these days so I struggle to see how T4U is the only site causing issues.

You do not have to stay logged in, and you only need to keep the cookie containing the device key. You must be crazy if you do not have or utilise some form of 2FA for home banking. There are good reasons why I have chosen to enabled it. For the majority of users they are likely not to even notice the change until (they login from another device or) their device key expires which, I think is set around ~1.5 years... Ted.

i hope u have SnD PERMISSION TO POST IT , AT FIRST BEFORE POST U SHOULD HAVE YCK1509 TAKE PERMISSION FROM YCK1509 . THIS SOFTWARE SRC I HAVE . YCKPERMITTED ME TO SHARE THIS APP binary only not src, UNTIL POST U SHOULD SEARCH WITH MY USER ID I ALREADY POSTED JITDUMPER DNLIB EDTION CREATE BY YCK1509 . SEARCH BY FOLLOWING MY USER ID U GET LATEST FIXED BINARY JITDUMPER LAST EDITION WHICH HE LAST MODIFIED FOR ME

As It is a Crack Me and the Goal is to get the key of obfuscated file So I am going to find the Key without actually Unpacking It. Methodology - Valid Key - Image -

View File ILVirtualization (Custom Scratch VM) PLEASE NOTE THIS NOT MODDED PUBLIC VM, THANKS Difficulty : 4/10 Language : C# / .NET Windows OS Version : All Protection : ILVirtualization v1.0 Goals: Silver Medal: Clean Mutations. Gold Medal: Devirtualize The Code. WInners: Golden Medal : @BataBo

Answer The password is "gamer vision". All of the following addresses are based on the modulebase 0x00007FF644840000. The possible OEP at: 00007FF644841DF8 | 48:895C24 20 | mov qword ptr [rsp+20],rbx 00007FF644841DFD | 55 | push rbp 00007FF644841DFE | 48:8BEC | mov rbp,rsp 00007FF644841E01 | 48:83EC 20 | sub rsp,20 ... Then the second hit in code section at: 00007FF6448416FC | 48:895C24 08 | mov qword ptr [rsp+8],rbx 00007FF644841701 | 48:897424 10 | mov qword ptr [rsp+10],rsi 00007FF644841706 | 57 | push rdi 00007FF644841707 | 48:83EC 30 | sub rsp,30 ... After prompted "enter password.", the input routine at: 00007FF644841400 | 48:8BC4 | mov rax,rsp 00007FF644841403 | 57 | push rdi 00007FF644841404 | 41:54 | push r12 00007FF644841406 | 41:55 | push r13 00007FF644841408 | 41:56 | push r14 00007FF64484140A | 41:57 | push r15 00007FF64484140C | 48:83EC 50 | sub rsp,50 ... the pointer of local buffer for receiving input text is in rdx(for example, 000000359CC9FA58). When entered some test characters, stack looks like: 000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00 "123456789012" 000000359CC9FA68: 000000000000000C input size 000000359CC9FA70: 000000000000000F buffer size Whereafter, the process logic virtualized. First of all, the length of input text got checked in a vCmpqr handler: 00007FF644898E0B | 49:39F0 | cmp r8,rsi ; r8=000000000000000C(actual), rsi=000000000000000C(const) The length MUST be 12!, else got "no!". NOTE: the encrypt password has no chance to get decrypted if input length is wrong! The answer String is encrypted(0xC length): 00007FF64484BCB0 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00 decrypt algo: 00007FF6448BF3A6 | 40:8A36 | mov sil,byte ptr [rsi] rsi=00007FF64484BCB0, sil=8B 00007FF6448D4125 | 44:30DB | xor bl,r11b bl=8B, r11b=08; ^=08 = 83 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 83 00007FF64485748F | 8A09 | mov cl,byte ptr [rcx] [00007FF64484BCB0] -> 83 00007FF64485E6FA | 44:00D7 | add dil,r10b dil=83, r10b=E4; +=E4 = 67 'g' 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 67 00007FF64488DA96 | 49:FFC4 | inc r12 ptr++ 00007FF644859691 | 41:FFC9 | dec r9d length-- 00007FF64488743C | 85C8 | test eax,ecx end loop if length zero At the end of loop, the plaintext: 00007FF64484BCB0 67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00 gamer vision.... The comparison: 00007FF6448424E7 | FF25 330C0000 | jmp qword ptr [<&memcmp>] ret rax=00000000FFFFFFFF/0000000000000000(if matches) rcx=000000359CC9FA58 "123456789012" rdx=00007FF64484BCB0 "gamer vision" r8=000000000000000C Strings Encrypted Structure BYTE bEncrypt // 1 - encrypt, 0 - decrypt DWORD dwLength BYTE UnDefined[0xC] BYTE CipherText[dwLength+1] The related messages as followings, you can find them in the VM Section ".themida" after it got unpacked at the very beginning of the application. 00007FF6448AC79F 01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00 decrypt algo: ^A0+4F 00007FF6448AC7AF 00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F "enter password.\n" 00007FF6448AC7BF 1B 00 00007FF64484BC9F 01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00 decrypt algo: ^08+E4 00007FF64484BCAF 00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 "gamer vision" 00007FF644886C7F 01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00 decrypt algo: ^85+10 00007FF644886C8F 00 EC D0 E6 94 7F 00 "yes!\n" 00007FF64489252F 01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00 decrypt algo: ^65+C9 00007FF64489253F 00 C0 C3 3D 24 00 "no!\n" 00007FF64484C40F 01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00 decrypt algo: ^12+C6 00007FF64484C41F 00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48 "press enter to continue.\n" 00007FF64484C42F 8F BB BA BC B1 BA BD 8D 7A 56 00

I do not release the decoder but the code optimizer (not immediately), this is not specific to the oream vm, it is only far more effective than others. What do you say about angr or miasm or optimice or codedoctor ?? do we eliminate them all the tools for binary code analysis ?? I do not issue the decoder code because my hobby is a hobby and I do not want to give anybody a damn but reversing is sharing (I unfortunately belong to the old old reverser school). If I spoke good English I would probably share a lot more info and would not like others who just write for self-celebration. Do you know Scherzo or Softworm ?? I'm an old man who now deals with reversing and my only good luck is that the day they will all program in python or javascript I will not be there anymore..hahahahaha

I went to the office for the first time. I fornicationing hated it (lol) www.reddit.com/r/cscareerquestions/comments/oosru6/i_went_to_the_office_for_the_first_time_i_fornicationing/ Windows 96 windows96.net Developers at Activision Blizzard say they'll walk out Wednesday www.axios.com/activision-blizzard-walkout-harassment-lawsuit-fefa807b-107e-41e2-a6e2-78a086119e04.html Curated list of personal blogs refined.blog/ Docker in Production: A History of Failure (2016) thehftguy.com/2016/11/01/docker-in-production-an-history-of-failure/ WeChat suspends new user registration for security compliance www.reuters.com/technology/tencents-wechat-suspends-new-user-registration-cites-technical-upgrade-2021-07-27/ Analysis of large binaries and games in Ghidra-SRE kiwidog.me/2021/07/analysis-of-large-binaries-and-games-in-ghidra-sre/

Shadow is in hole other level he unpacked exe fully packed with pelock 2.x In half hour

@BataBo : Impressive work man

^fantastic job @BataBo I have to say, when @SHADOW_UAreplied, the same day, sent me also the naked file via PM.

If you not saving (and need to use) JavaScript and other client side assets than HTML you could use something like WinCHM. Numerous PDF editors can import and categories HTML. Even Word and open source variants can do a similar job... Ted.

Metal 3D printing company Fabric8Labs raises $19M techcrunch.com/2021/07/20/metal-3d-printing-company-fabric8labs-raises-19m DuckDuckGo launches new Email Protection service to remove trackers www.theverge.com/2021/7/20/22576352/duckduckgo-email-protection-privacy-trackers-apple-alternative Norway women's beach handball team fined for wearing shorts instead of bikini bottoms www.bbc.com/sport/handball/57890430 70% of EU’s charging stations are found in just 3 countries thenextweb.com/news/70-percent-eu-charging-stations-are-in-just-three-countries How to Make a Minecraft Server www.amongtech.com/how-to-make-a-minecraft-server Kyndryl is IBM’s wacky new name for its dry IT spinoff www.theverge.com/tldr/2021/4/12/22380114/kyndryl-ibm-it-spinoff-name-infrastructure-branding www.kyndryl.com/ Bloomberg: Apple decides to postpone return to office by at least a month 9to5mac.com/2021/07/19/bloomberg-apple-decides-to-postpone-return-to-office-by-at-least-a-month/ Tomato fruits send electrical warnings to the rest of the plant when attacked by insects www.eurekalert.org/pub_releases/2021-07/f-tfs071421.php Microsoft Quietly Released Its Own Linux Distro github.com/microsoft/CBL-Mariner Saudi Aramco (oil) data breach sees 1 TB stolen data for sale www.bleepingcomputer.com/news/security/saudi-aramco-data-breach-sees-1-tb-stolen-data-for-sale/ Rapid7 acquires threat intelligence platform IntSights for $335M venturebeat.com/2021/07/19/rapid7-acquires-threat-intelligence-platform-intsights-for-335m Should I Get a House? shouldigetahouse.com/ More than 160,000 people sign petition to stop Jeff Bezos from returning to Earth (#haha) www.indy100.com/science-tech/jeff-bezos-blue-origin-space-petition-b1887139 powered by upstract.com

View File Enigma Protector v6.9 I have protected a simple file with the Enigma Protector 6.9. Try to unpack. For a skilled reverser will not be as hard as it seems. HWID: A7707-65A71-43529-A59E1-41C2F-C5AA0-EB308-3F774 Name: tuts4you Key: BG8QC4UMZW3QMTH99U6ZTF8FJJNDAPKY5E2XNL3CMHRVUMLSB2QWRBSYBGF4RNHX7WC26W2GQMNBNPUU3YUTDXDS387A2UURMUVJ88P5PPC9ZCEQHFHW4J6ZQRAK7GW6DRK4QH4CGCEQM7F9K39J89S4CRARX3L3LPABBXU23M8QXP6A85L2CZFJZF66KF5NFTZ557872DA3 Submitter GIV Submitted 07/20/2021 Category UnPackMe  

For question 1, here's two ways to do it: // Using pointer casting.. DWORD eax = 0xF96A872D; *(WORD*)&eax = ~(WORD)eax; // Using bitwise operations.. DWORD eax = 0xF96A872D; eax = (eax & 0xFFFF0000) | (WORD)~(WORD)eax; For question 2, you are seeing the wrong result because of using an unsigned type. The math being performed is expecting the value to be a signed type instead. Instead of using 'DWORD' use a signed type instead. (ie. 'long', 'int32_t', etc.)

and in the end, what is the bad to open the windows explorer folder, where the htmls are save and double click the needed file!?

smthing like these :? addons.mozilla.org/en-US/firefox/addon/local-filesystem-links/ chrome.google.com/webstore/detail/local-explorer-file-manag/eokekhgpaakbkfkmjjcbffibkencdfkl

@LCF-ATplease do this (follow the last paragraph only : If you have Windows 10 Pro, though, you have access to Group Policy Editor) betanews.com/2020/09/08/how-to-pause-updates-windows-10/ and never update again...

VeraCrypt "Automatic Repair" issue on Windows www.ghacks.net/2021/07/14/fix-the-veracrypt-automatic-repair-issue-on-windows/ Ex-Nissan boss Carlos Ghosn: How I escaped Japan in a box www.bbc.com/news/business-57760993 Nokia E63 phone converted into LoRa messenger for secure www.cnx-software.com/2021/07/09/nokia-e63-phone-converted-into-lora-messenger-for-secure-off-the-grid-communication/ github.com/TrevorAttema/OTGMessenger Microsoft names Chinese group as source of new attack on SolarWinds www.theregister.com/2021/07/14/dev_0322_solarwinds_serv_u_zero_day/ arstechnica.com/gadgets/2021/07/microsoft-says-hackers-in-china-exploited-critical-solarwinds-0-day/ Hackers Move to Extort Gaming Giant EA www.vice.com/en/article/m7e57n/hackers-extort-ea-fifa Microsoft acquires cybersecurity firm RiskIQ for $500M venturebeat.com/2021/07/13/microsoft-acquires-cybersecurity-firm-riskiq-for-500m/ Is π the same in every universe? www.askamathematician.com/2020/12/q-is-%CF%80-the-same-in-every-universe/ How to Install Windows 3.1 on an iPad www.howtogeek.com/739100/how-to-install-windows-31-on-an-ipad/ John McAfee's wife: he didn't commit suicide, claims massive cover up www.tweaktown.com/news/80440/john-mcafees-wife-he-didnt-commit-suicide-claims-massive-cover-up/index.html Amazon has acquired Facebook's satellite internet team www.engadget.com/amazon-has-acquired-facebooks-satellite-internet-group-115312282.html Germany Fines YouTube Six Figures for Removing Video of Anti-Lockdown Protest www.mediaite.com/news/germany-fines-youtube-six-figures-for-removing-video-of-anti-lockdown-protest/

Hi, I had also to change this setting.... ....to this above.Now my exception for T4Y keeps saved.The settings at all are a little confusing.Now you would think that you do allow to keep all Cookies but as I can see only T4Y cookie keeps alive and all others are gone on restart also with unchecked Cookie.So at the moment it works to keep login in T4Y & to re-login after logout without getting that VR NAG anymore. greetz

90% of Apple employees reportedly say WFH indefinitely is 'important' www.yahoo.com/news/nearly-90-surveyed-apple-employees-181447469.html AMD Ryzen 7 5700G Review: Fastest Integrated Graphics Ever www.tomshardware.com/news/amd-ryzen-7-5700g-review EmberGen 0.7.5 (gfx - real time fluid simulations) www.youtube.com/watch?v=rVfFX02Rl3Q Understanding REvil: The Ransomware Gang Behind the Kaseya Attack unit42.paloaltonetworks.com/revil-threat-actors/ A simple lazy Python Calculation Engine (with spreadsheet demo) github.com/bsdz/calcengine Reverse Engineer the BL602 WiFi Driver lupyuen.github.io/articles/wifi When static makes your C code 10 times faster mazzo.li/posts/c-performance-anecdote.html We Got the Phone the FBI Secretly Sold to Criminals www.vice.com/en/article/n7b4gg/anom-phone-arcaneos-fbi-backdoor Firefox with by-default DNS-over-HTTPS rollout in Canada (with local DoH provider CIRA) blog.mozilla.org/en/mozilla/news/firefox-by-default-dns-over-https-rollout-in-canada/ New Python Linter github.com/guilatrova/tryceratops Google /bought off Samsung/ to limit app store competition arstechnica.com/tech-policy/2021/07/google-bought-off-samsung-to-limit-app-store-competition-36-states-allege Technology behind Facebook (+ GraalVM vs OpenJDK) medium.com/graalvm/graalvm-at-facebook-af09338ac519 Gmail is blocking emails with links to Tutanota (lol) twitter.com/TutanotaTeam/status/1413408730092384260 German region to fine Tesla for illegal construction www.reuters.com/business/retail-consumer/german-region-fine-tesla-illegal-construction-2021-07-08/ VzLinux (RHEL Rebuild) vzlinux.org/ Ransomwhere ransomwhe.re/index.html FlocBloc: Obfuscate Your FLoC ID github.com/NilsIrl/FlocBloc I want to make a real programming language (call him ASAP! #haha) news.ycombinator.com/item?id=27781132 How SHA-256 Works Step-By-Step qvault.io/cryptography/how-sha-2-works-step-by-step-sha-256/ Turkish bank Akbank is disrupted for 2 days after COBOL system upgrade twitter.com/barisakin/status/1412704767747444738 EU Parliament Approves Mass Surveillance of Private Communications european-pirateparty.eu/parliament-approves-chatcontrol/ Tor Project Receives $670K from ZOMG for Rust Re-Write www.coindesk.com/tor-project-zcash-open-major-grants-zomg-arti-coding-language-upgrade XDA member unknowingly bought a Pixel phone with an FBI backdoor www.xda-developers.com/fbi-backdoor-pixel-arcaneos-anom Fake Chips Proliferating in China Market, Spreading Overseas www.tomshardware.com/news/the-rise-of-fake-chips Monodraw – macOS ASCII art editor monodraw.helftone.com/ Birds are dying in the United States and no one knows why www.dw.com/en/birds-are-dying-in-the-united-states-and-no-one-knows-why/a-58163063 Google Play services discontinuing updates for Jelly Bean (API levels 16/17/18) (haha, they are really funny @ G) android-developers.googleblog.com/2021/07/google-play-services-discontinuing-jelly-bean.html

Nothing has changed here. It works exactly the same, over the same duration, providing you do not delete cookies. When you login a unique key is assigned to the browser and stored as a cookie. When you next login, and if the unique key matches, it is treated as a known and approved device. If you delete cookies you lose that unique information. Nothing wrong with Firefox. My suggestion would be in Firefox settings add "https://forum.tuts4you.com/" to your whitelist so that cookies are not deleted when you exit the browser... Ted.

Not all controls will use all of the window styles, or some of them might use them differently or ignore them. The edit control creates its own frame instead of using the WS_BORDER style, probably due to window theme and the ability to change the frame color to indicate the current focus or lost focus status.

I have enforced 2FA for newly logged in devices. If you do not want to keep seeing this message please make an exception not to delete/ clear Tuts 4 You site data/ cookies... Ted.

Playing SID from memory works just fine in my test app.. Attached an extra simple example. sid_from_mem.zip

Thanks mate for the support with the procedure. Have a nice day.

Hello, tarequl.hassan! I think he used this https://processhacker.sourceforge.io/downloads.php To get straight to the Memory Strings you should do folowing: 1. Open obfuscated app 2. Open process hacker 3. Find your process in Process Hacker and right click on it 4. Select "Properties" and navigate to tab called "Memory" 5. You will see button in top-right called "Strings..." That's it, I hope it helped. Have a nice day!

lol lol why you even here !!! search in google !!!

There are a few slightly different methods to do this, one is like this... GetWindowInfo_(hWnd, @pwi) If pwi\dwStyle & #WS_VISIBLE ; Window has WS_VISIBLE EndIf You could do it something like this... ; Remove only WS_VISIBLE from the window whilst keeping its other styles. SetWindowLongPtr_(hWnd, #GWL_STYLE, GetWindowLongPtr_(hWnd, #GWL_STYLE) & ~#WS_VISIBLE) If you only want to change WS_VISIBLE use SetWindowPos. Also make sure you only use SetWindowLongPtr and GetWindowLongPtr as per the API notes explain... Ted.

Hello, so I have created & protected a new UnpackMe for you. I added also some detect stuff [medium level]. Just start the exe file and press the splash. Have fun again. ENIGMA 2.33 UnpackMe.rar

Hi, if your file is a NET target then script does fail to unpack your target because its a NET one.If you can bypass the RegNag successfully and your target does run (press run in Olly after you get "Found no valid API call or Jump commands") like it should then you can start to do some NET dump & fixing by using NET tools.Just try this.Dont remember anymore about that NET stuff. PS: Script does check the first section RVA address for 1000.In case of NET the first section start at 2000.But as I said, script isnt a NET Enigma unpacker. greetz

Hi, so you do see that this topic is more than 10 years old already right. The NetFrameWork infos should be wrong because the file is not NFW.Problem should be the Windows OS you are running and the arch.. (x64) where you can get diffrent results by using the script because the unpacking conditions are not same as you would try to unpack the target on XP x86 system.What you can try it running the script under VM & XP SP2 OS.Otherwise you need to debug the script itself and analyze the Error messages and trying to fix / bypass it manually. greetz

Generally wav is the best format for import/export as it's lossless and almost all tools support it. So there won't be any quality loss when exporting it from one tool and importing it in another. Converting the final wav to a suitable format (mp3/aac/etc) is best done at the last stage when no further post-processing work is required. For inter-converting audio formats there's always ffmpeg, Handbrake, Avidmux.

Passwords: 1. Remove Hide Methods, Remove Calli and Cflow 2. Remove Math 3. Decrypt Base64 That's about it. For new guys, figure it out yourself first. 😁

Hello, I unpacked the file completely (including VM). Here is how I did it (simplified a bit): 1. After a bit of analysis we can notice that Agile.NET hooks into the Just In Time compiler in order to restore the method code. This can be undone by hooking into the JIT before Agile.NET. 2. Update de4dot to be able to remove simple protections like string encryption, control flow, and reference proxy. This just requires you to update some detections. 3. Spend some time analyzing Agile.NET VM, we find out that it's VM is somewhat different to others as it creates "combined" handlers for multiple opcodes. In order to remove the VM we can utilize de4dot devirtualizer. In order to add support we have to track down the original runtime dll that's shipped with the protector to extract the non-merged handler information. After some manual cleanup the result is the following, unpacked file attached. UnpackMe-unpacked.exe

It's a decent writeup, thanks for the effort! However, you stopped 2 steps too early: 1) The undetected file ("df65l1.l56") is not malicious per-se. It contains encrypted code - but without matching decryption code it's harmless. No wonder it gets only 3/60 detections on VirusTotal. Autoit script ("df65l") is the one that decrypts it. 2) Inside the AutoIt script, there's a DLL called "u0bhc83.dll". This DLL has only one real purpose - to decrypt and execute malicious code from "C:/p8yqa7ux6/df65l1.l56". VT detection of the DLL 22/69. 3) Final malicious code is a banking trojan called Mispadu (https://malpedia.caad.fkie.fraunhofer.de/details/win.mispadu). VT detection 46/70.