Tuts 4 You

Popular Content

Showing content with the highest reputation since 03/15/2019 in Posts

  1. 6 points
    Strings plugin for x64dbg.
    Download: https://github.com/horsicq/stringsx64dbg/releases
    Sources: https://github.com/horsicq/stringsx64dbg/
    More Info: http://n10info.blogspot.com/2019/03/strings-plugin-for-x64dbg.html
  2. 5 points
    Hi there. With a few guys we made a zoo dedicated to malware targeting ATM platforms; as far as I know nobody has made a similar public project, so voilà. You will find here malware that specifically targets ATMs, and reports (notices) about them. Files of interest were harvested from kernelmode.info, but also VirusTotal and various other services and people interested in the project. I'm using binGraph, pedump, Python and bintext for the engine on reports. Some samples exist in 'duplicate' on the wall (we also provide unpacks for a few files); if that is the case, it's mentioned in the report. We have hashes that are without references (I mean not associated with a white paper or something); those files are grouped on the statistics page. We tried to make the stats page interesting enough for everyone to have fun exploring the zoo from the stats. We have IoCs that others seem not to have, e.g. the Kaspersky report about WinPot, which also led to funny reactions from people selling it; no worry, everyone has it now. We also have a page that includes some YARA rules for detecting some of these malwares, and a page with goodies, voilà! Everything provided in old skool style, intro also available! CyberCrime quality: http://atm.cybercrime-tracker.net/ Feedback welcome, enjoy the ride! 💳🏧
  3. 2 points
    Just to clarify as well, I'm not saying Ghidra is bad or to not use it. Sorry if what I'm saying is coming across like that; that isn't my intention or what I mean to imply. I do actually like Ghidra and I am happy to see something finally be on par with IDA's feature set. Given that Ghidra is new and has a small team of, like, 2? people, there is a lot of room for improvement. And the better part is that they do plan to open source it fully, which is nothing but even better for it. Something I do foresee, though, with it becoming open source is that people will port it to a different language because of how slow Java is in general. I'd guess we'll see a C# port at some point or eventually a C++ port, depending on who decides to tackle it, which I'm all for seeing happen. Overall, it is a nice tool and I'm glad to see it happen; I just hope to see it get better over time, especially with speed improvements.
  4. 1 point
    https://stackoverflow.com/questions/7057501/x86-assembler-floating-point-compare
    https://c9x.me/x86/html/file_module_x86_id_88.html
    This part looks weird to me: why, if it is bigger, will it jump to @EQUAL???
  5. 1 point
    @CyberGod your problem is not a problem of the plugin from @hors, it's a bug of x64dbg; try to move other tabs and you will see the same error!
  6. 1 point
    Here is a YARA rule, as it seems to rain samples according to McAfee:

    /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
       and open to any user or organization, as long as you use it under this license. */
    rule CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP
    {
        meta:
            description = "Generic rule for hostile ACE archive using CVE-2018-20250"
            author = "xylitol@temari.fr"
            date = "2019-03-17"
            reference = "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
            // May only the challenge guide you
        strings:
            // ACE archive markers at fixed offsets in the header
            $string1 = "**ACE**" ascii wide
            $string2 = "*UNREGISTERED VERSION*" ascii wide
            // $hexstring1 = C:\C:\
            $hexstring1 = {?? 3A 5C ?? 3A 5C}
            // $hexstring2 = C:\C:C:..
            $hexstring2 = {?? 3A 5C ?? 3A ?? 3A 2E}
        condition:
            $string1 at 7 and $string2 at 31 and 1 of ($hexstring*)
    }

    So far it matched all my known files.
  7. 1 point
    Had some more time with Ghidra last night to compare speed to IDA. So this is a small comparison to IDA 7, default settings, minimal plugins loaded (none that should affect load times), and Ghidra also stock settings, default analyze options. Target executable: a game .exe close to 200MB in size, no protection, no packer, no special tricks/obfuscation or anything. IDA: took about 15-20 mins to load into IDA and be considered ready (the initial autoanalysis has been finished). Ghidra: still analyzing, 9 hours later. Be it poor coding, poor optimization, or just the fact that it's coded in Java, Ghidra is extremely slow when compared to IDA in this regard. For simple/small targets like malware samples, it may be fine to use on a daily basis, but for larger scale targets like full applications, games, etc. this is definitely going to need work to be considered a viable option to use at all. For this thing to still be going 9 hours later is a bit ridiculous.
  8. 1 point
    Thanks for the plugin. Bug: an error occurs if I move the tab.
  9. 1 point
    The vulnerability might have put millions "at risk", but realistically most likely affected not one single person at all.