Tuts 4 You

Leaderboard

  1. Dark_Bull (Junior+)
     • Points: 18
     • Content Count: 13

  2. newhak (Full Member)
     • Points: 12
     • Content Count: 63

  3. Teddy Rogers (Administrator)
     • Points: 10
     • Content Count: 8,954

  4. LCF-AT (Full Member+)
     • Points: 9
     • Content Count: 4,956

Popular Content

Showing content with the highest reputation since 08/18/2020 in all areas

  1. Fun challenge. I went for finding just the key algorithm rather than fully devirtualizing, but the code is pretty clear. Here are some sample keys: Approach: Keygen.7z
    5 points
  2. Sure, I'm gonna release an unpacker for .NET Reactor 6x soon.
    5 points
  3. Here are some of my keygen/crack GFX / templates I've made in Photoshop + WinASM Studio these days: (1) https://imgur.com/vS71RaO (2) https://imgur.com/3fWUf30 (3) https://imgur.com/5YfB8Xg (4) https://imgur.com/2Bt54Ne (5) https://imgur.com/fDC4FfK (6) https://imgur.com/p4TBQ4J (7) https://imgur.com/gNOgPnR (8) https://imgur.com/vkwSQ01 Please note that PERYFERiAH team is not a warez group. It is actually a vlogging team, since I was making vlogs in high school in the past. And the people of the PERYFERiAH (PRF for short) were actually my
    3 points
  4. Regexps are not particularly efficient here and simple string operations work much better. Anyways, I made a writeup on my blog (https://lifeinhex.com/deobfuscating-autoit-scripts-part-2/) and made a copy-paste below. Unfortunately, all the hyperlinks are gone and I just can't be bothered to go through each and every one of them. Also, it refers a lot to my old solution of another AutoIt crackme, so I really suggest checking that writeup as well: --------- Almost 4 years ago, I wrote a blogpost about deobfuscating a simple AutoIt obfuscator.
    3 points
  5. First of all, this crackme is version dependent; it only works with Python 3.8 x86. I don't have it installed, so I had to replace _pytransform.dll with the x64 equivalent downloaded from here to be able to run it with my x64 version of Python 3.8. By looking in the memory of python.exe and placing hardware breakpoints on write on the encrypted code of PyArmor (that starts with \x50\x59\x41\x52\x4d...) we can find a place in _pytransform.dll where it decrypts it to the actual marshalled code object of Python. It is a function at RVA 0x254D0. Then we have to deal with the second layer of Py
    2 points
  6. Yes, exactly: you should always have a good, efficient organization system for your files. Documents and source code should even be backed up in a repo or the cloud. Downloads which are not personal and can be re-obtained should be put in a location you can curate from time to time. Of course certain items which might not be re-downloadable might need a more permanent backed-up place. Apps or libraries can go somewhere easily disposable. Organization is key. It will save you from data loss and from difficulty with migrations. Usually you can delete all the files in the root folder
    2 points
  7. Why not reverse the scenario and ask yourself what it is you want to keep. Then back that data up somewhere and format the drive. Ted.
    2 points
  8. Whoops, you are completely right, I posted my reply to the wrong vmp crackme/unpackme challenge thread. @whoknows has made two threads. This one is actually easier, since the code is pretty much readable (after you dumped it from memory, that is). And yea, the password for this one is indeed "duck" rather than tetris.
    2 points
  9. It's an unpackme file, not a crackme, and I don't think you know anything about virtualization.
    2 points
  10. awesome_msil_Out.exe Approach: 1. Necrobit is a JIT protection, so we use Simple MSIL Decryptor by CodeCracker, and it shall be run on NetBox. 2. Code virtualization is a relatively new feature of .NET Reactor, added in version 6.2.0.0. Here is the approach I took (I did this about 6 months ago so my memory is kinda rusty):
    2 points
  11. 'thepiratebay.org' wasn't what was sold, just 'piratebay.org'. It's now up with an actual page stating they are looking to make a movie and the domain is purchasable for an affordable $1.9mil lol. https://piratebay.org/en
    1 point
  12. You have to place license data and the transform key inside _pytransform.dll to be able to use the dll that was downloaded from the server. Check this source code file, specifically the _patch_extension method. To decompile the pyc file, you have to deal with some anti-decompiling features that PyArmor has. For example, uncompyle6 does not work on a piece of code with several "NOP" in a row. Check this opcodes reference; you can easily edit the pyc file using your favourite hex editor.
    1 point
  13. Crypto Obfuscator + IntelliLock (Hard). 1- Crypto Obfuscator: Fake Name Method, Hide Calls, Encrypt Strings, Code Masking. 2- IntelliLock: Max Settings. If you unpack this, tell us how you did it and what programs you used. Submitter: 2Face. Submitted: 09/11/2020. Category: UnPackMe (.NET)
    1 point
  14. International Day of The Programmer Free Bundle (was $143.81): Learn Java 12 Programming; Expert Python Programming - Third Edition; Beginning C++ Game Programming - Second Edition. https://www.fanatical.com/en/bundle/international-day-of-the-programmer-free-bundle Ted.
    1 point
  15. Registration is open
    1 point
  16. I would just like to point out that this is DNGuard Enterprise HVM 3.9.5.1 not 3.9.5.3
    1 point
  17. Just like SSDT can be checked and the 10 anti-DKOM API can be called. By the way it's funny that there are Denuvo discussions here and there are like a couple dozen Tut4you and SnD people working at Denuvo
    1 point
  18. DNGuard HVM. Try to unpack or alternatively provide the secret key, URL, Name and Address. Protections used: DNGuard Enterprise HVM 3.953. Good luck. Submitter: Mohd. Submitted: 09/08/2020. Category: UnPackMe (.NET)
    1 point
  19. github.com/MantechUser/aes-finder bonus businessinsider.com/delete-social-media-phone-parasite-mental-health-instagram-twitter-facebook-2020-9
    1 point
  20. just packer, mutation and refh proxy.
    1 point
  21. If the HDD is on a different PC you can try with Hiren's Boot, and if it is Win7, I remember I wiped system files manually with Win7's own CD, which has a utility to manage the file explorer without running Windows and is able to delete anything you want.
    1 point
  22. If it is a slave drive you are going to use for storage then you do not need to keep any files. Either select all & delete, or format; as long as you leave the partitions intact then it will be accessible as is. However, it might be worth checking your partitions to see if there is a Windows recovery partition which you could re-allocate for storage 😀
    1 point
  23. VMProtect v3.5.0.1213. Try to unpack or alternatively provide a serial. If there is no solution provided by Saturday 11am (GMT+0) I will attach the same without debugger detection. Protections used: Debugger detection (User-mode + Kernel-mode), Ultra (Mutation + Virtualization). Submitter: whoknows. Submitted: 08/07/2020. Category: UnPackMe (.NET)
    1 point
  24. clean mutations to fully complete
    1 point
  25. privacy-watchdog.io/protonmails-creation-with-cia-nsa/ + privacy-watchdog.io/ bonus krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
    1 point
  26. Create Instance without calling constructor. FormatterServices.GetUninitializedObject() will create an instance without calling a constructor. I found this class by using Reflector and digging through some of the core .NET serialization classes.

      using System;
      using System.Reflection;
      using System.Runtime.Serialization;

      namespace NoConstructorThingy
      {
          class Program
          {
              static void Main()
              {
                  // does not call ctor
                  var myClass = (MyClass)FormatterServices.GetUninitializedObject(typeof(MyClass));
                  Console.WriteLine(myClass.One
    1 point
  28. @XenocodeRCE: I have a huge respect for you as a RE guy, but now you're just being a d*ck. If you have some personal issues with mamo/localhost0/whatever he calls himself this week, please resolve them privately and don't make a huge public drama out of it. No matter how I count, it's 3 months and 2 days max. If you're gonna whine, at least get your facts right. Umm, no. The requirement from law is to react to any reported copyright infringements, not to actively run around and search for any possible issues. See DMCA 512(c). So, if admins ignored a properly re
    1 point
  29. _PyEval_EvalFrameDefault executes a code object on the Python frame. To dump the code object to a file you need to use PyMarshal_WriteObjectToFile / PyMarshal_WriteObjectToString at an appropriate place within the function. DnSpy has nothing to do with Python. It's just a piece of string inserted there on purpose.
    1 point
  30. Bed_ControlFlow_Remover.rar x86_Retranslater.rar I can't give you the rest of them (I don't have permission to share them; hope you understand).
    1 point
  31. You'll probably need to use the "/nodefaultlib" switch. Assuming you used the ZIP file from here: check the make.bat for example command-line.
    1 point
  32. A key: I fixed de4dot for the new Reactor, including method decryption, cflow etc., and finally devirted it. There are tutorials about fixing de4dot/devirt in this forum, including this topic as well.
    1 point
  33. Steps: 1. Simple MSIL Decryptor by CodeCracker. 2. Devirtualization tool I have been working on. .NET Reactor imo has a **basic** to intermediate VM. I suggest you give this a try! Tips on how to start: 1. Learn how CIL works / CIL fundamentals (there are some nice ebooks that I can't link here). 2. Learn how the assembly reader/writer of your choice works (dnlib for example). 3. Learn how a simple VM works (https://github.com/TobitoFatitoNulled/MemeVM (the original creator of this VM left, so this is a fork to keep the project alive)).
    1 point
  34. Who are you to say that it's shit? Have you made an unpacker for it? If you do, you are free to correct me but if you don't you shouldn't make these silly comments, in my opinion.
    1 point
  35. https://github.com/GautamGreat/Scylla_Delphi_Plugin
    1 point
  36. 10,775 downloads

    A collection of tutorials aimed particularly at newbie reverse engineers.
    01. Olly + assembler + patching a basic reverseme
    02. Keyfiling the reverseme + assembler
    03. Basic nag removal + header problems
    04. Basic + aesthetic patching
    05. Comparing on changes in cond jumps, animate over/in, breakpoints
    06. "The plain stupid patching method", searching for textstrings
    07. Intermediate level patching, Kanal in PEiD
    08. Debugging with W32Dasm, RVA, VA and offset, using LordPE as a hexeditor
    09. Explaining the Visual Basic concept, introduction to SmartCheck and configurati
    1 point
  37. It's been a while since I did a video on malware reverse engineering, so here is something new: Having a look at HelloWorld (ATM Malware)
    1 point
  38. 73 downloads

    You may wonder why I have chosen this topic, why write a tutor on .NET components? Technically a .NET component is not different from an executable assembly; I mean that both are compiled to MSIL and you can usually view the source in Reflector and other tools. But when it comes to commercial components you have to understand that more and more complicated protection schemes are being implemented to protect them, and after analyzing many products I found so many points that all these components share to protect themselves. The second reason that pushed me to write this tutor is that
    1 point
  39. .NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization, which is not that hard because it's more straightforward than the rest of the code virtualization implementations that are on the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot's standard ProxyCallFixer1 to fix those delegates. Of course, firstly you need to read them from the initialization method, but the reading method is already implemented in the base version of de4dot (which is used for resources, s
    1 point
  40. Ok, I have deobfuscated the file. Enjoy, I guess. Btw, some parts of the file use "dynamic", so it wouldn't look like just "dynamic" in dnSpy. There will be something like callsite stuff cuz that's how the compiler interprets the dynamic data type. sample(2)-SysMathCallFixed-DelegatesFixed-FieldToLocalFix-VarsUnmelted-StringDec_deobfuscated.exe
    1 point
  41. I created this experimental project. I hope it can be useful to someone. Any collaboration and improvement is welcome, thank you. https://github.com/Pigrecos/Triton4Delphi
    1 point
  42. Hi, new update with more features: https://github.com/Ahmadmansoor/AdvancedScript
      AdvancedScript version 4.3 https://github.com/Ahmadmansoor/AdvancedScript/releases
      * Add new commands and fix some bugs
      * Fix error loading the Auto Commands when there is no ;
      * Fix AutoRun and step-on (wait for command to finish)
      * Fix color variable name
      * Add ReadFile, Write2Mem, ReadMem
      * Add GoToByBase Form (https://www.youtube.com/watch?v=gQxlbC8RnRg)
      * Assign variable directly, no need for the Setx command. Sample: Varx str,memory // var will hold the hex
    1 point
  43. AdvancedScript_3.1
      - fix CheckHexIsValid (fix length).
      - add menu to (copy - follow - delete) variables.
      - add more checks for StrAnalyze.
      - add MsgBox for if command in case it does not resolve arguments.
      note: copy can copy one value or all values in case of Array variables
      AdvancedScript_3.1.zip Script.zip
    1 point
  44. Everything moved to Vimeo; downloads are enabled also. https://vimeo.com/album/5427366
    1 point
  45. Please, friends, post your knowledge regarding Themida x64 unpacking for x64dbg. Please post your scripts also.
    1 point
  46. v1.1: Plugin menu does not appear. After applying the folder setting, it also does not work after restart; it resets the path in OllyDBG.ini.
    1 point
  47. Hi there, does anybody have "standardfunctions.asm" from SND-basic.coding.a.serial.fisher by Markus? Thank you
    1 point
  48. Here is the whole ASM source if anybody wants it: http://forum.tuts4you.com/topic/14694-how-to-retrieve-value-in-registers/ Thank you again pseudonym!!!!
    1 point
  49. I hope the author of this tut does not take offense .... I re-uploaded the tut with the source..... If you do, let me know and I will remove it. snd-basic.coding.a.serial.fisher+SCR.rar
    1 point
  50. Sorry, can't upload here. _http://www20.zippyshare.com/v/12904004/file.html standardfunctions.rar
    1 point