Jump to content
Tuts 4 You

Leaderboard

  1. CodeExplorer

    CodeExplorer

    Moderator


    • Points

      312

    • Content Count

      3,020


  2. kao

    kao

    Full Member+


    • Points

      189

    • Content Count

      2,268


  3. Teddy Rogers

    Teddy Rogers

    Administrator


    • Points

      157

    • Content Count

      8,660


  4. Kurapica

    Kurapica

    Full Member


    • Points

      105

    • Content Count

      798



Popular Content

Showing content with the highest reputation since 04/07/2019 in all areas

  1. 13 points
    Hello, so I keep getting asked what’s the best obfuscators around so I am posting this so I don’t keep repeating it. I have decided to give my opinion on all obfuscators if I am missing any let me know If you are a developer of any of these obfuscators don’t take what I say as an insult use it to improve DNGuard - an obfuscator I used to say was Chinese crap however I’ve recently spent some time analysing this and can say that the HVM technology is very strong and makes unpacking a lot harder. However when not using the HVM setting it makes unpacking extremely simple with jit dumping and can use codecrackers unpacker for this. Compatibility on this obfuscator is its biggest flaw (along with price) which can be a big NO for a lot of people as this protector can cause files to not run on certain .NET frameworks if they fixed this issue and improved compatibility across systems it would make this obfuscator much better. Price is extremely high but I suppose has worked in its favour with not many files around and extremely hard to get test files to test features. Eazfuscator - a .NET VM that has been around for a while now with the last unpacker for version 4.8 I think from saneki on GitHub. Since then Eazfuscator has improved a lot however the concept stays the same and sanekis unpacker is still a brilliant base to start from. Meaning that an unpacker for this isn’t extremely difficult. The compatibility and performance of this obfuscator is actually fairly good for a VM and tells the user not to overuse the VM and only apply on secret methods as to save performance. The problem with Eazfuscator is that any protection method apart from the VM isn’t good, de4dot handles the control flow perfectly and the strings can be easily decrypted by either updating de4dot code which isn’t too hard or simply invoke. So if you’re app is sensitive on performance then maybe avoid this one as for all VMs performance is hurt no matter how efficient it is. In conclusion I do think this obfuscator is one of the top of its game as even with the old unpackers it’s still a lot of work to update ILProtector - An obfuscator I really do like the concept of keeping performance and security balanced, however in recent times with the release of dynamic unpackers it has kind of died as it seems the developer is applying small patches instead of fixing this properly so each unpacker only requires a few changes. In terms of static unpacking they have this down well, it’s actually a very hard job to statically unpack this protector so if they were to patch the dynamic flaws it would quickly appear back at the top but it’s credibility has been stumped due to the release of unpackers that I think may still work on the latest version (something I haven’t checked). Compatibility and performance on this obfuscator are good but one flaw of this obfuscator is that if the dynamic method is decrypted the original ilcode is there, they apply no MSIL mangling which in my eyes they should do both. Agile.Net another .NET VM however I haven’t analysed this myself that much but a few things I have noticed is that updating de4dot to support the latest version is not all that challenging however it is time consuming, a few modifications to de4dot can make it supply all the data you need to update it for the VM. the method encryption can be removed by jit dumpers from codecracker, from what I’ve seen in de4dot the obfuscator isn’t to hard to completely unpack but we have to thank 0xd4d for all he has done on this obfuscator he has done all the hard work for us so it’s just a matter of taking his code and updating, yes this takes a very long time to do Netguard - Now this is one I’m very familiar with, as most people know netguard is a modified confuserex however a fairly heavy modification. Now the actual protection isn’t that strong however for its price it’s very good, the base of netguard is still the same concept as confuserex and many of its protections can be defeated in the exact same way, the only real changes are the native stub and mutations. However once you remove these protections like control flow and constants can be removed in the same theory as I use in my confuserex unpacker2. This obfuscator like I said is the best for its price however if you’re looking for something better there are other options if you’re willing to pay, now compatibility and performance on netguard are something that it’s known for and not in a good way, it has improved a lot recently however they still add lots of junk that adds no real benefit and just slows down code. Appfuscator - now I don’t know why people don’t use this obfuscator anymore. In my eyes it’s still extremely powerful, codecrackers tools are not stable and if you’re tool is larger than a crackme then it will fail, appfuscator uses opaque predicates and CFG to generate its control flow both of which have no public solvers for so is an extremely powerful obfuscator especially if you mix it with something custom. Performance wise this is actually negligible effect so still to this day one of the higher rated obfuscators. Babel.Net - this is similar to ilprotector in the way it makes dynamic methods however in a different approach. The good thing about this obfuscator is that it provides you with more options than just encrypt msil where you have cflow constants and other expected protections making it not as simply as dumping the dynamic method. The dynamic methods itself are not tricky to solve dynamically similar to ilprotector, invoke the correct method and you have the dynamic method ready to read with dnlib. Statically it gets slightly more complex however a few hours debugging with dnspy and some static analysis will reveal its secrets of how it decrypts the encrypted bodies. Performance and compatibility wise I don’t really know enough about it but I’ve not really seen many complaints about it ArmDot - a relatively new .NET VM which I’m fairly interested in. At its current stage it needs polishing, they currently put the whole vm into each method it’s encrypted making it extremely slow. I explained to the developer that it holds no real benefit as to devirtualize it follows the same concept as all vms which is find the instruction handlers and convert back as most are 1:1 with CIL it makes this step relatively easy once you have detected all handlers however if this obfuscator works on your file and performs well I do recommend it especially as its new and being actively worked on and the developer is always interested in seeing ways to improve which is a good thing. KoiVM - another magical creation from yck so do we expect anything other than greatness. Now this was something he sold to customers until he left the scene and trusted XenoCodeRCE with and gave it him to improve and use. Xeno decided that he would sell this to others and ended up causing it to be leaked on GitHub however let’s ignore that. KoiVM is absolutely insane and different to all other VMS we talked about so far. This doesn’t relate 1:1 with CIL and actually converts it to a form of ASM meaning if you manage to get all the code back you then need to translate ASM to CIL which again is no easy task. People think because it’s opensource it makes it not worth it. Remember confuser/ex was open source and undefeated for a long time. KoiVM is on another level compared to those. Compatibility and performance does take a hit and has limitations which you can read on koivm website now if you’re app works fine and you’re happy with performance then I would strongly suggest sticking with it. You can even make modifications to confuserex and use it with that as after all it’s a confuserex plugin. These are just my thoughts and personal opinions on these obfuscators. I do not mean any disrespect to the developers apart from what I think is good and bad. If you would like further explanation on anything let me know or any specific obfuscator that I haven’t covered as I most likely have some sort of opinion on it feel free to ask Regards Cawk
  2. 11 points
    Many years ago I wrote a software protector called MyAppSecured. Somewhere in the middle of porting it from Delphi to C++ I lost my interest in this project. Just found it on my HDD so I thought it might be helpful for someone. In short, the GUI of this protector is written in C++ and the protection stub in written in MASM. The C++ code loads a target in memory and adds 2 PE sections to it. One for the TLS callback code and one for the main code. The MASM stub will be written to those 2 sections. This protector has just 2 protection features: Analyze Immunity (anti-debug) and Memory Shield (anti debug-tools, OEP relocation). Note this is not a download-and-use-right-away protector. The code is written years ago so it's not very well written and also for some unknown reason the MASM stub could not be written into the 2 created sections. It did work very well years ago but I don't have the time to investigate why it doesn't work now. To be clear, the compiled exe file you will find in the package should run nicely but once you try to secure a exe file, that exe file is gonna be corrupted. This project is free for personal and commercial purposes. If you have any questions please ask, but keep in mind I abandoned this project and removed it from my HDD right after posting it here. Even if you are not gonna use this project it might be interesting to check the code. Some interesting stuff you might find there for your own project, such as emulating the CreateThreadW function in pure MASM, adding PE sections & relocation of OEP. MyAppSecured v1.00 Beta source.zip
  3. 10 points
    - version 4.0: 1- add RegexSearch form. 2- New GUI after replace DataGridView with RichTextBox to easy deal and fast coding. 3- edit CustomBuildStep to Auto copy files (AdvSconfig.txt , HelpAdvancedScript.txt). 4- add AutocompleteMenu.dll . 5- add copy AutocompleteMenu.dll to x64dbg root . 6- add AdvSconfig.txt for AutoComplete list for define Commands and variables. 7- update AutocompleteMenu.dll. 8- add comments_ to Variables class to add it next to the description of the variables when call them by Ctrl+j 9- call list var's by Ctrl+j 10- add ReFill_FunctionsAutoComplete_AtLoad. 11- highlight_system done for good look and analyze. 12- add autoCompleteFlexibleList to handle commands defined in AdvSconfig.txt. 13- add open Script from out side. 14- refresh by menu and F5 to refresh highlight_system. 15- add var of x64dbg system. note : by AdvSconfig.txt u can define the commands in AdvancedSecript . AdvancedScript_4.0.zip
  4. 9 points
    Download: https://github.com/horsicq/pex64dbg/releases Sources: https://github.com/horsicq/pex64dbg More Info: http://n10info.blogspot.com/2019/05/pe-viewer-plugin-for-x64dbg.html
  5. 8 points
  6. 8 points
    I created a spinner type control to add to the ModernUI controls (based on an my original version a few years ago: http://masm32.com/board/index.php?topic=1179.0) - typically used when loading, pre-loading or processing something and to hint or indicate to the user something is occurring - similar in that regard to progress bar controls. Download The control can be downloaded via the ModernUI repository or downloaded directly from this link: https://github.com/mrfearless/ModernUI/blob/master/Release/ModernUI_Spinner.zip?raw=true Example I created an example project to demonstrate it. The example (which includes a Radasm project) can be downloaded via the ModernUI repository or downloaded directly from this link: https://github.com/mrfearless/ModernUI/blob/master/Release/MUISpinner1.zip?raw=true There are a number of ways of adding image frames to the ModernUI_Spinner control. The most basic level is to add individual images to construct the spinner animation. This can be done with the MUISpinnerAddFrame or MUISpinnerLoadFrame - using an image handle that is already loaded or using a resource id of an image. For example, the first spinner it is comprised of 8 separate bitmap images: For images that are circular, it can be more convenient to use the MUISpinnerAddImage or MUISpinnerLoadImage functions, as these only require one image. The image is copied a number of times into frame images - as specified by the dwNoFramesToCreate parameter. Each new frame image is incrementally rotated - based on the angle calculated for each new frame image. The bReverse parameter if set to TRUE will set the spinner animation to counter-clockwise. Note: the MUISpinnerAddImage or MUISpinnerLoadImage functions only work with png images or png's stored as RCDATA resources. The far right spinner on the top row is created via loading a single png image: Once loaded it is rotated and new frames are created to enable it to look like this: For more complicated spinners, or spinners that are not circular in nature, the MUISpinnerAddSpriteSheet and MUISpinnerLoadSpriteSheet functions are provided. These allow you to provide a long (wide) image (bitmap, icon or png) handle (or resource id) that contains all the spinner frames in the one image. The image frames are extracted out of this image. The amount of frame images in the spritesheet is passed via the dwSpriteCount parameter. The clock spinner is a good example of this, as it can't be rotated due to the buttons around its edge: So either it can be constructed by manually adding each frame or by using a spritesheet like so: Which looks like this once all the individual frames are extracted: I put some compile time conditions to allow for using of TimerQueue, Multimedia Timer or WM_TIMER for the animation of the spinner. There is also a ModernUI_Spinner.h file for c/c++ - but as I don't actively use that language there may be some typos or mistakes or wrong types specified (I haven't tested it). The Icons8 website is a good source for spinners, and they can be adjusted for size and color etc before downloading - including under the additional download options button as a spritesheet (using apng format). Take note of the frames value, as you will need to use this so that the spritesheet can be divided up into the correct individual frames. https://icons8.com/preloaders/en/search/spinner
  7. 7 points
    What makes you question either of these? Private: There are occasionally some techniques, practices (and tools) kept private to stay ahead of the game. Nothing has changed much over the years in this regard as far as I can tell. Knowledge: As @kao already mentioned most of the core techniques and information is out there to be discovered (in these forums for example). It only needs a willing and proactive individual to expand and develop on this information. As everyone seems to have their own blog (or YouTube channel) these days these generally seem to be the new format for tutorials. One day... when all my children have grown up and left home I can get my life back and get back to RCE and making traditional tutorials. Hopefully the RCE world will be an entirely new and interesting place to explore... 👍 Ted.
  8. 7 points
    .NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization which is not that hard because it's more straightforward than rest of code virtualization implementations that are in the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot standard ProxyCallFixer1 to fix those delegates. Of course firstly you need to read them from initialization method but reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, AntiDebug feature which is basically just a simple check of IsAttached, just nop these instructions. There are few more changes to necrobit feature, for example they hide PInvoke methods to break old de4dot implementation - pretty easy fix. Overall these changes are not that major to completely rewrite de4dot from scratch. Here is unpacked version of your file unpackme -cleaned.exe
  9. 7 points
    I used this in my MyAppSecured exe protector project. This code emulates the winAPI CreateThread using ZwCreateThread, in pure MASM, compiled in WinASM studio. Feel free to use it for your own projects. ZwCreateThread example.rar
  10. 7 points
    Answer The password is "gamer vision". All of the following addresses are based on the modulebase 0x00007FF644840000. The possible OEP at: 00007FF644841DF8 | 48:895C24 20 | mov qword ptr [rsp+20],rbx 00007FF644841DFD | 55 | push rbp 00007FF644841DFE | 48:8BEC | mov rbp,rsp 00007FF644841E01 | 48:83EC 20 | sub rsp,20 ... Then the second hit in code section at: 00007FF6448416FC | 48:895C24 08 | mov qword ptr [rsp+8],rbx 00007FF644841701 | 48:897424 10 | mov qword ptr [rsp+10],rsi 00007FF644841706 | 57 | push rdi 00007FF644841707 | 48:83EC 30 | sub rsp,30 ... After prompted "enter password.", the input routine at: 00007FF644841400 | 48:8BC4 | mov rax,rsp 00007FF644841403 | 57 | push rdi 00007FF644841404 | 41:54 | push r12 00007FF644841406 | 41:55 | push r13 00007FF644841408 | 41:56 | push r14 00007FF64484140A | 41:57 | push r15 00007FF64484140C | 48:83EC 50 | sub rsp,50 ... the pointer of local buffer for receiving input text is in rdx(for example, 000000359CC9FA58). When entered some test characters, stack looks like: 000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00 "123456789012" 000000359CC9FA68: 000000000000000C input size 000000359CC9FA70: 000000000000000F buffer size Whereafter, the process logic virtualized. First of all, the length of input text got checked in a vCmpqr handler: 00007FF644898E0B | 49:39F0 | cmp r8,rsi ; r8=000000000000000C(actual), rsi=000000000000000C(const) The length MUST be 12!, else got "no!". NOTE: the encrypt password has no chance to get decrypted if input length is wrong! The answer String is encrypted(0xC length): 00007FF64484BCB0 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00 decrypt algo: 00007FF6448BF3A6 | 40:8A36 | mov sil,byte ptr [rsi] rsi=00007FF64484BCB0, sil=8B 00007FF6448D4125 | 44:30DB | xor bl,r11b bl=8B, r11b=08; ^=08 = 83 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 83 00007FF64485748F | 8A09 | mov cl,byte ptr [rcx] [00007FF64484BCB0] -> 83 00007FF64485E6FA | 44:00D7 | add dil,r10b dil=83, r10b=E4; +=E4 = 67 'g' 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 67 00007FF64488DA96 | 49:FFC4 | inc r12 ptr++ 00007FF644859691 | 41:FFC9 | dec r9d length-- 00007FF64488743C | 85C8 | test eax,ecx end loop if length zero At the end of loop, the plaintext: 00007FF64484BCB0 67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00 gamer vision.... The comparison: 00007FF6448424E7 | FF25 330C0000 | jmp qword ptr [<&memcmp>] ret rax=00000000FFFFFFFF/0000000000000000(if matches) rcx=000000359CC9FA58 "123456789012" rdx=00007FF64484BCB0 "gamer vision" r8=000000000000000C Strings Encrypted Structure BYTE bEncrypt // 1 - encrypt, 0 - decrypt DWORD dwLength BYTE UnDefined[0xC] BYTE CipherText[dwLength+1] The related messages as followings, you can find them in the VM Section ".themida" after it got unpacked at the very beginning of the application. 00007FF6448AC79F 01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00 decrypt algo: ^A0+4F 00007FF6448AC7AF 00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F "enter password.\n" 00007FF6448AC7BF 1B 00 00007FF64484BC9F 01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00 decrypt algo: ^08+E4 00007FF64484BCAF 00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 "gamer vision" 00007FF644886C7F 01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00 decrypt algo: ^85+10 00007FF644886C8F 00 EC D0 E6 94 7F 00 "yes!\n" 00007FF64489252F 01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00 decrypt algo: ^65+C9 00007FF64489253F 00 C0 C3 3D 24 00 "no!\n" 00007FF64484C40F 01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00 decrypt algo: ^12+C6 00007FF64484C41F 00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48 "press enter to continue.\n" 00007FF64484C42F 8F BB BA BC B1 BA BD 8D 7A 56 00
  11. 7 points
    At least they made him look cute!
  12. 7 points
    Everyone can see the code because Cawk's ConfuserEx unpacker works just fine.
  13. 6 points
    Hey guys, After a long time I started writing on my blog again. https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-1 Best regards
  14. 6 points
    [.NET]实战UnpackMe.mp4 -> https://mega.nz/#!YxwQSAxA!Lwd9XStVyue8fdYKZXmYkoDxE0Y7ftsyNYtBKLTRrGM
  15. 6 points
    @mdj: 使用x64dbg暴打非托管强壳.mp4 -> https://mega.nz/#!Y5JBTaCS!hJXzN5ssvUyRHW8VgpGxINEVrW1zJ2Up96vqqJVG5co I can upload the second video tomorrow, if you need that too. @all: Please be nice and don't abuse the link, it is a free Mega account and has traffic limitations.
  16. 5 points
    https://github.com/GautamGreat/Scylla_Delphi_Plugin
  17. 5 points
    Hello guys, I'm proud to announce the beta release of AMED (an Advanced Machine Decoder). It's extremely fast, lightweight and supports the following architectures : - x86(with all its extensions including xeon instruction set). - aarch32(arm, thumb, neon, ARMv8+). - aarch64(with all its extensions including SVE). I also released the new version (v3) of opcodesDB. https://github.com/MahdiSafsafi/AMED https://github.com/MahdiSafsafi/opcodesDB What do you think guys ?
  18. 5 points
    Posted a write-up about solving the keygenme. https://0xec.blogspot.com/2020/02/finally-solving-weasel-keygenme.html
  19. 5 points
    @Teddy Rogers: from what I was able to gather, this version was still being maintained and improved. Only original repo was taken down, forks are all up. For example, this one is fully up to date: https://github.com/Deteriorator/winrar-keygen.git
  20. 4 points
    Please people do not take any "cure" for COVID before consulting an specialist (medical man). They are a lot of so called "cures" for COVID which are actually all fake. There is no cure for COVID at this moment.
  21. 4 points
    My personal belief is that the entire world around is fake - just a simulation. Our universe does have a creator and that creator may or may not be God. The pain & and struggles we face means nothing in the greater sense. We are nothing more than a programmed object. Even the pain or happiness is nothing but programmed feelings. For example, we design computer games with their own story-lines. In one such game there may be a person who is put under immense pain. There are many movies in which innocents die due to no fault of theirs. However we are not concerned since we know the pain is virtual. It's how we designed the game or movie. In a similar sense, our creator knows the pain we humans/animals face is also virtual. In the real world (which is not this world) this doesn't matter. Even the concept of life and death is fake. Death is simply a way of putting an expiry date. Is is possible to know the real truth? I guess it is. But once humans try to understand the real truth there will be no wars anywhere. There will be no struggle for wealth, fame and power. After all why run after wealth, fame & power in a fake world. If there is something that needs to be done is to try to find out the real truth and escape from this fake world.
  22. 4 points
    Console example x64plgmnrc.exe -G "C:\x64dbg_root" // Set root path for x64dbg x64plgmnrc.exe -U // Update list from server x64plgmnrc.exe -S // Show list of plugins x64plgmnrc.exe -i x64core // Install last version of x64dbg x64plgmnrc.exe -i AdvancedScript // install AdvancedScript https://github.com/horsicq/x64dbg-Plugin-Manager
  23. 4 points
    I think a lot of public knowledge sharing is going on, especially in the field of malware analysis with many good YouTube channels and blogs covering basics. It just looks like people move to social media (Twitter/Reddit/Discord) to discuss things and traditional forums start to show their age. There is also a very active CTF scene with many techniques and tools being shared (tools on GitHub) and it appears that the cheating scene is also still very active. If you look at more academic sources there are a lot of techniques published (frameworks like miasm/angr/triton or LLVM-based techniques) and there are still many things to be learned, you just have to be willing to put in the time. Obviously nobody is sharing tools for VMProtect/Themida/whatever, in my view simply because there is a lot of money to be made there, but a very similar thing has been going on in the dongle scene for years and that's nothing new.
  24. 4 points
    I think that to add to this, many apps worth reversing nowadays tend to use more sophisticated techniques in the past. In older times, things could be cracked often in mere minutes which was a motivating factor. Most people start with a target in mind, and their patience to learn is quite thin. Nowadays, you may have to learn to unpack, advanced cryptography, anti-debugger techniques, details of security permissions, etc. Windows itself has evolved into a much more complicated beast making the learning curve much steeper. I remember the days of SoftIce and what a wonderful tool that was. Nothing even compares to it to this day. Although there are suitable alternatives, it was trivial to install and get started immediately. Now its a lot of complicated details to get going with tools. We had websites like +Fravia which were simply fantastic reading and offering fun challenges designed to make people think more deeply about reversing, not merely reversing of computer code. How to search was emphasized so much, and this is part of the reason that people became independent solvers. But we have tools like IDA Pro and Ghidra that have also made analysis quite a bit easier. We have faster and more powerful computers and an internet even more full of knowledge, if one knows how to find it. Some knowledge has become obscured by certain mainstreaming and politicizing of information designed to bury other information, and it would be nice to have better searching capability again, not just some commercialized nonsense that has decayed. So high learning curve and people with low patience, and usually choosing their initial motivation as an out of reach target that will require learning a variety of reversing disciplines has raised the bar. My prediction is that when the older generation retires, there will eventually be a new generation who will revitalize the whole thing in their own style. There may even be a generation skip here, as a pretty dead and flat generation can often lead to a really good generation after. One generation trying to make up for their mistakes by raising children better. The rapid spread of technology and social media caught the prior generation by surprise, and has led to a correction generation. If they really need YouTube videos and auto-magic tools, then they will make them and get them. We really have a different style and culture from them, and whether we respect this new way or not, supply and demand will eventually work itself out.
  25. 4 points
    I blame high speed internet and HD porn ! << just kidding The knowledge is out there, as my friends already said, you just need the motivation to learn and explore, it's time-consuming and the new generation wants everything ready and they want it quickly.
  26. 4 points
    This forum is overrun by lazy-ass noobs who don't really want to learn. They want to have a youtube video and automagic tool for everything. Ready-made tools are private for this exact reason. People who want to learn will find the necessary information to learn the basics. And once you show you've done your homework, knowledge and techniques are being shared freely. Maybe not 100% public but via PMs and chat.
  27. 4 points
    Phew! It has been close to 4 years and after a lot of wandering here and there I can proudly announce that I'm now able to calculate a valid serial for any name. Here are a couple. kao GCZ4B-QTD22 0xec FZNUL-THK22 Time taken to generate a key can vary from 2-5 minutes and takes about 12 GB of Physical RAM running on a Nvidia Tesla T4 GPU (2560 CUDA cores). Providing more RAM and CUDA cores may further reduce the time but I ran it on Google Colab and that's what they offer. I plan to do a write-up on my blog later but here it is in short. Initially, I felt the only way to solve the system of equations within a feasible time frame is through a quantum computer using something like Grover's search but the quantum computers available for public use (IBM Q Experience) at this time do not have enough qubits. So this approach had to be discarded. On deeper analysis, I found the system of equations is nothing but a system of Multivariate Quadratic (MQ) Polynomials. There's a field of Crypto related to this - Multivariate cryptography. Such cryptosystems are considered hard even for a Quantum Computer to attack let alone a classical machine. Luckily, there's an ongoing challenge based on the exact same idea - Fukuoka MQ challenge. It turns out small MQ systems particularly which are under-determined (more unknowns than equations) are solvable by classical machines within an accepting time frame and people have posted tools/algorithms to solve them. One of them is libFES . There's also a GPU implementation of FES which I have used here. So that's how it went. Thanks @kao for the challenge. Really learned a lot!!! Its a silver medal for now. Considering such systems of equation are solvable, generating a key within 1 sec could also be possible given the MQ challenge site posts that this cryptosystem is based on a signature scheme (Type -IV). Once we calculate the private key, generating the signature within 1s should be possible.
  28. 4 points
    Simple Polymorphic Engine (SPE32) is a simple polymorphic engine for encrypting code and data. It is an amateur project that can be used to demonstrate what polymorphic engines are. SPE32 allows you to encrypt any data and generate a unique decryption code for this data. The encryption algorithm uses randomly selected instructions and encryption keys. https://github.com/PELock/Simple-Polymorphic-Engine-SPE32 Sample polymorphic code in x86dbg window: Another polymorphic code mutation, this time with code junks
  29. 4 points
    The password is: Explanation: To apply VMProtect properly, you need to understand how each and every option works. Specifically, packing option just compresses data, it doesn't add any real protection. And if you do not use "VMProtect.SDK.DecryptString", strings are not encrypted. It's enough to run protected software under any debugger and search for strings in memory: As for proper unpack and/or devirtualization, it's something I have on my todo list. But I haven't got a "proper" solution that I could share at the moment.
  30. 4 points
    Actually Winrar was a kind of an earl adopter of ECDSA licensing, but they made a mistake in the implementation, much like level 10 armadillo. I still remember when I first came across this release - i thought, man, not another hardcoded-pseude-keygen ... then I saw "SeVeN/FFF". I was like "ahh shit here we go". Problem for Winrar is that their license is tied to archive signatures - if they change it they will break the signature mechanism.
  31. 4 points
  32. 4 points
    I have unpacked most of the protections just need someone to complete the last part of it, the calls/delegates!! Instructions: 1. Jit-dump the executable with JitDumper3/4 enable the checkbox (Dump MD). 2. Clean the (String And Flow) with SimpleAssemblyExplorer(SAE) checking the checkbox (Delegates} as well. 3. De4dot. Files.rar
  33. 4 points
    https://github.com/DefCon42/op-mutation decided to release the source because it's a neat example of a practical application of linear algebra yes, i know the code does not look great and there's blatant violations of like every standard ever no, i won't change that :^) note: only works with relatively simple operations. add, sub, not, etc will work but higher order operators like multiplication and exponentiation will not
  34. 4 points
    There is definitely room for a good modification of ConfuserEx to eventually happen and be posted here. ConfuserEx itself was the successor/fork of Confuser itself, which has greatly improved the original. ConfuserEx has completely changed how the .NET protection field has worked as well, with it completely influencing every other obfuscator on the market. Especially the ones made from people in the RE scene all using ConfuserEx as a base to work from. (Whether they want to admit to it or not.) Since ConfuserEx and now KoiVM are open source, they tend to be the most used and modified. No other real protection system for .NET is open source let alone offers the kind of features that they do. While it does mean a lot of terrible rebrands and mods will happen, it doesn't mean every single one is going to be trash in the future. Given that KoiVM is open source, it leaves a lot of room for others to take that concept and run with it to make their own VMs with much more in depth features, better C# language support for newer features, and so on. I don't think out-right banning it from existing on the site is a good idea either. There shouldn't be a reason to further divide what little of the RE scene is left. Some thoughts of mine on how to approach this going forward: 1. Make a new section/sub-forum specifically for ConfuserEx mods. This way the general .NET unpack section can focus on other non-ConfuserEx related challenges and not be drowned out with the various customizations/mods people want to post. 2. In the new section, have some type of guidelines/rules on what is considered a valid challenge. Mods to ConfuserEx that do nothing to the actual core and just add 1-2 new things should be rejected because the base/core has not been touched, therefore all the existing tools will work against said mod. Simply renaming the ConfuserEx attribute is not a valid means to try and deter tools from working etc. Focus on making sure people have actually put time/effort into their mods vs. just renaming the project and adding 1 thing to it. 3. Avoid belittling people that are coming here to learn and making an effort to work on modifications. Rather than people just shitting on someone or leaving a few word replies telling the person they suck, their mod is shit, etc. encourage people responding to the threads to actually give feedback in a friendly manner. Everyone started somewhere, knowing nothing, so putting egos aside and encouraging new comers to go back and learn certain things, showing them why a certain protection/mod doesn't work/help, etc. goes a long way. (Simply put, if your objective is just to be a dick when responding, just don't respond.) 4. If moderators are added, would really suggest making sure that there is some rules/guidelines on how they should moderate the new section/topics. Basically to avoid power-tripping, egos, and other nonsense that doesn't need to exist here. Another thing is to understand everyone has different skill levels when it comes to unpacking/cracking things, and while person A may think a given mod is weak/easy/crap, person B who is just learning may see the given challenge as a great learning experience and a way to enhance their skills. So avoiding skill sets being the end-all judgement of how something is moderated. Of course there are situations where things like this will have trolls or people posting challenges that have their own issues with pride/ego as well. Which is something seen already with a few people posting ConfuserEx mods that do not really understand the base project, how .NET operates, etc. For example, there is someone on a specific Discord community that keeps making 1-2 line edits to ConfuserEx and deeming it uncrackable. Every time, someone will use the existing tools, unpack his app and prove him wrong, but he refuses to be wrong and keeps spamming the Discord with modifications constantly. In a case like this I would say preventing them from posting new challenges for a given period of time may be warranted to avoid them from posting 100 different mods in a day. All in all though, I wouldn't recommend banning it altogether. The RE scene is so small anymore as it is, banning discussions on given topics at all is just going to further divide things than they already are. As it is, there are people on this site that land up driving new comers away already which most land up joining one of the various Discord communities instead that are focused on RE/.NET RE etc.
  35. 4 points
    I have never used it before, but from the first look - it installs offline, doesn't require any activation or license key, you can create more than one sandbox (which was a limitation in unregistered versions) and "Forced programs" also works. Looks good to me. EDIT 2x: direct download links (REMOVED, as they apparently are time-limited)
  36. 4 points
    If that's the case, that's breakable. For RAR the most efficient attacks are bruteforce, and it's much much faster to bruteforce 6-symbol password than 12... You can try freeware cRARk (http://www.crark.net) or pirated Passware Kit to crack your passwords. Depending on your CPU/GPU, it might take few hours/days but that's certainly doable. EDIT: just to give you an example, my (quite outdated) PC can try 4500 passwords/second using cRARk. For the example, there are 26 capital letters, 26 lowercase letters and 10 numbers. So, 62 different characters. If it's a 4-symbol password, it's 62*62*62*62=14776336 possibilities. To try them all, it would take 3283 seconds, or 54 minutes. If it's a 6-symbol password, it's 62*62*62*62*62*62=56800235584 possibilites. That would be 144 days to try them all. If you know you used a word from dictionary, it's much easier to try all words from dictionary. If you used l33t sp34k, that's also a good information. If you know that you always put first capital letter, that's useful. And so on. Read the manual, make the most efficient rules for bruteforce and just try..
  37. 4 points
    I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator I try my best to introduce it using English 1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5) 2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run 3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod" 4.fix pe header and maybe you shoud also fix .net header This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies. If you can not understand it, you can reply me. Best wish.
  38. 4 points
    Hmmmm... Could it be because you didn't do time travel and never experienced 4th of May 2019 before? The expired certificate is inside your outdated copy of Firefox 56. And, as you said it yourself - you refuse to update it. So, how on earth do you expect Mozilla to fix something that's on your computer? Should they send Santa with magic powers to your home? Solution: download the XPI file from above. Extract files from it. Base64-decode new certificate from api.js. Add new certificate into your old Firefox (Tools-Options-Certificates). Done. Takes less time than writing those whiny posts. Full disclaimer: I couldn't test it 100% because I don't use Firefox on a daily basis and I couldn't find portable Firefox 56 with 3rd party addons.
  39. 4 points
    And here is the fully deobfuscated file with strings decrypted i havent ran through de4dot since this will simplify your button click method to one messagebox.show Unpacked.exe
  40. 4 points
    Here is the code without strings decrypted more to show that i havent just remade the method from scratch but have actually devirtualised the file obfuscator is not that good in all honesty once you get your head around everything in one method its just like any other vm private void button1_Click(object sender, EventArgs e) { int num = 0; if (num != 0) { object obj; char[] value = obj = new char[16]; obj[0] = (2049885642 ^ 2049885579); obj[1] = (721969625 ^ 721969580); obj[2] = (1722827470 ^ 1722827450); obj[3] = (675984423 ^ 675984463); obj[4] = (1647779473 ^ 1647779505); obj[5] = (1793770717 ^ 1793770638); obj[6] = (640259843 ^ 640259958); obj[7] = (959731082 ^ 959731177); obj[8] = (1744869780 ^ 1744869879); obj[9] = (237600744 ^ 237600653); obj[10] = (492056264 ^ 492056251); obj[11] = (327956409 ^ 327956426); obj[12] = (688741927 ^ 688741953); obj[13] = (658212064 ^ 658211989); obj[14] = (454212694 ^ 454212666); obj[15] = (28756323 ^ 28756290); MessageBox.Show(new string(value)); } else { object obj; char[] value2 = obj = new char[10]; obj[0] = (1435200779 ^ 1435200842); obj[1] = (853162666 ^ 853162719); obj[2] = (2119875586 ^ 2119875702); obj[3] = (712244489 ^ 712244577); obj[4] = (1541140050 ^ 1541140082); obj[5] = (2107783153 ^ 2107783095); obj[6] = (1703953462 ^ 1703953495); obj[7] = (1864360465 ^ 1864360568); obj[8] = (2035746888 ^ 2035746852); obj[9] = (620298057 ^ 620298088); MessageBox.Show(new string(value2)); } }
  41. 3 points
    I have not read through the entirety of what has been posted here and I really do not want to have to for moderating purposes. I kindly ask that if other people have opinions (what ever that evidence is based upon) respect them and debate them without having to degenerate your posts in to personal attacks. Try to influence each other through debate and not impose or mandate your view point on everyone else. The Covid-19 has been a fast flowing series of events that even the best governments and scientists around the world are struggling to understand and resolve. If you are unable to discuss appropriately my advice is to not to reply or post at all... Ted.
  42. 3 points
    aSqtsozBxQKKn5BC.mp4
  43. 3 points
  44. 3 points
    i remember also the cracktro https://defacto2.net/f/b42719a and that core stole the release https://defacto2.net/f/b22ed7a
  45. 3 points
    Regardless of the borderline-spam that we have been observing in the challenges sections, I think .NET is still a valid platform to write reverse engineering challenges for. Look how obfuscators like DNGuard still seem to be a challenge for a lot of people. Also, even though KoiVM is more or less defeated nowadays, it used to be a very difficult task as well for the majority of people around here. There are many tricks one could pull off to make a challenge interesting, and this includes the ones written in .NET. I think the difficulty of a challenge does not always rely on the platform it is running on. For example, some rely on interesting or flawed cryptographic algorithm implementations that the reverse engineer needs to exploit in some way or another. Others might use an uncommon model of a virtualization that people haven't seen before all too often. Furthermore, writing these kinds of challenges in .NET could make the challenge actually more fun, as the reverser doesn't have to worry too much about the imperfect decompiled code of IDA or Ghidra or whatever tool people use. Rather, they can focus more on the actual problem that the challenge is about. Granted, I might be talking a bit more about KeygenMes now rather than "simple" unpackme's, but I think you get my point. Creativity is the key to success in my opinion, but you are right this is hard to benchmark. Banning challenges that are protected by a specific (potentially modded) obfuscator sounds like a bad idea as well in my opinion, and could hurt the forum more than it would do good. It might be a good idea however to limit the number of challenges per obfuscator, although I am not entirely sure how to limit this or when to decide when this limit is reached. Perhaps one or two per version/update or maybe per feature that an obfuscator might offer?
  46. 3 points
    Everything: https://www.epicgames.com/store/en-US/download/everything/home Metro 2033 Redux: https://www.epicgames.com/store/en-US/download/metro-2033-redux/home
  47. 3 points
    ...or just use MSDN key that's available on the net and avoid all that insanity. NYWVH-....
  48. 3 points
    Which is a bloody stupid idea in the first place. Just don't do it. To answer the question - the cause of your problem is MUI files that were introduced in Windows Vista. They enable you to have Windows UI in your own (non-English) language. If you copy some of the Windows built-in executables, you also need to copy the corresponding MUI file to correct subfolder, otherwise it won't be able to load correct resources and you'll see the error you mentioned. Example: Further reading: https://docs.microsoft.com/en-us/windows/win32/intl/mui-fundamental-concepts-explained https://afana.me/archive/2016/06/27/restoring-classic-calculator-in-windows-10.aspx/ https://ntcore.com/?p=266
  49. 3 points
    Hi New Update with more features : https://github.com/Ahmadmansoor/AdvancedScript AdvancedScript version 4.3 https://github.com/Ahmadmansoor/AdvancedScript/releases * Add new commands and fix some bugs * fix error load of the Auto Commands when there is no ; * Fix AutoRun and stepson ( wait command to finish). * Fix color variable name. * Add ReadFile , Write2Mem , ReadMem * Add GoToByBase Form ( https://www.youtube.com/watch?v=gQxlbC8RnRg ) * Assigne variable directly no need to Setx Command. Sample : Varx str,memory // var will hold the hex value Varx int,rax_,0 // read rax value +1 Varx str,ourStr // read test string ReadMem $memory,{rax},5 $rax_={rax} +1 $rax_=ads.exebase ReadStr $ourStr,{rdx}
  50. 3 points
    That is most likely not your crackme. But what the hell.. Load it in IDA, decompile serial check and it will look like this: if ( ++idx >= 29 ) { if ( count_of_sevens == 1 && String[6] == '7' ) { v5 = (unsigned __int8)entered_key[0]; if ( entered_key[0] ) { LOBYTE(v5) = entered_key[4]; if ( v5 ) { LOBYTE(v5) = entered_key[8]; if ( v5 ) { LOBYTE(v5) = entered_key[12]; if ( v5 ) { LOBYTE(v5) = entered_key[16]; if ( v5 ) { LOBYTE(v5) = entered_key[21]; if ( v5 ) { part1 = getintfromkey(0, 4, 0); part2 = getintfromkey(0, 4, v6); part3 = getintfromkey(0, 4, v7); part4 = getintfromkey(0, 4, v8); part5 = getintfromkey(0, 5, v9); part6 = getintfromkey(0, 8, v10); v11 = part1 * (unsigned __int8)entered_key[7]; v12 = part1 * (unsigned __int8)entered_key[6]; v13 = part1 * (unsigned __int8)entered_key[4]; if ( v11 == part5 && v12 == part3 && !(part1 * (unsigned __int8)entered_key[5]) && v13 == part4 && 1000 * v13 + 10 * v12 + v11 == part6 ) { ...show good boy message... There are some checks for specific character values: * char 6 must be "7", there may not be any other "7" in the key; * char 5 must be "0"; * chars 4,8,12,16,21 may not be "0"; Key is split into in several parts: part1 = first 4 chars part3 = chars 8..11 part4 = chars12..15 part5 = chars16..20 part6 = chars21..28 Then it does some simple multiplication and checks the result. At this point you have 2 options: - make a tool that will randomly choose part1 and chars 4 and 7, do the multiplication to calculate parts 3, 4, 5, 6 and see if it passes all checks. - remember math lessons from school and figure out the only possible combination that will pass all checks. First one is much faster, second one will be .. challenging. Either way, you should arrive at the only possible solution: Well, in fact, there is infinite number of valid keys. You can append random characters to the key above, they are not checked..
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
×
×
  • Create New...