Tuts 4 You

Leaderboard

Popular Content

Showing content with the highest reputation since 08/24/2021 in all areas

  1. https://githacks.org/vmp2/vmdevirt vmdevirt lifts vmp IL generated by vmemu to LLVM IR, which can then be optimized and compiled back to native instructions. I have released a pretty rough/early version of EasyAntiCheat devirtualized here: https://www.unknowncheats.me/forum/anti-cheat-bypass/468099-easyanticheat-sys-devirtualized-version-1-optimizations.html The goal has been to generate semantically correct native code so that you can execute the binary... here is hello world devirtualized: https://githacks.org/-/snippets/45 If you have any input/suggestions for llvm you can reply or email me at _xeroxz@back.engineer P.S. vmdevirt will also be used for vmp3 as the lifters/profiles are pretty much the same. All I need to do to support vmp3 is to recode some of vmemu...
    6 points
  2. This is a prime example of how combining obfuscators can only work in your favour if you actually use them properly. Spoiler alert: they are not used correctly in this unpackme Approach: TestCawkMod-cleaned.exe
    5 points
  3. The code of the Main method is pre-compiled (AOT) and stored in an assembly resource. It is not possible to restore the original MSIL code from this, but since the algorithm is very simple it can just be rewritten. To get the key we need to attach with x64dbg and analyze it dynamically. The final key is: 68 01 f6 c4 47 5b 04 ad ca 75 45 d2 2b f1 2c 28, or aAH2xEdbBK3KdUXSK/EsKA== in base64 format.
    3 points
  4. Fixed src using @sama's files and also added a project file for WinASM. + the aboutbox spinning DNA strand project alone because it's lovely. SND.Reverser.Tool.1.5b1.SRC.fixed.zip Spinning DNA strand.zip
    3 points
  5. Alternatively, you can use CyberChef. It has basically every encryption / encoding / hashing algorithm you can think of, and they are easily combined together with the drag n drop interface that they have: https://gchq.github.io/CyberChef/
    3 points
  6. @pepegaswiper69: the direction is right, just one of your assumptions is wrong.
    2 points
  7. A MUST HAVE COMPUTER.... greetz
    2 points
  8. You can get challenges from old REA here (under copy protection): https://github.com/Info-security/binary-auditing-training It was later transformed to binary auditor. Unfortunately no solutions / math + fun / crypto.
    2 points
  9. ProtonMail deletes 'we don't log your IP' boast from website after French climate activist reportedly arrested www.theregister.com/2021/09/07/protonmail_hands_user_ip_address_police/
     ProtonMail received a legally binding order from Swiss authorities which it was obligated to comply with protonmail.com/blog/climate-activist-arrest/
     Commodore 64 ads from the 1980s lunduke.substack.com/p/commodore-64-ads-from-the-1980s-still
     A Generation of American Men Give Up on College www.wsj.com/articles/college-university-fall-higher-education-men-women-enrollment-admissions-back-to-school-11630948233
     Revolt: Open-source alternative to Discord written in Rust revolt.chat/
     Automatically replace jQuery from existing projects and generate vanilla js alternatives (lol) github.com/sachinchoolur/replace-jquery
     Larry Page: I think we should look into acquiring YouTube (2005) twitter.com/TechEmails/status/1433837480449613839
     Google introduces $50 4G smartphone www.globalvillagespace.com/google-introduces-50-4g-smartphone-to-enable-billions-of-people/
     The number of legal chess positions estimated at 4.5x10^44 github.com/tromp/ChessPositionRanking
     Malware found preinstalled in classic push-button phones sold in Russia therecord.media/malware-found-preinstalled-in-classic-push-button-phones-sold-in-russia/
     Today Sci-Hub is 10 years old. I'll publish 2M new articles to celebrate (05/09) twitter.com/ringo_ring/status/1434356217208623106
     Melatonin: Much More Than You Wanted to Know (2018) slatestarcodex.com/2018/07/10/melatonin-much-more-than-you-wanted-to-know/
     PayPal Mafia (haha good to know) en.wikipedia.org/wiki/PayPal_Mafia
     Back Orifice (1998) web.archive.org/web/20180715070715/http://www.cultdeadcow.com/tools/bo.html news.ycombinator.com/item?id=28413994
     US Air Force chief software officer quits www.theregister.com/2021/09/03/usaf_chief_software_officer_quits_angry_post/
     Dynamic visualization of your WiFi signal blog.ui.com/2021/08/19/wifiman-introduces-enhanced-signal-tracking-features/
     git-cliff: generate changelog files from the Git history github.com/orhun/git-cliff news.ycombinator.com/item?id=28423843
     El Salvador becomes first country to adopt Bitcoin as an official currency theverge.com/2021/9/7/22660457/el-salvador-bitcoin-legal-tender-currency-cryptocurrency-chivo-wallet
    2 points
  10. Since Firefox 69, you must go into about:config and set “toolkit.legacyUserProfileCustomizations.stylesheets” to “true”. The userChrome.css file does not exist by default; you first have to create the file in the appropriate location inside your Firefox profile folder. howtogeek.com/334716/how-to-customize-firefoxs-user-interface-with-userchrome.css/
     ---- latest
     #1# Go to about:support in Firefox. Search for Application Basics, find Profile Directory and click on Open Directory. Copy the userContent.css into the chrome folder (the profile folder usually has -release at the end, and you should create the chrome folder if it doesn't already exist).
     #2# Go to about:config in Firefox. Search for toolkit.legacyUserProfileCustomizations.stylesheets and set it to true by clicking on the arrow button. Restart Firefox.
     src github.com/FirefoxCSSThemers/Natura-for-Firefox/tree/main/chrome *not tested*
    2 points
  11. Mozilla - uBlock Origin review addons.mozilla.org/blog/ublock-origin-everything-you-need-to-know-about-the-ad-blocker/
     Flying a Stunt Plane Through TWO Tunnels (2.2km / 43.44sec) hyperlol www.facebook.com/RedBullMotorsports/videos/375390900880444/
    2 points
  12. Don't know of a tool that will do it all for you easily, but you can either make one or make use of a few separate tools and a bit of work. For finding things, you can use Cheat Engine: https://www.cheatengine.org/ Scan a program's memory for known patterns of file type headers. For example, the PNG header information can be found here: http://www.libpng.org/pub/png/spec/1.2/PNG-Structure.html Knowing the first 8 bytes are always '89 50 4E 47 0D 0A 1A 0A', you can scan for this array of bytes and find matches in a program's memory. Once found, you can use a tool like 010 Editor: https://www.sweetscape.com/010editor/ You can use this hex editor to remotely open the memory of another process and map data structures via templates onto the memory. This can help with finding valid full images (in this example, PNGs) in memory. You can also then use this tool to know how much data to copy out and save to a new file, as the templates will hold all the data needed for the PNG to be valid on disk once saved. Then rinse and repeat for all file types you want to do. Otherwise, you can make your own app to do all these steps as well:
     - Open a remote target for reading. (OpenProcess)
     - Dump the process's memory to a local buffer for faster scanning. (ReadProcessMemory)
     - Scan for known byte patterns within the dumped data, like above, to find the known file types you wish to find.
     - At the start of each found entry, begin reading the file type like any other app would to determine if the full file is there/valid. (Use file header information for known file types and such to know how to read the various files you want to dump.)
     - If a valid file is found, dump it from the local buffer into a new file with just the data needed to make said file valid.
     And so on. Rinse and repeat for each file type you want to scan for etc.
    2 points
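As an added example (not code from the original post), the Python below implements the "scan for the 8-byte signature, then read the file like a parser would to decide whether the whole file is present" steps over a buffer that has already been read out of a process. The OpenProcess/ReadProcessMemory step is assumed to have produced `buf`; the sample "memory dump" is constructed inline and includes a bare signature with garbage behind it and a truncated PNG, both of which a plain signature scan would wrongly report as hits.

```python
"""Carve complete PNG files out of a raw memory/dump buffer by walking the
chunk structure after each signature hit.  Added example, not from the post."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"   # the fixed 8-byte header the post scans for


def png_length_at(buf: bytes, start: int):
    """Return the byte length of a structurally valid PNG beginning at
    buf[start], or None if the data there is not a complete PNG.

    Walks the chunk list: each chunk is a 4-byte big-endian length, a 4-byte
    type, the data, and a 4-byte CRC over type+data.  Requires IHDR first,
    IEND last and a correct CRC on every chunk, so random signature hits and
    images cut off mid-buffer are rejected instead of being dumped as files.
    """
    if buf[start:start + 8] != PNG_SIG:
        return None
    pos = start + 8
    first = True
    while True:
        if pos + 8 > len(buf):
            return None                     # truncated inside a chunk header
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        if length > 0x7FFFFFFF or not ctype.isalpha():
            return None                     # spec limit / type must be ASCII letters
        if first and ctype != b"IHDR":
            return None
        first = False
        data_end = pos + 8 + length
        if data_end + 4 > len(buf):
            return None                     # chunk data or CRC runs past the buffer
        crc = struct.unpack(">I", buf[data_end:data_end + 4])[0]
        if zlib.crc32(buf[pos + 4:data_end]) & 0xFFFFFFFF != crc:
            return None                     # corrupted, or not really a PNG
        pos = data_end + 4
        if ctype == b"IEND":
            return pos - start


def carve_pngs(buf: bytes):
    """Return [(offset, png_bytes), ...] for every complete PNG found in buf."""
    found = []
    pos = buf.find(PNG_SIG)
    while pos != -1:
        size = png_length_at(buf, pos)
        if size is not None:
            found.append((pos, buf[pos:pos + size]))
            pos = buf.find(PNG_SIG, pos + size)   # skip past the carved file
        else:
            pos = buf.find(PNG_SIG, pos + 1)      # false positive, keep scanning
    return found


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used only for the sample input)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_test_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed sample: a tiny valid 8-bit RGB PNG filled with red."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def build_sample_dump() -> bytes:
    """Constructed 'memory dump': padding, one valid PNG, a bare signature with
    garbage behind it (false positive) and a PNG truncated before IEND."""
    png = make_test_png()
    return (b"\x00" * 100 + png + b"\x41" * 50 + PNG_SIG + b"\xff" * 64
            + png[:-12] + b"\x00" * 40)


if __name__ == "__main__":
    for off, data in carve_pngs(build_sample_dump()):
        print(f"complete PNG at offset {off:#x}, {len(data)} bytes")
```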
  13. Thx for uploading the DNA animation. Btw I've also made a mod for the Starfield effect coded by takerZ, just added some RGB effect and only static text:
    2 points
  14. I heard some files are missing? (all credits to the dev.) Have a nice day. MissingFiles.rar
    2 points
  15. There has been an update of Keygener Assistant from v2.1.0 to v2.1.1
     March 1st, 2016
     - Fixed bug with RSA Encrypt/Decrypt (buggy FGIntRSA changed).
     - Update Interface:
       - Skin removed
     Download: KeygenerAssistantV2.1.1Remix
    2 points
  16. My Delphi binding for Intel X86 Encoder-Decoder. https://github.com/Pigrecos/XED_Delphi
    2 points
  17. twitter.com/ForumCovid/status/1439893319048380419
     Raspberry Pi gets $45M to meet demand for low-cost PCs and IoT techcrunch.com/2021/09/21/raspberry-pi-gets-45m-to-meet-demand-for-low-cost-pcs-and-iot/
     Lithuanian government warns about secret censorship features in Xiaomi phones therecord.media/lithuanian-government-warns-about-secret-censorship-features-in-xiaomi-phones/
     Distribution Of Global Wealth www.visualcapitalist.com/distribution-of-global-wealth-chart/
     WHO global air quality guidelines 2021 apps.who.int/iris/handle/10665/345329
     Reasons to Quit Social Media durmonski.com/life-advice/reasons-to-quit-social-media/
     Why You Should Stop Reading News fs.blog/2013/12/stop-reading-news/
     World War 3 To Be Fought Over Semiconductors? goldsilver.com/blog/world-war-3-to-be-fought-oversemiconductors-wealthion/
     Waydroid – Run Android containers on Ubuntu waydro.id/
     Authenticated Boot and Disk Encryption on Linux http://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html
     EU proposes mandatory USB-C on all devices www.theverge.com/2021/9/23/22626723
     FDA Vaccine Panel Comes Out Against Deadly Injections infowars.com/posts/bombshell-testimony-from-fda-vaccine-hearing-reveals-injections-killing-more-than-saving-driving-variants/
    1 point
  18. @Darth Blue: you got this far, so you certainly have skills. I'm sure you'll figure it out. To answer your question - it's not strictly necessary but might help you with *something*. You'll know more once you analyze the binary.
    1 point
  19. Project Deluge: Xbox and Dreamcast hiddenpalace.org/News/Project_Deluge:_Xbox_and_Dreamcast
     University of Florida gets around $20M from Gatorade profits every year thehustle.co/why-the-university-of-florida-gets-a-20m-cut-of-gatorade-profits-every-year/
     Bye YouTube, Hello PeerTube diode.zone/w/ooKHgZQnFkGjzbjZjRkZf7?autoplay=1&auto_play=true&start=4m19s
     Dot Browser – privacy-conscious web browser (Gecko based) github.com/dothq/browser www.dothq.co/
     Revisiting Java in 2021 www.avanwyk.com/revisiting-java-in-2021-ii/
    1 point
  20. DOS Subsystem for Linux github.com/haileys/doslinux
     YouTube recommendation system blog.youtube/inside-youtube/on-youtubes-recommendation-system/
     NEWScan files.rayogram.com/news/ freedomforum.org/todaysfrontpages/
     A collection of modern games for the TI-99/4A http://tigameshelf.net/asm.htm
     India says Google abused Android dominance www.engadget.com/google-abused-android-dominance-india-antitrust-124019374.html
     AMD Chipset Vulnerability Leaks Passwords, Patch Available www.tomshardware.com/news/amd-chipset-vulnerability-leaks-passwords
     Library Genesis libgen.is/
     Belgian ISP under 250 Gbps DDoS for days on end issues.edpnet.be/
    1 point
  21. Indian researchers create a Raspberry-Pi-based device to monitor health spectrum.ieee.org/rural-blood-test-analyser
     Russia fines Facebook, Twitter for not deleting banned content www.reuters.com/world/europe/russia-fines-facebook-not-deleting-banned-content-2021-09-14/
     Ex-NSA cyberspies reveal how they helped hack foes of UAE www.reuters.com/investigates/special-report/usa-spying-raven/
     Announcing .NET 6 RC1 devblogs.microsoft.com/dotnet/announcing-net-6-rc1/
     DW - Why internet connections in Germany are so bad www.youtube.com/watch?v=_jIUFdCkueA
     Michelin's New Airless Tires interestingengineering.com/michelin-airless-tires-hit-public-streets-for-first-time
     A dive into the world of MS-DOS viruses blog.benjojo.co.uk/post/dive-into-the-world-of-dos-viruses
     Mailchimp acquired by Intuit for $12bn twitter.com/axios/status/1437515671223537669
     Steve Jobs: Let's force Amazon to use our payment system (2010) twitter.com/TechEmails/status/1438188756738191362
     Popular StackOverflow encryption code snippets coded it wrong littlemaninmyhead.wordpress.com/2021/09/15/if-you-copied-any-of-these-popular-stackoverflow-encryption-code-snippets-then-you-did-it-wrong/
    1 point
  22. Ray-Ban Stories - in partnership with Facebook, they discover first generation of smart sunglasses www.ray-ban.com/usa/discover-ray-ban-stories/clp
     Apple fires senior engineering program manager Ashley for leaking information www.theverge.com/2021/9/9/22666049/apple-fires-senior-engineering-program-manager-ashley-gjovik-for-allegedly-leaking-information
     Mastercard acquires CipherTrace to enhance crypto capabilities www.mastercard.com/news/press/2021/september/mastercard-acquires-ciphertrace-to-enhance-crypto-capabilities/
     Exploring the Amiga (2018) www.thedigitalcatonline.com/blog/2018/05/28/exploring-the-amiga-1/
     All about graphics on the following years youtube.com/watch?v=I0H7w06SxwA&list=PLHFiqDkNCp1g5AW0QO_g9xDK-R1bsPF_l&index=12
     Ozzillate – Transfer Files via Sound www.ozzillate.com/
     What Exactly Is This 'Great Reset' wakingtimes.com/what-exactly-is-this-great-reset-people-keep-talking-about/
     A cross-platform GUI for youtube-dl github.com/jely2002/youtube-dl-gui
    1 point
  23. Hi, this seems to be yet another example of someone else using DNGuard as their own protector and stacking it over something else... In this CawkVM "mod" not a lot has changed, so exploiting the runtime implementation of dynamic methods is still possible. You can also reverse engineer the new changes using a debugger after bypassing the anti-debugger checks and statically decrypt and parse the method data. Not much different from regular CawkVM, just runtime obfuscated with a renamed DNGuard. I have successfully dumped the CawkVM protected entry point method: TestCawkMod-Protected-unpacked.exe
    1 point
  24. This can be used to monitor any user login sessions that transpire on a Server or Standalone system using services API calls (yes, this could probably be coded as an ACTUAL service, but that's left for another day). Compile and run (I've tested this on a basic user account with no ACL except their own profile folder ACLs, and it gathers all logged in users, maintaining an array and comparing it against the total number of logged in sessions). Note: various source codes were changed around, I just don't remember all the sites I used to put this together. There is an embedded smtp mailer that will connect to zoho (for this example) along with a way to email the alerts to a phone number for smtp->text; you'll need to find your cell phone carrier's smtp and find an email service that allows smtp IMAP connections.

     using System;
     using System.Collections.Generic;
     using System.Linq;
     using System.Windows.Forms;
     using System.Net.Mail;
     using System.Runtime.InteropServices;

     namespace SmtpWatch
     {
         static class Program
         {
             public const int WTS_CURRENT_SERVER_HANDLE = 0;
             public const int WTS_CURRENT_SESSION = -1;

             [DllImport("WTSApi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
             public static extern bool WTSSendMessage(IntPtr hServer, int SessionId, string pTitle, int TitleLength,
                 string pMessage, int MessageLength, int Style, int Timeout, out int pResponse, Boolean bWait);

             [DllImport("WTSApi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
             public static extern bool WTSEnumerateSessions(IntPtr hServer, int Reserved, int Version,
                 out IntPtr ppSessionInfo, out int pCount);

             [DllImport("WTSApi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
             public static extern void WTSFreeMemory(IntPtr pMemory);

             [DllImport("WTSApi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
             public static extern bool WTSQuerySessionInformation(IntPtr hServer, int SessionId,
                 WTS_INFO_CLASS WTSInfoClass, out IntPtr ppBuffer, out uint BytesReturned);

             public enum WTS_INFO_CLASS
             {
                 WTSInitialProgram, WTSApplicationName, WTSWorkingDirectory, WTSOEMId, WTSSessionId,
                 WTSUserName, WTSWinStationName, WTSDomainName, WTSConnectState, WTSClientBuildNumber,
                 WTSClientName, WTSClientDirectory, WTSClientProductId, WTSClientHardwareId, WTSClientAddress,
                 WTSClientDisplay, WTSClientProtocolType, WTSIdleTime, WTSLogonTime, WTSIncomingBytes,
                 WTSOutgoingBytes, WTSIncomingFrames, WTSOutgoingFrames, WTSClientInfo, WTSSessionInfo,
                 WTSSessionInfoEx, WTSConfigInfo, WTSValidationInfo, WTSSessionAddressV4, WTSIsRemoteSession
             }

             [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
             public struct WTS_SESSION_INFO
             {
                 public int SessionId;                  // session id
                 public string pWinStationName;         // name of WinStation this session is connected to
                 public WTS_CONNECTSTATE_CLASS State;   // connection state (see enum)
             }

             public enum WTS_CONNECTSTATE_CLASS
             {
                 WTSActive,        // User logged on to WinStation
                 WTSConnected,     // WinStation connected to client
                 WTSConnectQuery,  // In the process of connecting to client
                 WTSShadow,        // Shadowing another WinStation
                 WTSDisconnected,  // WinStation logged on without client
                 WTSIdle,          // Waiting for client to connect
                 WTSListen,        // WinStation is listening for connection
                 WTSReset,         // WinStation is being reset
                 WTSDown,          // WinStation is down due to error
                 WTSInit,          // WinStation in initialization
             }

             public static string[] sysun;       // user names recorded in the baseline enumeration
             public static string allsysun = "";

             [STAThread]
             static void Main()
             {
                 usermanip(0);   // baseline: record every currently logged in user
                 MessageBox.Show("CURRENT LOGGED IN USERS: " + allsysun);
                 string emallsysun = "CURRENT LOGGED IN USERS: " + allsysun;
                 sendmail(emallsysun);
                 while (true)
                 {
                     //check for new logons
                     usermanip(1);
                     allsysun = "";
                     System.Threading.Thread.Sleep(1000);   // poll once a second instead of spinning a core
                 }
             }

             static void sendmail(string str)
             {
                 try
                 {
                     MailMessage mail = new MailMessage();
                     SmtpClient SmtpServer = new SmtpClient("smtp.zoho.com");
                     mail.From = new MailAddress("xxxxxxx@zohomail.com");
                     mail.To.Add("XXXXXXXXXXX@tmomail.net");   // carrier's email-to-SMS gateway address
                     mail.Subject = "SYSTEM ACTIVITY (USERS)";
                     mail.Body = str;
                     SmtpServer.Port = 587;
                     // placeholder credentials; keep the real ones out of source (read them from config instead)
                     SmtpServer.Credentials = new System.Net.NetworkCredential("jmc31337", "XXXXXXXXXXXXXXXX");
                     SmtpServer.EnableSsl = true;
                     SmtpServer.Send(mail);
                 }
                 catch (Exception)
                 {
                     MessageBox.Show("SendMail Error Occurred");
                 }
             }

             static void usermanip(int softplc)
             {
                 IntPtr pSessions = IntPtr.Zero;
                 int nSessions;
                 if (WTSEnumerateSessions((IntPtr)WTS_CURRENT_SERVER_HANDLE, 0, 1, out pSessions, out nSessions))
                 {
                     int nDataSize = Marshal.SizeOf(typeof(WTS_SESSION_INFO));
                     IntPtr pCurrentSession = pSessions;
                     if (sysun == null)
                     {
                         Array.Resize(ref sysun, nSessions);
                         softplc = 0;   // (re)build the baseline from this enumeration
                     }
                     for (int Index = 0; Index < nSessions; Index++)
                     {
                         WTS_SESSION_INFO si = (WTS_SESSION_INFO)Marshal.PtrToStructure(pCurrentSession, typeof(WTS_SESSION_INFO));
                         uint nBytesReturned = 0;
                         IntPtr pUserName = IntPtr.Zero;
                         bool bRet = WTSQuerySessionInformation((IntPtr)WTS_CURRENT_SERVER_HANDLE, si.SessionId,
                             WTS_INFO_CLASS.WTSUserName, out pUserName, out nBytesReturned);
                         string sUserName = bRet ? Marshal.PtrToStringUni(pUserName) : null;
                         if (pUserName != IntPtr.Zero) WTSFreeMemory(pUserName);   // the query buffer is ours to free
                         //Console.WriteLine("User Name: {0}", sUserName);
                         if (softplc == 0)
                         {
                             sysun[Index] = sUserName;
                             allsysun += sUserName + " ";
                         }
                         if (sysun.Length > nSessions)
                         {
                             // a session went away: drop the baseline and rebuild it on the next pass
                             Index = 0;
                             sysun = null;
                             break;
                         }
                         if (sysun.Length < nSessions && !sysun.Contains(sUserName))
                         {
                             if (sUserName != null)
                             {
                                 //sysun[Index] = sUserName;
                                 string usrmail = sUserName;
                                 usrmail += " (LOGGED ON)";
                                 MessageBox.Show(sUserName + " LOGGED ON"); //DING!
                                 sendmail(usrmail);
                                 sysun = null;
                                 break;
                             }
                         }
                         pCurrentSession += nDataSize;
                     }
                     WTSFreeMemory(pSessions);
                 }
             }
         }
     }

     --just found out coding all that in the STATHREAD section of the .net app keeps the winapp icon from appearing in the taskbar and alt-tab app switcher (couldn't find the shrugger emoji). Thnx for the thnx
    1 point
  25. This requires knowledge of git internals. All versions of pyarmor ever released can be found on their GitHub repo: https://github.com/dashingsoft/pyarmor-core/ Essentially what you need to do is hash search (md5/sha etc.) your target pyarmor dll/pyd in that repo to find the file and thus the commit. However, there's another point to keep note of. As mentioned in this thread, pyarmor now bundles the license data within the dll/pyd. Hence the license data would lead to a different hash in spite of the rest of the dll/pyd contents being the same. To solve this problem, instead of hashing the whole file you can hash only a part (say the last 10 KiB of the target dll/pyd, which excludes the license data) and search all blobs in the repo which have the same hash for the last 10 KiB bytes. You can use a library like gitdb for searching. Using this you should be able to pinpoint the exact commit and the corresponding file on the repo. As for the other question, the mode used can be deciphered from the numerical prefix.
     0 => NONE (dll)
     7 => JIT, ANTI-DEBUG, ADV (dll)
     11 => JIT, ANTI-DEBUG, SUPER (pyd)
     21 => VM, ANTI-DEBUG, ADV (dll)
     25 => VM, ANTI-DEBUG, SUPER (pyd)
     For example, windows.x86_64.25.py39 implies VM + ANTI-DEBUG + ADV modes using the dll pyd.
    1 point
  27. reddit.com/r/FirefoxCSS/comments/p2chzn/bookmark_height_spacing_ff_910_update/
    1 point
  28. Samsung Is the Latest SSD Manufacturer Caught Cheating Its Customers www.extremetech.com/computing/326377-samsung-is-the-latest-ssd-manufacturer-cheating-its-customers
     Facebook Has Trackers in 25% of Websites and 61% of the Most Popular Apps slashdot.org/story/21/08/29/1758218/facebook-has-trackers-in-25-of-websites-and-61-of-the-most-popular-apps www.msn.com/en-us/news/technology/there-s-no-escape-from-facebook-even-if-you-don-t-use-it/ar-AANRTjr
     Mass exploitation of Atlassian Confluence CVE-2021-26084 - Please patch immediately if you haven’t already— this cannot wait until after the weekend twitter.com/CNMF_CyberAlert/status/1433787671785185283
     Mushroom Cultivation Automation w/ Raspberry Pi www.youtube.com/watch?v=z41Wy5ZF4O8
     OpenMoji: Open-source emojis openmoji.org
     RSA chief believed cryptographers’ warnings on Dual EC DRBG lacked merit (2014) http://jeffreycarr.blogspot.com/2014/02/six-cryptographers-whose-work-on-dual.html
     Visual Studio Code now available as Web based editor for GitHub repos docs.github.com/en/codespaces/developing-in-codespaces/web-based-editor
     GateBoy – a gate-level Game Boy simulator github.com/aappleby/MetroBoy
     Music Theory for the 21st-Century Classroom musictheory.pugetsound.edu/mt21c/MusicTheory.html
     Docker Desktop no longer free for large companies www.theregister.com/2021/08/31/docker_desktop_no_longer_free/
     Windows 11 available on October 5 blogs.windows.com/windowsexperience/2021/08/31/windows-11-available-on-october-5/
     Facebook open sources Glean: a scalable code search and query engine glean.software/?open
     China has forbidden under-18s from playing games for more than three hours/week www.reuters.com/world/china/china-rolls-out-new-rules-minors-online-gaming-xinhua-2021-08-30/
     Reverse engineering software licensing from early-2000s abandonware yingtongli.me/blog/2021/08/29/drm5-1.html
     EU states looking for MS Teams/O365 alternatives news.ycombinator.com/item?id=28353718
     8 Bits of history: My first game is still available on the internet - All we are is dust in the wind smackeyacky.blogspot.com/2021/08/8-bits-of-history-my-first-game-is.html
     Arctic Adventure: A lost 1981 TRS-80 adventure game by Harry McCracken www.arctic81.com/
     Toyota halts all self-driving e-Palette vehicles after Olympic village accident www.reuters.com/business/autos-transportation/toyota-halts-all-self-driving-e-pallete-vehicles-after-olympic-village-accident-2021-08-27/
     'Worst cloud vulnerability you can imagine' discovered in Microsoft Azure arstechnica.com/information-technology/2021/08/worst-cloud-vulnerability-you-can-imagine-discovered-in-microsoft-azure/
     A CSS framework to recreate Windows 7 GUI github.com/khang-nd/7.css
     Why Facebook Is Suddenly Afraid of the F.T.C. www.newyorker.com/news/daily-comment/why-facebook-is-suddenly-afraid-of-the-ftc
     AT&T Archives: The UNIX Operating System www.youtube.com/watch?v=tc4ROCJYbm0
    1 point
  29. Even if you set the paths right, you still won't be able to build it, because the following files are missing:
     SND Crypto Scanner\Includes\Engine.inc
     SND Crypto Scanner\Sigs\CryptoSigs.inc
     SND Crypto Scanner\Sigs\HashSigs.inc
     SND Crypto Scanner\Sigs\LibSigs.inc
     SND Crypto Scanner\Sigs\MiscSigs.inc
     SND Crypto Scanner\Includes\Engine.asm
     You could disable the entire crypto scanner feature and then try to build it, but to me it's too much effort for too little benefit. (read - I'm lazy )
    1 point
  30. SND.Reverser.Tool.1.5b1 with sources https://mega.nz/file/EoFjmCjI#obPLdFKURn9JIF7uEKWVxqeN4OngWawjKtiEi2sZhKs SND.Reverser.Tool.1.5b1.zip
    1 point
  31. Hi again and thanks for the tool infos. All are working well so far (also that nice offline webpage tool). Only the old SND_RT tool gets deleted by Defender (Ransomware). Anyway, the other tools also have pretty much the same functions included that I can use there. Thank you. greetz
    1 point
  32. Here's the SND one you mentioned. SND_RT.zip
    1 point
  33. You can get this from our own forum and also read the full thread in the process: Download it: https://forum.tuts4you.com/applications/core/interface/file/attachment.php?id=8499
    1 point
  34. Both of Your Challenges are Unpacked Successfully. How to Unpack ? Proof - HVM-hvm.exe HVM-cleaned_debug.exe
    1 point
  35. How to Unpack ? Solution - 3.9.5.3.zip
    1 point
  36. Hi! I think you are looking for something like this: Link: http://www.kahusecurity.com/tools.html Or something like "Keygener Assistant": Link: https://www35.zippyshare.com/v/ZcLY8Dxm/file.html
    1 point
  37. Yup. It is a Stolen DNGuard. You have to restore the Bodies from the Runtime and then append in the main assembly. After devirt you can remove the strings or proxies. There is nothing much to tell as the answer is already given. ! I was testing something. So I took this unpackme as test. Unpackme-cleaned.exe
    1 point
  38. Nirvana sued by Spencer Elden, who appeared on Nevermind’s album cover as a baby www.bbc.com/news/entertainment-arts-58327844 arstechnica.com/gaming/2021/08/adult-who-used-to-be-the-nevermind-baby-says-nirvana-album-cover-is-child-porn/
     Scientists 3D bioprint Wagyu beef-like meat (WTF) eandt.theiet.org/content/articles/2021/08/scientists-3d-print-wagyu-beef-like-meat/
     Samsung says it can remotely disable stolen TVs www.theverge.com/2021/8/25/22640876/samsung-television-block-function-stolen-tv-sets-south-africa
    1 point
  39. Fully unpacked V3: So I noticed that the dll and the executable are both protected with .NET Reactor. The dll has 5 virtualized methods. The purpose of that is probably to prevent people from cracking the unpackme. Since this is not a crackme, I have decided to fully unpack cuz I have a lot of free time to do it. I just dragged the files to my deobfuscator, so I'll just explain the steps of what my deobfuscator did to deobfuscate the contents of the unpackme.
     1. Get rid of the code flow obfuscation. You can use Hussaryn/NET-Reactor-Cflow-Cleaner-6.7.0.0 since this one is updated. I haven't tested this one though, so I am not sure.
     2. Detect necrobit and read encrypted method bodies in resources. The method bodies are stored in resources and the decryption routine has a part in the code that has a randomly generated mutation. The trick to that is using a CIL emulator. I use DNEmulator, but the repository is gone. I think the de4dot emulator is good enough for this one.
     3. Do step 1 again since it might have control flow obfuscation applied to some methods. You could also read this blog and use reflection to get the decrypted method bodies. It is explained where .NET Reactor stores its decrypted method bodies. But I am not a fan of using reflection, so I don't want that. I guess this should work on most unpackmes but not all since it is lacking something.
     4. Detect obfuscated ldtokens. The obfuscated token is not really obfuscated. It is just stored as an integer and some function resolves the token and returns the runtimetypehandle of that.
     5. Detect and devirtualize virtualized functions. I learned a lot from @TobitoFatito's explanation. The Instruction Set Architecture of the .NET Reactor VM is almost the same as .NET CIL. So it should be easy to understand the VM if you already understand .NET CIL.
     6. Do step 1 again since it might have control flow obfuscation applied to some devirtualized methods.
     7. Detect and decrypt string encryption. The decryption routine is similar to the necrobit decryption routine and the encrypted string data is stored in resources. Once the resource data is decrypted, you can find the calls that are using the decryption method and get the string data by acquiring the first argument, using that to go to the offset of the decrypted data, reading the first 4 bytes and converting them to int32 to get the string length. Then read the string data after the string length data.
     8. Detect and decrypt resource encryption. The resources have more than 1 decryption mode and are also compressed. I think the method that de4dot uses for this one still works. Code: ResourceResolver.cs
     9. Use de4dot to clean the rest and fix names.
     Files: WindowsFormsApplication41-Deobfuscated-cleaned.exe WindowsFormsApplication41yippi-Deobfuscated-cleaned.dll
    1 point
  40. Language: C# .Net
     Platform: Windows x32/x64
     OS Version: All
     Packer / Protector: Agile.Net v6.6
     Description: Hi everyone, hope one of you friends can unpack the target and teach us how to unpack it
     Screenshot:
     Secured.rar
    1 point
  41. I am of the opinion that any solution posted here should be reproducible (hence the name tuts4you). Anyone reading my solution should be able to follow the steps and get to the same conclusion. For the case of a VM, since they are complicated beasts, it means it gives me only two options: I would have to release the source code of any type of devirtualizer that I would've made, or I would have to spend an entire blog post talking about how VMP's VM works and how to reverse it. While I genuinely enjoy doing both, both options take a lot of time, something I have very little of these days. But even if I had the time, it's arguably not really worth it. If I were to make a devirtualizer for VMP and release it, it will not take long for the VMP developers to catch on and update their software. Unless the devirtualizer was made in such a way that it would be resistant towards the kinds of changes (which again, takes more time), it means it is probably only going to be useful for a short period. Just doing this for a single unpackme posted on a forum does not really make it worth it for me. Also, while I generally don't have any problem with publishing articles or source code (unlike other people that post solutions here it seems), I do have a problem with potentially harming other people's businesses. I am not a fan of releasing devirtualizers or unpackers for protectors that are still in business and have customers. From a legal and ethical perspective, that's just not something I would do easily. Generally speaking though, with reverse engineering it is often not required to fully unpack anyways. You extract what you need and leave out the unimportant business. In a lot of cases that does not require a full deobfuscation. Especially not with keygenme's like these. Maybe someone else thinks differently about that, and does pick this up as a challenge though
    1 point
  42. Methodology - Since it is a CrackMe, I won't bother myself to generate/find a valid serial by understanding the algo. So I'm simply gonna patch it to accept any key or show the valid message from any of that. Thanks to the RCE community members from all those different forums who shared their knowledge with the public. Valid Key - Steps - Image - Method 2 - Since it is a CrackMe, these methods make sense, but in a real-world app these are not so useful. We need to devirt the app to fully read the code. So you can follow my 1st comment regarding complete unpacking of your code.
    1 point
  43. Hello, This isn't anything new... It's just DNGuard 3.9.6.2 with some additional attributes and slight attempts at rebranding. We can also see this in the native dll it drops. This is not the first time NETProtect.IO is using other protectors under their own brand name. First it was NETGuard, then Agile.NET, CawkVM, and now DNGuard 😕 As for unpacking DNGuard, I have not done a lot of research into it. If anyone has and is willing to share the research and knowledge I think we all would be thankful.
    1 point
  44. No, it really isn't. It stops 10-year olds from running ready made tools, and that's about it. Password is: There are 3 ways to solve it:

      Easy way (1/10): open file in hex editor, check the strings and find solution there.
      Slightly harder (2/10): run crackme under any tracer/profiler, see what functions it calls, see correct string as one of the parameters.
      "Extremely hard" (3/10): open DnSpy and Visual Studio and fix OldRod source code. You'll need like 5 minutes for that.

      1) Compare original KoiVM method handlers with DiamondVM method handlers: KoiVM: DiamondVM: As you can see, DiamondVM has 2 useless string arguments and "id" parameter has been moved from 2nd position to 1st. Side note - DiamondVM author tried to get rid of "id" parameter and use A_3.Length instead. However he/she failed miserably and "id" is still there..

      Open OldRod file OldRod.Pipeline\Stages\VMMethodDetection\VMMethodDetectionStage.cs and change method signatures + parameter count:

      //..around line 36..
      /*
      private static readonly IList<string> Run1ExpectedTypes = new[]
      {
          "System.RuntimeTypeHandle",
          "System.UInt32",
          "System.Object[]"
      };

      private static readonly IList<string> Run2ExpectedTypes = new[]
      {
          "System.RuntimeTypeHandle",
          "System.UInt32",
          "System.Void*[]",
          "System.Void*",
      };
      */

      private static readonly IList<string> Run1ExpectedTypes = new[]
      {
          "System.UInt32",            // moved
          "System.String",            // useless
          "System.RuntimeTypeHandle",
          "System.String",            // useless
          "System.Object[]"
      };

      private static readonly IList<string> Run2ExpectedTypes = new[]
      {
          "System.UInt32",            // moved
          "System.String",            // useless
          "System.RuntimeTypeHandle",
          "System.String",            // useless
          "System.Void*[]",
          "System.Void*",
      };

      // ...around line 158 ...
      switch (method.Signature.ParameterTypes.Count)
      {
          //case 3:
          case 5:
              if (HasParameterTypes(method, Run1ExpectedTypes))
                  info.RunMethod1 = method;
              break;
          //case 4:
          case 6:
              if (HasParameterTypes(method, Run2ExpectedTypes))
                  info.RunMethod2 = method;
              break;
      }

      Build your modified OldRod and run it with parameter "--koi-stream-name #VM " to work around other change in DiamondVM. Done! Devirtualized file attached. UnpackMe.exe_VM-cleaned.zip
    1 point
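      Added example, not from the post above and not OldRod's own code: a stand-alone C# sketch of the signature check that the modified VMMethodDetectionStage relies on. Instead of replacing the KoiVM layouts with the DiamondVM ones as the patch does, it keeps both side by side and uses the parameter count to pick the candidate list, so either flavour of run method is recognised from a method's parameter type names. The type-name strings and the sample signatures in Main are constructed for the demo; OldRod's real HasParameterTypes inspects the method's metadata signature rather than a list of strings, which this example does not replicate.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Stand-alone demo of the run-method signature check (not OldRod's code).
static class VmRunMethodMatcher
{
    // Original KoiVM layouts, as quoted in the post.
    static readonly string[] KoiRun1 =
        { "System.RuntimeTypeHandle", "System.UInt32", "System.Object[]" };
    static readonly string[] KoiRun2 =
        { "System.RuntimeTypeHandle", "System.UInt32", "System.Void*[]", "System.Void*" };

    // DiamondVM layouts, as quoted in the post: "id" moved to the first
    // position and two unused string parameters inserted.
    static readonly string[] DiamondRun1 =
        { "System.UInt32", "System.String", "System.RuntimeTypeHandle", "System.String", "System.Object[]" };
    static readonly string[] DiamondRun2 =
        { "System.UInt32", "System.String", "System.RuntimeTypeHandle", "System.String", "System.Void*[]", "System.Void*" };

    // Exact, ordered comparison of full type names (assumption: names are
    // already normalised to the "System.X" form used in the expected lists).
    static bool HasParameterTypes(IReadOnlyList<string> actual, IReadOnlyList<string> expected)
        => actual.Count == expected.Count && actual.SequenceEqual(expected, StringComparer.Ordinal);

    // Mirrors the switch in VMMethodDetectionStage: the parameter count selects
    // which expected layout to test. Returns null when nothing matches.
    public static string Classify(IReadOnlyList<string> paramTypes)
    {
        switch (paramTypes.Count)
        {
            case 3: return HasParameterTypes(paramTypes, KoiRun1) ? "Run1 (KoiVM)" : null;
            case 4: return HasParameterTypes(paramTypes, KoiRun2) ? "Run2 (KoiVM)" : null;
            case 5: return HasParameterTypes(paramTypes, DiamondRun1) ? "Run1 (DiamondVM)" : null;
            case 6: return HasParameterTypes(paramTypes, DiamondRun2) ? "Run2 (DiamondVM)" : null;
            default: return null;
        }
    }

    static void Main()
    {
        // Constructed sample signatures (hypothetical; not taken from any binary).
        var samples = new[]
        {
            new[] { "System.RuntimeTypeHandle", "System.UInt32", "System.Object[]" },
            new[] { "System.UInt32", "System.String", "System.RuntimeTypeHandle", "System.String", "System.Void*[]", "System.Void*" },
            new[] { "System.String", "System.UInt32", "System.RuntimeTypeHandle", "System.String", "System.Object[]" }, // wrong order
            new[] { "System.String", "System.Int32" },
        };

        foreach (var s in samples)
            Console.WriteLine($"({string.Join(", ", s)}) => {Classify(s) ?? "not a VM run method"}");
    }
}
```

      The third sample shows why the check is ordered rather than a bag-of-types comparison: it contains exactly the same type names as the DiamondVM Run1 layout, but with the two leading parameters swapped, and is correctly rejected.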
  45. Since the challenge description allows it, I'm going for the quick serial fish for now Approach:
    1 point
  46. Your topic has not been approved. You did not follow the correct posting format and/or did not provide enough information regarding the challenge. You have 48 hours to correct your topic before it will be moved to the Trashcan. For further details regarding the formatting of the topic please refer to the topic in the below link... [This is an automated reply]
    1 point
  47. [.NET]实战UnpackMe.mp4 -> https://mega.nz/#!YxwQSAxA!Lwd9XStVyue8fdYKZXmYkoDxE0Y7ftsyNYtBKLTRrGM
    1 point
  48. Hi, so why do you not include a new compiled titan.dll for users who don't work with any programming language etc, you know? Question: So why do you guys not start a project to create an almost all-in-one dll which has many features & functions of other dlls? This would be nice if there are already some sources to get. MultiFunction.dll -------------------------- Add Titan Add beaEngine Add Disasm Add Scylla Add etc... Add Custom functions by other users by request / ideas etc -------------------------- So at the end you will have an all-in-one dll. So I think this kind of project would be a very interesting one, or? So I am no coder, but for me it sounds to be a good idea, and if I could do this then I would also try to do this if possible. greetz
    1 point