Jump to content
Tuts 4 You


Popular Content

Showing content with the highest reputation since 06/21/2019 in all areas

  1. 8 points
    I created a spinner type control to add to the ModernUI controls (based on an my original version a few years ago: http://masm32.com/board/index.php?topic=1179.0) - typically used when loading, pre-loading or processing something and to hint or indicate to the user something is occurring - similar in that regard to progress bar controls. Download The control can be downloaded via the ModernUI repository or downloaded directly from this link: https://github.com/mrfearless/ModernUI/blob/master/Release/ModernUI_Spinner.zip?raw=true Example I created an example project to demonstrate it. The example (which includes a Radasm project) can be downloaded via the ModernUI repository or downloaded directly from this link: https://github.com/mrfearless/ModernUI/blob/master/Release/MUISpinner1.zip?raw=true There are a number of ways of adding image frames to the ModernUI_Spinner control. The most basic level is to add individual images to construct the spinner animation. This can be done with the MUISpinnerAddFrame or MUISpinnerLoadFrame - using an image handle that is already loaded or using a resource id of an image. For example, the first spinner it is comprised of 8 separate bitmap images: For images that are circular, it can be more convenient to use the MUISpinnerAddImage or MUISpinnerLoadImage functions, as these only require one image. The image is copied a number of times into frame images - as specified by the dwNoFramesToCreate parameter. Each new frame image is incrementally rotated - based on the angle calculated for each new frame image. The bReverse parameter if set to TRUE will set the spinner animation to counter-clockwise. Note: the MUISpinnerAddImage or MUISpinnerLoadImage functions only work with png images or png's stored as RCDATA resources. The far right spinner on the top row is created via loading a single png image: Once loaded it is rotated and new frames are created to enable it to look like this: For more complicated spinners, or spinners that are not circular in nature, the MUISpinnerAddSpriteSheet and MUISpinnerLoadSpriteSheet functions are provided. These allow you to provide a long (wide) image (bitmap, icon or png) handle (or resource id) that contains all the spinner frames in the one image. The image frames are extracted out of this image. The amount of frame images in the spritesheet is passed via the dwSpriteCount parameter. The clock spinner is a good example of this, as it can't be rotated due to the buttons around its edge: So either it can be constructed by manually adding each frame or by using a spritesheet like so: Which looks like this once all the individual frames are extracted: I put some compile time conditions to allow for using of TimerQueue, Multimedia Timer or WM_TIMER for the animation of the spinner. There is also a ModernUI_Spinner.h file for c/c++ - but as I don't actively use that language there may be some typos or mistakes or wrong types specified (I haven't tested it). The Icons8 website is a good source for spinners, and they can be adjusted for size and color etc before downloading - including under the additional download options button as a spritesheet (using apng format). Take note of the frames value, as you will need to use this so that the spritesheet can be divided up into the correct individual frames. https://icons8.com/preloaders/en/search/spinner
  2. 6 points
    Answer The password is "gamer vision". All of the following addresses are based on the modulebase 0x00007FF644840000. The possible OEP at: 00007FF644841DF8 | 48:895C24 20 | mov qword ptr [rsp+20],rbx 00007FF644841DFD | 55 | push rbp 00007FF644841DFE | 48:8BEC | mov rbp,rsp 00007FF644841E01 | 48:83EC 20 | sub rsp,20 ... Then the second hit in code section at: 00007FF6448416FC | 48:895C24 08 | mov qword ptr [rsp+8],rbx 00007FF644841701 | 48:897424 10 | mov qword ptr [rsp+10],rsi 00007FF644841706 | 57 | push rdi 00007FF644841707 | 48:83EC 30 | sub rsp,30 ... After prompted "enter password.", the input routine at: 00007FF644841400 | 48:8BC4 | mov rax,rsp 00007FF644841403 | 57 | push rdi 00007FF644841404 | 41:54 | push r12 00007FF644841406 | 41:55 | push r13 00007FF644841408 | 41:56 | push r14 00007FF64484140A | 41:57 | push r15 00007FF64484140C | 48:83EC 50 | sub rsp,50 ... the pointer of local buffer for receiving input text is in rdx(for example, 000000359CC9FA58). When entered some test characters, stack looks like: 000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00 "123456789012" 000000359CC9FA68: 000000000000000C input size 000000359CC9FA70: 000000000000000F buffer size Whereafter, the process logic virtualized. First of all, the length of input text got checked in a vCmpqr handler: 00007FF644898E0B | 49:39F0 | cmp r8,rsi ; r8=000000000000000C(actual), rsi=000000000000000C(const) The length MUST be 12!, else got "no!". NOTE: the encrypt password has no chance to get decrypted if input length is wrong! The answer String is encrypted(0xC length): 00007FF64484BCB0 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00 decrypt algo: 00007FF6448BF3A6 | 40:8A36 | mov sil,byte ptr [rsi] rsi=00007FF64484BCB0, sil=8B 00007FF6448D4125 | 44:30DB | xor bl,r11b bl=8B, r11b=08; ^=08 = 83 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 83 00007FF64485748F | 8A09 | mov cl,byte ptr [rcx] [00007FF64484BCB0] -> 83 00007FF64485E6FA | 44:00D7 | add dil,r10b dil=83, r10b=E4; +=E4 = 67 'g' 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 67 00007FF64488DA96 | 49:FFC4 | inc r12 ptr++ 00007FF644859691 | 41:FFC9 | dec r9d length-- 00007FF64488743C | 85C8 | test eax,ecx end loop if length zero At the end of loop, the plaintext: 00007FF64484BCB0 67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00 gamer vision.... The comparison: 00007FF6448424E7 | FF25 330C0000 | jmp qword ptr [<&memcmp>] ret rax=00000000FFFFFFFF/0000000000000000(if matches) rcx=000000359CC9FA58 "123456789012" rdx=00007FF64484BCB0 "gamer vision" r8=000000000000000C Strings Encrypted Structure BYTE bEncrypt // 1 - encrypt, 0 - decrypt DWORD dwLength BYTE UnDefined[0xC] BYTE CipherText[dwLength+1] The related messages as followings, you can find them in the VM Section ".themida" after it got unpacked at the very beginning of the application. 00007FF6448AC79F 01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00 decrypt algo: ^A0+4F 00007FF6448AC7AF 00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F "enter password.\n" 00007FF6448AC7BF 1B 00 00007FF64484BC9F 01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00 decrypt algo: ^08+E4 00007FF64484BCAF 00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 "gamer vision" 00007FF644886C7F 01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00 decrypt algo: ^85+10 00007FF644886C8F 00 EC D0 E6 94 7F 00 "yes!\n" 00007FF64489252F 01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00 decrypt algo: ^65+C9 00007FF64489253F 00 C0 C3 3D 24 00 "no!\n" 00007FF64484C40F 01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00 decrypt algo: ^12+C6 00007FF64484C41F 00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48 "press enter to continue.\n" 00007FF64484C42F 8F BB BA BC B1 BA BD 8D 7A 56 00
  3. 6 points
    [.NET]实战UnpackMe.mp4 -> https://mega.nz/#!YxwQSAxA!Lwd9XStVyue8fdYKZXmYkoDxE0Y7ftsyNYtBKLTRrGM
  4. 6 points
    @mdj: 使用x64dbg暴打非托管强壳.mp4 -> https://mega.nz/#!Y5JBTaCS!hJXzN5ssvUyRHW8VgpGxINEVrW1zJ2Up96vqqJVG5co I can upload the second video tomorrow, if you need that too. @all: Please be nice and don't abuse the link, it is a free Mega account and has traffic limitations.
  5. 4 points
    Hello, so I keep getting asked what’s the best obfuscators around so I am posting this so I don’t keep repeating it. I have decided to give my opinion on all obfuscators if I am missing any let me know If you are a developer of any of these obfuscators don’t take what I say as an insult use it to improve DNGuard - an obfuscator I used to say was Chinese crap however I’ve recently spent some time analysing this and can say that the HVM technology is very strong and makes unpacking a lot harder. However when not using the HVM setting it makes unpacking extremely simple with jit dumping and can use codecrackers unpacker for this. Compatibility on this obfuscator is its biggest flaw (along with price) which can be a big NO for a lot of people as this protector can cause files to not run on certain .NET frameworks if they fixed this issue and improved compatibility across systems it would make this obfuscator much better. Price is extremely high but I suppose has worked in its favour with not many files around and extremely hard to get test files to test features. Eazfuscator - a .NET VM that has been around for a while now with the last unpacker for version 4.8 I think from saneki on GitHub. Since then Eazfuscator has improved a lot however the concept stays the same and sanekis unpacker is still a brilliant base to start from. Meaning that an unpacker for this isn’t extremely difficult. The compatibility and performance of this obfuscator is actually fairly good for a VM and tells the user not to overuse the VM and only apply on secret methods as to save performance. The problem with Eazfuscator is that any protection method apart from the VM isn’t good, de4dot handles the control flow perfectly and the strings can be easily decrypted by either updating de4dot code which isn’t too hard or simply invoke. So if you’re app is sensitive on performance then maybe avoid this one as for all VMs performance is hurt no matter how efficient it is. In conclusion I do think this obfuscator is one of the top of its game as even with the old unpackers it’s still a lot of work to update ILProtector - An obfuscator I really do like the concept of keeping performance and security balanced, however in recent times with the release of dynamic unpackers it has kind of died as it seems the developer is applying small patches instead of fixing this properly so each unpacker only requires a few changes. In terms of static unpacking they have this down well, it’s actually a very hard job to statically unpack this protector so if they were to patch the dynamic flaws it would quickly appear back at the top but it’s credibility has been stumped due to the release of unpackers that I think may still work on the latest version (something I haven’t checked). Compatibility and performance on this obfuscator are good but one flaw of this obfuscator is that if the dynamic method is decrypted the original ilcode is there, they apply no MSIL mangling which in my eyes they should do both. Agile.Net another .NET VM however I haven’t analysed this myself that much but a few things I have noticed is that updating de4dot to support the latest version is not all that challenging however it is time consuming, a few modifications to de4dot can make it supply all the data you need to update it for the VM. the method encryption can be removed by jit dumpers from codecracker, from what I’ve seen in de4dot the obfuscator isn’t to hard to completely unpack but we have to thank 0xd4d for all he has done on this obfuscator he has done all the hard work for us so it’s just a matter of taking his code and updating, yes this takes a very long time to do Netguard - Now this is one I’m very familiar with, as most people know netguard is a modified confuserex however a fairly heavy modification. Now the actual protection isn’t that strong however for its price it’s very good, the base of netguard is still the same concept as confuserex and many of its protections can be defeated in the exact same way, the only real changes are the native stub and mutations. However once you remove these protections like control flow and constants can be removed in the same theory as I use in my confuserex unpacker2. This obfuscator like I said is the best for its price however if you’re looking for something better there are other options if you’re willing to pay, now compatibility and performance on netguard are something that it’s known for and not in a good way, it has improved a lot recently however they still add lots of junk that adds no real benefit and just slows down code. Appfuscator - now I don’t know why people don’t use this obfuscator anymore. In my eyes it’s still extremely powerful, codecrackers tools are not stable and if you’re tool is larger than a crackme then it will fail, appfuscator uses opaque predicates and CFG to generate its control flow both of which have no public solvers for so is an extremely powerful obfuscator especially if you mix it with something custom. Performance wise this is actually negligible effect so still to this day one of the higher rated obfuscators. Babel.Net - this is similar to ilprotector in the way it makes dynamic methods however in a different approach. The good thing about this obfuscator is that it provides you with more options than just encrypt msil where you have cflow constants and other expected protections making it not as simply as dumping the dynamic method. The dynamic methods itself are not tricky to solve dynamically similar to ilprotector, invoke the correct method and you have the dynamic method ready to read with dnlib. Statically it gets slightly more complex however a few hours debugging with dnspy and some static analysis will reveal its secrets of how it decrypts the encrypted bodies. Performance and compatibility wise I don’t really know enough about it but I’ve not really seen many complaints about it ArmDot - a relatively new .NET VM which I’m fairly interested in. At its current stage it needs polishing, they currently put the whole vm into each method it’s encrypted making it extremely slow. I explained to the developer that it holds no real benefit as to devirtualize it follows the same concept as all vms which is find the instruction handlers and convert back as most are 1:1 with CIL it makes this step relatively easy once you have detected all handlers however if this obfuscator works on your file and performs well I do recommend it especially as its new and being actively worked on and the developer is always interested in seeing ways to improve which is a good thing. KoiVM - another magical creation from yck so do we expect anything other than greatness. Now this was something he sold to customers until he left the scene and trusted XenoCodeRCE with and gave it him to improve and use. Xeno decided that he would sell this to others and ended up causing it to be leaked on GitHub however let’s ignore that. KoiVM is absolutely insane and different to all other VMS we talked about so far. This doesn’t relate 1:1 with CIL and actually converts it to a form of ASM meaning if you manage to get all the code back you then need to translate ASM to CIL which again is no easy task. People think because it’s opensource it makes it not worth it. Remember confuser/ex was open source and undefeated for a long time. KoiVM is on another level compared to those. Compatibility and performance does take a hit and has limitations which you can read on koivm website now if you’re app works fine and you’re happy with performance then I would strongly suggest sticking with it. You can even make modifications to confuserex and use it with that as after all it’s a confuserex plugin. These are just my thoughts and personal opinions on these obfuscators. I do not mean any disrespect to the developers apart from what I think is good and bad. If you would like further explanation on anything let me know or any specific obfuscator that I haven’t covered as I most likely have some sort of opinion on it feel free to ask Regards Cawk
  6. 3 points
    Which is a bloody stupid idea in the first place. Just don't do it. To answer the question - the cause of your problem is MUI files that were introduced in Windows Vista. They enable you to have Windows UI in your own (non-English) language. If you copy some of the Windows built-in executables, you also need to copy the corresponding MUI file to correct subfolder, otherwise it won't be able to load correct resources and you'll see the error you mentioned. Example: Further reading: https://docs.microsoft.com/en-us/windows/win32/intl/mui-fundamental-concepts-explained https://afana.me/archive/2016/06/27/restoring-classic-calculator-in-windows-10.aspx/ https://ntcore.com/?p=266
  7. 3 points
    I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator I try my best to introduce it using English 1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5) 2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run 3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod" 4.fix pe header and maybe you shoud also fix .net header This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies. If you can not understand it, you can reply me. Best wish.
  8. 3 points
    https://github.com/x64dbg/x64dbg/releases https://github.com/wwh1004/ExtremeDumper/releases
  9. 2 points
    I led you astray when I stated getting the higher privileged window to change the lower privileged window. Apologies for that! What you need to do is have the higher privileged window change its own handles (window, gadget, etc.) to accept specified messages. In the example below a lower window wants to send #WM_SETTEXT to a higher window. It will not be able to complete this because of UIPI... EnableExplicit Enumeration Windows #Window #Gadget EndEnumeration Declare ChangeWindowMessageFilter() If OpenWindow(#Window, 0, 0, 300, 60, "Window1 - Sender (Low UIPI)", #PB_Window_ScreenCentered | #PB_Window_SystemMenu) ButtonGadget(#Gadget, 5, 5, 290, 50, "CLICK ME!") Repeat Select WaitWindowEvent() Case #PB_Event_Gadget Select EventGadget() Case #Gadget ChangeWindowMessageFilter() EndSelect Case #PB_Event_CloseWindow End EndSelect ForEver EndIf Procedure ChangeWindowMessageFilter() Protected Window, Child Window = FindWindow_(#Null, "Window2 - Receiver (High UIPI)") Child = GetWindow_(Window, #GW_CHILD) SendMessage_(Child, #WM_SETTEXT, 0, "Some text") EndProcedure The example below is the higher window. It wants to receive #WM_SETTEXT from the lower window to change the text of a gadget. Note that I am getting the handle of the gadget and using ChangeWindowMessageFilterEx to allow window messages to be sent from the lower window. EnableExplicit Enumeration Windows #Window #Gadget EndEnumeration Declare ChangeWindowMessageFilter() Global User32 = OpenLibrary(#PB_Any, "user32.dll") Prototype.i ChangeWindowMessageFilterEx(hwnd, message, action, pChangeFilterStruct) Global ChangeWindowMessageFilterEx.ChangeWindowMessageFilterEx ChangeWindowMessageFilterEx = GetFunction(User32, "ChangeWindowMessageFilterEx") If OpenWindow(#Window, 0, 0, 300, 60, "Window2 - Receiver (High UIPI)", #PB_Window_ScreenCentered | #PB_Window_SystemMenu) ButtonGadget(#Gadget, 5, 5, 290, 50, "CLICK ME!") Repeat Select WaitWindowEvent() Case #PB_Event_Gadget Select EventGadget() Case #Gadget ChangeWindowMessageFilter() EndSelect Case #PB_Event_CloseWindow End EndSelect ForEver EndIf Procedure ChangeWindowMessageFilter() #MSGFLT_ALLOW = 1 ; Modifies the User Interface Privilege Isolation (UIPI) message filter for a specified window. If ChangeWindowMessageFilterEx(GadgetID(#Gadget), #WM_SETTEXT, #MSGFLT_ALLOW, #Null) SetGadgetText(#Gadget, "Sender Can Now Change This Text") Else SetGadgetText(#Gadget, "Something Went Wrong!") EndIf EndProcedure 1) Run both executables. 2) Click "CLICK ME!" in Window1 a few times and you will notice nothing changes in Window2 3) Click "CLICK ME!" in Window2 and it will update the message filter of its gadget to accept WM_SETTEXT. Button text should change now. 4) Click "CLICK ME!" in Window1 and the button (gadget) text in Window2 should now change. Ted. ChangeWindowMessageFilterEx.zip
  10. 2 points
    ...or just use MSDN key that's available on the net and avoid all that insanity. NYWVH-....
  11. 2 points
    or simply use tools like RunAsDate
  12. 2 points
    I am mostly wondering why an unpackme needs an anti VM mechanism in place. I am not running any foreign binaries on my host machine. Yes I can patch it myself, but what is the point? Given the fact that it also takes a huge amount of time to even start up, I find it a little unsettling if I have to be honest.
  13. 2 points
    Got a chance to check out Ghidra 9.0.4 (released in May) to compare again and will say they have really optimized the disassembler compared to before. A file I work with often in IDA for a specific game now takes around the same time to disassemble in Ghidra which is a lot better than before. (The previous 9hr post was not for this file, will test that one again in the future.) The decompiler has seen some improvements as well which for this file results in some nice output, a bit cleaner than HexRays even at times. Would say in the short time of it being open source, things have shaped up pretty well for this tool.
  14. 2 points
    There is no reason to copy cmd.exe outside the windows directory, and I very much doubt this is supported or even something Microsoft ever considered. Maybe you can get rid of t he error by setting its current-working-directory to c:\windows\system32, but the real solution here is to not copy cmd.exe outside the system folder.
  15. 2 points
    https://www.uperesia.com/hancitor-packer-demystified Ted.
  16. 2 points
    View File Imports Fixer - Legacy Archives This is a complete collection of public and private builds of Imports Fixer (mainly a collection of private builds). I am uploading all of these for posterity reasons before they are deleted and for those people who like to look over this stuff. Most of these old builds will not work on modern Windows OS's and IF is no longer being developed so do not expect them to function correctly. If you need to use an imports fixer I suggest turning to a publically accessible imports builder such as Scylla. It is more feature complete, supports modern OS builds and is open source - so you can fix any bugs. In advance of questions regarding IFv1.7, this version was never completed and no private builds were released. Version 1.6 is where all the fun ended... Ted. Submitter Teddy Rogers Submitted 06/28/2019 Category Tools & Utilities  
  17. 2 points
    Hi New Update with more features : https://github.com/Ahmadmansoor/AdvancedScript AdvancedScript version 4.3 https://github.com/Ahmadmansoor/AdvancedScript/releases * Add new commands and fix some bugs * fix error load of the Auto Commands when there is no ; * Fix AutoRun and stepson ( wait command to finish). * Fix color variable name. * Add ReadFile , Write2Mem , ReadMem * Add GoToByBase Form ( https://www.youtube.com/watch?v=gQxlbC8RnRg ) * Assigne variable directly no need to Setx Command. Sample : Varx str,memory // var will hold the hex value Varx int,rax_,0 // read rax value +1 Varx str,ourStr // read test string ReadMem $memory,{rax},5 $rax_={rax} +1 $rax_=ads.exebase ReadStr $ourStr,{rdx}
  18. 2 points
    This is the same as #2...Rename 'JNE' to 'JMP' and it will automatically become registered. As the same for my #2 I also created a patch for this but using a different patcher. I used AT4RE's Patcher. Simple CrackMe #1 Patch.exe
  19. 2 points
    Download: https://github.com/horsicq/pex64dbg/releases Sources: https://github.com/horsicq/pex64dbg More Info: http://n10info.blogspot.com/2019/05/pe-viewer-plugin-for-x64dbg.html
  20. 1 point
    Make sure the higher privileged application is the one changing the message filter of the lower privileged window. Ensure you have the correct window handle of the lower privileged window. Have a read through the remarks for ChangeWindowMessageFilterEx. Another thing to be mindful of is if you allow multiple instances of the same application. You may need to consider using mutex's or assigning unique identifiers to each application... Ted.
  21. 1 point
    https://visualstudio.microsoft.com/es/vs/support/community-edition-expired-buy-license/ really need login for unlock the ide, only that Community Edition is free. You just need to sign-in with your Microsoft account and everything will be fine again. im was using from 2017 to today..never i was need a licence .. only login BR, Apuromafo
  22. 1 point
    Visual Studio Community also expires: I mean you still have to register online: https://www.quora.com/Visual-Studio-Community-Edition-2017-is-alerting-me-that-Your-30-day-free-trial-has-ended-activate-license-or-close-Why-would-this-be-happening
  23. 1 point
    Just be mindful of UIPI and process elevation levels if you plan on using SendMessage. Otherwise you will need to look at changing window message filters (ChangeWindowMessageFilterEx) of lower privileged windows. You can check if your messages are being blocked by calling GetLastError and checking for access denied (5)... Ted.
  24. 1 point
    Another option is to use WM_COPYDATA https://docs.microsoft.com/en-us/windows/win32/dataxchg/wm-copydata The following example demonstrates how to send information between two applications using the WM_COPYDATA message: https://docs.microsoft.com/en-us/windows/win32/dataxchg/using-data-copy
  25. 1 point
    Depends on how much data you intend on exchanging as there are a number of different options. This link explains some of them... https://docs.microsoft.com/en-au/windows/win32/ipc/interprocess-communications Ted.
  26. 1 point
    pleas explain how u unpack it?
  27. 1 point
    I'd be sure that they made a devirt only if i saw the koivmhelper.dll without dnguard, for some reason i think that they check the parameters and the calls with the handle invoker Why would i think of that? well i've searched the 'devirted' file and i've only seen this change (on vcall opcodes) which basically changes the methodinfo.invoke to be invoked from the .dll? (which makes it easy to change the result and also check the parameters and the call) Another thing i found is that they load all the stuff from the resources instead of the metadata stream (the stuff that cant be preserved with dnspy saving) which makes me think the same thing. Final thing, i had the original vpnhunter exe with koivm and the types and methods were not differently named... which means that it hadn't been koivm'ed on top of the devirt
  28. 1 point
    I dont have access to a win10 right now, but cant you create hard-links or soft-links to the version in system32? I am not sure I understand your use case for copying it, if you explain it we can probably find a suitable workaround... Good night.
  29. 1 point
    Overcooked is free this week on Epic. Good fun for local multiplayer
  30. 1 point
    few files KoiVMHelper.dll fccbdd69174505c71a36a93193b27e5b0ed63244d36ca327438d960a0e62cd24 330 KB - 2019-06-05 KoiVMHelper.dll 76660a5a1a66d60353176edaf1f80cb08d9bec80ef583e19155913c2e89c6bbc 343 KB - 2019-05-14 KoiVMHelper.dll 5d64eecb9fcbae1bb8c23391fc8e37e2e3528d196661a1ea9719065a9f136c61 330.5 KB - 2019-05-11 KoiVMHelper.dll d2a8a294f524c54d00a3087946bfe08675c16accc93f2fbc2bc21ee67e598e36 163 KB - 2019-05-02
  31. 1 point
    and spread like this because of the loser called BEDS.
  32. 1 point
    Could be a number of things. Using GlobalFree on a memory location that has already been freed previously but the variable still holds the old reference location and another GlobalFree was called on it. Or could be stack issues or buffer overflows. Hard to chase down those sort of bugs. But at a guess its probably GlobalFree or accesing heap memory that was allocated and freed (allocated via GlobalAlloc, GlobalRealloc or VirutalAlloc etc)
  33. 1 point
    Cracked. Using: IDA Pro v7.0 Search for 'Unregistered' -> Find Verification Function -> Patch JNE to JMP using IDA's patch function -> Save -> Cracked Sadly, i couldn't find the original password. CrackMe.exe
  34. 1 point
    Its actually a PyInstaller generated executable. The first sign of this is the relatively large overlay 0x5e014c bytes ~ 6 MB. Further, you can search for one of the strings ("Failed to convert executable path to UTF-8.") on the PyInstaller GitHub repo and you would get a hit. For extracting PyInstaller binaries you can use my script pyinstxtractor.py There are also wrapper scripts on top of this for the same purpose https://github.com/countercept/python-exe-unpacker
  35. 1 point
    Should .NET unpackme's be split and separated in to their own category? If you have another suggestion or idea please explain here... Ted.
  36. 1 point
    .NET forum has been created and .NET challenges moved over. Thank you to everyone who voted... Ted.
  37. 1 point
    Hello password is : How I did it : debug used modded dnspy ((obvfuscator checks for dnspy !) or any other native debugger, and look at memory strings, the real password appears multiple times in memory due to how ConfuserEx handle strings in memory 😕 0x2a39cd8 and 0x2a88ff0
  38. 1 point
    Please can you try again and report back. If there is no improvement can you take a screenshot with the 'size' column visible so I can see what is being cached from your end. I would also be interested to know if you are using some form of HTTPS filtering (e.g. for ad-blocking)... Ted.
  39. 1 point
    Yes, i wrote some of that information on v3. Well, if it's entirely online-based that of course takes away much of the fun...
  40. 1 point
    def main(): Read: https://docs.python.org/2/howto/sockets.html https://www.tutorialspoint.com/python/python_networking.htm From my very limited python knowledge there is a problem in the way you declare the Main Method: https://www.guru99.com/learn-python-main-function-with-examples-understand-main.html So instead of: def Main(): try lower case mode: def main():
  41. 1 point
    Cannot see your image, code looks ok. Its python2 maybe u run it with 3? If you run it on linux, dont use capitals on function names - ur case Main.
  42. 1 point
    - version 4.0: 1- add RegexSearch form. 2- New GUI after replace DataGridView with RichTextBox to easy deal and fast coding. 3- edit CustomBuildStep to Auto copy files (AdvSconfig.txt , HelpAdvancedScript.txt). 4- add AutocompleteMenu.dll . 5- add copy AutocompleteMenu.dll to x64dbg root . 6- add AdvSconfig.txt for AutoComplete list for define Commands and variables. 7- update AutocompleteMenu.dll. 8- add comments_ to Variables class to add it next to the description of the variables when call them by Ctrl+j 9- call list var's by Ctrl+j 10- add ReFill_FunctionsAutoComplete_AtLoad. 11- highlight_system done for good look and analyze. 12- add autoCompleteFlexibleList to handle commands defined in AdvSconfig.txt. 13- add open Script from out side. 14- refresh by menu and F5 to refresh highlight_system. 15- add var of x64dbg system. note : by AdvSconfig.txt u can define the commands in AdvancedSecript . AdvancedScript_4.0.zip
  43. 1 point
    see here: https://forum.tuts4you.com/topic/41035-advancedscript-x64dbg-plugin/?tab=comments#comment-199721
  44. 1 point
  45. 1 point
    - version 2.8 : 1- fix a lot of bugs in calculations and get values. 2- F11 run/stop script now Enabled, F12 step script. 3- get values for nasted variables like $x[$z+1] 4- add new commands (ret ,GetAPIName ,ResizeArray ,GetArraySize ,Write2File ,inputbox). 5- add Dependency and samples Script as separate package. releases 2.8 this is sample to write a tracer: varx str,path,"E:\temp1\log.txt" varx str,addr varx str,APIname varx int,OEP,0000000140226B80 varx array,temp[1] varx int,i,0 if {rip}=$OEP,int,14d,7d resizearray $temp,1 setx $addr,{rax} GETAPIName $APIname,$addr setx $temp[$i],$addr $APIname setx $i,$i + 1 go goto 6d varx int,sizeArray,0 GetArraySize $temp,$sizeArray if $sizeArray=0,int,19d,17d write2file $path,1,$temp[$sizeArray] setx $sizeArray,$sizeArray -1 goto 16d AdvancedScript_2.8.zip
  46. 1 point
    AdvancedScript beta version it is beta version it could have bug, so please report and if u like to add more features let me know. version 2.5 beta : 1- Script window is sperate. 2- Create Folder for script,form Load script with category. 3- add more mirror Functions (xorx - pushx ...), and Functions like ( if , goto,writestr ) to shortcut the work. 4- show all variables in a list with it's values. 5- edit script onfly. 6- enable to define array with range like z[n]. 7- writestr Function. 8- run from anyware in the script. 9- rest variables list in case maintenance. 10- insert rows as much as you need. 11- insert from clipboard replace all script. 12- insert from clipboard inside the script. 13- copy separated lines to used in other script. 14- insert description without confusing . 15- add the dll file of c++ runtime for each package. 16- add some scripts samples. 17- as it is beta version so it support one step not auto step , use F12 for step, sorry for that I need to check if it work then I will add auto step :} note : I forget to say use (Scriptw) command to show the Script window , but git has stop working and copy the script sample to ur script folder in x64dbg folder and pls read the help first AdvancedScript_2.5beta.zip
  47. 1 point
    intel x86 / x64 opcode reference manuals (i think you can download them in pdf form on their site somewhere) then writing some apps in asm to get a grip for masm etc, or in c and then debug them to see how things work then lena's tuts (i've never used them though, i taught myself a long time ago, where i'd dl the opcode ref's and study them offline (inet connection was a rarity at the time for me)) pencil (to undo mistakes) and paper, to make notes, and lots of them tools like hiew, ida (never really liked ida too much as i thought it was slow), olly, x64dbg etc etc and referencing sites like this one, the masm32 site, woodmann and some others time and patience, and doing some homework before asking for help / pointers (i usually wont help people who want to get everything spoonfed to them or ask for videos etc or think they're somehow entitled)
  48. 1 point
    Unpackers tools - source code C# My source code: https://gitlab.com/CodeCracker https://github.com/CodeCrackerSND https://bitbucket.org/CodeCrackerSND/ I will NOT share (anymore) the rest of my tools!
  49. 1 point
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
  • Create New...