Tuts 4 You

Leaderboard


Popular Content

Showing content with the highest reputation since 06/23/2019 in all areas

  1. 8 points
    I created a spinner type control to add to the ModernUI controls (based on my original version from a few years ago: http://masm32.com/board/index.php?topic=1179.0). It is typically used when loading, pre-loading or processing something, to hint or indicate to the user that something is occurring, similar in that regard to progress bar controls.

    Download

    The control can be downloaded via the ModernUI repository or downloaded directly from this link: https://github.com/mrfearless/ModernUI/blob/master/Release/ModernUI_Spinner.zip?raw=true

    Example

    I created an example project to demonstrate it. The example (which includes a Radasm project) can be downloaded via the ModernUI repository or downloaded directly from this link: https://github.com/mrfearless/ModernUI/blob/master/Release/MUISpinner1.zip?raw=true

    There are a number of ways of adding image frames to the ModernUI_Spinner control. The most basic level is to add individual images to construct the spinner animation. This can be done with MUISpinnerAddFrame or MUISpinnerLoadFrame, using an image handle that is already loaded or using a resource id of an image. For example, the first spinner is comprised of 8 separate bitmap images.

    For images that are circular, it can be more convenient to use the MUISpinnerAddImage or MUISpinnerLoadImage functions, as these only require one image. The image is copied a number of times into frame images, as specified by the dwNoFramesToCreate parameter. Each new frame image is incrementally rotated, based on the angle calculated for each new frame image. The bReverse parameter, if set to TRUE, will set the spinner animation to counter-clockwise. Note: the MUISpinnerAddImage and MUISpinnerLoadImage functions only work with PNG images or PNGs stored as RCDATA resources.

    The far right spinner on the top row is created by loading a single PNG image. Once loaded it is rotated and new frames are created to produce the animation.

    For more complicated spinners, or spinners that are not circular in nature, the MUISpinnerAddSpriteSheet and MUISpinnerLoadSpriteSheet functions are provided. These allow you to provide a long (wide) image (bitmap, icon or PNG) handle (or resource id) that contains all the spinner frames in the one image. The image frames are extracted out of this image. The number of frame images in the spritesheet is passed via the dwSpriteCount parameter. The clock spinner is a good example of this, as it can't be rotated due to the buttons around its edge. So it can either be constructed by manually adding each frame or by using a spritesheet, from which all the individual frames are extracted.

    I put in some compile time conditions to allow for using TimerQueue, Multimedia Timer or WM_TIMER for the animation of the spinner. There is also a ModernUI_Spinner.h file for C/C++, but as I don't actively use that language there may be some typos or mistakes or wrong types specified (I haven't tested it).

    The Icons8 website is a good source for spinners, and they can be adjusted for size and color etc. before downloading, including, under the additional download options button, as a spritesheet (using APNG format). Take note of the frames value, as you will need to use this so that the spritesheet can be divided up into the correct individual frames. https://icons8.com/preloaders/en/search/spinner
  2. 6 points
    Answer

    The password is "gamer vision". All of the following addresses are based on the module base 0x00007FF644840000.

    The possible OEP at:

        00007FF644841DF8 | 48:895C24 20 | mov qword ptr [rsp+20],rbx
        00007FF644841DFD | 55          | push rbp
        00007FF644841DFE | 48:8BEC     | mov rbp,rsp
        00007FF644841E01 | 48:83EC 20  | sub rsp,20
        ...

    Then the second hit in the code section at:

        00007FF6448416FC | 48:895C24 08 | mov qword ptr [rsp+8],rbx
        00007FF644841701 | 48:897424 10 | mov qword ptr [rsp+10],rsi
        00007FF644841706 | 57          | push rdi
        00007FF644841707 | 48:83EC 30  | sub rsp,30
        ...

    After the "enter password." prompt, the input routine at:

        00007FF644841400 | 48:8BC4    | mov rax,rsp
        00007FF644841403 | 57         | push rdi
        00007FF644841404 | 41:54      | push r12
        00007FF644841406 | 41:55      | push r13
        00007FF644841408 | 41:56      | push r14
        00007FF64484140A | 41:57      | push r15
        00007FF64484140C | 48:83EC 50 | sub rsp,50
        ...

    The pointer to the local buffer that receives the input text is in rdx (for example, 000000359CC9FA58). After entering some test characters, the stack looks like:

        000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00   "123456789012"
        000000359CC9FA68: 000000000000000C                                  input size
        000000359CC9FA70: 000000000000000F                                  buffer size

    After that, the processing logic is virtualized. First of all, the length of the input text is checked in a vCmpqr handler:

        00007FF644898E0B | 49:39F0 | cmp r8,rsi    ; r8=000000000000000C (actual), rsi=000000000000000C (const)

    The length MUST be 12!, else you get "no!". NOTE: the encrypted password never gets decrypted if the input length is wrong!

    The answer string is encrypted (0xC length):

        00007FF64484BCB0  8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00

    Decrypt algo:

        00007FF6448BF3A6 | 40:8A36 | mov sil,byte ptr [rsi]   ; rsi=00007FF64484BCB0, sil=8B
        00007FF6448D4125 | 44:30DB | xor bl,r11b              ; bl=8B, r11b=08; ^=08 = 83
        00007FF64488E987 | 880A    | mov byte ptr [rdx],cl    ; [00007FF64484BCB0] <- 83
        00007FF64485748F | 8A09    | mov cl,byte ptr [rcx]    ; [00007FF64484BCB0] -> 83
        00007FF64485E6FA | 44:00D7 | add dil,r10b             ; dil=83, r10b=E4; +=E4 = 67 'g'
        00007FF64488E987 | 880A    | mov byte ptr [rdx],cl    ; [00007FF64484BCB0] <- 67
        00007FF64488DA96 | 49:FFC4 | inc r12                  ; ptr++
        00007FF644859691 | 41:FFC9 | dec r9d                  ; length--
        00007FF64488743C | 85C8    | test eax,ecx             ; end loop if length zero

    At the end of the loop, the plaintext:

        00007FF64484BCB0  67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00   gamer vision....

    The comparison:

        00007FF6448424E7 | FF25 330C0000 | jmp qword ptr [<&memcmp>]
        ret rax=00000000FFFFFFFF / 0000000000000000 (if matches)
        rcx=000000359CC9FA58 "123456789012"
        rdx=00007FF64484BCB0 "gamer vision"
        r8=000000000000000C

    Strings Encrypted Structure:

        BYTE  bEncrypt                // 1 - encrypt, 0 - decrypt
        DWORD dwLength
        BYTE  UnDefined[0xC]
        BYTE  CipherText[dwLength+1]

    The related messages are as follows; you can find them in the VM section ".themida" after it gets unpacked at the very beginning of the application.

        00007FF6448AC79F  01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00   decrypt algo: ^A0+4F
        00007FF6448AC7AF  00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F   "enter password.\n"
        00007FF6448AC7BF  1B 00

        00007FF64484BC9F  01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00   decrypt algo: ^08+E4
        00007FF64484BCAF  00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00         "gamer vision"

        00007FF644886C7F  01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00   decrypt algo: ^85+10
        00007FF644886C8F  00 EC D0 E6 94 7F 00                              "yes!\n"

        00007FF64489252F  01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00   decrypt algo: ^65+C9
        00007FF64489253F  00 C0 C3 3D 24 00                                 "no!\n"

        00007FF64484C40F  01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00   decrypt algo: ^12+C6
        00007FF64484C41F  00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48   "press enter to continue.\n"
        00007FF64484C42F  8F BB BA BC B1 BA BD 8D 7A 56 00
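The blob layout and the per-byte xor-then-add scheme from the post above, reimplemented in Python as an added example; this is not code from the post or from the unpackme. The byte dumps are copied from the post as-is; the function names, the BLOBS table, and the reading of flag byte 0 as "already plaintext" are my own. The (xor, add) constants are the ones the post read out of the VM handlers during the trace; nothing on the page shows them stored inside the structure, so they are passed in explicitly. check_password() also mirrors the order the post describes: length check first, decryption only on the 12-byte path, then memcmp.

```python
import struct

HEADER_LEN = 1 + 4 + 12  # bEncrypt, dwLength, UnDefined[0xC]

# Dumps copied from the post. Each entry: (bytes starting at the structure header,
# xor constant, add constant). Keys are parameters because the page does not show
# them stored in the blob (assumption: they live in the VM context, not here).
BLOBS = {
    "prompt": (bytes.fromhex(
        "01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00 "
        "00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F "
        "1B 00"), 0xA0, 0x4F),
    "password": (bytes.fromhex(
        "01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00 "
        "00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00"), 0x08, 0xE4),
    "yes": (bytes.fromhex(
        "01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00 "
        "00 EC D0 E6 94 7F 00"), 0x85, 0x10),
    "no": (bytes.fromhex(
        "01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00 "
        "00 C0 C3 3D 24 00"), 0x65, 0xC9),
    "continue": (bytes.fromhex(
        "01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00 "
        "00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48 "
        "8F BB BA BC B1 BA BD 8D 7A 56 00"), 0x12, 0xC6),
}


def parse_blob(blob: bytes):
    """Split a blob into (bEncrypt, dwLength, CipherText[dwLength]).

    dwLength is little-endian; the trailing NUL of CipherText[dwLength+1]
    is not part of the returned ciphertext.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than the 17-byte header")
    flag = blob[0]
    length = struct.unpack_from("<I", blob, 1)[0]
    cipher = blob[HEADER_LEN:HEADER_LEN + length]
    if len(cipher) != length:
        raise ValueError("dwLength runs past the end of the dump")
    return flag, length, cipher


def decrypt_bytes(cipher: bytes, xor_key: int, add_key: int) -> bytes:
    """Per byte: ((c ^ xor_key) + add_key) & 0xFF, xor first then add,
    the order seen in the trace (xor bl,r11b before add dil,r10b)."""
    return bytes(((c ^ xor_key) + add_key) & 0xFF for c in cipher)


def decrypt_blob(name: str) -> str:
    blob, xor_key, add_key = BLOBS[name]
    flag, _, cipher = parse_blob(blob)
    if flag == 0:
        # Post labels the flag "1 - encrypt, 0 - decrypt"; assumption here:
        # 0 means the VM already decrypted the text in place.
        return cipher.decode("latin-1")
    return decrypt_bytes(cipher, xor_key, add_key).decode("latin-1")


def check_password(candidate: bytes) -> str:
    """Mirror the virtualized check: length (vCmpqr) first, then decrypt and memcmp."""
    _, expected_len, _ = parse_blob(BLOBS["password"][0])
    if len(candidate) != expected_len:   # r8 (actual) vs rsi (const 0xC)
        return decrypt_blob("no")        # password never decrypted on this path
    if candidate == decrypt_blob("password").encode("latin-1"):
        return decrypt_blob("yes")
    return decrypt_blob("no")


if __name__ == "__main__":
    print(repr(decrypt_blob("prompt")))
    for probe in (b"123456789012", b"gamer vision", b"short"):
        print(probe, "->", repr(check_password(probe)))
    print(repr(decrypt_blob("continue")))
```

Running it prints the five strings the post lists; the pattern of a fixed-length gate before the string is ever decrypted is also why a brute-force approach has to start from the length check rather than from the ciphertext.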
  3. 6 points
    [.NET]实战UnpackMe.mp4 ("[.NET] Hands-on UnpackMe") -> https://mega.nz/#!YxwQSAxA!Lwd9XStVyue8fdYKZXmYkoDxE0Y7ftsyNYtBKLTRrGM
  4. 6 points
    @mdj: 使用x64dbg暴打非托管强壳.mp4 ("Beating strong native packers with x64dbg") -> https://mega.nz/#!Y5JBTaCS!hJXzN5ssvUyRHW8VgpGxINEVrW1zJ2Up96vqqJVG5co I can upload the second video tomorrow, if you need that too. @all: Please be nice and don't abuse the link, it is a free Mega account and has traffic limitations.
  5. 3 points
    ...or just use an MSDN key that's available on the net and avoid all that insanity. NYWVH-....
  6. 3 points
    Hello, so I keep getting asked what the best obfuscators around are, so I am posting this so I don't keep repeating it. I have decided to give my opinion on all obfuscators; if I am missing any, let me know. If you are a developer of any of these obfuscators, don't take what I say as an insult, use it to improve.

    DNGuard - an obfuscator I used to say was Chinese crap, however I've recently spent some time analysing this and can say that the HVM technology is very strong and makes unpacking a lot harder. However, when not using the HVM setting it makes unpacking extremely simple with JIT dumping, and you can use codecracker's unpacker for this. Compatibility on this obfuscator is its biggest flaw (along with price), which can be a big NO for a lot of people, as this protector can cause files to not run on certain .NET frameworks. If they fixed this issue and improved compatibility across systems it would make this obfuscator much better. The price is extremely high, but I suppose that has worked in its favour, with not many files around and it being extremely hard to get test files to test features.

    Eazfuscator - a .NET VM that has been around for a while now, with the last unpacker for version 4.8 I think from saneki on GitHub. Since then Eazfuscator has improved a lot, however the concept stays the same and saneki's unpacker is still a brilliant base to start from, meaning that an unpacker for this isn't extremely difficult. The compatibility and performance of this obfuscator are actually fairly good for a VM, and it tells the user not to overuse the VM and only apply it on secret methods so as to save performance. The problem with Eazfuscator is that any protection method apart from the VM isn't good: de4dot handles the control flow perfectly and the strings can be easily decrypted by either updating the de4dot code, which isn't too hard, or simply invoking. So if your app is sensitive on performance then maybe avoid this one, as for all VMs performance is hurt no matter how efficient it is. In conclusion I do think this obfuscator is one of the top of its game, as even with the old unpackers it's still a lot of work to update.

    ILProtector - An obfuscator I really do like; the concept of keeping performance and security balanced. However, in recent times with the release of dynamic unpackers it has kind of died, as it seems the developer is applying small patches instead of fixing this properly, so each unpacker only requires a few changes. In terms of static unpacking they have this down well; it's actually a very hard job to statically unpack this protector, so if they were to patch the dynamic flaws it would quickly appear back at the top, but its credibility has been stumped due to the release of unpackers that I think may still work on the latest version (something I haven't checked). Compatibility and performance on this obfuscator are good, but one flaw of this obfuscator is that if the dynamic method is decrypted the original IL code is there; they apply no MSIL mangling, which in my eyes they should do as well.

    Agile.Net - another .NET VM, however I haven't analysed this myself that much, but a few things I have noticed are that updating de4dot to support the latest version is not all that challenging, however it is time consuming; a few modifications to de4dot can make it supply all the data you need to update it for the VM. The method encryption can be removed by JIT dumpers from codecracker. From what I've seen in de4dot the obfuscator isn't too hard to completely unpack, but we have to thank 0xd4d for all he has done on this obfuscator; he has done all the hard work for us, so it's just a matter of taking his code and updating it, and yes, this takes a very long time to do.

    Netguard - Now this is one I'm very familiar with. As most people know, Netguard is a modified ConfuserEx, however a fairly heavy modification. Now the actual protection isn't that strong, however for its price it's very good. The base of Netguard is still the same concept as ConfuserEx and many of its protections can be defeated in the exact same way; the only real changes are the native stub and mutations. However, once you remove these, protections like control flow and constants can be removed with the same theory as I use in my ConfuserEx unpacker 2. This obfuscator, like I said, is the best for its price, however if you're looking for something better there are other options if you're willing to pay. Now compatibility and performance on Netguard are something that it's known for, and not in a good way; it has improved a lot recently, however they still add lots of junk that adds no real benefit and just slows down code.

    Appfuscator - now I don't know why people don't use this obfuscator anymore. In my eyes it's still extremely powerful; codecracker's tools are not stable and if your tool is larger than a crackme then it will fail. Appfuscator uses opaque predicates and CFG to generate its control flow, both of which have no public solvers, so it is an extremely powerful obfuscator, especially if you mix it with something custom. Performance wise this actually has a negligible effect, so still to this day it is one of the higher rated obfuscators.

    Babel.Net - this is similar to ILProtector in the way it makes dynamic methods, however with a different approach. The good thing about this obfuscator is that it provides you with more options than just encrypt MSIL, where you have cflow, constants and other expected protections, making it not as simple as dumping the dynamic method. The dynamic methods themselves are not tricky to solve dynamically, similar to ILProtector: invoke the correct method and you have the dynamic method ready to read with dnlib. Statically it gets slightly more complex, however a few hours debugging with dnSpy and some static analysis will reveal its secrets of how it decrypts the encrypted bodies. Performance and compatibility wise I don't really know enough about it, but I've not really seen many complaints about it.

    ArmDot - a relatively new .NET VM which I'm fairly interested in. At its current stage it needs polishing; they currently put the whole VM into each method it's encrypted, making it extremely slow. I explained to the developer that it holds no real benefit, as to devirtualize it follows the same concept as all VMs, which is to find the instruction handlers and convert back; as most are 1:1 with CIL it makes this step relatively easy once you have detected all handlers. However, if this obfuscator works on your file and performs well I do recommend it, especially as it's new and being actively worked on and the developer is always interested in seeing ways to improve, which is a good thing.

    KoiVM - another magical creation from yck, so do we expect anything other than greatness? Now this was something he sold to customers until he left the scene and trusted XenoCodeRCE with it and gave it to him to improve and use. Xeno decided that he would sell this to others and ended up causing it to be leaked on GitHub, however let's ignore that. KoiVM is absolutely insane and different to all other VMs we talked about so far. This doesn't relate 1:1 with CIL and actually converts it to a form of ASM, meaning if you manage to get all the code back you then need to translate ASM to CIL, which again is no easy task. People think because it's open source it makes it not worth it. Remember Confuser/Ex was open source and undefeated for a long time. KoiVM is on another level compared to those. Compatibility and performance do take a hit and it has limitations, which you can read about on the KoiVM website. Now if your app works fine and you're happy with performance then I would strongly suggest sticking with it. You can even make modifications to ConfuserEx and use it with that, as after all it's a ConfuserEx plugin.

    These are just my thoughts and personal opinions on these obfuscators. I do not mean any disrespect to the developers, apart from what I think is good and bad. If you would like further explanation on anything let me know, or any specific obfuscator that I haven't covered, as I most likely have some sort of opinion on it; feel free to ask.

    Regards,
    Cawk
  7. 3 points
    Which is a bloody stupid idea in the first place. Just don't do it.

    To answer the question: the cause of your problem is MUI files, which were introduced in Windows Vista. They enable you to have the Windows UI in your own (non-English) language. If you copy some of the Windows built-in executables, you also need to copy the corresponding MUI file to the correct subfolder, otherwise it won't be able to load the correct resources and you'll see the error you mentioned.

    Example:

    Further reading:
    https://docs.microsoft.com/en-us/windows/win32/intl/mui-fundamental-concepts-explained
    https://afana.me/archive/2016/06/27/restoring-classic-calculator-in-windows-10.aspx/
    https://ntcore.com/?p=266
  8. 3 points
    I once posted it on a Chinese forum; you can visit it at https://www.52pojie.cn/thread-762832-1-1.html with Google Translate. I will try my best to explain it in English.

    1. Download x64dbg and download the symbol file of clr.dll (mscorwks.dll if the runtime is .NET 2.0~3.5).
    2. Set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run.
    3. Use MegaDumper (I use my ExtremeDumper, based on codecracker's MegaDumper: https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program breaks at "SystemDomain::ExecuteMainMethod".
    4. Fix the PE header, and maybe you should also fix the .NET header.

    This way is more complex than using MegaDumper only and directly dumping the assembly. But if the assembly is packed with a native stub and protected with anti-dump (ConfuserEx and others) or protected with whole #US encryption (DNGuard HVM and others), maybe this way is good for dumping assemblies. If you cannot understand it, you can reply to me. Best wishes.
  9. 3 points
    https://github.com/x64dbg/x64dbg/releases
    https://github.com/wwh1004/ExtremeDumper/releases
  10. 2 points
    Thanks for the nice words, I really hope peace returns soon. This is a lose-lose situation for all, no one is winning anything here. Good luck with your new website.
  11. 2 points
    I am sorry to hear about the attacks on your forum site @Kurapica but in my opinion, they could be from random bots, as we also had been experiencing similar attacks on our TIRA forum over the past few months. Since you specifically mentioned that the attacks on your site started “since these incidents” I want to confirm that you had always treated us with respect and therefore neither me nor my “supporters” have anything at all to do with the attacks on your site. I also want to add that me and my friends hold the BlackStorm team (and the forum) in high regard and we will not think of anything in the way of harming the site. To avoid starting another flame-war, I will not comment anything else regarding the other forums. As many know, I am mostly busy for the past few months on the TIRA forum and I do not have time for all this nonsense anymore. Going by the past history of my posts on this forum, I have a feeling that this post will be removed soon, and so, I was in two minds whether to post it here at all. But I decided to post this anyway since I did not want @Kurapica or anyone else here to misunderstand me or my supporters.
  12. 2 points
    I led you astray when I said to get the higher privileged window to change the lower privileged window. Apologies for that! What you need to do is have the higher privileged window change its own handles (window, gadget, etc.) to accept specified messages.

    In the example below a lower window wants to send #WM_SETTEXT to a higher window. It will not be able to complete this because of UIPI...

        EnableExplicit

        Enumeration Windows
          #Window
          #Gadget
        EndEnumeration

        Declare ChangeWindowMessageFilter()

        If OpenWindow(#Window, 0, 0, 300, 60, "Window1 - Sender (Low UIPI)", #PB_Window_ScreenCentered | #PB_Window_SystemMenu)
          ButtonGadget(#Gadget, 5, 5, 290, 50, "CLICK ME!")
          Repeat
            Select WaitWindowEvent()
              Case #PB_Event_Gadget
                Select EventGadget()
                  Case #Gadget
                    ChangeWindowMessageFilter()
                EndSelect
              Case #PB_Event_CloseWindow
                End
            EndSelect
          ForEver
        EndIf

        Procedure ChangeWindowMessageFilter()
          Protected Window, Child
          ; Locate the receiver's top-level window, then its first child (the button gadget)
          Window = FindWindow_(#Null, "Window2 - Receiver (High UIPI)")
          Child = GetWindow_(Window, #GW_CHILD)
          ; Dropped by UIPI until the receiver allows WM_SETTEXT on that handle
          SendMessage_(Child, #WM_SETTEXT, 0, "Some text")
        EndProcedure

    The example below is the higher window. It wants to receive #WM_SETTEXT from the lower window to change the text of a gadget. Note that I am getting the handle of the gadget and using ChangeWindowMessageFilterEx to allow window messages to be sent from the lower window.

        EnableExplicit

        Enumeration Windows
          #Window
          #Gadget
        EndEnumeration

        Declare ChangeWindowMessageFilter()

        ; Bind ChangeWindowMessageFilterEx from user32.dll at run time
        Global User32 = OpenLibrary(#PB_Any, "user32.dll")
        Prototype.i ChangeWindowMessageFilterEx(hwnd, message, action, pChangeFilterStruct)
        Global ChangeWindowMessageFilterEx.ChangeWindowMessageFilterEx
        ChangeWindowMessageFilterEx = GetFunction(User32, "ChangeWindowMessageFilterEx")

        If OpenWindow(#Window, 0, 0, 300, 60, "Window2 - Receiver (High UIPI)", #PB_Window_ScreenCentered | #PB_Window_SystemMenu)
          ButtonGadget(#Gadget, 5, 5, 290, 50, "CLICK ME!")
          Repeat
            Select WaitWindowEvent()
              Case #PB_Event_Gadget
                Select EventGadget()
                  Case #Gadget
                    ChangeWindowMessageFilter()
                EndSelect
              Case #PB_Event_CloseWindow
                End
            EndSelect
          ForEver
        EndIf

        Procedure ChangeWindowMessageFilter()
          #MSGFLT_ALLOW = 1
          ; Modifies the User Interface Privilege Isolation (UIPI) message filter for a specified window.
          ; The filter is per-window, so it is set on the gadget's own handle, not on the top-level window.
          If ChangeWindowMessageFilterEx(GadgetID(#Gadget), #WM_SETTEXT, #MSGFLT_ALLOW, #Null)
            SetGadgetText(#Gadget, "Sender Can Now Change This Text")
          Else
            SetGadgetText(#Gadget, "Something Went Wrong!")
          EndIf
        EndProcedure

    1) Run both executables.
    2) Click "CLICK ME!" in Window1 a few times and you will notice nothing changes in Window2.
    3) Click "CLICK ME!" in Window2 and it will update the message filter of its gadget to accept WM_SETTEXT. The button text should change now.
    4) Click "CLICK ME!" in Window1 and the button (gadget) text in Window2 should now change.

    Ted.

    ChangeWindowMessageFilterEx.zip
  13. 2 points
    or simply use tools like RunAsDate
  14. 2 points
    I am mostly wondering why an unpackme needs an anti VM mechanism in place. I am not running any foreign binaries on my host machine. Yes I can patch it myself, but what is the point? Given the fact that it also takes a huge amount of time to even start up, I find it a little unsettling if I have to be honest.
  15. 2 points
    Got a chance to check out Ghidra 9.0.4 (released in May) to compare again and will say they have really optimized the disassembler compared to before. A file I work with often in IDA for a specific game now takes around the same time to disassemble in Ghidra which is a lot better than before. (The previous 9hr post was not for this file, will test that one again in the future.) The decompiler has seen some improvements as well which for this file results in some nice output, a bit cleaner than HexRays even at times. Would say in the short time of it being open source, things have shaped up pretty well for this tool.
  16. 2 points
    There is no reason to copy cmd.exe outside the Windows directory, and I very much doubt this is supported or even something Microsoft ever considered. Maybe you can get rid of the error by setting its current working directory to c:\windows\system32, but the real solution here is to not copy cmd.exe outside the system folder.
  17. 2 points
    https://www.uperesia.com/hancitor-packer-demystified Ted.
  18. 2 points
    Imports Fixer - Legacy Archives

    This is a complete collection of public and private builds of Imports Fixer (mainly a collection of private builds). I am uploading all of these for posterity reasons before they are deleted and for those people who like to look over this stuff. Most of these old builds will not work on modern Windows OSes and IF is no longer being developed, so do not expect them to function correctly. If you need to use an imports fixer I suggest turning to a publicly accessible imports builder such as Scylla. It is more feature complete, supports modern OS builds and is open source, so you can fix any bugs. In advance of questions regarding IF v1.7, this version was never completed and no private builds were released. Version 1.6 is where all the fun ended...

    Ted.

    Submitter: Teddy Rogers
    Submitted: 06/28/2019
    Category: Tools & Utilities
  19. 2 points
    Hi

    New update with more features: https://github.com/Ahmadmansoor/AdvancedScript

    AdvancedScript version 4.3
    https://github.com/Ahmadmansoor/AdvancedScript/releases

    * Add new commands and fix some bugs
    * Fix error loading the Auto Commands when there is no ;
    * Fix AutoRun and stepson (wait for command to finish).
    * Fix color variable name.
    * Add ReadFile, Write2Mem, ReadMem
    * Add GoToByBase form (https://www.youtube.com/watch?v=gQxlbC8RnRg)
    * Assign variable directly, no need for the Setx command.

    Sample:

        Varx str,memory     // var will hold the hex value
        Varx int,rax_,0     // read rax value +1
        Varx str,ourStr     // read test string
        ReadMem $memory,{rax},5
        $rax_={rax} +1
        $rax_=ads.exebase
        ReadStr $ourStr,{rdx}
  20. 2 points
    This is the same as #2... Rename 'JNE' to 'JMP' and it will automatically become registered. Same as for my #2, I also created a patch for this but using a different patcher. I used AT4RE's Patcher. Simple CrackMe #1 Patch.exe
  21. 2 points
    Download: https://github.com/horsicq/pex64dbg/releases
    Sources: https://github.com/horsicq/pex64dbg
    More info: http://n10info.blogspot.com/2019/05/pe-viewer-plugin-for-x64dbg.html
  22. 1 point
    I ran a very quick test and it looks like the following window messages below 0x0400 (on Windows 10) cannot be blocked...

        003 / 0x0003 / WM_MOVE
        005 / 0x0005 / WM_SIZE
        013 / 0x000D / WM_GETTEXT
        014 / 0x000E / WM_GETTEXTLENGTH
        051 / 0x0033 / WM_GETHOTKEY
        127 / 0x007F / WM_GETICON
        773 / 0x0305 / WM_RENDERFORMAT
        776 / 0x0308 / WM_DRAWCLIPBOARD
        781 / 0x030D / WM_CHANGECBCHAIN
        787 / 0x0313 / WM_POPUPSYSTEMMENU (Undocumented)
        794 / 0x031A / WM_THEMECHANGED
        795 / 0x031B / WM_UAHINIT (Undocumented)
        799 / 0x031F / WM_DWMNCRENDERINGCHANGED (Undocumented)

    Ted.
  23. 1 point
    Run a fresh installation of an OS in a virtual machine. It is a simple and good way to test your programs across various OSes and configurations. New installs have UAC set at the second highest value.

    Check the "default" UIPI value in your registry; I suspect there may be a value in "data". Delete this so that a value is not set.

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI

    The code looks okay, just be sure you have the correct handle and the parameter being passed is correct. You can use GetLastError to check this. The remarks for ChangeWindowMessageFilterEx mention values lower than WM_USER can be "passed through the filter, regardless of the filter setting"...

    Ted.
  24. 1 point
    Same group of children that got banned recently and refuse to grow up. The forums have quieted down a lot since all the last drama and most releases are done elsewhere now anyway because of it. Everything they are dumping and mirroring is all public anyway.
  25. 1 point
    Here's how I'd access the media.

    ZDF-Mediathek "Die Subway-Falle" -> grab the "master.m3u8":
    https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/master.m3u8

    Instead of:
    https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/index_776000_av.m3u8

    use:
    https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/master.m3u8

    Now have a looksy with ffmpeg -i:

        Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/index_229000_av.m3u8?null=0' for reading
        [https @ 00000000026807c0] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/index_476000_av.m3u8?null=0' for reading
        [https @ 00000000026807c0] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/index_776000_av.m3u8?null=0' for reading
        [https @ 00000000026807c0] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/index_1496000_av.m3u8?null=0' for reading
        [https @ 00000000026807c0] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/index_2296000_av.m3u8?null=0' for reading
        [https @ 00000000026807c0] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/index_3296000_av.m3u8?null=0' for reading
        [https @ 00000000026807c0] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/index_229000_a.m3u8?null=0' for reading
        [hls,applehttp @ 0000000002678c80] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment1_229000_av.ts?null=0' for reading
        [hls,applehttp @ 0000000002678c80] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment2_229000_av.ts?null=0' for reading
        [hls,applehttp @ 0000000002678c80] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment1_476000_av.ts?null=0' for reading
        [hls,applehttp @ 0000000002678c80] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment2_476000_av.ts?null=0' for reading
        [hls,applehttp @ 0000000002678c80] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment1_776000_av.ts?null=0' for reading
        [hls,applehttp @ 0000000002678c80] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment2_776000_av.ts?null=0' for reading
        [hls,applehttp @ 0000000002678c80] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment1_1496000_av.ts?null=0' for reading
        [hls,applehttp @ 0000000002678c80] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment2_1496000_av.ts?null=0' for reading
        [hls,applehttp @ 0000000002678c80] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment1_2296000_av.ts?null=0' for reading
        [hls,applehttp @ 0000000002678c80] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment2_2296000_av.ts?null=0' for reading
        [hls,applehttp @ 0000000002678c80] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment1_3296000_av.ts?null=0' for reading
        [hls,applehttp @ 0000000002678c80] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment2_3296000_av.ts?null=0' for reading
        [hls,applehttp @ 0000000002678c80] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment1_229000_a.ts?null=0' for reading
        [hls,applehttp @ 0000000002678c80] Opening 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment2_229000_a.ts?null=0' for reading
        Input #0, hls,applehttp, from 'https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/master.m3u8':
          Duration: 00:44:43.44, start: 0.100511, bitrate: 0 kb/s
          Program 0
            Metadata:
              variant_bitrate : 226000
            Stream #0:0: Video: h264 (Main) ([27][0][0][0] / 0x001B), yuv420p, 320x176 [SAR 1:1 DAR 20:11], 25 fps, 25 tbr, 90k tbn, 50 tbc
            Metadata:
              variant_bitrate : 226000
            Stream #0:1: Audio: aac (LC) ([15][0][0][0] / 0x000F), 44100 Hz, stereo, fltp
            Metadata:
              variant_bitrate : 226000
          Program 1
            Metadata:
              variant_bitrate : 474000
            Stream #0:2: Video: h264 (Main) ([27][0][0][0] / 0x001B), yuv420p, 480x272 [SAR 1:1 DAR 30:17], 25 fps, 25 tbr, 90k tbn, 50 tbc
            Metadata:
              variant_bitrate : 474000
            Stream #0:3: Audio: aac (LC) ([15][0][0][0] / 0x000F), 44100 Hz, stereo, fltp
            Metadata:
              variant_bitrate : 474000
          Program 2
            Metadata:
              variant_bitrate : 775000
            Stream #0:4: Video: h264 (Main) ([27][0][0][0] / 0x001B), yuv420p, 640x360 [SAR 1:1 DAR 16:9], 25 fps, 25 tbr, 90k tbn, 50 tbc
            Metadata:
              variant_bitrate : 775000
            Stream #0:5: Audio: aac (LC) ([15][0][0][0] / 0x000F), 44100 Hz, stereo, fltp
            Metadata:
              variant_bitrate : 775000
          Program 3
            Metadata:
              variant_bitrate : 1495000
            Stream #0:6: Video: h264 (Main) ([27][0][0][0] / 0x001B), yuv420p, 852x480 [SAR 1:1 DAR 71:40], 25 fps, 25 tbr, 90k tbn, 50 tbc
            Metadata:
              variant_bitrate : 1495000
            Stream #0:7: Audio: aac (LC) ([15][0][0][0] / 0x000F), 44100 Hz, stereo, fltp
            Metadata:
              variant_bitrate : 1495000
          Program 4
            Metadata:
              variant_bitrate : 2297000
            Stream #0:8: Video: h264 (Main) ([27][0][0][0] / 0x001B), yuv420p, 1024x576 [SAR 1:1 DAR 16:9], 25 fps, 25 tbr, 90k tbn, 50 tbc
            Metadata:
              variant_bitrate : 2297000
            Stream #0:9: Audio: aac (LC) ([15][0][0][0] / 0x000F), 44100 Hz, stereo, fltp
            Metadata:
              variant_bitrate : 2297000
          Program 5
            Metadata:
              variant_bitrate : 3298000
            Stream #0:10: Video: h264 (Main) ([27][0][0][0] / 0x001B), yuv420p, 1280x720 [SAR 1:1 DAR 16:9], 25 fps, 25 tbr, 90k tbn, 50 tbc
            Metadata:
              variant_bitrate : 3298000
            Stream #0:11: Audio: aac (LC) ([15][0][0][0] / 0x000F), 44100 Hz, stereo, fltp
            Metadata:
              variant_bitrate : 3298000
          Program 6
            Metadata:
              variant_bitrate : 95000
            Stream #0:12: Audio: aac (LC) ([15][0][0][0] / 0x000F), 44100 Hz, stereo, fltp
            Metadata:
              variant_bitrate : 95000
  26. 1 point
    Linux Evil Gnome, pass: infected. HUGE APT collection, with others where this came from, at: https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/ 7ffab36b2fa68d0708c82f01a70c8d10614ca742d838b69007f5104337a4b869.zip
  27. 1 point
    Make sure the higher privileged application is the one changing the message filter of the lower privileged window. Ensure you have the correct window handle of the lower privileged window. Have a read through the remarks for ChangeWindowMessageFilterEx. Another thing to be mindful of is if you allow multiple instances of the same application. You may need to consider using mutexes or assigning unique identifiers to each application... Ted.
  28. 1 point
    https://visualstudio.microsoft.com/es/vs/support/community-edition-expired-buy-license/ You really need to log in to unlock the IDE; only the Community Edition is free. You just need to sign in with your Microsoft account and everything will be fine again. I have been using it from 2017 to today; I never needed a licence, only a login. BR, Apuromafo
  29. 1 point
    Just be mindful of UIPI and process elevation levels if you plan on using SendMessage. Otherwise you will need to look at changing window message filters (ChangeWindowMessageFilterEx) of lower privileged windows. You can check if your messages are being blocked by calling GetLastError and checking for access denied (5)... Ted.
  30. 1 point
    Another option is to use WM_COPYDATA https://docs.microsoft.com/en-us/windows/win32/dataxchg/wm-copydata The following example demonstrates how to send information between two applications using the WM_COPYDATA message: https://docs.microsoft.com/en-us/windows/win32/dataxchg/using-data-copy
  31. 1 point
    Depends on how much data you intend on exchanging as there are a number of different options. This link explains some of them... https://docs.microsoft.com/en-au/windows/win32/ipc/interprocess-communications Ted.
  32. 1 point
    I'd be sure that they made a devirt only if I saw the koivmhelper.dll without dnguard; for some reason I think that they check the parameters and the calls with the handle invoker. Why would I think that? Well, I've searched the 'devirted' file and I've only seen this change (on vcall opcodes), which basically changes the methodinfo.invoke to be invoked from the .dll? (which makes it easy to change the result and also check the parameters and the call). Another thing I found is that they load all the stuff from the resources instead of the metadata stream (the stuff that can't be preserved with dnspy saving), which makes me think the same thing. Final thing, I had the original vpnhunter exe with koivm and the types and methods were not differently named... which means that it hadn't been koivm'ed on top of the devirt. Edit: Checked deeper and found out that it compares 2 strings (which are different) but it returns that they are equal, so here is the 'devirt'
  33. 1 point
    I saw you on Turkish forums, you are a good reverser. Hello brother.
  34. 1 point
    Overcooked is free this week on Epic. Good fun for local multiplayer
  35. 1 point
    A few files:
    KoiVMHelper.dll fccbdd69174505c71a36a93193b27e5b0ed63244d36ca327438d960a0e62cd24 330 KB - 2019-06-05
    KoiVMHelper.dll 76660a5a1a66d60353176edaf1f80cb08d9bec80ef583e19155913c2e89c6bbc 343 KB - 2019-05-14
    KoiVMHelper.dll 5d64eecb9fcbae1bb8c23391fc8e37e2e3528d196661a1ea9719065a9f136c61 330.5 KB - 2019-05-11
    KoiVMHelper.dll d2a8a294f524c54d00a3087946bfe08675c16accc93f2fbc2bc21ee67e598e36 163 KB - 2019-05-02
  36. 1 point
    and spread like this because of the loser called BEDS.
  37. 1 point
    Could be a number of things. Using GlobalFree on a memory location that has already been freed previously, but the variable still holds the old reference location and another GlobalFree was called on it. Or it could be stack issues or buffer overflows. Hard to chase down those sorts of bugs. But at a guess it's probably GlobalFree or accessing heap memory that was allocated and freed (allocated via GlobalAlloc, GlobalRealloc or VirtualAlloc etc.)
  38. 1 point
    That exception code seems to be STATUS_HEAP_CORRUPTION. So the corruption of the heap might occur long before you get the crash.
  39. 1 point
    Cracked. Using: IDA Pro v7.0. Search for 'Unregistered' -> Find Verification Function -> Patch JNE to JMP using IDA's patch function -> Save -> Cracked. Sadly, I couldn't find the original password. CrackMe.exe
  40. 1 point
    Should .NET unpackme's be split and separated in to their own category? If you have another suggestion or idea please explain here... Ted.
  41. 1 point
    Hello, password is : How I did it: debug using modded dnspy (the obfuscator checks for dnspy!) or any other native debugger, and look at memory strings; the real password appears multiple times in memory due to how ConfuserEx handles strings in memory 😕 0x2a39cd8 and 0x2a88ff0
  42. 1 point
    virustotal at my door and a small graph about a mbr ransom generator, lot of samples, few itw urls. https://www.virustotal.com/graph/embed/g1eff513400894f7c8930f6e4200093ecd13d231f1d204b8e84e6c8c89481e2bb
  43. 1 point
    Code like this. You can copy dlls in OpenFileDialog. If you can't copy dlls (maybe anti dump?), you can use the code like "File.WriteAllBytes(@"I:\Downloads\Yes.dll2", File.ReadAllBytes(@"I:\Downloads\Yes.dll"));". ILProtector detects the first few bytes of the compiled machine code. You can fake it.
  44. 1 point
    1. dump ilprotector native runtime: you can inject a dll to call OpenFileDialog and dump
    2. decrypt method body: fix ILProtectorUnpacker's hook, then it works
    Test.ip.exe.7z
  45. 1 point
    https://threatpost.com/unhackable-biometric-usb-passwords/144576/
  46. 1 point
    After you dump the main exe (.NET) with MegaDumper, exception messages: Unable to load DLL 'Test32.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E) So you have got to dump that dll with DllSaver. Enigma only unpacked exes: https://www95.zippyshare.com/v/b0258Ft4/file.html
  47. 1 point
    AdvancedScript_3.1
    - fix CheckHexIsValid (fix length).
    - add menu to (copy - follow - delete) variables.
    - add more checks for StrAnalyze.
    - add MsgBox for if command in a case does not resolve arguments.
    note: copy can copy one value or all values in case of Array variables
    AdvancedScript_3.1.zip Script.zip
  48. 1 point
    Your password is tesfaw https://gyazo.com/37e85be8307829270736eb42156ed9f5 As kao said, this isn't unbreakable at all.
  49. 1 point
    Intel x86 / x64 opcode reference manuals (I think you can download them in pdf form on their site somewhere), then writing some apps in asm to get a grip for masm etc., or in C, and then debugging them to see how things work. Then Lena's tuts (I've never used them though; I taught myself a long time ago, where I'd download the opcode refs and study them offline (an internet connection was a rarity at the time for me)). Pencil (to undo mistakes) and paper, to make notes, and lots of them. Tools like hiew, ida (never really liked ida too much as I thought it was slow), olly, x64dbg etc. etc., and reference sites like this one, the masm32 site, woodmann and some others. Time and patience, and doing some homework before asking for help / pointers (I usually won't help people who want to get everything spoonfed to them or ask for videos etc. or think they're somehow entitled).
  50. 1 point
    I do not release the decoder but the code optimizer (not immediately); this is not specific to the oream vm, it is only far more effective than others. What do you say about angr or miasm or optimice or codedoctor?? Do we eliminate all the tools for binary code analysis?? I do not issue the decoder code because my hobby is a hobby and I do not want to give anybody a damn, but reversing is sharing (I unfortunately belong to the old old reverser school). If I spoke good English I would probably share a lot more info and would not be like others who just write for self-celebration. Do you know Scherzo or Softworm?? I'm an old man who now deals with reversing and my only good luck is that the day they will all program in python or javascript I will not be there anymore..hahahahaha