Tuts 4 You


Popular Content

Showing content with the highest reputation since 03/26/2019 in all areas

  1. 4 points
    Hey all! I recently came across this neat paper here: https://tel.archives-ouvertes.fr/tel-01623849/document where they used what they called "Mixed-Boolean Arithmetic" to obfuscate arithmetic expressions, and then showed ways to deobfuscate them. Looking at the deobfuscation methods, they seemed largely either pattern-based or wouldn't work when bigger numbers were involved. So I thought to myself, "How can I mess with this?" Well, first things first, they have no concrete method there for creating these expressions. There are two pages total dedicated to the creation of these expressions, so I had to get creative to make it work. They describe using numpy to solve the matrix equation created and using a hack-y method to circumvent not having a square matrix, but I thought that I could do a bit better... Enter two painstaking days of learning linear algebra and figuring out exactly what I needed to do. They start by computing the truth tables of some expressions, putting them into a matrix as columns, then solving for the vector that, when using the dot product on the vector and the matrix, returned zero. After that, they filtered out various "rewrite rules" from the matrix generated. You can read more about this in the paper, though there's not much to go off of. They use numpy's linalg.solve to do this, but that only works with square matrices and produced results with constants that were a tad small for my taste :^) After a bit of research I found a python module called cvxpy, designed to find values that satisfy an expression under certain constraints. Even cooler was that you could specify matrix equations and integer-only solutions, which is exactly what I needed.
    After tinkering with it for a bit, I was able to reliably create expressions like these (representing a xor b):

    -27540 * (~a & b) + 373574 * (~a ^ ~b) + -27541 * (a & ~b) + -27541 * (~a & b) + -11 * (a + b) + -30436 * (~a & ~b) + -30436 * (~a * ~b) + 137712 * (a * ~b) + -27544 * (~a) + 1 * (b) + 3 * (~a + ~b) + -221347 * (~a - ~b) + 13 * (a + b) + -2 * (a) + -30454 * (~a + ~b) + -30454 * (~a + ~b) + -3 * (b) + -30449 * (a | b) + -27546 * (~b)

    3672455 * (~a * b) + -362611 * (a ^ b) + 78113 * (a) + -524636 * (~b) + -524636 * (a ^ ~b) + 78113 * (a) + -524636 * (~a | b) + -362611 * (a ^ b) + -959545 * (a | b) + -78113 * (a - b) + -959545 * (~a + ~b) + -524636 * (~a) + 142249 * (a + b) + -959544 * (~a + ~b) + 142249 * (a + b) + -524637 * (a - ~b) + -524637 * (~a) + -524637 * (a & ~b) + 3241246 * (~a ^ ~b)

    Using truth tables modulo 4 instead of modulo 2 I was also able to compute equivalencies for multiplication, which was pretty neato. However, using the same method of computing the truth table and finding an equivalent expression you can reverse this sort of operation. I'll leave that as an exercise to the reader. EDIT: As a friend of mine pointed out, this will work with any operation that can be reducible to boolean math (i.e. xor, addition, subtraction, multiplication), not just arithmetic operations.
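    The construction described in the post, written out as an added example (my code, not the poster's script or anything from the paper): the 1-bit truth tables of a set of bitwise terms become the columns of a matrix, an integer vector in that matrix's null space is a linear identity among the terms, and solving the identity for the target column gives the rewrite rule. Two choices here are mine and differ from the post: the null space is found with a plain rational row reduction instead of numpy/cvxpy, and rather than insisting on an integer solution with coefficient 1 on the target, any odd target coefficient is accepted and multiplied out with its inverse modulo 2^32, since the rewrite only has to hold in 32-bit arithmetic. Only genuinely bitwise terms are used; the post's a + b, a - b and mod-4 multiplication terms are not handled. All identifiers are assumed names. `same_function` is the truth-table check the post's last paragraph says undoes the rewrite, and it is exact for bitwise terms: agreement on the four all-zeros/all-ones word pairs implies agreement on every input.

```python
"""Added example: MBA rewrite of a ^ b from 1-bit truth tables (not the poster's code)."""
from fractions import Fraction
import math
import random

WORD = 32
MASK = (1 << WORD) - 1

# Candidate terms. Each is computed bit by bit, so an integer identity that holds on
# the 1-bit truth table holds on whole words modulo 2**WORD. Terms such as a + b or
# a * b are not bitwise in that sense and are deliberately left out (assumption).
PRIMS = {
    "a & b":    lambda a, b: a & b,
    "a | b":    lambda a, b: a | b,
    "~a & b":   lambda a, b: ~a & b,
    "a & ~b":   lambda a, b: a & ~b,
    "~(a | b)": lambda a, b: ~(a | b),
    "a":        lambda a, b: a,
    "b":        lambda a, b: b,
    "~a":       lambda a, b: ~a,
    "~b":       lambda a, b: ~b,
    "-1":       lambda a, b: -1,
}
XOR = lambda a, b: a ^ b

def truth_table_matrix(target, prims):
    """Rows: the four (a, b) bit pairs; columns: [target] + prims; entries in {0, 1}."""
    cols = [target] + list(prims.values())
    return [[f(a, b) & 1 for f in cols] for a in (0, 1) for b in (0, 1)]

def nullspace(m):
    """Rational basis of {v : m @ v == 0}, by reduced row echelon form."""
    rows = [[Fraction(x) for x in r] for r in m]
    ncols, pivots, r = len(rows[0]), [], 0
    for c in range(ncols):
        if r == len(rows):
            break
        piv = next((i for i in range(r, len(rows)) if rows[i][c] != 0), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        pv = rows[r][c]
        rows[r] = [x / pv for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c] != 0:
                f = rows[i][c]
                rows[i] = [x - f * y for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    basis = []
    for free in (c for c in range(ncols) if c not in pivots):
        v = [Fraction(0)] * ncols
        v[free] = Fraction(1)
        for i, p in enumerate(pivots):
            v[p] = -rows[i][free]        # pivot variable in terms of the free one
        basis.append(v)
    return basis

def random_null_vector(basis, rng, spread=10**6):
    """Random integer combination of the basis whose target coefficient (index 0)
    is odd, hence invertible modulo 2**WORD. Retries until one turns up."""
    if not basis:
        raise ValueError("target is not a linear combination of the terms")
    while True:
        v = [Fraction(0)] * len(basis[0])
        for b in basis:
            k = rng.randint(-spread, spread)
            v = [x + k * y for x, y in zip(v, b)]
        lcm = 1
        for x in v:
            lcm = lcm * x.denominator // math.gcd(lcm, x.denominator)
        ints = [int(x * lcm) for x in v]
        if ints[0] & 1:
            return ints

def obfuscate(target, prims, seed=0):
    """[(coef, name), ...] with target(a, b) == sum(coef * term) (mod 2**WORD)."""
    rng = random.Random(seed)
    v = random_null_vector(nullspace(truth_table_matrix(target, prims)), rng)
    # v0*target + sum(vj*termj) == 0  =>  target == -inv(v0) * sum(vj*termj)
    inv = pow(v[0] & MASK, -1, 1 << WORD)
    return [((-c * inv) & MASK, name) for c, name in zip(v[1:], prims)]

def evaluate(terms, prims, a, b):
    return sum(c * prims[name](a, b) for c, name in terms) & MASK

def same_function(terms, prims, target):
    """Exact equivalence test for bitwise terms: the four all-zeros/all-ones
    word pairs are the 1-bit truth table scaled to a word."""
    return all(evaluate(terms, prims, a, b) == (target(a, b) & MASK)
               for a in (0, MASK) for b in (0, MASK))

if __name__ == "__main__":
    terms = obfuscate(XOR, PRIMS, seed=1)
    print("a ^ b ==", " + ".join(f"{c} * ({n})" for c, n in terms))
    print("verified:", same_function(terms, PRIMS, XOR))
```

    The coefficients come out reduced modulo 2^32, which is how they would appear in compiled code anyway; a deobfuscator that works over the integers has to take the wrap-around into account, which is the "bigger numbers" weakness the post mentions.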
  2. 3 points
    https://github.com/LisaDziuba/Awesome-Design-Tools#no-code-tools bonus (free -> add to cart -> mailinator -> 498mb) - hxxps://fusionretrobooks.com/collections/pdf/products/the-story-of-the-commodore-amiga-in-pixels_pdf
  3. 3 points
    Used protector (I forgot to specify): https://www.52pojie.cn/thread-652274-1-1.html http://distro.crack.vc/index.php?dir=RceTools/Packers/ Finally made scripts and a tutorial on how to restore stolen bytes: https://forum.tuts4you.com/topic/41211-obsidium-olly-scripts/ BR.
  4. 2 points
    I really, really disagree. Not all websites are valuable. And not all passwords should be chosen to be secure. In fact, this was something I wanted to write about for a long time already, so here it goes: https://lifeinhex.com/my-password-is-password/ (shameless self-promo, I know! )
  5. 2 points
    I knocked up a quick example, you could do something similar to this...

    Declare.i WinProc(hWnd, Msg, wParam, lParam)
    Declare.i SetMenuItemBold(MenuNum)

    Global hMenu

    If OpenWindow(0, 0, 0, 250, 100, "Right click in the window...", #PB_Window_SystemMenu | #PB_Window_ScreenCentered)
      If SetWindowCallback(@WinProc())
        hMenu = CreatePopupMenu(0)
        If hMenu
          ; Create a text array for the menu item text.
          Global Dim menutext.s(4)
          menutext(0) = " MenuItem 0"
          menutext(1) = " MenuItem 1"
          menutext(2) = " MenuItem 2"
          menutext(3) = " End"
          ; Create the menu items and point to the array containing the text.
          MenuItem(0, menutext(0))
          MenuItem(1, menutext(1))
          MenuItem(2, menutext(2))
          MenuItem(3, menutext(3))
          ; Set menu items to #MFT_OWNERDRAW so WM_MEASUREITEM / WM_DRAWITEM are sent for them.
          For a = 0 To 3
            With tag.MENUITEMINFO
              \cbSize = SizeOf(MENUITEMINFO)
              \fMask = #MIIM_TYPE
              \fType = #MFT_OWNERDRAW
              \dwTypeData = @menutext(a)
              SetMenuItemInfo_(hMenu, a, #True, @tag)
            EndWith
          Next
        EndIf
        ; PureBasic window event loop.
        Repeat
          Event = WaitWindowEvent()
          Select Event
            Case #PB_Event_RightClick
              DisplayPopupMenu(0, WindowID(0))
            ; When a menu item is clicked on set it to bold.
            Case #PB_Event_Menu
              Select EventMenu()
                Case 0 : SetMenuItemBold(EventMenu())
                Case 1 : SetMenuItemBold(EventMenu())
                Case 2 : SetMenuItemBold(EventMenu())
                Case 3 : End
              EndSelect
          EndSelect
        Until Event = #PB_Event_CloseWindow
      EndIf
    EndIf

    Procedure.i WinProc(hWnd, Msg, wParam, lParam)
      Static hbrush
      Select Msg
        Case #WM_DESTROY
          ; Delete created objects once the window is destroyed.
          DeleteObject_(hbrush)
        Case #WM_MEASUREITEM
          ; lParam - Pointer to a MEASUREITEMSTRUCT structure that contains the dimensions of the owner-drawn control or menu item.
          *lpm.MEASUREITEMSTRUCT = lParam
          ; Define the width and height for the menu item to be created.
          *lpm\itemWidth = 200
          *lpm\itemHeight = 30
        Case #WM_DRAWITEM
          ; lParam - Pointer to a DRAWITEMSTRUCT structure containing information about the item to be drawn and the type of drawing required.
          *lpd.DRAWITEMSTRUCT = lParam
          ; If a menu item is selected, use #COLOR_MENUHILIGHT.
          If *lpd\itemState & #ODS_SELECTED
            ; Free the brush from the previous draw first, otherwise every redraw leaks a GDI object.
            If hbrush
              DeleteObject_(hbrush)
            EndIf
            hbrush = CreateSolidBrush_(GetSysColor_(#COLOR_MENUHILIGHT))
            SelectObject_(*lpd\hDC, hbrush)
          EndIf
          ; Set the background mix mode of the specified device context to #TRANSPARENT.
          ; This sets the text background to #TRANSPARENT (otherwise its background will be filled a different colour from that of the menu).
          SetBkMode_(*lpd\hDC, #TRANSPARENT)
          ; Set the device context boundary pen colour, the null pen draws nothing.
          SelectObject_(*lpd\hDC, GetStockObject_(#NULL_PEN))
          ; A rectangle that defines the boundaries of the control to be drawn.
          ; When drawing menu items, the owner window must not draw outside the boundaries of the rectangle defined by the rcItem member.
          Rectangle_(*lpd\hDC, *lpd\rcItem\left, *lpd\rcItem\top, *lpd\rcItem\right, *lpd\rcItem\bottom)
          If menutext(*lpd\itemID) = menutext(1)
            SetTextColor_(*lpd\hDC, #Green)
            DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #Null)
          ElseIf menutext(*lpd\itemID) = menutext(2)
            ; Calculate the length of the menu item text.
            DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #DT_CALCRECT)
            ; Set the menu item text colour and then draw it.
            SetTextColor_(*lpd\hDC, #Blue)
            DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #Null)
            ; Save the old right co-ordinate so we can offset the additional menu item text.
            oldRight = *lpd\rcItem\right
            ; Calculate the length of the additional menu item text.
            DrawText_(*lpd\hDC, " Tuts4You", -1, @*lpd\rcItem, #DT_CALCRECT)
            ; Calculate the offset to add the new text in the menu.
            *lpd\rcItem\left = oldRight
            *lpd\rcItem\right + oldRight
            ; Set the menu item text colour and then draw it.
            SetTextColor_(*lpd\hDC, #Red)
            DrawText_(*lpd\hDC, " Tuts4You", -1, @*lpd\rcItem, #Null)
          Else
            DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #Null)
          EndIf
      EndSelect
      ProcedureReturn #PB_ProcessPureBasicEvents
    EndProcedure

    Procedure.i SetMenuItemBold(hMenuNumSel)
      bold.MENUITEMINFO
      bold\cbSize = SizeOf(bold)
      bold\fMask = #MIIM_STATE
      bold\fState = #MFS_DEFAULT
      SetMenuItemInfo_(hMenu, hMenuNumSel, #True, bold)
    EndProcedure

    Ted.
    Coloured Menu Item.exe
  6. 2 points
    Check Ted's answer again: So if you want colors (any at all) or mix normal/bold then you will need to draw the items yourself using the GDI api SetTextColor and TextOut and those functions after responding to the draw item event by setting the owner draw flag.
  7. 2 points
    Here is a working sample (in PureBasic) for you. This sets one of the menu items to be bold...

    If OpenWindow(0, 0, 0, 250, 100, "Right click in the window...", #PB_Window_SystemMenu | #PB_Window_ScreenCentered)
      If CreatePopupMenu(0)
        MenuItem(0, "MenuItem 0")
        MenuItem(1, "MenuItem 1")
        MenuItem(2, "MenuItem 2")
        MenuItem(3, "MenuItem 3")
        bold.MENUITEMINFO
        bold\cbSize = SizeOf(bold)
        bold\fMask = #MIIM_STATE
        bold\fState = #MFS_DEFAULT
        SetMenuItemInfo_(MenuID(0), 2, #True, bold) ; "2" is the MenuItem to be made bold
      EndIf
      Repeat
        Event = WaitWindowEvent()
        If Event = #WM_RBUTTONUP
          DisplayPopupMenu(0, WindowID(0))
        EndIf
      Until Event = #PB_Event_CloseWindow
    EndIf

    If you want to add colours and the like you will have to consider using #MFT_OWNERDRAW and manually draw the menu items on #WM_DRAWITEM event... Ted.
    Bold Menu Item.exe
  8. 2 points
    I use something like this if I want to make a menu item bold...

    bold.MENUITEMINFO
    bold\cbSize = SizeOf(bold)
    bold\fMask = #MIIM_STATE
    bold\fState = #MFS_DEFAULT
    SetMenuItemInfo_(MenuID(0), 2, #True, bold) ; "2" is the MenuItem to be made bold

    https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-setmenuiteminfow https://docs.microsoft.com/en-au/windows/desktop/api/winuser/ns-winuser-tagmenuiteminfoa Ted.
  9. 2 points
    9.0.2 released with the source; the release notes can be found on their site: https://ghidra-sre.org/releaseNotes.html With the source, they did include the decompiler's source code, which some were concerned about being released. It's there and is coded in C/C++, so there is potential for things to get better as time goes on with community help/support. Would love to see it become on par with IDA's and better in the long run. Given how Ghidra is set up too, if it does start to become on par with or better than IDA's decompiler, someone could essentially turn it into an IDA plugin if they wanted.
  10. 2 points
    Is an action-strategy shoot 'em up game developed by Sensible Software and published by Virgin Interactive. The game is military-themed and based on shooting action but with a strategy game-style control system. The player directs troops through numerous missions, battling enemy infantry, vehicles and installations. http://openfodder.com/ https://github.com/OpenFodder/openfodder online (WebAssembly) https://s3.amazonaws.com/openfodder/OpenFodder.html -- -- https://emscripten.org/ Is a toolchain for compiling to asm.js and WebAssembly, built using LLVM, that lets you run C and C++ on the web at near-native speed without plugins. @atom0s
  11. 2 points
    Found an Olly modification that I've created that works ok with Obsidium; I called it OLLY_(Orig_Safengine).rar since it also works for Safengine. A tutorial by Nieo is the most recent: https://tuts4you.com/e107_plugins/download/download.php?view.3678 Let the cracking begin! OLLY_(Orig_Safengine).rar
  12. 2 points
    AdvancedScript version 3.0 releases
    1- add help file and command help on the form.
    2- add ads lib like ("GetAPIName","GetArraySize","ReadStr","GetdesCallJmp","isInArray","isAddrBelongSection").
    3- Write2File_ can write array directly.
    4- add commentset command.
    5- replace Script::Debug::Wait(); with waitPauseProcess();
    6- add ret command.
    7- AutoComplete for Functions and variables and ads lib.
    8- add log box for future work.
    9- add AutoUpdate checkbox to enable/disable update of variables list.
    10- fix some bugs and improve some others like (findallmemx).
    11- add tuts on how to use.
    AdvancedScript How to Script How to fix IAT Themida API Comment Script Good for Static Analyzing
  13. 2 points
    Language : Delphi XE
    Platform : Microsoft Windows x32/x64
    OS Version : XP/Vista/7/8/8.1/10
    Packer / Protector : ArmoredBinary - Modern Binary Obfuscation Tool.
    Description : Attached file was protected with the full version of the ArmoredBinary obfuscator (with medium protection approach); make sure the unpacked file will execute successfully in any environment. You will be dealing with OEP hiding, Resource Protection, Simple IAT Protection, AntiDump Tricks.
    Screenshot : Protected file after execution will be similar to
    Thanks.
    ArmoredBinary_Official_UnpackMe.rar
  14. 1 point
    https://www.bleepingcomputer.com/news/microsoft/windows-10-start-menu-gets-its-own-process-in-build-1903/ This should have happened a long time ago though it could be an indication Start is becoming bloated under Windows 10... Ted.
  15. 1 point
    If you have a look at my DrawTextColoured procedure in my previous example and the one below you can see how I change the text colour and calculate the required positioning in the menu. The example (below) uses AppendMenu function to add items in to the owner drawn menu. It then adds the new item in to the menu array. You can also see how to add an icon/image in to these menu items. I included an example on how you can process menu events from WM_COMMAND. I suggest having a read through the Windows developers documents regarding menus, particularly the About section. https://docs.microsoft.com/en-au/windows/desktop/menurc/menus I have compiled the example for you this time in x32... Ted. Appended Menu Items.exe
  16. 1 point
    If you want to display an icon in the menu you can use something like DrawIconEx. If it is a bitmap you can BitBlt or similar. The icon needs to be placed at the beginning of the menu, you then offset the placement of any subsequent text in the menu after the icon. I am not entirely sure what you mean by dynamic icons or what you are trying to achieve - I'll have a guess... The menu will be drawn each time it is requested to be shown, any icons can be reloaded and used in any preferred order. You will need to keep track of your images and icons as you will need to free up these resources at some time, otherwise you will risk GDI leaks. If I am guessing at what you are trying to do with dynamic icons (and if I guessed correctly) there is no way around it, you will have to track your icon handles. I have had to do something similar in the past and used structured arrays with defined types. A dynamic example would be tracking windows; titles, position, order, icon, window handle, etc. This information is captured and stored in a structured array and then the necessary information is displayed in the menu. In the below example I have expanded on the previous code I posted and added icons in to the menu. Code is a bit crude though it gives you the idea... Ted. Coloured Menu Item + Icon.exe
  17. 1 point
    your password is tesfaw https://gyazo.com/37e85be8307829270736eb42156ed9f5 as kao said this isn't unbreakable at all
  18. 1 point
    @Kazura: That's nonsense. Cloak.NET has been broken before and can be broken now. See It's just that people who can unpack that are not really interested in a very basic crackme.
  19. 1 point
    Hi, can you please check your OS and .NET versions? I only tested it on .NET 4.6.2 EDIT: It seems you will also need the C/C++ runtime library from Microsoft Let me know if you are still facing issues. For me and some other people who tested it, it seems to work.
  20. 1 point
    MFT_OWNERDRAW flag should get the messages sent. It should be set on creation as in Ted's example above or possibly other ways like SetStyle API.
  21. 1 point
    Opera is a Chromium-based browser IE is a Chromium-based browser Brave is a Chromium-based browser man use the #1 browser, brave ...
  22. 1 point
    Hi again, ok thanks again for the info. I have tested it now with TextOut and ExtTextOut + new color function and it seems to work. Now I got another small problem: receiving WM_DRAWITEM and WM_MEASUREITEM messages. So in my case I did create a context menu by button press and not via right mouse. How to handle this problem now to get triggered at the 2 messages? greetz
  23. 1 point
    Hi LCF-AT, usually you have to use owner-drawn menus: you just tell Windows you will take the burden to measure and draw the content by yourself. A very very quick Google search takes you to http://winapi.freetechsecrets.com/win32/WIN32Example_of_OwnerDrawn_Menu_Items.htm https://www.codeproject.com/Articles/8715/Owner-drawn-menus-in-two-lines-of-code https://www.codeguru.com/cpp/controls/menu/article.php/c3719/The-Easiest-Way-to-Code-the-Owner-Drawn-Menu.htm Don't know if there's an example available in pure ASM, I'm afraid. Regards, Tony
  24. 1 point
    Probably have to create your own control with a WS_POPUP window and use DrawText for the individual parts in the different colors. And have to calc the 'menu item' positions, and store the 'menu text' strings in an array or structures etc. Also calc position of the control relative to where mouse/cursor position was, for the placement to show it at.
  25. 1 point
    https://youtu.be/Sv8yu12y5zM bonus - VSCodium - Binary releases of VS Code without MS branding/telemetry/licensing - hxxps://github.com/VSCodium/vscodium
  26. 1 point
    "Program cannot start because VMprotect dll is missing" Are you sure this is using no packer or protector?
  27. 1 point
    Compiling it is certainly for serious developers and paranoid reversers
  28. 1 point
    Hmm think the forums are bugging out.. your post wasn't there for me @Progman when I made mine. But shows it was posted an hour ago now.
  29. 1 point
    @atom0s and @deepzero we now also have a version 9.0.2 with some more fixes: https://ghidra-sre.org/ghidra_9.0.2_PUBLIC_20190403.zip Since serious reversers will want to download the source and not merely browse it, here is a direct link (and it weighs in at ~66mb, smaller than the distribution package even): https://github.com/NationalSecurityAgency/ghidra/archive/master.zip
  30. 1 point
    Source Code of Ghidra Released:
  31. 1 point
    The following Kindle e-books are free at the moment. You will need to amend the URL for your specific region if you are not in Australia...
    Command Line Kung Fu: Bash Scripting Tricks, Linux Shell Programming Tips, and Bash One-liners
    Linux Administration: The Linux Operating System and Command Line Guide for Linux Administrators
    Python Programming for Beginners: An Introduction to the Python Computer Language and Computer Programming (Python, Python 3, Python Tutorial)
    High Availability for the LAMP Stack: Eliminate Single Points of Failure and Increase Uptime for Your Linux, Apache, MySQL, and PHP Based Web Applications
    Machine Learning For Absolute Beginners: A Plain English Introduction (Second Edition) (Machine Learning For Beginners Book 1)
    Shell Scripting: How to Automate Command Line Tasks Using Bash Scripting and Shell Programming
    Ted.
  32. 1 point
  33. 1 point
    9.0.1 was released recently: https://ghidra-sre.org/releaseNotes.html
  34. 1 point
    Hi! This is my first post on Tuts 4 You, I hope that this is the right section; if not, please delete this post! Ok so... A few months ago I made public my internal project called REDasm on GitHub. Basically it's a cross-platform disassembler with an interactive listing (but it's still far, if compared to IDA's one) and it can be extended with its API in order to support new formats, assemblers and analyzers. Currently it supports:
    Portable Executable: VB5/6 decompilation. It can detect Delphi executables, a decompiler is WIP. .NET support is WIP. Debug symbols are displayed, if available.
    ELF Executables: Debug symbols are displayed, if available.
    DEX Executables: Debug symbols are displayed, if available.
    x86 and x86_64 are supported.
    MIPS is supported and partially emulated.
    ARM support is implemented but still WIP.
    Dalvik assembler is supported.
    Most common assemblers are implemented by using the Capstone library; the Dalvik assembler is written manually and even the upcoming MSIL/CIL assembler will be implemented manually. The entire project is written in C++ and its UI is implemented with Qt5. Internally, the disassembler is separated in two parts: LibREDasm and UI. LibREDasm doesn't contain any UI related dependencies, it's just pure C++; one day I will split it into two separate projects. Some links with source code, nightlies and wiki:
    Source Code: https://github.com/REDasmOrg/REDasm
    Nightly Builds (for Windows and Linux): https://github.com/REDasmOrg/REDasm-Builds
    Wiki: https://github.com/REDasmOrg/REDasm/wiki
    And some screenshots:
  35. 1 point
    I heard that Mr Exodia joined Denuvo very recently as an employee. Very hearty congratulations to our very much beloved Mr Exodia!!!! 🍻 I just hope that there would be no "conflict of interest" with his reversing hobby and that he would continue to post and release great work for all of us! 😁
  36. 1 point
    How To Fix Debugger Detected In x64dbg Picture ProtectionID Scan
  37. 1 point
    AdvancedScript beta version. It is a beta version, it could have bugs, so please report, and if you would like to add more features let me know.
    version 2.5 beta :
    1- Script window is separate.
    2- Create folder for scripts, form loads scripts with category.
    3- add more mirror Functions (xorx - pushx ...), and Functions like (if, goto, writestr) to shortcut the work.
    4- show all variables in a list with their values.
    5- edit script on the fly.
    6- enable defining an array with a range like z[n].
    7- writestr Function.
    8- run from anywhere in the script.
    9- reset variables list in case of maintenance.
    10- insert rows as much as you need.
    11- insert from clipboard, replace all script.
    12- insert from clipboard inside the script.
    13- copy separated lines to use in other scripts.
    14- insert description without confusing.
    15- add the dll file of C++ runtime for each package.
    16- add some script samples.
    17- as it is a beta version it supports one step, not auto step; use F12 for step, sorry for that, I need to check if it works then I will add auto step :}
    note : I forgot to say use the (Scriptw) command to show the Script window, but git has stopped working, so copy the script sample to your script folder in the x64dbg folder and please read the help first
    AdvancedScript_2.5beta.zip
  38. 1 point
    I think it's the best idea, you can later share your findings with the rest of the community, I'm sure we can learn from this.
  39. 1 point
    What if i reverse engineer an existing antivirus and develop my own. Thanks for your comment.
  40. 1 point
    Tools: dnSpy, ConfuserEx Tools, de4dot ConsoleApplication3_unpacked.exe
  41. 1 point
    Thanks much Teddy... Any ideas why I keep getting error that I have exceeded download quota? I can download 4mb's and get that error every time... Then have to wait until tomorrow, and hope it continues it. Frustrating as heck lol... Thank you for taking time to put the link. ËÞIãLèS666
  42. 1 point
    Assembly Language: Assembly Language P1: Construction of a 32 bits processor Assembly Language P2: The construction of Executable Windows files Assembly Language P3: Processor Instructions Assembly Language P4: Coprocessor Instructions Assembly Language P5: Global variable Assembly Language P6: Functions and local variables I know they aren't perfect. Please report any bug or misleading you may find. Assembly.Language.zip
  43. 1 point
    @ramjane I'm sharing my private script to reach OEP on all 5.xx (and maybe 4.xx). First it tries to find static OEP address in Enigma VM section. If failed, it tries to dynamically reach OEP.

    lc
    log "Enigma 5.xx OEP Finder by PC-RET v 1.1 started"
    bc
    dbh
    bphwc
    gmi eip, MODULEBASE
    MOV IMAGEBASE, $RESULT
    //gmi eip, CODEBASE
    //MOV CODEBASE, $RESULT
    //gmi eip, CODESIZE
    //MOV CODESIZE, $RESULT
    pusha
    mov eax, IMAGEBASE
    mov edi, eax
    add eax, 3C
    mov eax, edi+[eax]
    mov SECTIONS, [eax+06], 02
    mov esi, eax+0F8
    mov edi, 28
    mov ebp, SECTIONS
    mov ecx, edi
    mul edi, 1 // second section
    add edi, esi
    sub edi, 28
    mov CODEBASE, [edi+0C]
    add CODEBASE, IMAGEBASE
    mov CODESIZE, [edi+08]
    popa
    GPA "VirtualAlloc", "kernel32.dll"
    mov VirtualAlloc, $RESULT
    GPA "VirtualProtect", "kernel32.dll"
    mov VirtualProtect, $RESULT
    GPA "VirtualQuery", "kernel32.dll"
    mov VirtualQuery, $RESULT
    bphws VirtualAlloc
    run
    rtr
    esti
    bphwc VirtualAlloc
    gmemi eip, MEMORYBASE
    mov ENIGMA_SECTION, $RESULT
    mov startsearch, ENIGMA_SECTION
    find startsearch, #8945F8EB0C8BCF8BD68B45FCE8????????F6C304740B8B55F88B45FC# // structure
    cmp $RESULT, 0
    je dynamic_find

    static_find:
    bp $RESULT
    esto
    gmemi esi, MEMORYBASE
    mov startsearch, $RESULT
    gmemi esi, MEMORYSIZE
    mov searchend, $RESULT
    add searchend, startsearch
    alloc 100
    mov eval_section, $RESULT
    mov [eval_section], #609CB8AAAAAAAABBBBBBBBBBB9CCCCCCCCBADDDDDDDD3BC20F831F0000003918740D813800004000740583C004EBE73948100F840800000083C004EBD99D61908B70F803F39D6190#
    mov [eval_section+3], startsearch
    mov [eval_section+8], IMAGEBASE
    mov [eval_section+D], CODESIZE
    mov [eval_section+12], searchend
    bp eval_section+3f
    bp eval_section+45
    bp eval_section+47
    mov bakeip, eip
    mov eip, eval_section
    esto
    cmp eip, eval_section+3f
    je notfound_static
    cmp eip, eval_section+45
    je found_static
    jmp error

    found_static:
    ///////////////////////You can stop here and see OEP in ESI register///////////////////////
    mov oep, esi
    esto
    mov eip, bakeip
    bc
    free eval_section
    gmemi oep, MEMORYBASE
    cmp $RESULT, 0
    jne not_invalid_oep
    eval "Invalid OEP found: {oep}. Now script will try another method."
    msg $RESULT
    jmp dynamic_find

    not_invalid_oep:
    mov oepbytes, [oep], 2
    cmp oepbytes, 25ff
    je risc_oep
    cmp $RESULT, CODEBASE
    je good_oep
    eval "Some weird OEP found: {oep}. Do you want to continue or try using another method? \r\n\r\n\r\nContinue: NO\r\nAnother method: YES"
    msgyn $RESULT
    cmp $RESULT, 01
    je dynamic_find

    good_oep:
    bphws oep
    esto
    msg "OEP found!"
    bphwc
    ret

    risc_oep:
    eval "It seems that OEP: {oep} is RISC-protected. Continuing in another mode."
    msg $RESULT
    jmp dynamic_find

    notfound_static:
    mov eip, bakeip
    bc
    free eval_section

    dynamic_find:
    bphws VirtualProtect
    esto
    bphwc VirtualProtect
    bphws VirtualQuery
    mov hits, 0

    VirtualQueryloop:
    esto
    cmp [esp+4], IMAGEBASE
    je checkhits
    jmp VirtualQueryloop

    checkhits:
    inc hits
    cmp hits, 2
    jne VirtualQueryloop
    bc
    bphwc
    bprm CODEBASE, CODESIZE
    run
    bpmc
    msg "Possible OEP(near OEP) found."
    ret

    error:
    msg "Fatal error occured."
    ret
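    The PE header walk the script does between pusha and popa (e_lfanew, NumberOfSections, the section table at +0F8, VirtualAddress at +0C and VirtualSize at +08 of a section header) and the two sanity checks it applies to a candidate OEP, as an added Python example over a constructed header. This is my code, not the poster's script; all names are mine. It reads SizeOfOptionalHeader instead of assuming the script's fixed +0F8 (correct only for PE32 with a 0xE0-byte optional header), takes the section index as a parameter, and replaces the script's comparison of gmemi's region base with CODEBASE by a plain range test. One detail worth knowing when reusing the script: its three instructions around mul edi, 1 (edi = 28, edi = edi * 1, edi = edi + esi, edi = edi - 28) cancel out, so as posted it reads the first section header, whatever the "second section" comment says; the example's default index=0 matches that behaviour.

```python
"""Added example (not the poster's script): the PE section walk and OEP checks."""
import struct


def section_headers(image):
    """Yield (name, VirtualSize, VirtualAddress) for each IMAGE_SECTION_HEADER.
    The table offset is computed from SizeOfOptionalHeader rather than the
    script's fixed e_lfanew + 0xF8 (assumption: PE32 or PE32+, any header size)."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, = struct.unpack_from("<H", image, e_lfanew + 6)   # [eax+06] in the script
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    first = e_lfanew + 24 + opt_size          # == e_lfanew + 0xF8 when opt_size == 0xE0
    for i in range(nsections):
        off = first + 40 * i                  # one header is 0x28 bytes, as in the script
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", image, off + 8)   # +08 VirtualSize, +0C VirtualAddress
        yield name, vsize, vaddr


def code_range(image, image_base, index=0):
    """(CODEBASE, CODESIZE) as the script derives them: VirtualAddress + IMAGEBASE
    and VirtualSize of the chosen section (index 0 is what the posted script ends up using)."""
    _, vsize, vaddr = list(section_headers(image))[index]
    return image_base + vaddr, vsize


def classify_oep(oep, oep_bytes, codebase, codesize):
    """The script's checks on a candidate OEP: FF 25 (jmp dword ptr [..]) is the
    'RISC-protected' case; an address outside the code section is the 'weird OEP'
    case (the script compares gmemi's region base to CODEBASE; a range test here)."""
    if oep_bytes[:2] == b"\xff\x25":
        return "risc"
    if codebase <= oep < codebase + codesize:
        return "good"
    return "weird"


def build_test_image(image_base=0x400000):
    """Constructed PE32 header with three sections (sample input, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)  # i386, 3 sections, opt 0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)                 # ImageBase

    def sec(name, vsize, vaddr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, 0x60000020)

    sections = (sec(b".text", 0x2345, 0x1000) + sec(b".data", 0x100, 0x4000)
                + sec(b".enigma1", 0x8000, 0x5000))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    img = build_test_image()
    codebase, codesize = code_range(img, 0x400000)
    print(hex(codebase), hex(codesize))
    print(classify_oep(0x401234, b"\x55\x8b\xec", codebase, codesize))
```

    Against a real dump, read the header from the debuggee's image base (the script's IMAGEBASE) rather than from the file on disk, because that is where the protector's rebuilt section table lives.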
  44. 1 point
    Read the FULL ARTICLE HERE. Full SOURCES and set of tools can be DOWNLOADED FROM HERE. A PDF created from the website article is attached for the convenience of the readers. PRACTICAL uses: The principles discussed can be used for reversing the firmware of Routers, Dongles etc. Please note that while the author has focussed on firmware which is Open Source, the same principles can also be used for Closed-Source Firmware. Firmware Hooking - Using Capstone and Keystone.pdf
  45. 1 point


    Uret Pirate Girl <3 GFX BY ANEES KHAN