Tuts 4 You

Leaderboard


Popular Content

Showing content with the highest reputation since 11/08/2019 in all areas

  1. 5 points
  2. 3 points
    https://invidio.us/ src - https://github.com/omarroth/invidious
  3. 3 points
  4. 3 points
    I have unpacked most of the protections, just need someone to complete the last part of it, the calls/delegates!!

    Instructions:
    1. Jit-dump the executable with JitDumper3/4, enabling the checkbox (Dump MD).
    2. Clean the (String And Flow) with SimpleAssemblyExplorer (SAE), checking the checkbox (Delegates) as well.
    3. De4dot.

    Files.rar
  5. 2 points
    I am glad you have a workaround for this in the end. You may find suspending operation for around ~10 milliseconds after setting the cursor position and before simulating the mouse down input, using the Sleep function, adds a little bit more reliability and may not require you to add a second call to SetWindowPos. If you are concerned about accidentally activating a menu when simulating the mouse down you can calculate the centre of the window's titlebar or populate a NONCLIENTMETRICS structure. Just be mindful there may be occasions where this may still occur, particularly with owner drawn windows and Windows 10 apps. I still recommend the timer option... 😎 Ted.
  6. 2 points
    Another variation by detecting user input then sending the window back from the foreground...

    Global User32 = OpenLibrary(#PB_Any, "user32.dll")
    Prototype.i AddClipboardFormatListener_(hWnd)
    Global AddClipboardFormatListener_.AddClipboardFormatListener_
    AddClipboardFormatListener_ = GetFunction(User32, "AddClipboardFormatListener")

    Procedure LastInput(cWnd)
      Protected plii.LASTINPUTINFO
      Protected lastTime
      plii\cbSize = SizeOf(LASTINPUTINFO)
      If GetLastInputInfo_(@plii)
        lastTime = plii\dwTime
        ; Poll until the user generates any input (keyboard or mouse).
        Repeat
          GetLastInputInfo_(@plii)
          Delay(10)
        Until plii\dwTime > lastTime
        ; Then put our window back behind the previous clipboard owner's window.
        SetWindowPos_(WindowID(0), cWnd, #Null, #Null, #Null, #Null, #SWP_NOSIZE | #SWP_NOMOVE | #SWP_ASYNCWINDOWPOS)
      EndIf
    EndProcedure

    Procedure WindowToFocus(hWnd, uMsg, wParam, lParam)
      Static cOnr, cWnd
      #WM_CLIPBOARDUPDATE = $031D
      Select uMsg
        Case #WM_CLIPBOARDUPDATE
          If IsClipboardFormatAvailable_(#CF_TEXT)
            ; Find the last clipboard owner then bring our window to the foreground.
            cOnr = GetClipboardOwner_()
            cWnd = GetParent_(cOnr)
            SetWindowPos_(cWnd, hWnd, #Null, #Null, #Null, #Null, #SWP_NOSIZE | #SWP_NOMOVE | #SWP_ASYNCWINDOWPOS)
            ; Wait for user input on a separate thread, then restore the z-order.
            CreateThread(@LastInput(), cWnd)
          EndIf
      EndSelect
      ProcedureReturn #PB_ProcessPureBasicEvents
    EndProcedure

    If OpenWindow(0, 0, 0, 300, 200, "WindowToFocus", #PB_Window_ScreenCentered | #PB_Window_SizeGadget | #PB_Window_MaximizeGadget)
      AddClipboardFormatListener_(WindowID(0))
      SetWindowCallback(@WindowToFocus())
      Repeat
      Until WaitWindowEvent() = #PB_Event_CloseWindow
    EndIf

    Ted.

    LastInput.exe
  7. 2 points
    This seems to solve your problem. Give it a try, hopefully all good for you...

    Global User32 = OpenLibrary(#PB_Any, "user32.dll")
    Prototype.i AddClipboardFormatListener_(hWnd)
    Global AddClipboardFormatListener_.AddClipboardFormatListener_
    AddClipboardFormatListener_ = GetFunction(User32, "AddClipboardFormatListener")

    Procedure WindowToFocus(hWnd, uMsg, wParam, lParam)
      Static lpPoint.POINT, tagINPUT.INPUT
      Static cOnr, cWnd, Timer
      #WM_CLIPBOARDUPDATE = $031D
      Select uMsg
        Case #WM_CLIPBOARDUPDATE
          If IsClipboardFormatAvailable_(#CF_TEXT)
            ; Find the last clipboard owner then bring our window to the foreground.
            cOnr = GetClipboardOwner_()
            cWnd = GetParent_(cOnr)
            SetWindowPos_(cWnd, hWnd, #Null, #Null, #Null, #Null, #SWP_NOSIZE | #SWP_NOMOVE | #SWP_ASYNCWINDOWPOS)
            ; Save the current mouse pointer coordinates.
            GetCursorPos_(@lpPoint.POINT)
            ; Find our window position then activate our window.
            GetWindowRect_(hWnd, @lpRect.RECT)
            SetCursorPos_(lpRect\left + 10, lpRect\top + 10)
            ; Simulate mouse down.
            tagINPUT\type = #INPUT_MOUSE
            tagINPUT\mi\dwFlags = #MOUSEEVENTF_LEFTDOWN
            SendInput_(1, @tagINPUT, SizeOf(INPUT))
            ; Simulate mouse up.
            tagINPUT\mi\dwFlags = #MOUSEEVENTF_LEFTUP
            SendInput_(1, @tagINPUT, SizeOf(INPUT))
            ; Return mouse pointer to original position.
            SetCursorPos_(lpPoint\x, lpPoint\y)
          EndIf
      EndSelect
      ProcedureReturn #PB_ProcessPureBasicEvents
    EndProcedure

    If OpenWindow(0, 0, 0, 300, 200, "WindowToFocus", #PB_Window_ScreenCentered | #PB_Window_SizeGadget | #PB_Window_MaximizeGadget)
      AddClipboardFormatListener_(WindowID(0))
      SetWindowCallback(@WindowToFocus())
      Repeat
      Until WaitWindowEvent() = #PB_Event_CloseWindow
    EndIf

    Ted.

    WindowToFocus.exe
    WindowToFocus x32.exe
  8. 2 points
    Injector uses VB P-Code, you'll need to use VB Decompiler or some P-Code disassembler for analysis. It's pretty funky code using shellcode, resolving APIs by hash and what not. Or you can simply put a breakpoint on RtlDecompressBuffer and then dump the decompressed payload from memory. It's an old shitty backdoor called XpertRAT. BTW, injector works just fine in my VMWare (32bit Win7).
  9. 2 points
    @Washi has finally made his writeups public: https://github.com/Washi1337/ctf-writeups/tree/master/FlareOn/2019/ Some of his solutions make me green with envy. Great job!
  10. 1 point
  11. 1 point
    Starting from the smallest: IrfanView, XNView Classic, Paint.NET. Rotate works in all 3; Saving transparency info is slightly crappy in IrfanView, works perfectly in all others; Resize on mouse scroller - haven't seen in any editor ever. Works in all 3 by entering resize % (eg. 200%) or target dimensions;
  12. 1 point
    Hi all: Recently I've analyzed a VB malware sample. This VB injector runs on a physical analysis machine (Win7 x86) and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to an online sandbox, it appears to inject iexplorer.exe and send DNS requests to a C&C server. By the way, the VC runtime library and .NET Framework 2 & 4 are already installed on the virtual machine. I have not found any way to make the sample show any injection behavior by checking Process Monitor yet. Can anyone figure out the reason? Any discussion is welcome, or if there is anyone who can dump out its Trojan body, please let me know, thanks a lot... The password of the sample zip package is "infected". Do not run or debug on the real machine! ANY.RUN report (PC-side access): https://app.any.run/tasks/2be96389-5c11-4541-b3b2-bb027f445add/ Hybrid Analysis report: https://www.hybrid-analysis.com/sample/0e0a3f5fa2d7e092dbb9e31b55e8f1dc6879673d9af92735577522dc504e7af9?environmentId=120 VB_Injector_password_infected.zip
  13. 1 point
    Hi again, I changed the code a little...

    invoke GetClipboardOwner
    mov cOnr,eax
    invoke GetParent,cOnr
    mov cWnd,eax
    invoke SetWindowPos,cWnd,hWin,0,0,0,0,SWP_NOSIZE or SWP_NOMOVE or SWP_ASYNCWINDOWPOS
    invoke GetCursorPos,addr lp
    invoke GetWindowRect,hWin,addr rc
    mov eax, rc.left
    add eax, 30
    mov ecx, rc.top
    add ecx, 10
    invoke SetCursorPos,eax,ecx
    invoke SetWindowPos,hWin,HWND_TOPMOST,0,0,0,0,SWP_NOSIZE or SWP_NOMOVE or SWP_ASYNCWINDOWPOS
    invoke SetWindowPos,hWin,HWND_NOTOPMOST,0,0,0,0,SWP_NOSIZE or SWP_NOMOVE or SWP_ASYNCWINDOWPOS
    mov INP.INPUT._type,INPUT_MOUSE
    mov INP.INPUT.mi.dwFlags, MOUSEEVENTF_LEFTDOWN
    invoke SendInput,1,addr INP,sizeof INP
    mov INP.INPUT.mi.dwFlags, MOUSEEVENTF_LEFTUP
    invoke SendInput,1,addr INP,sizeof INP
    invoke SetCursorPos,lp.x,lp.y

    ...adding SetWindowPos x2. Now it works better. Also moved the mouse more to the left to prevent opening that menu. But also in this case it's not working all over. When I copy something from a browser or other sources then WM_CLIPBOARDUPDATE seems to fail. Before I used WM_DRAWCLIPBOARD with the SetClipboardViewer function etc. and there it was working. Strange is that it's now no more working. Maybe using the AddClipboardFormatListener function and RemoveClipboardFormatListener isn't a good choice or does change something on my system = WM_DRAWCLIPBOARD fails. Now I need to reboot the PC to check this out. Hhmm!!! So that's pretty bad, don't wanna do a reboot each time just to get my old stuff working again. Otherwise I will just use SetWindowPos x2 alone without getting the active window status if the other code examples cause some strange problems later. greetz

    EDIT: My fault about WM_DRAWCLIPBOARD, so it's still working. Just forgot that I added a check yesterday. So I think now it seems to work better using the example from Ted, WindowToFocus x32, just with adding SetWindowPos x2 and moving the mouse pointer some more to the right side where it does click on. I think with this method I can live now so far.
    I can use it with WM_DRAWCLIPBOARD (SetClipboardViewer etc.) or also with WM_CLIPBOARDUPDATE with the AddClipboardFormatListener function. This seems to be easier, just need to call this function once + RemoveClipboardFormatListener at the end. Thanks again guys.
  14. 1 point
    Waiting on mouse movement this time...

    Global User32 = OpenLibrary(#PB_Any, "user32.dll")
    Prototype.i AddClipboardFormatListener_(hWnd)
    Global AddClipboardFormatListener_.AddClipboardFormatListener_
    AddClipboardFormatListener_ = GetFunction(User32, "AddClipboardFormatListener")

    Procedure LastInput(cWnd)
      Protected lpPoint.POINT
      Protected oldx, oldy
      GetCursorPos_(@lpPoint.POINT)
      oldx = lpPoint\x
      oldy = lpPoint\y
      ; Poll until the mouse pointer moves.
      Repeat
        GetCursorPos_(@lpPoint.POINT)
        Delay(10)
      Until oldx <> lpPoint\x Or oldy <> lpPoint\y
      SetWindowPos_(WindowID(0), cWnd, #Null, #Null, #Null, #Null, #SWP_NOSIZE | #SWP_NOMOVE | #SWP_ASYNCWINDOWPOS)
    EndProcedure

    Procedure WindowToFocus(hWnd, uMsg, wParam, lParam)
      Static cOnr, cWnd
      #WM_CLIPBOARDUPDATE = $031D
      Select uMsg
        Case #WM_CLIPBOARDUPDATE
          If IsClipboardFormatAvailable_(#CF_TEXT)
            ; Find the last clipboard owner then bring our window to the foreground.
            cOnr = GetClipboardOwner_()
            cWnd = GetParent_(cOnr)
            SetWindowPos_(cWnd, hWnd, #Null, #Null, #Null, #Null, #SWP_NOSIZE | #SWP_NOMOVE | #SWP_ASYNCWINDOWPOS)
            ; Wait for mouse movement on a separate thread, then restore the z-order.
            CreateThread(@LastInput(), cWnd)
          EndIf
      EndSelect
      ProcedureReturn #PB_ProcessPureBasicEvents
    EndProcedure

    Ted.
  15. 1 point
    I might point out that perhaps what is missing is the task at hand. If I copy a magnet:// link, my torrent app will automatically come to the front and offer to download if it is open. In Windows 10, clicking on a link which has magnet:// now brings up a "would you like such and such app to open this" warning. The only Windows-sanctioned solution is to use the correct mechanisms like registering your app to handle all of these events. Clipboard Viewer Chain: https://docs.microsoft.com/en-us/windows/win32/dataxchg/using-the-clipboard#adding-a-window-to-the-clipboard-viewer-chain Protocol Handlers: https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-ph-install-registration There are probably tricks you can do. I don't know how the torrent programs monitor and bring to front, but I imagine you could monitor the clipboard for a change, modify the clipboard to contain a protocol that you are registered for, e.g. myapp://, and then the system will bring your app to the forefront. I imagine this works in Win7 as well. But it's a cleaner and better route in modern Windows than hijacking the foreground window, which, due to annoying apps that have overused that ability, has become increasingly complicated, difficult and with all sorts of nuances and details to check for. For example accessibility features, custom keyboard mappings, system style of windows that might make keyboard/mouse simulation complex, privileged windows, UAC elevation prompts, 2 apps that are both trying to capture and bring to front could end up in a deadlock fight for it, etc. A professional solution probably is not worth it unless it's absolutely necessary with no alternatives, and could require reversing Windows a bit to get some peculiar details. I've browsed the Win2k source more than a few times :).
    IMO, Microsoft should open source the UI drawing parts of the basic Windows controls so it's easy to derive clean professional owner-draw solutions and the like which deal with every possible circumstance. That seems long overdue and who knows, at the current rate maybe they will some day.
  16. 1 point
    I have made 2 small files for you to test as a workaround for your problem...

    SetForegroundWindow Keypress Test.exe (Simulates ALT Press & Release)

    keybd_event(VK_MENU,0, 0 , 0); //Alt Press
    keybd_event(VK_MENU,0,KEYEVENTF_KEYUP,0); // Alt Release

    SetForegroundWindow Mousebutton Test.exe (Simulates Left Mouse Button Press & Release)

    mouse_event(MOUSEEVENTF_ABSOLUTE or MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0); // Left Button Press
    mouse_event(MOUSEEVENTF_ABSOLUTE or MOUSEEVENTF_LEFTUP, 0, 0, 0, 0); // Left Button Up

    SetForegroundWindowTest.rar

    Both worked for me in all programs I tried including Olly. A workaround like this is the only way you can reliably steal focus due to the restrictions: simulating a mouse press or a keypress tricks it into taking away the focus from the window you are working with. ALT apparently allows SetForegroundWindow due to the ALT+TAB feature of Windows, which will always be on top.
  17. 1 point
    I think I already answered it 😋 When a user is working/interacting in an active window you can't steal focus away from it to another application. The user passes on focused privileges by activating the window. If you are really, really, really intent on stealing focus you can do something immensely annoying by simulating a mouse click on screen in a window. Something like this...

    Global User32 = OpenLibrary(#PB_Any, "user32.dll")
    Prototype.i AddClipboardFormatListener_(hWnd)
    Global AddClipboardFormatListener_.AddClipboardFormatListener_
    AddClipboardFormatListener_ = GetFunction(User32, "AddClipboardFormatListener")

    Procedure WindowToFocus(hWnd, uMsg, wParam, lParam)
      Static cOnr, cWnd, Timer
      #WM_CLIPBOARDUPDATE = $031D
      Select uMsg
        Case #WM_CLIPBOARDUPDATE
          If IsClipboardFormatAvailable_(#CF_TEXT)
            cOnr = GetClipboardOwner_()
            cWnd = GetParent_(cOnr)
            SetWindowPos_(cWnd, hWnd, #Null, #Null, #Null, #Null, #SWP_NOSIZE | #SWP_NOMOVE | #SWP_ASYNCWINDOWPOS)
            ;GetWindowRect_(cWnd, @lpRect.rect)
            GetWindowRect_(hWnd, @lpRect.rect)
            SetCursorPos_(lpRect\left + 10, lpRect\top + 10)
            tagINPUT.INPUT
            ; Mouse down...
            tagINPUT\type = #INPUT_MOUSE
            tagINPUT\mi\dwFlags = #MOUSEEVENTF_LEFTDOWN
            SendInput_(1, @tagINPUT, SizeOf(INPUT))
            ; Mouse up...
            tagINPUT\mi\dwFlags = #MOUSEEVENTF_LEFTUP
            SendInput_(1, @tagINPUT, SizeOf(INPUT))
          EndIf
      EndSelect
      ProcedureReturn #PB_ProcessPureBasicEvents
    EndProcedure

    If OpenWindow(0, 0, 0, 300, 200, "WindowToFocus", #PB_Window_ScreenCentered | #PB_Window_SizeGadget | #PB_Window_MaximizeGadget)
      AddClipboardFormatListener_(WindowID(0))
      SetWindowCallback(@WindowToFocus())
      Repeat
      Until WaitWindowEvent() = #PB_Event_CloseWindow
    EndIf

    Ted.
  18. 1 point
    SetWindowPos can change the z-order but it doesn't activate the window. You can use SetActiveWindow after you have brought it to the front; if it's not in front it will not be set as active. Have you tried SetForegroundWindow?
  19. 1 point
    I use a free app which I think does what you're asking. It is a downloader which monitors the clipboard for new links to sites it supports such as youtube, clicknupload etc., and when a new link is copied to the clipboard it pops up a window asking if you want to download it. If that's what you want your app to do then maybe you could see how they do it there: http://wordrider.net/freerapid/
  20. 1 point
    You cannot take (steal) focus away from another window you do not control whilst the user is currently active inside it. You will not be notified of the other window's events to make a judgement call when to send your window to the back. As @kao mentioned above, the only way to do this would be to attach to the thread input queue of that window. You can then change its z-order position whilst focused. There are a few caveats. If the process is elevated you will not be able to attach to the input queue. If there is a problem with the process you are attached to you run the risk of inheriting those problems. Some more questions: Why do you need to bring your window to the front? What is the purpose of your window whilst it is in front, what will it do when it is in front? If you need to bring the window to the front how long do you need it to be there? Why do you need to send it to the back? If you only need your window to be in front for a short period set a timer event to send it back when its work is done. There are some other methods whilst another window has focus though they are hit-and-miss. Waiting for WM_NCACTIVATE is one, though this event may never occur and shouldn't be relied upon.

    Global User32 = OpenLibrary(#PB_Any, "user32.dll")
    Prototype.i AddClipboardFormatListener_(hWnd)
    Global AddClipboardFormatListener_.AddClipboardFormatListener_
    AddClipboardFormatListener_ = GetFunction(User32, "AddClipboardFormatListener")

    Procedure WindowToFocus(hWnd, uMsg, wParam, lParam)
      Static cOnr, cWnd, Timer
      #WM_CLIPBOARDUPDATE = $031D
      Select uMsg
        Case #WM_CLIPBOARDUPDATE
          If IsClipboardFormatAvailable_(#CF_TEXT)
            cOnr = GetClipboardOwner_()
            cWnd = GetParent_(cOnr)
            SetWindowPos_(cWnd, hWnd, #Null, #Null, #Null, #Null, #SWP_NOSIZE | #SWP_NOMOVE | #SWP_ASYNCWINDOWPOS)
            ; Send our window back after 500 ms.
            SetTimer_(hWnd, Timer, 500, #Null)
          EndIf
        Case #WM_TIMER
          Select wParam
            Case Timer
              SetWindowPos_(hWnd, cWnd, #Null, #Null, #Null, #Null, #SWP_NOSIZE | #SWP_NOMOVE | #SWP_ASYNCWINDOWPOS)
          EndSelect
      EndSelect
      ProcedureReturn #PB_ProcessPureBasicEvents
    EndProcedure

    If OpenWindow(0, 0, 0, 300, 200, "WindowToFocus", #PB_Window_ScreenCentered | #PB_Window_SizeGadget | #PB_Window_MaximizeGadget)
      AddClipboardFormatListener_(WindowID(0))
      SetWindowCallback(@WindowToFocus())
      Repeat
      Until WaitWindowEvent() = #PB_Event_CloseWindow
    EndIf

    Ted.
  21. 1 point
    GetWindowThreadProcessId: you might wanna check that it doesn't destroy ebx.
  22. 1 point
    @LCF-AT: I believe this example and explanation should work: https://www.codeproject.com/Tips/76427/How-to-bring-window-to-top-with-SetForegroundWindo

    My ugly test code (PLEASE don't use it in a real life project!):

    ;invoke SetWindowPos,hWin,HWND_TOPMOST,0,0,0,0, SWP_NOACTIVATE or SWP_SHOWWINDOW or SWP_NOSIZE or SWP_NOMOVE
    ;invoke SetWindowPos,hWin,HWND_NOTOPMOST,0,0,0,0, SWP_NOACTIVATE or SWP_SHOWWINDOW or SWP_NOSIZE or SWP_NOMOVE
    pushad
    invoke GetForegroundWindow
    mov esi, eax
    invoke GetCurrentThreadId
    mov ebx, eax
    invoke GetWindowThreadProcessId, esi, 0
    mov edi, eax
    invoke AttachThreadInput, ebx, edi, 1
    invoke AllowSetForegroundWindow, -1
    invoke SetForegroundWindow,hWin
    invoke AttachThreadInput, ebx, edi, 0
    popad

    Please note that I did only very limited testing with only notepad, your sample app and 3 copy to clipboard attempts. There might be issues, especially in your "very specific" configurations with Sandboxie and what not.. Does that solve your problem? kao.
  23. 1 point
    Hi, Did you try to send mouse down/up messages to your window? Sample: https://stackoverflow.com/questions/12363215/send-mouse-click-message BR, h4sh3m
  24. 1 point
    SetWindowPos(windowHwnd, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOACTIVATE | SWP_SHOWWINDOW | SWP_NOSIZE | SWP_NOMOVE); think you can convert that to asm yourself
  25. 1 point
    As @atom0s already mentioned SetFocus is what you are after if you want keyboard events in your window... Ted.
  26. 1 point
    In terms of API that can be used / are used to do this:

    BringWindowToTop
    SetActiveWindow
    SetForegroundWindow
    SetFocus
    SetWindowPos
    ShowWindow
    SwitchToThisWindow

    In some cases, you may need to make use of 'AttachThreadInput' as well.
  27. 1 point
    As I said earlier - I don't use Sandboxie and can't help you with that. From the quick search, you could try to enable Trace mode and check the log for hints what needs to be enabled: https://www.sandboxie.com/SandboxieTrace
  28. 1 point
    Over 1.5 Billion unique people, including close to 260 million in the US.
    Over 1 billion personal email addresses.
    Work email for 70%+ decision makers in the US, UK, and Canada.
    Over 420 million Linkedin urls.
    Over 1 billion facebook urls and ids.
    400 million+ phone numbers.
    200 million+ US-based valid cell phone numbers.
    https://www.dataviper.io/blog/2019/pdl-data-exposure-billion-people/
  29. 1 point
    I took dragdrop.asm from raedit, commented out things that didn't immediately compile, added a simple window + initialization code and it sort of works. When something is dragged over window, you can see calls to IDropTarget_AddRef and IDropTarget_DragEnter. After that it messes up because most of the code in IDropTarget_DragEnter was commented out. But that was enough for my dumb test. So, probably you did something wrong with pIDropTarget declaration or implementation.
  30. 1 point
    ..and there's your problem. Sandboxie blocks such communication by design - because that's the only way it can ensure that the sandboxed process doesn't break out of it. I'm not using Sandboxie, so I can't tell you if/how you can work around it. Google for possible configuration options. Maybe (just maybe!) this configuration option could work: https://www.sandboxie.com/OpenWinClass See IDropTarget link from my first answer. It's a COM interface. It's ugly. But that's how things in Windows sometimes work - no way around it. Here's another sample program - http://web.archive.org/web/20050402152142/http://home.inreach.com/mdunn/code/ClipSpy/clipspy.html - there you can actually drag/drop any link from IE, not only from address bar. So, it might be even better example than the first one I gave. Or you can look at RAEdit sources, they have most of the structures defined (no comments, though): https://github.com/m417z/SimEd/blob/master/RAEdit/DragDrop.asm
  31. 1 point
    Sample app does work for me in 64bit Win7 on both Chrome and IE, otherwise I wouldn't suggest it. From Chrome you can drag/drop both address from address bar and hyperlinks from any webpage. From IE8 you can drag/drop address from address bar. I don't use Firefox or Brave or Vivaldi or whatever other weird browsers, so I can't test those.
  32. 1 point
    You need to implement drop target. See MSDN for RegisterDragDrop, IDropTarget and/or http://www.catch22.net/tuts/win32/drop-target for sample app with C sources.
  33. 1 point
    I read somewhere that there are some disk images so you don't need to download the entire torrent. As to what is specifically on there and how revealing that information is I have no idea... Ted.
  34. 1 point
    This one is good to use on your TV's browser - instead of using the default YouTube app - to get around all the annoying ads... Ted.
  35. 1 point
    @CodeExplorer : There's only one post by @Drin in July 21, so where did you see his post in July 17?
  36. 1 point
    Hi again, The original repository is not for VS2013 or above it seems; the fix below works very well for me [at the expense of throwing away XP compatibility]. LonghronShen Forked Scylla I hope this helps others like me; it makes me wonder why tuts4you never got to mention it anywhere. If someone finds this useful, please don't forget to give a reaction to this post. Regards, Ben
  37. 1 point
  38. 1 point
    https://github.com/DefCon42/op-mutation decided to release the source because it's a neat example of a practical application of linear algebra yes, i know the code does not look great and there's blatant violations of like every standard ever no, i won't change that :^) note: only works with relatively simple operations. add, sub, not, etc will work but higher order operators like multiplication and exponentiation will not
  39. 1 point
    Simple Polymorphic Engine (SPE32) is a simple polymorphic engine for encrypting code and data. It is an amateur project that can be used to demonstrate what polymorphic engines are. SPE32 allows you to encrypt any data and generate a unique decryption code for this data. The encryption algorithm uses randomly selected instructions and encryption keys. https://github.com/PELock/Simple-Polymorphic-Engine-SPE32 Sample polymorphic code in x86dbg window: Another polymorphic code mutation, this time with code junks
  40. 1 point
    Ok, I have deobfuscated the file. Enjoy, I guess. Btw some parts of the file use "dynamic" so it wouldn't look like just "dynamic" in dnSpy. There will be something like callsite stuff cuz that's how the compiler interprets the dynamic data type. sample(2)-SysMathCallFixed-DelegatesFixed-FieldToLocalFix-VarsUnmelted-StringDec_deobfuscated.exe
  41. 1 point
    Before you potentially dump $50 on CodeStage, look around for free options. Most of what's offered in his library is already free.

    Protected memory/variables:
    - https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.protectedmemory
    - https://gamedev.stackexchange.com/a/9851 (Xor'd value, same as how CodeStage protects.)
    - https://www.alanzucconi.com/2015/09/02/a-practical-tutorial-to-hack-and-protect-unity-games/
    - https://github.com/Ymiku/SafeInt
    - https://github.com/pedro15/UniToolKit

    Protected player prefs:
    - https://www.alanzucconi.com/2015/09/02/a-practical-tutorial-to-hack-and-protect-unity-games/
    - https://gist.github.com/ftvs/5299600
    - https://github.com/rawandnf/SecurePlayerPrefs
    - Any kind of encryption you prefer works for this.

    Generate Code Hashes:
    - Use System.Reflection for this. (MethodBody -> GetILAsByteArray -> hash etc.)

    Detect Speed Hack:
    - This is done by monitoring the ticks of an application in a timer/thread, checking for any sudden increases that cause the timing of the app/process to be considered fast/slow.
    - https://github.com/WizardVan/UnityDetector

    Detect Wall Hacks:
    - This is done a number of ways depending on what kind of detection you are looking for.

    Detect Injections:
    - Walk/monitor the app domain's assembly list for unknown modules. (AppDomain.CurrentDomain.GetAssemblies())
    - Track a list of valid/allowed modules + checksum hashes.
    - Track IL edits to functions via hash checks.

    Keep in mind all of this is bypassable, editable, etc. by a hack/cheat/mod, so while you are adding a layer of security it will only work against certain people who are not familiar with bypassing this kind of stuff.
  42. 1 point
    Hi guys. I have a linux "hacking challenge" x64 binary that is difficult to exploit; you can find it attached to this email. This binary is vulnerable to buffer overflow + ROP + canary bypass, so it will be possible to execute shellcode. The vulnerable input fields are "HOURS WORKED" and "REASON FOR OVERTIME" (this field is also vulnerable to a format string vulnerability, so with an input like %016llX,%016llX,%016llX etc... it will be possible to dump the stack and the canary value). Any of you that can give it a look? Thanks a lot guys! (the vulnerable binary is "vulnelf") vulnelf
  43. 1 point
    Answer

    The password is "gamer vision".

    All of the following addresses are based on the module base 0x00007FF644840000.

    The possible OEP at:

    00007FF644841DF8 | 48:895C24 20 | mov qword ptr [rsp+20],rbx
    00007FF644841DFD | 55           | push rbp
    00007FF644841DFE | 48:8BEC      | mov rbp,rsp
    00007FF644841E01 | 48:83EC 20   | sub rsp,20
    ...

    Then the second hit in the code section at:

    00007FF6448416FC | 48:895C24 08 | mov qword ptr [rsp+8],rbx
    00007FF644841701 | 48:897424 10 | mov qword ptr [rsp+10],rsi
    00007FF644841706 | 57           | push rdi
    00007FF644841707 | 48:83EC 30   | sub rsp,30
    ...

    After being prompted "enter password.", the input routine is at:

    00007FF644841400 | 48:8BC4      | mov rax,rsp
    00007FF644841403 | 57           | push rdi
    00007FF644841404 | 41:54        | push r12
    00007FF644841406 | 41:55        | push r13
    00007FF644841408 | 41:56        | push r14
    00007FF64484140A | 41:57        | push r15
    00007FF64484140C | 48:83EC 50   | sub rsp,50
    ...

    The pointer to the local buffer receiving the input text is in rdx (for example, 000000359CC9FA58). When some test characters are entered, the stack looks like:

    000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00   "123456789012"
    000000359CC9FA68: 000000000000000C                                  input size
    000000359CC9FA70: 000000000000000F                                  buffer size

    After that, the process logic is virtualized. First of all, the length of the input text gets checked in a vCmpqr handler:

    00007FF644898E0B | 49:39F0 | cmp r8,rsi   ; r8=000000000000000C (actual), rsi=000000000000000C (const)

    The length MUST be 12!, else you get "no!". NOTE: the encrypted password has no chance to get decrypted if the input length is wrong!

    The answer string is encrypted (0xC length):

    00007FF64484BCB0  8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00

    Decrypt algo:

    00007FF6448BF3A6 | 40:8A36 | mov sil,byte ptr [rsi]    rsi=00007FF64484BCB0, sil=8B
    00007FF6448D4125 | 44:30DB | xor bl,r11b               bl=8B, r11b=08; ^=08 = 83
    00007FF64488E987 | 880A    | mov byte ptr [rdx],cl     [00007FF64484BCB0] <- 83
    00007FF64485748F | 8A09    | mov cl,byte ptr [rcx]     [00007FF64484BCB0] -> 83
    00007FF64485E6FA | 44:00D7 | add dil,r10b              dil=83, r10b=E4; +=E4 = 67 'g'
    00007FF64488E987 | 880A    | mov byte ptr [rdx],cl     [00007FF64484BCB0] <- 67
    00007FF64488DA96 | 49:FFC4 | inc r12                   ptr++
    00007FF644859691 | 41:FFC9 | dec r9d                   length--
    00007FF64488743C | 85C8    | test eax,ecx              end loop if length zero

    At the end of the loop, the plaintext:

    00007FF64484BCB0  67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00   gamer vision....

    The comparison:

    00007FF6448424E7 | FF25 330C0000 | jmp qword ptr [<&memcmp>]
      ret rax=00000000FFFFFFFF / 0000000000000000 (if matches)
      rcx=000000359CC9FA58 "123456789012"
      rdx=00007FF64484BCB0 "gamer vision"
      r8=000000000000000C

    Strings Encrypted Structure:

    BYTE  bEncrypt                // 1 - encrypt, 0 - decrypt
    DWORD dwLength
    BYTE  UnDefined[0xC]
    BYTE  CipherText[dwLength+1]

    The related messages are as follows; you can find them in the VM section ".themida" after it gets unpacked at the very beginning of the application.

    00007FF6448AC79F  01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00   decrypt algo: ^A0+4F
    00007FF6448AC7AF  00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F   "enter password.\n"
    00007FF6448AC7BF  1B 00

    00007FF64484BC9F  01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00   decrypt algo: ^08+E4
    00007FF64484BCAF  00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00         "gamer vision"

    00007FF644886C7F  01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00   decrypt algo: ^85+10
    00007FF644886C8F  00 EC D0 E6 94 7F 00                              "yes!\n"

    00007FF64489252F  01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00   decrypt algo: ^65+C9
    00007FF64489253F  00 C0 C3 3D 24 00                                 "no!\n"

    00007FF64484C40F  01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00   decrypt algo: ^12+C6
    00007FF64484C41F  00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48   "press enter to continue.\n"
    00007FF64484C42F  8F BB BA BC B1 BA BD 8D 7A 56 00
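    The record layout and the per-string "xor, then add" transform traced in the answer above, as an added Python example that is not part of the original post. The record bytes are copied from the dumps above, the keys are the ones annotated there ("^08+E4" etc.), and all function names are my own.

```python
"""Parse and decrypt the encrypted-string records described in the answer above."""
import struct
from typing import List, Tuple

# Record layout from the answer:
#   BYTE  bEncrypt        (1 = still encrypted, 0 = decrypted)
#   DWORD dwLength
#   BYTE  UnDefined[0xC]
#   BYTE  CipherText[dwLength + 1]   (NUL-terminated)
HEADER_FMT = "<BI12s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 17 bytes


def decrypt_bytes(ciphertext: bytes, xor_key: int, add_key: int) -> bytes:
    """Undo the traced transform: each byte is XORed, then a constant is added (mod 256)."""
    return bytes(((c ^ xor_key) + add_key) & 0xFF for c in ciphertext)


def encrypt_bytes(plaintext: bytes, xor_key: int, add_key: int) -> bytes:
    """Inverse of decrypt_bytes: subtract the add key (mod 256), then XOR."""
    return bytes(((p - add_key) & 0xFF) ^ xor_key for p in plaintext)


def parse_record(blob: bytes, offset: int = 0) -> Tuple[bool, bytes, int]:
    """Parse one record at offset; returns (is_encrypted, body_without_NUL, next_offset)."""
    if len(blob) - offset < HEADER_LEN:
        raise ValueError("truncated record header")
    b_encrypt, dw_length, _undefined = struct.unpack_from(HEADER_FMT, blob, offset)
    start = offset + HEADER_LEN
    end = start + dw_length + 1  # dwLength bytes plus the NUL terminator
    if end > len(blob):
        raise ValueError("dwLength runs past the end of the buffer")
    if blob[end - 1] != 0:
        raise ValueError("record body is not NUL-terminated")
    return b_encrypt == 1, blob[start:end - 1], end


def decrypt_record(blob: bytes, xor_key: int, add_key: int, offset: int = 0) -> str:
    """Decrypt a single record; bodies flagged as already decrypted are returned as-is."""
    encrypted, body, _ = parse_record(blob, offset)
    plain = decrypt_bytes(body, xor_key, add_key) if encrypted else body
    return plain.decode("latin-1")


def recover_keys(ciphertext: bytes, known_plaintext: bytes) -> List[Tuple[int, int]]:
    """Find every (xor_key, add_key) pair that maps ciphertext to a known plaintext.

    Once the XOR key is fixed, the first byte pins down the add key, so only
    256 candidates need checking instead of 65536.
    """
    if not ciphertext or len(ciphertext) != len(known_plaintext):
        raise ValueError("ciphertext and plaintext must be non-empty and equal length")
    hits = []
    for x in range(256):
        a = (known_plaintext[0] - (ciphertext[0] ^ x)) & 0xFF
        if decrypt_bytes(ciphertext, x, a) == known_plaintext:
            hits.append((x, a))
    return hits


# Records copied byte-for-byte from the dumps in the answer.
PASSWORD_RECORD = bytes.fromhex(
    "01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00 "
    "00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00"
)
PROMPT_RECORD = bytes.fromhex(
    "01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00 "
    "00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F "
    "1B 00"
)
CONTINUE_RECORD = bytes.fromhex(
    "01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00 "
    "00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48 "
    "8F BB BA BC B1 BA BD 8D 7A 56 00"
)

if __name__ == "__main__":
    # Keys as annotated in the answer: "^08+E4", "^A0+4F", "^12+C6".
    for name, rec, keys in (("password", PASSWORD_RECORD, (0x08, 0xE4)),
                            ("prompt", PROMPT_RECORD, (0xA0, 0x4F)),
                            ("continue", CONTINUE_RECORD, (0x12, 0xC6))):
        print(f"{name}: {decrypt_record(rec, *keys)!r}")
    # With a plaintext known from the crackme, the keys can be recovered as well.
    print(recover_keys(PASSWORD_RECORD[HEADER_LEN:-1], b"gamer vision"))
```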
  44. 1 point
    Yep, looks like Dotwall. But the main executable is totally boring - the interesting stuff is in .NET resources. So, don't waste much time trying to deobfuscate main executable. There are 2 malicious PE files in .NET resources - XOR-encrypted with key 76 00 6F 00 52 00 4E 00 66 00 48 00 73 00 44 00 One is Aspire.dll, protected with .NET Reactor - that's some sort of malware launcher. Other one is password stealer written in Delphi.
  45. 1 point
    Anti Debugging Protection Techniques With Examples: https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software
  46. 1 point
    this has some more techniques: https://studylib.net/doc/14916230/anti-debugging-techniques-malware-analysis-seminar-meetin...
  47. 1 point
    Good times! I still play UT every once in while, last time was with my son. Happy to participate in a game night/day if someone is able to organise an event and it falls at a suitable date and time... Ted.
  48. 1 point
    @mr.exodia congrats my Friend BR , Apuromafo CLS
  49. 1 point
    Find it funny how the agitator creates the topic to try and bring attention to what he had to post later on Puny schemes. People just have lives; RE isn't going anywhere. Same as there's been one generation of smart, skilled and enthused people, others will follow. Circle of life. What I do find funny is how this "high-level programming" works even with big companies, such as Denuvo. I put quotes because same as Java relies on a ton of shit OTHER people wrote across time, which they now just import, similarly Denuvo relies on VMProtect to shield whatever crap they've got going on. Were it not for it, we'd have gotten ourselves the ol' time SecuROM/SafeDisc fiascos. I digress.. Congrats, ExoD And keep it up, love your work.
  50. 0 points
    I do miss the old times with people actually posting new and interesting stuff in here. Last few years have been really tough. I don't have a solution to that, just the feeling that it's the biggest problem that needs addressing. As for smaller and easier to solve things: 1) It would be nice to have faster actions to stop troll-fights between techlord's fans and their opponents. Last thing we need here is the toxic atmosphere they bring; 2) It's time to stop "Difficulty 10/10" nonsense in crackmes that contain nothing more than a rebranded ConfuserEx. For example, create a rule that members with "Junior" title are not allowed to post crackmes, as they almost inevitably submit total garbage. Or maybe crackme section moderators could do more filtering (I'm not saying they are not doing a good job - they are!, just that the acceptance rules are too relaxed); My 2 cents. kao.