Tuts 4 You

Moderator

34

2,962

Full Member+

21

2,232

21

7,977

Junior+

20

15

## Popular Content

Showing content with the highest reputation since 11/08/2019 in all areas

1. 5 points

2. 3 points

## Invidious is an alternative front-end to YouTube

https://invidio.us/ src - https://github.com/omarroth/invidious
3. 3 points

## Unpack Challenge (Agile.NET)

JitDumperv4.rar
4. 3 points

## Unpack Challenge (Agile.NET)

I have unpacked most of the protections just need someone to complete the last part of it, the calls/delegates!! Instructions: 1. Jit-dump the executable with JitDumper3/4 enable the checkbox (Dump MD). 2. Clean the (String And Flow) with SimpleAssemblyExplorer(SAE) checking the checkbox (Delegates} as well. 3. De4dot. Files.rar
5. 2 points

## How to bring a window active to front?

I am glad you have a workaround for this in the end. You may find suspending operation for around ~10 milliseconds after setting the cursor position and before simulating the mouse down input, using the Sleep function, adds a little bit more reliability and may not require you to add a second call to SetWindowPos. If you are concerned about accidentally activating a menu when simulating the mouse down you can calculate the centre of the windows titlebar or populate NONCLIENTMETRICS structure. Just be mindful there may be occasions where this may still occur particularly with owner drawn windows and Windows 10 apps. I still recommend the timer option... 😎 Ted.
6. 2 points

8. 2 points

## Strange VB injector sample, no injection behavior on physical/virtual machine

Injector uses VB P-Code, you'll need to use VB decompiler or some P-Code disassembler for analysis. It's pretty funky code using shellcode, resolving APIs by hash and what not. Or you can simply put breakpoint on RtlDecompressBuffer and then dump decompressed payload from memory. It's an old shitty backdoor called XpertRAT. BTW, injector works just fine in my VMWare (32bit Win7).
9. 2 points

## Flare On 6

@Washi has finally made his writeups public: https://github.com/Washi1337/ctf-writeups/tree/master/FlareOn/2019/ Some of his solutions make me green with envy. Great job!
10. 1 point

## ILSpy mod by Medsft: NET assembly browser and decompiler, debugger, Hi

h__ps://my-files.ru/wcun0h pass: exelab
11. 1 point

## Do you know any tiny image editor?

Starting from the smallest: IrfanView, XNView Classic, Paint.NET. Rotate works in all 3; Saving transparency info is slightly crappy in IrfanView, works perfectly in all others; Resize on mouse scroller - haven't seen in any editor ever. Works in all 3 by entering resize % (eg. 200%) or target dimensions;
12. 1 point

## Strange VB injector sample, no injection behavior on physical/virtual machine

Hi all: Recently I've analyzed a VB malware sample. This VB injector runs on physical analyzer machine (Win7 x86) and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and sends DNS request to C&C server. By the way, the VC runtime library and .NET framework 2&4 are already installed on the virtual machine. I have not found any way to make the sample appear any injection behavior by checking Process Monitor yet. Can anyone figure out the reason, it's welcome to communicate, or is there anyone who can dump out its Trojan body, please let me know, thks a lot... The password of the sample zip package is "infected". Do not run or debug on the real machine! ANY.RUN report (PC-side access): https://app.any.run/tasks/2be96389-5c11-4541-b3b2-bb027f445add/ Hybrid Analysis report: https://www.hybrid-analysis.com/sample/0e0a3f5fa2d7e092dbb9e31b55e8f1dc6879673d9af92735577522dc504e7af9?environmentId=120 VB_Injector_password_infected.zip
13. 1 point

14. 1 point

18. 1 point

## How to bring a window active to front?

SetWindowPos can change the z order but it doesn't activate the window You can use SetActiveWindow after you have brought to front, if its not in front it will not set as active Have you tried SetForegroundWindow ?
19. 1 point

20. 1 point

42. 1 point

## Linux binary to exploit

Hi guys. I have a linux "hacking challenge" x64 binary that is difficult to exploit, you can find it attached to this email. This binary it's vulnerable to buffer overflow + ROP + canary bypass, so will be possible to execute shellcode. The vulnerable input fields are "HOURS WORKED" and "REASON FOR OVERTIME" (this field it's also vulnerable to format string vulnerability, so with an input like %016llX,%016llX,%016llX etc... will be possible to dump the stack and the canary value) Any of you that can give it a look? Thanks a lot guys! (the vulnerable binary it's "vulnelf") vulnelf
43. 1 point

## [DevirtualizeMe] Themida 3.0.3.0

Answer The password is "gamer vision". All of the following addresses are based on the modulebase 0x00007FF644840000. The possible OEP at: 00007FF644841DF8 | 48:895C24 20 | mov qword ptr [rsp+20],rbx 00007FF644841DFD | 55 | push rbp 00007FF644841DFE | 48:8BEC | mov rbp,rsp 00007FF644841E01 | 48:83EC 20 | sub rsp,20 ... Then the second hit in code section at: 00007FF6448416FC | 48:895C24 08 | mov qword ptr [rsp+8],rbx 00007FF644841701 | 48:897424 10 | mov qword ptr [rsp+10],rsi 00007FF644841706 | 57 | push rdi 00007FF644841707 | 48:83EC 30 | sub rsp,30 ... After prompted "enter password.", the input routine at: 00007FF644841400 | 48:8BC4 | mov rax,rsp 00007FF644841403 | 57 | push rdi 00007FF644841404 | 41:54 | push r12 00007FF644841406 | 41:55 | push r13 00007FF644841408 | 41:56 | push r14 00007FF64484140A | 41:57 | push r15 00007FF64484140C | 48:83EC 50 | sub rsp,50 ... the pointer of local buffer for receiving input text is in rdx(for example, 000000359CC9FA58). When entered some test characters, stack looks like: 000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00 "123456789012" 000000359CC9FA68: 000000000000000C input size 000000359CC9FA70: 000000000000000F buffer size Whereafter, the process logic virtualized. First of all, the length of input text got checked in a vCmpqr handler: 00007FF644898E0B | 49:39F0 | cmp r8,rsi ; r8=000000000000000C(actual), rsi=000000000000000C(const) The length MUST be 12!, else got "no!". NOTE: the encrypt password has no chance to get decrypted if input length is wrong! The answer String is encrypted(0xC length): 00007FF64484BCB0 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00 decrypt algo: 00007FF6448BF3A6 | 40:8A36 | mov sil,byte ptr [rsi] rsi=00007FF64484BCB0, sil=8B 00007FF6448D4125 | 44:30DB | xor bl,r11b bl=8B, r11b=08; ^=08 = 83 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 83 00007FF64485748F | 8A09 | mov cl,byte ptr [rcx] [00007FF64484BCB0] -> 83 00007FF64485E6FA | 44:00D7 | add dil,r10b dil=83, r10b=E4; +=E4 = 67 'g' 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 67 00007FF64488DA96 | 49:FFC4 | inc r12 ptr++ 00007FF644859691 | 41:FFC9 | dec r9d length-- 00007FF64488743C | 85C8 | test eax,ecx end loop if length zero At the end of loop, the plaintext: 00007FF64484BCB0 67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00 gamer vision.... The comparison: 00007FF6448424E7 | FF25 330C0000 | jmp qword ptr [<&memcmp>] ret rax=00000000FFFFFFFF/0000000000000000(if matches) rcx=000000359CC9FA58 "123456789012" rdx=00007FF64484BCB0 "gamer vision" r8=000000000000000C Strings Encrypted Structure BYTE bEncrypt // 1 - encrypt, 0 - decrypt DWORD dwLength BYTE UnDefined[0xC] BYTE CipherText[dwLength+1] The related messages as followings, you can find them in the VM Section ".themida" after it got unpacked at the very beginning of the application. 00007FF6448AC79F 01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00 decrypt algo: ^A0+4F 00007FF6448AC7AF 00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F "enter password.\n" 00007FF6448AC7BF 1B 00 00007FF64484BC9F 01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00 decrypt algo: ^08+E4 00007FF64484BCAF 00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 "gamer vision" 00007FF644886C7F 01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00 decrypt algo: ^85+10 00007FF644886C8F 00 EC D0 E6 94 7F 00 "yes!\n" 00007FF64489252F 01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00 decrypt algo: ^65+C9 00007FF64489253F 00 C0 C3 3D 24 00 "no!\n" 00007FF64484C40F 01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00 decrypt algo: ^12+C6 00007FF64484C41F 00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48 "press enter to continue.\n" 00007FF64484C42F 8F BB BA BC B1 BA BD 8D 7A 56 00
44. 1 point

## Obfuscated Malware Sample

Yep, looks like Dotwall. But the main executable is totally boring - the interesting stuff is in .NET resources. So, don't waste much time trying to deobfuscate main executable. There are 2 malicious PE files in .NET resources - XOR-encrypted with key 76 00 6F 00 52 00 4E 00 66 00 48 00 73 00 44 00 One is Aspire.dll, protected with .NET Reactor - that's some sort of malware launcher. Other one is password stealer written in Delphi.
45. 1 point

## Anti Debugging Protection Techniques With Examples

Anti Debugging Protection Techniques With Examples: https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software
46. 1 point

## Anti Debugging Protection Techniques With Examples

this has some more techniques: https://studylib.net/doc/14916230/anti-debugging-techniques-malware-analysis-seminar-meetin...
47. 1 point

## Feedback and Ideas

Good times! I still play UT every once in while, last time was with my son. Happy to participate in a game night/day if someone is able to organise an event and it falls at a suitable date and time... Ted.
48. 1 point

## Congratulations Mr Exodia

@mr.exodia congrats my Friend BR , Apuromafo CLS
49. 1 point

## Congratulations Mr Exodia

Find it funny how the agitator creates the topic to try and bring attention to what he had to post later on Puny schemes. People just have lives; RE isn't going anywhere. Same as there's been one generation of smart, skilled and enthused people, others will follow. Circle of life. What I do find funny is how this "high-level programming" works even with big companies, such as Denuvo. I put quotes because same as Java relies on a ton of shit OTHER people wrote across time, which they now just import, similarly Denuvo relies on VMProtect to shield whatever crap they've got going on. Were it not for it, we'd have gotten ourselves the ol' time SecuROM/SafeDisc fiascos. I digress.. Congrats, ExoD And keep it up, love your work.
50. 0 points

## Feedback and Ideas

I do miss the old times with people actually posting new and interesting stuff in here. Last few years have been really tough. I don't have a solution to that, just the feeling that it's the biggest problem that needs addressing. As for smaller and easier to solve things: 1) It would be nice to have faster actions to stop troll-fights between techlord's fans and their opponents. Last thing we need here is the toxic atmosphere they bring; 2) It's time to stop "Difficulty 10/10" nonsense in crackmes that contain nothing more than a rebranded ConfuserEx. For example, create a rule that members with "Junior" title are not allowed to post crackmes, as they almost inevitably submit total garbage. Or maybe crackme section moderators could do more filtering (I'm not saying they are not doing a good job - they are!, just that the acceptance rules are too relaxed); My 2 cents. kao.