Jump to content
Tuts 4 You

Leaderboard


Popular Content

Showing content with the highest reputation since 03/20/2019 in all areas

  1. 4 points
    Hey all! I recently came across this neat paper here: https://tel.archives-ouvertes.fr/tel-01623849/document where they used what they called "Mixed-Boolean Arithmetic" to obfuscate arithmetic expressions, and then showed ways to deobfuscate them. Looking a the deobfuscation methods, they seemed largely either pattern-based or wouldn't work when bigger numbers were involved. So I thought to myself, "How can I mess with this?" Well, first things first, they have no concrete method there for creating these expressions. There are two pages total dedicated to the creation of these expressions, so I had to get creative to make it work. They describe using numpy to solve the matrix equation created and using a hack-y method to circumvent not having a square matrix, but I thought that I could do a bit better... Enter two painstaking days of learning linear algebra and figuring out exactly what I needed to do. They start by computing the truth tables of some expressions, putting them into a matrix as columns, then solving for the vector that, when using the dot product on the vector and the matrix, returned zero. After that, they filtered out various "rewrite rules" from the matrix generated. You can read more about this in the paper, though there's not much to go off of. They use numpy's linalg.solve to do this, but that only works with square matrices and produced results with constants that were a tad small for my taste :^) After a bit of research I found a python module called cvxpy, designed to find values that satisfy an expression under certain constraints. Even cooler was that you could specify matrix equations and integer-only solutions, which is exactly what I needed. After tinkering with it for a bit, I was able to reliably create expressions like these (representing a xor b): -27540 * (~a & b) + 373574 * (~a ^ ~b) + -27541 * (a & ~b) + -27541 * (~a & b) + -11 * (a + b) + -30436 * (~a & ~b) + -30436 * (~a * ~b) + 137712 * (a * ~b) + -27544 * (~a) + 1 * (b) + 3 * (~a + ~b) + -221347 * (~a - ~b) + 13 * (a + b) + -2 * (a) + -30454 * (~a + ~b) + -30454 * (~a + ~b) + -3 * (b) + -30449 * (a | b) + -27546 * (~b) 3672455 * (~a * b) + -362611 * (a ^ b) + 78113 * (a) + -524636 * (~b) + -524636 * (a ^ ~b) + 78113 * (a) + -524636 * (~a | b) + -362611 * (a ^ b) + -959545 * (a | b) + -78113 * (a - b) + -959545 * (~a + ~b) + -524636 * (~a) + 142249 * (a + b) + -959544 * (~a + ~b) + 142249 * (a + b) + -524637 * (a - ~b) + -524637 * (~a) + -524637 * (a & ~b) + 3241246 * (~a ^ ~b) Using truth tables modulo 4 instead of modulo 2 I was also able to compute equivalencies for multiplication, which was pretty neato. However, using the same method of computing the truth table and finding an equivalent expression you can reverse this sort of operation. I'll leave that as an exercise to the reader. EDIT: As a friend of mine pointed out, this will work with any operation that can be reducible to boolean math (i.e. xor, addition, subtraction, multiplication), not just arithmetic operations.
  2. 3 points
    https://github.com/LisaDziuba/Awesome-Design-Tools#no-code-tools bonus (free -> add to cart -> mailinator -> 498mb) - hxxps://fusionretrobooks.com/collections/pdf/products/the-story-of-the-commodore-amiga-in-pixels_pdf
  3. 3 points
    Used protector (I've forget to specify): https://www.52pojie.cn/thread-652274-1-1.html http://distro.crack.vc/index.php?dir=RceTools/Packers/ Finally made scripts and a tutorial on how to restore stolen bytes: https://forum.tuts4you.com/topic/41211-obsidium-olly-scripts/ BR.
  4. 2 points
    Check Ted's answer again: So if you want colors (any at all) or mix normal/bold then you will need to draw the items yourself using the GDI api SetTextColor and TextOut and those functions after responding to the draw item event by setting the owner draw flag.
  5. 2 points
    Here is a working sample (in PureBasic) for you. This sets one of the menu items to be bold... If OpenWindow(0,0,0,250,100,"Right click in the window...", #PB_Window_SystemMenu | #PB_Window_ScreenCentered) If CreatePopupMenu(0) MenuItem(0,"MenuItem 0") MenuItem(1,"MenuItem 1") MenuItem(2,"MenuItem 2") MenuItem(3,"MenuItem 3") bold.MENUITEMINFO bold\cbSize = SizeOf(bold) bold\fMask = #MIIM_STATE bold\fState = #MFS_DEFAULT SetMenuItemInfo_(MenuID(0), 2, #True, bold) ;"2" is the MenuItem to be made bold EndIf Repeat Event = WaitWindowEvent() If Event = #WM_RBUTTONUP DisplayPopupMenu(0, WindowID(0)) EndIf Until Event = #PB_Event_CloseWindow EndIf If you want to add colours and the like you will have to consider using #MFT_OWNERDRAW and manually draw the menu items on #WM_DRAWITEM event... Ted. Bold Menu Item.exe
  6. 2 points
    I use something like this if I want to make a menu item bold... bold.MENUITEMINFO bold\cbSize = SizeOf(bold) bold\fMask = #MIIM_STATE bold\fState = #MFS_DEFAULT SetMenuItemInfo_(MenuID(0), 2, #True, bold) ;"2" is the MenuItem to be made bold https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-setmenuiteminfow https://docs.microsoft.com/en-au/windows/desktop/api/winuser/ns-winuser-tagmenuiteminfoa Ted.
  7. 2 points
    9.0.2 released with the source which notes can be found on their site: https://ghidra-sre.org/releaseNotes.html With the source, they did include the decompiler's source code which some were concerned with being released. It's there and is coded in C/C++ so there is potential for things to get better as time goes on with community help/support. Would love to see it become on par with IDA's and better in the long run. Given how Ghidra is setup too, if it does start to become on par/better of a decompiler someone could essentially turn it into an IDA plugin if they wanted.
  8. 2 points
    Is an action-strategy shoot 'em up game developed by Sensible Software and published by Virgin Interactive. The game is military-themed and based on shooting action but with a strategy game-style control system. The player directs troops through numerous missions, battling enemy infantry, vehicles and installations. http://openfodder.com/ https://github.com/OpenFodder/openfodder online (WebAssembly) https://s3.amazonaws.com/openfodder/OpenFodder.html -- -- https://emscripten.org/ Is a toolchain for compiling to asm.js and WebAssembly, built using LLVM, that lets you run C and C++ on the web at near-native speed without plugins. @atom0s
  9. 2 points
    Found a olly modification that I've created that works ok with Obsidium; I called it OLLY_(Orig_Safengine).rar since it also works for Safengine. A tutorial by Nieo is the most recent: https://tuts4you.com/e107_plugins/download/download.php?view.3678 Let the cracking begin! OLLY_(Orig_Safengine).rar
  10. 2 points
    AdvancedScript version 3.0 releases 1- add help file and command help on the form. 2- add ads lib like ("GetAPIName","GetArraySize","ReadStr","GetdesCallJmp","isInArray","isAddrBelongSection"). 3- Write2File_ can write array directly. 4- add commentset command. 5- replace Script:ebug::Wait(); with waitPauseProcess(); 6- at ret command . 7- AutoComplete for Functions and variables and ads lib. 8- add log box for future work. 9- add AutoUpdate checkbox for enable disable update of variables list. 10- fix some bug and improve some others like (findallmemx) . 11- add tuts how to use. AdvancedScript How to Script How to fix IAT Themida API Comment Script Good for Static Analyzing
  11. 2 points
    Language : Delphi XE Platform : Microsoft Windows x32/x64 OS Version : XP/Vista/7/8/8.1/10 Packer / Protector : ArmoredBinary - Modern Binary Obfuscation Tool. Description : Attached file was protected with full version of armoredbinary obfuscator ( with medium protection approach ) , make sure unpacked file will execute successfully in any environment. You will dealing with OEP hiding , Resource Protection , Simple IAT Protection , AntiDump Tricks. Screenshot : Protected file after execution will be similar to Thanks. ArmoredBinary_Official_UnpackMe.rar
  12. 1 point
    I knocked up a quick example, you could do something similar to this... Declare.i WinProc(hWnd, Msg, wParam, lParam) Declare.i SetMenuItemBold(MenuNum) Global hMenu If OpenWindow(0, 0, 0, 250, 100,"Right click in the window...", #PB_Window_SystemMenu | #PB_Window_ScreenCentered) If SetWindowCallback(@WinProc()) hMenu = CreatePopupMenu(0) If hMenu ; Create a text array for the menu item text. Global Dim menutext.s(4) menutext(0) = " MenuItem 0" menutext(1) = " MenuItem 1" menutext(2) = " MenuItem 2" menutext(3) = " End" ; Create the menu items and point to the array containing the text. MenuItem(0, menutext(0)) MenuItem(1, menutext(1)) MenuItem(2, menutext(2)) MenuItem(3, menutext(3)) ; Set menu items to #MFT_OWNERDRAW For a = 0 To 3 With tag.MENUITEMINFO \cbSize = SizeOf(MENUITEMINFO) \fMask = #MIIM_TYPE \fType = #MFT_OWNERDRAW \dwTypeData = @menutext(a) SetMenuItemInfo_(hMenu, a, #True, @tag) EndWith Next EndIf ; PureBasic window event loop. Repeat Event = WaitWindowEvent() Select Event Case #PB_Event_RightClick DisplayPopupMenu(0, WindowID(0)) ; When a menu item is clicked on set it to bold. Case #PB_Event_Menu Select EventMenu() Case 0 : SetMenuItemBold(EventMenu()) Case 1 : SetMenuItemBold(EventMenu()) Case 2 : SetMenuItemBold(EventMenu()) Case 3 : End EndSelect EndSelect Until Event = #PB_Event_CloseWindow EndIf EndIf Procedure.i WinProc(hWnd, Msg, wParam, lParam) Static hbrush Select Msg Case #WM_DESTROY ; Delete created objects once the window is destroyed. DeleteObject_(hbrush) Case #WM_MEASUREITEM ; lParam - Pointer to a MEASUREITEMSTRUCT structure that contains the dimensions of the owner-drawn control or menu item. *lpm.MEASUREITEMSTRUCT = lParam ; Define the width and height for the menu item to be created. *lpm\itemWidth = 200 *lpm\itemHeight = 30 Case #WM_DRAWITEM: ; lParam - Pointer to a DRAWITEMSTRUCT structure containing information about the item to be drawn and the type of drawing required. *lpd.DRAWITEMSTRUCT = lParam ; If a menu item is selected, use #COLOR_MENUHILIGHT. If *lpd\itemState & #ODS_SELECTED hbrush = CreateSolidBrush_(GetSysColor_(#COLOR_MENUHILIGHT)) SelectObject_(*lpd\hDC, hbrush) EndIf ; Set the background mix mode of the specified device context to #TRANSPARENT. ; This sets the text background to #TRANSPARENT (otherwise its background will be filled a different colour from that of the menu). SetBkMode_(*lpd\hDC, #TRANSPARENT) ; Set the device context boundary pen colour, the null pen draws nothing. SelectObject_(*lpd\hDC, GetStockObject_(#NULL_PEN)) ; A rectangle that defines the boundaries of the control to be drawn. ; When drawing menu items, the owner window must not draw outside the boundaries of the rectangle defined by the rcItem member. Rectangle_(*lpd\hDC, *lpd\rcItem\left, *lpd\rcItem\top, *lpd\rcItem\right, *lpd\rcItem\bottom) If menutext(*lpd\itemID) = menutext(1) SetTextColor_(*lpd\hDC, #Green) DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #Null) ElseIf menutext(*lpd\itemID) = menutext(2) ; Calculate the length of the menu item text. DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #DT_CALCRECT) ; Set the menu item text colour and then draw it. SetTextColor_(*lpd\hDC, #Blue) DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #Null) ; Save the old right co-ordinate so we can offset the additional menu item text. oldRight = *lpd\rcItem\right ; Calculate the length of the additional menu item text. DrawText_(*lpd\hDC, " Tuts4You", -1, @*lpd\rcItem, #DT_CALCRECT) ; Calculate the offset to add the new text in the menu. *lpd\rcItem\left = oldRight *lpd\rcItem\right + oldRight ; Set the menu item text colour and then draw it. SetTextColor_(*lpd\hDC, #Red) DrawText_(*lpd\hDC, " Tuts4You", -1, @*lpd\rcItem, #Null) Else DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #Null) EndIf EndSelect ProcedureReturn #PB_ProcessPureBasicEvents EndProcedure Procedure SetMenuItemBold(hMenuNumSel) bold.MENUITEMINFO bold\cbSize = SizeOf(bold) bold\fMask = #MIIM_STATE bold\fState = #MFS_DEFAULT SetMenuItemInfo_(hMenu, hMenuNumSel, #True, bold) EndProcedure Ted. Coloured Menu Item.exe
  13. 1 point
    Hi LCF-AT, usually you have to use owner-drawn menus: you just tell windows you would take the burden to measure and draw the content by yourself. A very very quick Google search takes you to http://winapi.freetechsecrets.com/win32/WIN32Example_of_OwnerDrawn_Menu_Items.htm https://www.codeproject.com/Articles/8715/Owner-drawn-menus-in-two-lines-of-code https://www.codeguru.com/cpp/controls/menu/article.php/c3719/The-Easiest-Way-to-Code-the-Owner-Drawn-Menu.htm Don't know if there's available an example in pure ASM, I'm afraid. Regards, Tony
  14. 1 point
    Probably have to create your own control with a WS_POPUP window and use DrawText for the individual parts in the different colors. And have to calc the 'menu item' positions, and store the 'menu text' strings in an array or structures etc. Also calc position of the control relative to where mouse/cursor position was, for the placement to show it at.
  15. 1 point
    https://youtu.be/Sv8yu12y5zM bonus - VSCodium - Binary releases of VS Code without MS branding/telemetry/licensing - hxxps://github.com/VSCodium/vscodium
  16. 1 point
    Program cannot start because VMprotect dll is missing Are you sure this is using no packer or protector?
  17. 1 point
    Compiling it is certainly for serious developers and paranoid reversers
  18. 1 point
    Hmm think the forums are bugging out.. your post wasn't there for me @Progman when I made mine. But shows it was posted an hour ago now.
  19. 1 point
    @atom0s and @deepzero we now also have a version 9.02 with some more fixes: https://ghidra-sre.org/ghidra_9.0.2_PUBLIC_20190403.zip Since serious reversers will want to download the source and not merely browse it, here is a directly link (and it weighs in at ~66mb, smaller than the distribution package even): https://github.com/NationalSecurityAgency/ghidra/archive/master.zip
  20. 1 point
    Source Code of Ghidra Released:
  21. 1 point
    The following Kindle e-books are free at the moment. You will need to amend the URL for your specific region if you are not in Australia... Command Line Kung Fu: Bash Scripting Tricks, Linux Shell Programming Tips, and Bash One-liners Linux Administration: The Linux Operating System and Command Line Guide for Linux Administrators Python Programming for Beginners: An Introduction to the Python Computer Language and Computer Programming (Python, Python 3, Python Tutorial) High Availability for the LAMP Stack: Eliminate Single Points of Failure and Increase Uptime for Your Linux, Apache, MySQL, and PHP Based Web Applications Machine Learning For Absolute Beginners: A Plain English Introduction (Second Edition) (Machine Learning For Beginners Book 1) Shell Scripting: How to Automate Command Line Tasks Using Bash Scripting and Shell Programming Ted.
  22. 1 point
  23. 1 point
    9.0.1 was released recently: https://ghidra-sre.org/releaseNotes.html
  24. 1 point
    fix and tools in attach. example_fix.zip RGN Tools.zip
  25. 1 point
    Hi there, With few guys we made a zoo dedicated to malware targeting ATM platforms, as far as i know nobody has made a similar public project so voila. You will find here malwares that specifically targets ATMs, and reports (notice) about them. Files of interest got harvested from kernelmode.info, but also virustotal and various other services and peoples interested about the project. I'm using binGraph, pedump, Python, bintext, for the engine on reports. Some samples exist in 'duplicate' on the wall (we also provide unpacks for few files), if it is the case: it's mentioned on the report. We have hashs who are without references (i mean not associated in a white paper or something) thoses files are regrouped on the statistics page, we tried to make the stat page interesting enough for everyone to have fun exploring the zoo from the stats. We have IoCs that others seem to don't have, e.g kaspersky report about winpot, that leaded also to funny react from ppl selling it no worry, everyone have it now. We have also a page that includes some yara rules for detecting some of these malwares, and a page with goodies, voila! Everything provided in old skool style, intro also available! CyberCrime quality http://atm.cybercrime-tracker.net/ Feedback welcome, enjoy the ride ! 💳🏧
  26. 1 point
    Strings plugin for x64dbg. Download: https://github.com/horsicq/stringsx64dbg/releases Sources: https://github.com/horsicq/stringsx64dbg/ More Info: http://n10info.blogspot.com/2019/03/strings-plugin-for-x64dbg.html
  27. 1 point
    I heard that Mr Exodia joined Denuvo very recently as an employee. Very hearty congratulations to our very much beloved Mr Exodia!!!! 🍻 I just hope that there would be no "conflict of interest" with his reversing hobby and that he would continue to post and release great work for all of us! 😁
  28. 1 point
    How To Fix Debugger Detected In x64dbg Picture ProtectionID Scan
  29. 1 point
    AdvancedScript beta version it is beta version it could have bug, so please report and if u like to add more features let me know. version 2.5 beta : 1- Script window is sperate. 2- Create Folder for script,form Load script with category. 3- add more mirror Functions (xorx - pushx ...), and Functions like ( if , goto,writestr ) to shortcut the work. 4- show all variables in a list with it's values. 5- edit script onfly. 6- enable to define array with range like z[n]. 7- writestr Function. 8- run from anyware in the script. 9- rest variables list in case maintenance. 10- insert rows as much as you need. 11- insert from clipboard replace all script. 12- insert from clipboard inside the script. 13- copy separated lines to used in other script. 14- insert description without confusing . 15- add the dll file of c++ runtime for each package. 16- add some scripts samples. 17- as it is beta version so it support one step not auto step , use F12 for step, sorry for that I need to check if it work then I will add auto step :} note : I forget to say use (Scriptw) command to show the Script window , but git has stop working and copy the script sample to ur script folder in x64dbg folder and pls read the help first AdvancedScript_2.5beta.zip
  30. 1 point
    I think it's the best idea, you can later share your findings with the rest of the community, I'm sure we can learn from this.
  31. 1 point
    What if i reverse engineer an existing antivirus and develop my own. Thanks for your comment.
  32. 1 point
    Tools: dnSpy, ConfuserEx Tools, de4dot ConsoleApplication3_unpacked.exe
  33. 1 point
    Thanks much Teddy... Any ideas why I keep getting error that I have exceeded download quota? I can download 4mb's and get that error every time... Then have to wait until tomorrow, and hope it continues it. Frustrating as heck lol... Thank you for taking time to put the link. ËÞIãLèS666
  34. 1 point
    @ramjane I'm sharing my private script to reach OEP on all 5.xx (and maybe 4.xx). First it tries to find static OEP address in Enigma VM section. If failed, it tries to dynamically reach OEP. lc log "Enigma 5.xx OEP Finder by PC-RET v 1.1 started" bc dbh bphwc gmi eip, MODULEBASE MOV IMAGEBASE, $RESULT //gmi eip, CODEBASE //MOV CODEBASE, $RESULT //gmi eip, CODESIZE //MOV CODESIZE, $RESULT pusha mov eax, IMAGEBASE mov edi, eax add eax, 3C mov eax, edi+[eax] mov SECTIONS, [eax+06], 02 mov esi, eax+0F8 mov edi, 28 mov ebp, SECTIONS mov ecx, edi mul edi, 1 // second section add edi, esi sub edi, 28 mov CODEBASE, [edi+0C] add CODEBASE, IMAGEBASE mov CODESIZE, [edi+08] popa GPA "VirtualAlloc", "kernel32.dll" mov VirtualAlloc, $RESULT GPA "VirtualProtect", "kernel32.dll" mov VirtualProtect, $RESULT GPA "VirtualQuery", "kernel32.dll" mov VirtualQuery, $RESULT bphws VirtualAlloc run rtr esti bphwc VirtualAlloc gmemi eip, MEMORYBASE mov ENIGMA_SECTION, $RESULT mov startsearch, ENIGMA_SECTION find startsearch, #8945F8EB0C8BCF8BD68B45FCE8????????F6C304740B8B55F88B45FC# // structure cmp $RESULT, 0 je dynamic_find static_find: bp $RESULT esto gmemi esi, MEMORYBASE mov startsearch, $RESULT gmemi esi, MEMORYSIZE mov searchend, $RESULT add searchend, startsearch alloc 100 mov eval_section, $RESULT mov [eval_section], #609CB8AAAAAAAABBBBBBBBBBB9CCCCCCCCBADDDDDDDD3BC20F831F0000003918740D813800004000740583C004EBE73948100F840800000083C004EBD99D61908B70F803F39D6190# mov [eval_section+3], startsearch mov [eval_section+8], IMAGEBASE mov [eval_section+D], CODESIZE mov [eval_section+12], searchend bp eval_section+3f bp eval_section+45 bp eval_section+47 mov bakeip, eip mov eip, eval_section esto cmp eip, eval_section+3f je notfound_static cmp eip, eval_section+45 je found_static jmp error found_static: ///////////////////////You can stop here and see OEP in ESI register/////////////////////// mov oep, esi esto mov eip, bakeip bc free eval_section gmemi oep, MEMORYBASE cmp $RESULT, 0 jne not_invalid_oep eval "Invalid OEP found: {oep}. Now script will try another method." msg $RESULT jmp dynamic_find not_invalid_oep: mov oepbytes, [oep], 2 cmp oepbytes, 25ff je risc_oep cmp $RESULT, CODEBASE je good_oep eval "Some weird OEP found: {oep}. Do you want to continue or try using another method? \r\n\r\n\r\nContinue: NO\r\nAnother method: YES" msgyn $RESULT cmp $RESULT, 01 je dynamic_find good_oep: bphws oep esto msg "OEP found!" bphwc ret risc_oep: eval "It seems that OEP: {oep} is RISC-protected. Continuing in another mode." msg $RESULT jmp dynamic_find notfound_static: mov eip, bakeip bc free eval_section dynamic_find: bphws VirtualProtect esto bphwc VirtualProtect bphws VirtualQuery mov hits, 0 VirtualQueryloop: esto cmp [esp+4], IMAGEBASE je checkhits jmp VirtualQueryloop checkhits: inc hits cmp hits, 2 jne VirtualQueryloop bc bphwc bprm CODEBASE, CODESIZE run bpmc msg "Possible OEP(near OEP) found." ret error: msg "Fatal error occured." ret
  35. 1 point
    Read the FULL ARTICLE HERE . Full SOURCES and set of tools can be DOWNLOADED FROM HERE . A PDF created from the website article is attached for the convenience of the readers. PRACTICAL uses : The principles discussed can be used for reversing the firmware of Routers, Dongles etc etc. Please note that while the author has focussed on firmware which is Open Source, the same principles can also be used for Closed-Source Firmware. Firmware Hooking - Using Capstone and Keystone.pdf
  36. 1 point

    Version

    78 downloads

    Uret Pirate Girl <3 GFX BY ANEES KHAN
  • Newsletter

    Want to keep up to date with all our latest news and information?

    Sign Up
×
×
  • Create New...