Jump to content
Tuts 4 You


Popular Content

Showing content with the highest reputation since 05/15/2019 in all areas

  1. 8 points
    - version 4.0: 1- add RegexSearch form. 2- New GUI after replace DataGridView with RichTextBox to easy deal and fast coding. 3- edit CustomBuildStep to Auto copy files (AdvSconfig.txt , HelpAdvancedScript.txt). 4- add AutocompleteMenu.dll . 5- add copy AutocompleteMenu.dll to x64dbg root . 6- add AdvSconfig.txt for AutoComplete list for define Commands and variables. 7- update AutocompleteMenu.dll. 8- add comments_ to Variables class to add it next to the description of the variables when call them by Ctrl+j 9- call list var's by Ctrl+j 10- add ReFill_FunctionsAutoComplete_AtLoad. 11- highlight_system done for good look and analyze. 12- add autoCompleteFlexibleList to handle commands defined in AdvSconfig.txt. 13- add open Script from out side. 14- refresh by menu and F5 to refresh highlight_system. 15- add var of x64dbg system. note : by AdvSconfig.txt u can define the commands in AdvancedSecript . AdvancedScript_4.0.zip
  2. 7 points
    Hello, so I keep getting asked what’s the best obfuscators around so I am posting this so I don’t keep repeating it. I have decided to give my opinion on all obfuscators if I am missing any let me know If you are a developer of any of these obfuscators don’t take what I say as an insult use it to improve DNGuard - an obfuscator I used to say was Chinese crap however I’ve recently spent some time analysing this and can say that the HVM technology is very strong and makes unpacking a lot harder. However when not using the HVM setting it makes unpacking extremely simple with jit dumping and can use codecrackers unpacker for this. Compatibility on this obfuscator is its biggest flaw (along with price) which can be a big NO for a lot of people as this protector can cause files to not run on certain .NET frameworks if they fixed this issue and improved compatibility across systems it would make this obfuscator much better. Price is extremely high but I suppose has worked in its favour with not many files around and extremely hard to get test files to test features. Eazfuscator - a .NET VM that has been around for a while now with the last unpacker for version 4.8 I think from saneki on GitHub. Since then Eazfuscator has improved a lot however the concept stays the same and sanekis unpacker is still a brilliant base to start from. Meaning that an unpacker for this isn’t extremely difficult. The compatibility and performance of this obfuscator is actually fairly good for a VM and tells the user not to overuse the VM and only apply on secret methods as to save performance. The problem with Eazfuscator is that any protection method apart from the VM isn’t good, de4dot handles the control flow perfectly and the strings can be easily decrypted by either updating de4dot code which isn’t too hard or simply invoke. So if you’re app is sensitive on performance then maybe avoid this one as for all VMs performance is hurt no matter how efficient it is. In conclusion I do think this obfuscator is one of the top of its game as even with the old unpackers it’s still a lot of work to update ILProtector - An obfuscator I really do like the concept of keeping performance and security balanced, however in recent times with the release of dynamic unpackers it has kind of died as it seems the developer is applying small patches instead of fixing this properly so each unpacker only requires a few changes. In terms of static unpacking they have this down well, it’s actually a very hard job to statically unpack this protector so if they were to patch the dynamic flaws it would quickly appear back at the top but it’s credibility has been stumped due to the release of unpackers that I think may still work on the latest version (something I haven’t checked). Compatibility and performance on this obfuscator are good but one flaw of this obfuscator is that if the dynamic method is decrypted the original ilcode is there, they apply no MSIL mangling which in my eyes they should do both. Agile.Net another .NET VM however I haven’t analysed this myself that much but a few things I have noticed is that updating de4dot to support the latest version is not all that challenging however it is time consuming, a few modifications to de4dot can make it supply all the data you need to update it for the VM. the method encryption can be removed by jit dumpers from codecracker, from what I’ve seen in de4dot the obfuscator isn’t to hard to completely unpack but we have to thank 0xd4d for all he has done on this obfuscator he has done all the hard work for us so it’s just a matter of taking his code and updating, yes this takes a very long time to do Netguard - Now this is one I’m very familiar with, as most people know netguard is a modified confuserex however a fairly heavy modification. Now the actual protection isn’t that strong however for its price it’s very good, the base of netguard is still the same concept as confuserex and many of its protections can be defeated in the exact same way, the only real changes are the native stub and mutations. However once you remove these protections like control flow and constants can be removed in the same theory as I use in my confuserex unpacker2. This obfuscator like I said is the best for its price however if you’re looking for something better there are other options if you’re willing to pay, now compatibility and performance on netguard are something that it’s known for and not in a good way, it has improved a lot recently however they still add lots of junk that adds no real benefit and just slows down code. Appfuscator - now I don’t know why people don’t use this obfuscator anymore. In my eyes it’s still extremely powerful, codecrackers tools are not stable and if you’re tool is larger than a crackme then it will fail, appfuscator uses opaque predicates and CFG to generate its control flow both of which have no public solvers for so is an extremely powerful obfuscator especially if you mix it with something custom. Performance wise this is actually negligible effect so still to this day one of the higher rated obfuscators. Babel.Net - this is similar to ilprotector in the way it makes dynamic methods however in a different approach. The good thing about this obfuscator is that it provides you with more options than just encrypt msil where you have cflow constants and other expected protections making it not as simply as dumping the dynamic method. The dynamic methods itself are not tricky to solve dynamically similar to ilprotector, invoke the correct method and you have the dynamic method ready to read with dnlib. Statically it gets slightly more complex however a few hours debugging with dnspy and some static analysis will reveal its secrets of how it decrypts the encrypted bodies. Performance and compatibility wise I don’t really know enough about it but I’ve not really seen many complaints about it ArmDot - a relatively new .NET VM which I’m fairly interested in. At its current stage it needs polishing, they currently put the whole vm into each method it’s encrypted making it extremely slow. I explained to the developer that it holds no real benefit as to devirtualize it follows the same concept as all vms which is find the instruction handlers and convert back as most are 1:1 with CIL it makes this step relatively easy once you have detected all handlers however if this obfuscator works on your file and performs well I do recommend it especially as its new and being actively worked on and the developer is always interested in seeing ways to improve which is a good thing. KoiVM - another magical creation from yck so do we expect anything other than greatness. Now this was something he sold to customers until he left the scene and trusted XenoCodeRCE with and gave it him to improve and use. Xeno decided that he would sell this to others and ended up causing it to be leaked on GitHub however let’s ignore that. KoiVM is absolutely insane and different to all other VMS we talked about so far. This doesn’t relate 1:1 with CIL and actually converts it to a form of ASM meaning if you manage to get all the code back you then need to translate ASM to CIL which again is no easy task. People think because it’s opensource it makes it not worth it. Remember confuser/ex was open source and undefeated for a long time. KoiVM is on another level compared to those. Compatibility and performance does take a hit and has limitations which you can read on koivm website now if you’re app works fine and you’re happy with performance then I would strongly suggest sticking with it. You can even make modifications to confuserex and use it with that as after all it’s a confuserex plugin. These are just my thoughts and personal opinions on these obfuscators. I do not mean any disrespect to the developers apart from what I think is good and bad. If you would like further explanation on anything let me know or any specific obfuscator that I haven’t covered as I most likely have some sort of opinion on it feel free to ask Regards Cawk
  3. 6 points
    At least they made him look cute!
  4. 6 points
    Download: https://github.com/horsicq/pex64dbg/releases Sources: https://github.com/horsicq/pex64dbg More Info: http://n10info.blogspot.com/2019/05/pe-viewer-plugin-for-x64dbg.html
  5. 3 points
    That is most likely not your crackme. But what the hell.. Load it in IDA, decompile serial check and it will look like this: if ( ++idx >= 29 ) { if ( count_of_sevens == 1 && String[6] == '7' ) { v5 = (unsigned __int8)entered_key[0]; if ( entered_key[0] ) { LOBYTE(v5) = entered_key[4]; if ( v5 ) { LOBYTE(v5) = entered_key[8]; if ( v5 ) { LOBYTE(v5) = entered_key[12]; if ( v5 ) { LOBYTE(v5) = entered_key[16]; if ( v5 ) { LOBYTE(v5) = entered_key[21]; if ( v5 ) { part1 = getintfromkey(0, 4, 0); part2 = getintfromkey(0, 4, v6); part3 = getintfromkey(0, 4, v7); part4 = getintfromkey(0, 4, v8); part5 = getintfromkey(0, 5, v9); part6 = getintfromkey(0, 8, v10); v11 = part1 * (unsigned __int8)entered_key[7]; v12 = part1 * (unsigned __int8)entered_key[6]; v13 = part1 * (unsigned __int8)entered_key[4]; if ( v11 == part5 && v12 == part3 && !(part1 * (unsigned __int8)entered_key[5]) && v13 == part4 && 1000 * v13 + 10 * v12 + v11 == part6 ) { ...show good boy message... There are some checks for specific character values: * char 6 must be "7", there may not be any other "7" in the key; * char 5 must be "0"; * chars 4,8,12,16,21 may not be "0"; Key is split into in several parts: part1 = first 4 chars part3 = chars 8..11 part4 = chars12..15 part5 = chars16..20 part6 = chars21..28 Then it does some simple multiplication and checks the result. At this point you have 2 options: - make a tool that will randomly choose part1 and chars 4 and 7, do the multiplication to calculate parts 3, 4, 5, 6 and see if it passes all checks. - remember math lessons from school and figure out the only possible combination that will pass all checks. First one is much faster, second one will be .. challenging. Either way, you should arrive at the only possible solution: Well, in fact, there is infinite number of valid keys. You can append random characters to the key above, they are not checked..
  6. 2 points
    Ok so I fixed a few issues, was a good few more than I realized and maybe I added some more capability . Hopefully its in a better shape now. Still lots of features that I would like to add, in particular editing long string values - I had thought to display an edit box below the treeview when the item strings where larger than what the treeview natively displays for an item (256 characters max from what I recall), but we will see if I ever get round to adding in that. Still likely there may be more bugs, but hopefully its a big more stable and capable. I consider cjsontree more of a demo/example program with source code to show how one might use the CJSON library: https://github.com/DaveGamble/cJSON Download and changelog for cjsontree is here: https://github.com/mrfearless/cjsontree/releases
  7. 2 points
    Read about LR_LOADTRANSPARENT flag for LoadImage. That's how it was done in the old days before alpha blending..
  8. 2 points
    Load icon Create a compatible bitmap same size as icon Use DrawIcon / DrawIconEx to draw the icon into the hdc's bitmap return the hBitmap and free any resources not required - dc's, icon (if not needed anymore) Use the SetMenuItemBitmaps Might need to include a few other steps but the basics outlined should convert the icon to a bitmap.
  9. 2 points
    We all know you have the skills to unpack vanilla version and most of the mods out there. You don't need to post 20 unpacked EXEs to show that - that's not the point of unpackmes. The point is to produce something that others can use as a starting point in their learning path. Also, saying "I used my private unpacker that I'm not gonna share" is equally not helpful for learning. So, perhaps you could start off by writing ONE paper about unpacking modified confuserex?
  10. 2 points
    @LCF-AT Open T:\Program Files\brave\\brave_resources.pak to a hex editor (dont try w/ notepad++) ASCII search for : brave_new_tab.js replace it with arave_new_tab.js or whitespace whole @ : <script src="chrome://newtab/brave_new_tab.js"></script> tested & working greets @NeWOT
  11. 2 points
    Embarrassing. Don't trust anything that looks like a pregnancy test kit... Ted.
  12. 2 points
    Run the target first with NETBox so won't kill .NET PE. Dump with MegaDumper. In dumped exe change Image Base to 400000 Fix relocation with Universal Fixer Native DLL UnpackMePlease.dll missing: DllSaver break if module contains UnpackMePlease Unpacked exes: https://www112.zippyshare.com/v/26CxsdFV/file.html
  13. 1 point
    Jose Roca's site is the place to go for all GDIPlus stuff, or the MSDN/Microsoft Docs pages. And the forums on that site for examples: - GDI: http://www.jose.it-berater.org/smfforum/index.php?board=416.0 - GDI+: http://www.jose.it-berater.org/smfforum/index.php?board=417.0 Also I would suggest doing the GdiplusStartup at the beginning of the program and the GdiplusShutdown as the program is exiting rather than every time inside the function. Looks pretty good. Glad you got it all working.
  14. 1 point
    Hi again, after longer time of working on that ico stuff I did it today and found a method how to change a icon handle into bitmap handle and using it with SetMenuItemBitmaps function and to draw it perfectly transparent without any issues. 😀 The solution was it to use GDI+ functions (never really used before) what does the work already.After while of checking how to use GDI+ functions I did manage it and created a own function code to do the work and it works with all the diffrent ico files I have and also postet above in earlier post.Just great Baby!Special self congrats to me this time hehe.Anyway,I am just really really happy that I got it working now after long time of trying etc.Below my code function so far.... Create HBITMAP Handles from Icon resources ................................................................................................................. invoke CreateHBITMAPfromResICON,hInstance,400,16 .if eax != FALSE mov _IconBitmapObject,eax ; invoke DeleteObject,_IconBitmapObject if no more needed .endif invoke CreateHBITMAPfromResICON,hInstance,401,16 .if eax != FALSE mov _IconBitmapObject2,eax ; invoke DeleteObject,_IconBitmapObject2 if no more needed .endif invoke CreateHBITMAPfromResICON,hInstance,402,16 .if eax != FALSE mov _IconBitmapObject3,eax ; invoke DeleteObject,_IconBitmapObject3 if no more needed .endif invoke CreateHBITMAPfromResICON,hInstance,200,16 .if eax != FALSE mov _IconBitmapObject4,eax ; invoke DeleteObject,_IconBitmapObject4 if no more needed .endif ................................................................................................................. invoke SetMenuItemBitmaps,popupmenuhandle,MEN_1, MF_BYCOMMAND, _IconBitmapObject, _IconBitmapObject invoke SetMenuItemBitmaps,popupmenuhandle,MEN_2, MF_BYCOMMAND, _IconBitmapObject2, _IconBitmapObject2 invoke SetMenuItemBitmaps,popupmenuhandle,MEN_3, MF_BYCOMMAND, _IconBitmapObject3, _IconBitmapObject3 invoke SetMenuItemBitmaps,popupmenuhandle,MEN_4, MF_BYCOMMAND, _IconBitmapObject4, _IconBitmapObject4 ................................................................................................................. CreateHBITMAPfromResICON proc uses edi esi _hInstance:DWORD,_ResID:DWORD,_size:DWORD local _hicon:DWORD local _bitmap:DWORD local _Hbitmap:DWORD local _graphics:PVOID local _gsi:GdiplusStartupInput local _gtkn:PULONG invoke LoadImage,_hInstance,_ResID,IMAGE_ICON,_size, _size,LR_DEFAULTSIZE .if eax != FALSE mov _hicon, eax mov _gsi.GdiplusVersion,TRUE mov _gsi.DebugEventCallback,NULL mov _gsi.SuppressBackgroundThread,NULL mov _gsi.SuppressExternalCodecs,NULL invoke GdiplusStartup,ADDR _gtkn,ADDR _gsi,NULL .if eax == NULL ; OK invoke GdipCreateBitmapFromHICON,_hicon,addr _bitmap .if eax == NULL invoke GdipCreateHBITMAPFromBitmap,_bitmap,addr _Hbitmap,NULL .if eax == FALSE invoke GdipDisposeImage,_bitmap invoke GdiplusShutdown,_gtkn invoke DestroyIcon,_hicon mov eax, _Hbitmap .else invoke GdipDisposeImage,_bitmap invoke GdiplusShutdown,_gtkn invoke DestroyIcon,_hicon mov eax, FALSE .endif .else invoke GdiplusShutdown,_gtkn invoke DestroyIcon,_hicon mov eax, FALSE .endif .else invoke DestroyIcon,_hicon mov eax, FALSE .endif .else mov eax, FALSE .endif Ret CreateHBITMAPfromResICON endp ....and this I got to see now when I select all menu items with the mouse.... .....do you see it now?Only the icon itself is visible without any other menu color around (like using with DrawIconEx / see pic from older posts above).All 4 diffrent ico icons / sizes gets handled perfecty like real bitmap icons.Thats it and all what I wanted.Just using normal ico icons without creating and using extra bitmap icons.Doing all directly on fly.So what do you think?Its good so or could my function using GDI make some problems later etc?Just asking so I didnt used GDI+ before. I found some references about GDI+ functions here... http://www.jose.it-berater.org/gdiplus/iframe/index.htm ....does anyone know whether there are also some GDI / + function help file to download?I mean similar like Win32 Programmers Reference or Windows Sockets 2 Application Program Interface with function descriptions you know.Just would like to know which references are all to get and to download for any xy modules. greetz
  15. 1 point
    Hey there, i've been playing with VirusTotal graph since some weeks. Originally i did a graph just for building a landscape of files for ATM Wall, the graph can be seen here: https://www.virustotal.com/graph/embed/g9521270d163a4778aa5bc376c0d80375b11f2d95beee484498dbdaafc989ee5f I got the idea of doing this after having seen the work of @vanjasvajcer about ATM malware classification. But i started to got vicious with VT graph so here is some interesting graphs i did based with VT and kernelmode.info: Zeus World (v2.1.0.1 and inferior): https://www.virustotal.com/graph/embed/gf17a46025f554bc4a4d0edaff78d4aabee6388c959584ac8981961ae32af6994 Big nebula of zeus builders since code leak of v2.0.8.9, contain also few very old builders and some have funny messages inside destined to AV vendors. IceIX World (v1.2.5 and v1.2.6): https://www.virustotal.com/graph/embed/g3e3dfb66d191404593284509fbf9028c5253ee1651ee4da9b24225bf262634bf Citadel World (v1.3.4.5 and v1.3.5.1): https://www.virustotal.com/graph/embed/g1d0637aa096e45b2b1336844fe81e1e286a588fa049a4d529357c0a1d2f1646d Atmos World (v1.01): https://www.virustotal.com/graph/embed/ga7f70bed1f6f4394b4b503b5dcee997c66251a48418b4b3fba03119d3196389e Builders, releases, fews files. SpyEye World: https://www.virustotal.com/graph/embed/g98d5440408854a90b8e5fce2bd4003b40a7295519d5c4e0abe39a470a9fcadb5 Research about plugins are based on the spyeye thread on kernelmode.info, contain a nice timeline of the versioning and most of interesting files i guess. Carberp 'krabs.7z': https://www.virustotal.com/graph/embed/gd6210da59ece445f8e0469a7408a4905126fa5722cdb4b759330e073a29e7429 Files annotation based on kernelmode.info thread again (https://www.kernelmode.info/forum/viewtopic.php?f=16&t=2793), chaos mosaic at the image of the archive. BestAV affiliate: https://www.virustotal.com/graph/embed/g0741bdd40e4b4bc7a4c77e8240de0667f2ea89df4124484b87717ad081f741aa Lot of FakeAV files found with communicating IPs, graph based also on fews posts on kernelmode and also from my personal archive about thoses guys And not related to malware but you can do also funny things: Looking for an ollydbg modification ? https://www.virustotal.com/graph/embed/gd11e600f461c476082159553dadde7ac102288cd74df42d38f84291e97f2263a You have lost your SoftIce CD ? https://www.virustotal.com/graph/embed/g7534bcb28a2a439a8d466f69542374127b54265b605c4589adbf97191a1b0467 a small landscape about dongle piracy https://www.virustotal.com/graph/embed/g035609ac24c94751ae94aef309b6599010d8ccd1549f49f3b8ef7e20febd3f9f
  16. 1 point
    just a try to add more feature's to x64dbg script system History Section: - version 2.0: 1-all numbers are hex numbers. 2-more nested in arguments. 3-Build bridge to make plugin system Compatible with x64dbg script system. 4-create parallel Functions to x64dbg Functions, like ( cmp >> cmpx ). 5-rename new name (Varx Getx Setx) and fix array index entry. 6-add VarxClear ( clear all variable to help user in test's ) , memdump with print style. - version 1.6: 1- add Parser system to recognize arguments. 2- begin build Script system. 3- add more Helper Functions. - version 1.4: 1- make StrCompx in separate Thread and add Sleep time to wait x64dbg to finish process. 2- Fix Hex2duint function add length check in case it less than 2 . - version 1.3: 1- Add another argument to cbLogxJustAtBP for printing on LogxWindow. 2- now it accept bool argument like this (true/false-on/off-1/0). 3- add StrComp_BP function for compare string in memory at BP. 4- compiled x32. Source Code: https://github.com/Ahmadmansoor/AdvancedScript If you find it useful please let me know, and if you want to add more feature's please leave a comment. support both x86 and x64 BR AdvancedScript.v2.0.rar
  17. 1 point
    Should .NET unpackme's be split and separated in to their own category? If you have another suggestion or idea please explain here... Ted.
  18. 1 point
    To download individual packages goto the release section on the repo or https://github.com/mrfearless/libraries/releases/tag/latest Can you send me an example and/or reproduction steps (or visuals) so I can check out the issue, thanks.
  19. 1 point
    Windows has a default size for icons, and will scale down icons for the titlebar. For menus and bitmaps I think I've always opted for size 24x24 for the bitmaps if i recall correctly.
  20. 1 point
    I believe you have 2 options: 1) continue insisting on " I am just using ico icons and no bitmap icons or wanna just use ico icons only". You'll spend hours or perhaps days trying to cover all possibilities (alpha/non-alpha/monochrome/what not), writing code that analyzes ICO file, converts ICO to BMP on the fly, etc.; 2) you take an image editor and convert all your ICO to BMP. It's a one time effort. Even if it takes 1 minute per icon, you'll be done in 30 minutes or so. From where I stand, the choice is clear.
  21. 1 point
    If you know the background color, then you can fake it by painting with the background color first (FillRect), then drawing over that.
  22. 1 point
    I think you can simply use almost any image editing software, select the area you want to make transparent (e.g. using magic wand tool) and then simply use the DEL key to delete the area. Then the deleted area should have a checkered texture which means it's transparent.
  23. 1 point
    DrawIconEx... and... https://docs.microsoft.com/en-gb/windows/desktop/menurc/icons Ted.
  24. 1 point
    The search function already brings up the search result(s) to specific posts? Step 1: Step 2: Ted.
  25. 1 point
    Hi, so in my tool I did set a default timeout of 5 seconds to wait for an answer of the server / Url you do request.I thought 5 seconds would be enough to wait for and aboard then the request.Just added this option to prevent hanging loop ony any request etc.So you can also patch this value if you wanna try it.Just search for the connect functions in Olly and right above this function you can see a mov command putting value 5 into.This you can change to a higher value to wait some more seconds So the video I wanna download is first a video (vod) no live stream.The problem is as I said before the cookie I need to use which gets expired after few minutes.If the download of this video does take to long (need more time as the cookie is valid) using YT-DL or FFmpeg then both tools do fail with http response error 403 (forbidden).So I only have a small time window what does allow me to access the video / playlist.Thats the main problem and I need to refresh the cookie/s.If the video is to large and or download speed access to the server is to low then I cant download the video at once.I also found no way / method / commandline arguments yet to tell FFmpeg or YT-DL to autorefresh the cookie and now I am looking for a method to download the video completely in seperated parts without any issues. There is no commandline (or found not yet) to specify the .ts segments range to download of a playlist.Only command I found are to set the timestamp using -ss & -t or -to to set the timestamp/s only what is unfortunately not very good so I dont get the excat frames matching and get some frames missing or too much if I donwload some parts.It would be much better to have a commandline to specify the segment parts / range itself to download like this... ffmpeg -segment_range 0:30 ....0:30 = download first segment till segment 30 complete and then stop. ffmpeg -segment_range 31:60 ...30:60 = download segment 31 till segement 60 complete and then stop etc. "Downloaded 2 files.Each file has 30 complete segments inside like I would download them one by one = 100 % match.Now I just need to merge both files = done." In this case the user could download whole segments of a playlist without to use / set / care about any timestamps using -ss commandline what makes problems as I told before and the video dosent get downloaded 1:1 if the timestamp starts / ends I did set into a segment file (keyframe issues) so it cant cut it right if I use the copy mode and I dont wanna re-encode the video you know.If I download all segments by itself manually then I got them all original and just need to merge them togehter = 1:1 video but using timestamps its not doable. Of course I did play around with FFmpeg using diffrent comandline lines to get some more or less good results but not perfect.Main goal for me is it to download the video for 100 % perfectly 1:1 with no overlapping or missing frames inside.Thats the tricky part now.Normaly no problem to do that with FFmpeg at once but in this case its not so easy if you need to refresh the cookies. All in all I dont get work using FFmpeg to get the video 1:1.As I said,missing frames or overlapping of time etc.For example.Below a playlist example link to a video (not using cookies in this case) you can test / play with FFmpeg and commandline args xy and now try to download some segemnts using -ss timestamp -to timestamp commandlines like just few seconds.After this check the small file/s you did download with FFmpeg and load it into VirtualDub for example to see all frames and time / lenght of this part/s. https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/index_776000_av.m3u8 I tried something like this... ffmpeg -ss 00:00:01.000 -to 00:00:10.000 -accurate_seek -seek_timestamp 1 -i "https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/index_776000_av.m3u8" -c copy "Output.ts" ..as result I get a file what has a lenght of 8 seconds and 200 frames.Missing 1 second so it should be 9 seconds.If I do set a starttime of second 2 instead of 1 then I get a 8 seconds file = right.If I set a timecode start of only 0 I also get 8 seconds out and missing frames from the beginning of the video.If I only set this commandline.. -ss 00:00:00 -to 00:00:10 ...then I get a video lenght of Frame 253 (0:00:10.120) = 120ms to large or 3 frames to much.Thats the bad thing using timestamps so somehow you dont get it really exact out and my thought to download segment ranges instead would be better but dont found any CL for this yet if there are any CL for it in FFmpeg. The playlist inside with the ts files looks like this... #EXTM3U #EXT-X-TARGETDURATION:10 #EXT-X-ALLOW-CACHE:YES #EXT-X-PLAYLIST-TYPE:VOD #EXT-X-VERSION:3 #EXT-X-MEDIA-SEQUENCE:1 #EXTINF:10.000, https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment1_776000_av.ts?null=0 #EXTINF:10.000, https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment2_776000_av.ts?null=0 #EXTINF:10.000, https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment3_776000_av.ts?null=0 #EXTINF:10.000, https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment4_776000_av.ts?null=0 ......... #EXTINF:10.000, https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment268_776000_av.ts?null=0 #EXTINF:3.440, https://zdfvodde-vh.akamaihd.net/i/meta-files/zdf/smil/m3u8/300/16/11/161124_subwaylfalle_inf/6/161124_subwaylfalle_inf.smil/segment269_776000_av.ts?null=0 #EXT-X-ENDLIST ...the video has 269 segments.All segments having a lenght of 10 seconds except the last segment has a lenght of 3.44.So it seems to work if I use exact timestamps like this... -to 00:00:10 -accurate_seek -seek_timestamp 1 -ss 00:00:10 -to 00:00:20 -accurate_seek -seek_timestamp 1 -ss 00:00:20 -to 00:00:30 -accurate_seek -seek_timestamp 1 ....here I get 3 parts exactly right.But what is if the EXTINF lenght for each segments are diffrent and not mostly same = problem.Some are starting with unround lenght = need to do calc process etc.In this case like that it would be easier to have any commandline to set ranges only as I said above to prevent to calc out some timestamps in the hope you do it right and get it out right too at the end you know.I dont know whether there are any commandline args for FFmepg or YT-DL to manage this so maybe anyone does know it and could post some infos / hints about that. greetz
  26. 1 point
    Maybe you can rewrite some of your code based on what you find in there anyway. For me precise positioning and special effects like this are especially hard to figure out without the source. And when trying to make custom listview controls containing other controls and the like, its almost hopeless to make it professional without this. The abstraction versus efficiency never enabled them to generalize the UI code to avoid custom drawing and it was too intermingled with all their core UI source to possibly separate it out for distribution. They seem to be sacrificing efficiency now due to more powerful machines with UWP and such.
  27. 1 point
    https://people.symlink.me/~rom1/dev/ windows_2000_source_code.zip\win2k\private\ntos\w32\ntuser\client - ZIP archive, unpacked size 658,114,889 bytes WinRAR can even search the archive for you if you don't want to extract it. menuc.c - however menu is really a combination of a check box button and a static control I think. btnctl.c - complete with owner draw example for buttons statctl.c - complete with owner draw example for statics SYSRGB(GRAYTEXT) seems to be referenced for disabled. Of course this is old source and by now they have rewritten and changed a lot with Aero and other features. But the core of Windows UI programming is still based off this which is why Microsoft continues to rigorously sanitize that leaked source from the web 20 years later!!! But I will solve this for you now for real: mngrayc.c - the entire drawing code for the draw state (sounds like menu gray to me). If this snippet is not allowed for wrath of MSFT then admin could kindly remove it... /* * Is our scratch bitmap big enough? We need potentially * cx+1 by cy pixels for default etc. */ if ((gcxGray < cx + 1) || (gcyGray < cy)) { if (hbmpT = CreateBitmap(max(gcxGray, cx + 1), max(gcyGray, cy), 1, 1, 0L)) { HBITMAP hbmGray; hbmGray = SelectObject(ghdcGray, hbmpT); DeleteObject(hbmGray); gcxGray = max(gcxGray, cx + 1); gcyGray = max(gcyGray, cy); } else { cx = gcxGray - 1; cy = gcyGray; } } PatBlt(ghdcGray, 0, 0, gcxGray, gcyGray, WHITENESS); /* * DISABLED state * Emboss * Draw over-1/down-1 in hilight color, and in same position in shadow. * * DEFAULT state * Drop shadow * Draw over-1/down-1 in shadow color, and in same position in foreground * Draw offset down in shadow color, */ if (uFlags & DSS_DISABLED) { BltColor(hdcDraw, SYSHBR(3DHILIGHT), ghdcGray, x + 1, y + 1, cx, cy, 0, 0, BC_INVERT); BltColor(hdcDraw, SYSHBR(3DSHADOW), ghdcGray, x, y, cx, cy, 0, 0, BC_INVERT); } else if (uFlags & DSS_DEFAULT) { BltColor(hdcDraw, SYSHBR(3DSHADOW), ghdcGray, x+1, y+1, cx, cy, 0, 0, BC_INVERT); goto DrawNormal; } else { DrawNormal: BltColor(hdcDraw, hbrFore, ghdcGray, x, y, cx, cy, 0, 0, BC_INVERT); } And then finally the work happens in BltColor with this line: BitBlt(hdc, xO, yO, cx, cy, hdcSrce, xO1, yO1, ((uBltFlags & BC_INVERT) ? 0xB8074AL : 0xE20746L)); //xO1, yO1, (fInvert ? 0xB80000 : 0xE20000)); So some really almost impossible to come up with on your own code with a 3D highlight/3D shadow and special hardcoded color inversion codes. And with Aero its probably 10 times worse if you need to support that. Have to decompile user32.dll in Win10 perhaps Why Visual Studio does not automatically generate the pages of original user32 code for you, I have no idea but it would sure make more professional consistent custom drawn Windows apps for sure!!! I hope a new source code leak comes soon I really liked the Win2k one - especially for the user32 code a real gem for those of us who have done owner drawing and want to exactly replicate original functionality without coming up with hacked up slightly incorrect alternatives.
  28. 1 point
    Hi Progman, so it would be nice to have / find some kind of complete Ownerdraw example template code but didnt found anything like that.Ony short codes to handle this or that you know.Also for a menu OD I didnt found any full code example / template to handle all situations for menus etc. No I didnt checked the Win 2000 source.Maybe I wouldnt also find where this OD code is stored into (file xy). greetz
  29. 1 point
    Hello fella, to kick things let me say a big thanks for your tool, i've used it few times but it has some issues(?). I've used it to download a YT live while it was still playing, first time worked perfectly and it didnt gave me problems when the live got copyrighted(from music) it kept download the rest of it. Video was complete and everything was good. Second time i tried using it w/o closing the same app instance as before it wasnt sending any network packet, like it had unclosed connection from first time and no error handling?resulting to "select with timeout Error time limit expired!"<gif attached> Gave it another chance and tried do the same thing, download a live YT stream which possibly would get copyrighted, the video didnt got any copyright but the download finished 6-8 hours later(i got terrible internet but not that much). Trying again the exact same thing, monitoring the network and the filesize, ffmpeg had 2.4gb of network total receive while the filesize was ~300mb(weird) which i interuptted downloading. By opening this video with different media players, none of them could start rendering anything and i wanted to use that ~300mb part since eventually got copyrighted. about ur questions: Part 2 audio and video are they the same time?Have u tried to extract audio and video in case they are unsync? Did u try to merge these 2 parts and see if the output works? i would: copy /b 001-050.mp4 + 051-100.mp4 output.mp4(u can merge as much segments u want) and check or/and u can try this "kernel video repair" which seemed to created an output(not sure if worked) for one corrupted downloads of mine, unfortunately they ask for license even to try it so... "module": "licenseactivation.dll" <they load it dynamically on activation> "address": "0x38B4" i think is the last part u will look at(dont know if i can share such infos public here). To get the total video length and use it with -ss u have to use either API for browserless option OR javascript OR have a server which will do that for the ffmpeg user afik. Then you can download it in parts as 001-002 for the time u want and merge them later BUT the problem of using the YT API is that it doesnt split permissions, what i mean its 1 auth to retrieve the information and manage the full channel with uploads and downloads. There was a service that got shutdown which was giving the time of videos and the oembed from yt doesnt return times(ex: https://www.youtube.com/oembed?url=YOUR_YT_LINK&format=json) Hopefully i understood correctly and since youtube-dl works fine with non-live my blind guess is u ask for YT LIVES but even if not, someone else might find that information useful. About the 403 and the cookie i have no clue, sorry. this message became like an essay wow cheers
  30. 1 point
    Wouldn't it be possible to add a button or a checkbox when posting a reply, saying something like "Are you posting an answer, or a general comment?" And then if the reply is an answer, you can moderate it to make sure it is complete. If it's just a general reply or asking for details, allow the system to post it, and review it later. I don't think people would abuse the system just to get their incomplete answers public for a few minutes/hours.
  31. 1 point
    I remember how I looked at a lot of UI controls when the source code to Windows 2000 was leaked. It would have been nice to always start your owner drawing with the default Windows handling and then customize it as needed given that they handle all sorts of things like accessibility, etc in there which are easy to forget about or overlook. In this case, probably they are just using the system default transparency color which you can look up, and doing some sort of transparency mask with it possibly with a special brush pattern. A simple system call and GDI call but the exact manner of doing it would possibly require RE. Or you can go your own route and forget how Windows does it which has been the normal way. Have you taken a look at the Windows 2000 source code??? Probably it has your answer.
  32. 1 point
    If I understood you correctly this is similar to how it was prior to the change. Many members complained replies to challenges were all becoming an uploaded unpacked file or completed crackme, with no information on how it was achieved stating "unpacked", "done!", etc. This system only fueled the glory seekers. A suggestion was to deter this from happening to encourage the sharing of information on how these are solved. Unfortunately there is no automated system that can determine a genuine reply to one that is a completed solution with no information. All these need to be manually reviewed and approved. Regarding those replies that are hidden, this is a compromise to the glory seekers. To be clear, any replies that are discussing the challenge and not containing the solution are all approved. It is not a perfect system for managing these forums, I am fully aware of this. It is a compromise between the wishes of other members, capabilities of the forums software and the moderating team. If it was not for the time waiting for review and approval and the lack of understanding why posted solutions have been hidden none of this would be up for discussion... Ted.
  33. 1 point
    @LCF-AT alternative, if u like to have the status labels etc. w/o bgimage @: you can search @ T:\Program Files\brave\\brave_resources.pak for : background-image: url(${e=>e.background}); and whitespace it. -- this is the brave_new_tab.js (694kb) each time new open a new tab, loads this!! https://www17.zippyshare.com/v/Ufg3tbew/file.html
  34. 1 point
    Themida removed (dumped and fixed) still protected by eazfuscator i don't know how to devitualize it but i guess it can be unpacked without debugging, so here your Anti debug has no sense in this protection someone can continue CrackMe Themida removed.rar
  35. 1 point
    I made a small tutorial (originally published on Training Circle forum) about keygenning a recent ATM malware sample who passed our gate. this is addressed to beginners. keygenning.dispcash.19.tutorial.zip
  36. 1 point
    do you even google? https://superuser.com/a/1266695
  37. 1 point
    You got to start ManagedJitterFr4 (for Confuser) on NetBox 4.0; after that just Jit button when the first assembly is logged - first assembly is the main assembly.
  38. 1 point
    After using ManagedJiterFr4 on NetBox 4.0 some metadata streams got corrupted so I got to restore them; I've just have to change first method called which is anti-tamper to 062A (a simply return). For removing invalid streams the strategy is to first set number of streams to a smaller size like 8. #US with a space at the end (" "); yoi don't seems to be a valid stream! Here is a partially unpacked exe: https://www118.zippyshare.com/v/liRTdnBO/file.html It uses delegates!
  39. 1 point
    Just a quick thought/idea ... did you try to put/apply owner-draw flag also for menu item in resources? This way it should send/call the WM_MEASUREITEM for every items and your processing should be the same. [EDIT] Sorry, re-reading your message, you're already using ownerdrawn flag for your menu in resources ... so my previous answer is not useful. Anyway, itemData is a "place" to put custom information and, by default, as far as I remember, it should be empty/uninitialized and/or system-reserved ... unless you put something in it. That's why you actually *have to* modify the resources' menu to set it explicitly. I found this maybe useful quote: https://docs.microsoft.com/en-us/windows/desktop/menurc/using-menus You created popup menu straight by code, right (not using resources) ? You could use the SetMenuItemInfo (as suggested in the quoted link) to set only the itemdata ... without having to re-set the item text again. -- It's a lot I don't play with this stuff, so everyone is very welcome to correct me Best Regards, Tony
  40. 1 point
    Run original exe with NETBox 4.0 forget to specify version 4.0: https://forum.tuts4you.com/topic/39321-netbox/ Dump .NET exe main module with MegaDumper: https://forum.tuts4you.com/topic/24087-dotnet-dumper-10/page/3/?tab=comments#comment-177260 You should load original exe with dllsaver: https://forum.tuts4you.com/topic/39871-dllsaver/ As for ILProtector unpacking I've used a private tool I won't share!
  41. 1 point
    Step 1: Few notes: is used .NET module trick; you can dump the .NET module with memcpyLogger, You just have find to the first the block which starts with MZ. You get the module assembly entry point token with ConfuserExConstant.exe - as file input you enter original protected file, The Entry Point Token value is 600009C Tools used: https://www115.zippyshare.com/v/HETHPm4D/file.html Step 1: Dumping .NET module explained before; Step2: Confuser Exceptions Restore - anti-tamper: - this is for decrypting MSIL: https://forum.tuts4you.com/topic/41025-confuser-exceptions-restore-anti-tamper It works just fine you must unmark "Invoke EP" and "Patch Anti-tamper". So after we nop first method from <Module>.ctor - this was the anti-tamper; we also fix the entry point of koi module with 600009C Here is the partial unpacked exe: https://www8.zippyshare.com/v/M78VMowQ/file.html or string decryption I've used this: https://github.com/cawk/ConfuserEx-Static-String-Decryptor/releases Check/Mark "Invoke". For c-flow I've used ConfuserExSwitchKiller. ConfuserExCallFixer.exe for inline methods. Here is completly deobfuscated exe: https://www119.zippyshare.com/v/YFwpUuCv/file.html private void method_1(object sender, EventArgs e) { if (this.textBox_1.get_Text().Length >= 5) { string str = this.textBox_1.get_Text(); if (!Directory.Exists(@"Data\\License")) { MessageBox.Show("Password was not found!", str); } else { StreamReader reader = new StreamReader(@"Data\\License\license.dat"); reader.ReadLine(); string str3 = reader.ReadLine(); reader.Close(); if (Class7.smethod_1(str3) == this.textBox_1.get_Text()) { MessageBox.Show("Good Job !"); } else { MessageBox.Show("password is wrong!"); } } } else { MessageBox.Show("Password is invaled or too short!"); } } public static string smethod_1(string string_2) { byte[] inputBuffer = Convert.FromBase64String(string_2); AesCryptoServiceProvider provider = new AesCryptoServiceProvider { BlockSize = 0x80, KeySize = 0x100, Key = Encoding.ASCII.GetBytes(string_1), IV = Encoding.ASCII.GetBytes(string_0), Padding = PaddingMode.PKCS7, Mode = CipherMode.CBC }; ICryptoTransform transform = provider.CreateDecryptor(provider.Key, provider.IV); byte[] bytes = transform.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length); transform.Dispose(); return Encoding.ASCII.GetString(bytes); }
  42. 1 point
    Unpacked! pass:
  43. 1 point
    login pass: steps to unpack: 1. removed anti tamper and some junk calls 2. cleaned cflow (Thanks to Tesla for cflow cleaning) 2. removed proxy calls 3. removed proxy calls again 4. converted x86 methods to IL 5. decrypted all constants 6. cleaned cflow again (Thanks to Tesla for cflow cleaning) 7. cleaned some small stuff with de4dot. UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe
  44. 1 point
    https://youtu.be/Sv8yu12y5zM bonus - VSCodium - Binary releases of VS Code without MS branding/telemetry/licensing - hxxps://github.com/VSCodium/vscodium
  45. 1 point
    Hi guys, I am a fan of FFmpeg CLI tool but its always hard to remember all commandline arguments if I didnt used it for a longer while and I can't find my notes about it (as always).Now I thought it would be a good idea to code a GUI tool where I can use FFmpeg with and store all commandline argument combinations I want into it to call and execute them quickly.I know there are already a few GUI tools out there for FFmpeg but they have some limitations and or are not my taste.So you know I have always a special taste and wanna combine all together in the best case.Now after few months I am done with a first version and wanna also share it with you guys. First Steps -------------------------------------------- Start the app and enter your FFmpeg path.If you dont have it then download a static build from FFmpeg.org or ffmpeg.zeranoe.com/builds/ Next should have installed the VLC player (2.2.6 in my case) How it works? -------------------------------------------- So the app has 2 diffrent GUIs.The main GUI you can use for media editing,converting etc all what you can do with FFmpeg commandline arguments.The seconds GUI I made specially for quick handling of streams to play download them plus more features which could be important. Features: Main GUI -------------------------------------------- -Quick analysis of files after drag & drop into the app and showing the info into it -Full analysis of file by MediaInfo or FFmpeg itself -Preview image of video files & quick playing by your video player -Three diffrent commandline edit controls in main GUI to execute with FFmpeg -Quick Mux / DeMux function to extract / add / change streams without re-encoding in Concat or Input mode -Window to see whole FFmpeg traffic -Storage listview to (add / delete / send / play / record / search) manage your commandlines and infos -NoFile (you can use FFmpeg like in a normal CMD window) Features: Quicky GUI -------------------------------------------- -Store and choose diffrent URLs by menu -Store and choose diffrent commandline args by menu -Store and choose diffrent pre commandline args by menu -Store and choose diffrent names by menu (Will used to save into file and showing in VLC) -Play,Download,Edit,Search functions etc -Store names and URLs into extra listview -Store and call till three custom request headers -Diffrent choosable request methods,user agents and optinal headers -Url checking (with or without SSL) -Reading pagesources -Finding URL extensions -Response Header -Switch View (CRLF) -JSON Viewer -URL Decoder -OnTop On/Off I also created a video with some examples how to use my app but the video was getting a little big with 50 MB so I am sorry for that.Inside you can also find some text files with infos.If something not works or if I forgot to explain some feature or anything else than just post a reply in this topic.Have fun and till later. PS: I also wanna send some extra special thanks to our member fearless who always helped me a lot (without getting crazy - I think so..) with all my coding questions I had.Thank you. Merry Christmas and greetz FFmpeg Quicky 1.0.rar
  46. 1 point
    Hi again, not sure about that so its not same like making some kind of single reply bookmarks you know.In the profile page for example I can choose "see reputation activity" and get a list of all who pressed a like button etc and something like that I would like to have for single replys I do mark for myself (as I told before already).Maybe its possible to add another button into the like button list..."Thanks,Haha,Confused,Sad,Like,......--> Mark <--"....you know.Just my idea so far.Not sure whether you can do that or whether its possible to make that on this forum but you know what I mean right.I think its a good idea. About MFC.So in this case I only can follow a topic.If the topic has many sites and tons of replys then I also can not find quickly what I am looking for you know.Its not same like the idea about marking / bookmark single replys. greetz
  47. 1 point
    Unpacked Use any long key to pass checks. GetMe_unp.zip
  48. 1 point
  49. 1 point
    thought I would post this since it's extremely useful for working on some embedded targets. the basic principle is you use a cheap logic analyzer to intercept read requests to the chip ( usually from the microprocessor of your target ) since some designs they store special information in small chips on PCB, like serial number, password, settings, etc. after the CPU reads all the addresses its interested in over the SPI or I2C bus your logic analyzer sees the waveforms and captures the data. then this utility will convert the logic analyzer file to a binary dump of the chip by reconstructing the flash memory contents so you can see what's inside and load into IDA. very useful source code and intro https://github.com/alainiamburg/sniffROM/wiki/Getting-Started https://github.com/alainiamburg/sniffROM
  50. 1 point
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
  • Create New...