Tuts 4 You


Popular Content

Showing content with the highest reputation since 03/18/2019 in all areas

  1. 5 points
    Hi there, With a few guys we made a zoo dedicated to malware targeting ATM platforms; as far as I know nobody has made a similar public project, so voilà. You will find here malware that specifically targets ATMs, and reports (notices) about them. Files of interest were harvested from kernelmode.info, but also VirusTotal and various other services and people interested in the project. I'm using binGraph, pedump, Python and bintext for the engine behind the reports. Some samples exist in 'duplicate' on the wall (we also provide unpacks for a few files); if that is the case, it's mentioned in the report. We have hashes without references (I mean not associated with a white paper or anything); those files are grouped on the statistics page, and we tried to make the stats page interesting enough for everyone to have fun exploring the zoo from the stats. We have IoCs that others don't seem to have, e.g. the Kaspersky report about WinPot, which also led to funny reactions from people selling it; no worry, everyone has it now. We also have a page that includes some YARA rules for detecting some of these malwares, and a page with goodies, voilà! Everything provided in old skool style, intro also available! CyberCrime quality http://atm.cybercrime-tracker.net/ Feedback welcome, enjoy the ride! 💳🏧
  2. 4 points
    Hey all! I recently came across this neat paper here: https://tel.archives-ouvertes.fr/tel-01623849/document where they used what they called "Mixed-Boolean Arithmetic" to obfuscate arithmetic expressions, and then showed ways to deobfuscate them. Looking at the deobfuscation methods, they seemed largely either pattern-based or wouldn't work when bigger numbers were involved. So I thought to myself, "How can I mess with this?" Well, first things first, they have no concrete method there for creating these expressions. There are two pages total dedicated to the creation of these expressions, so I had to get creative to make it work. They describe using numpy to solve the matrix equation created and using a hack-y method to circumvent not having a square matrix, but I thought that I could do a bit better... Enter two painstaking days of learning linear algebra and figuring out exactly what I needed to do. They start by computing the truth tables of some expressions, putting them into a matrix as columns, then solving for the vector that, when using the dot product on the vector and the matrix, returned zero. After that, they filtered out various "rewrite rules" from the matrix generated. You can read more about this in the paper, though there's not much to go off of. They use numpy's linalg.solve to do this, but that only works with square matrices and produced results with constants that were a tad small for my taste :^) After a bit of research I found a Python module called cvxpy, designed to find values that satisfy an expression under certain constraints. Even cooler was that you could specify matrix equations and integer-only solutions, which is exactly what I needed.
    After tinkering with it for a bit, I was able to reliably create expressions like these (representing a xor b):
    -27540 * (~a & b) + 373574 * (~a ^ ~b) + -27541 * (a & ~b) + -27541 * (~a & b) + -11 * (a + b) + -30436 * (~a & ~b) + -30436 * (~a * ~b) + 137712 * (a * ~b) + -27544 * (~a) + 1 * (b) + 3 * (~a + ~b) + -221347 * (~a - ~b) + 13 * (a + b) + -2 * (a) + -30454 * (~a + ~b) + -30454 * (~a + ~b) + -3 * (b) + -30449 * (a | b) + -27546 * (~b)
    3672455 * (~a * b) + -362611 * (a ^ b) + 78113 * (a) + -524636 * (~b) + -524636 * (a ^ ~b) + 78113 * (a) + -524636 * (~a | b) + -362611 * (a ^ b) + -959545 * (a | b) + -78113 * (a - b) + -959545 * (~a + ~b) + -524636 * (~a) + 142249 * (a + b) + -959544 * (~a + ~b) + 142249 * (a + b) + -524637 * (a - ~b) + -524637 * (~a) + -524637 * (a & ~b) + 3241246 * (~a ^ ~b)
    Using truth tables modulo 4 instead of modulo 2 I was also able to compute equivalencies for multiplication, which was pretty neato. However, using the same method of computing the truth table and finding an equivalent expression you can reverse this sort of operation. I'll leave that as an exercise to the reader. EDIT: As a friend of mine pointed out, this will work with any operation that is reducible to boolean math (i.e. xor, addition, subtraction, multiplication), not just arithmetic operations.
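    The truth-table trick the post leaves as an exercise, written out as an added Python example (not the poster's code): a linear MBA expression is evaluated on the four 1-bit inputs and the resulting signature is matched against the plain operators, then confirmed on random 32-bit values. The basis terms, the `TERMS`/`simplify` names and the constructed `MESSY_XOR` expression are my own; product terms like `(~a * ~b)` are left out because they are not linear over the individual bits.

```python
"""Truth-table analysis of *linear* MBA expressions (added example, not the poster's code).

A linear MBA is an integer combination of bitwise terms; +, - and ~ are also linear over
the individual bits, so E(a, b) == sum(2**k * f(a_k, b_k)) where f is E evaluated on
1-bit inputs.  The four values of f therefore identify what the expression computes.
"""
import random

# Basis terms; m is the all-ones mask of the bit width, so m - a is the n-bit NOT of a.
TERMS = {
    "a":     lambda a, b, m: a,
    "b":     lambda a, b, m: b,
    "~a":    lambda a, b, m: m - a,
    "~b":    lambda a, b, m: m - b,
    "a&b":   lambda a, b, m: a & b,
    "a|b":   lambda a, b, m: a | b,
    "a^b":   lambda a, b, m: a ^ b,
    "~a&b":  lambda a, b, m: (m - a) & b,
    "a&~b":  lambda a, b, m: a & (m - b),
    "~a&~b": lambda a, b, m: (m - a) & (m - b),
    "a+b":   lambda a, b, m: a + b,
    "a-b":   lambda a, b, m: a - b,
}
ONE_BIT_INPUTS = [(0, 0), (0, 1), (1, 0), (1, 1)]

def evaluate(expr, a, b, bits=32):
    """Evaluate expr = [(coef, term_name), ...] on n-bit a, b, modulo 2**bits."""
    m = (1 << bits) - 1
    return sum(c * TERMS[t](a, b, m) for c, t in expr) & m

def signature(expr):
    """Exact integer value of expr on each 1-bit input (mask m = 1, no reduction)."""
    return tuple(sum(c * TERMS[t](a, b, 1) for c, t in expr) for a, b in ONE_BIT_INPUTS)

def simplify(expr):
    """Name of the single basis term expr equals at every bit width, or None."""
    sig = signature(expr)
    return next((n for n in TERMS if signature([(1, n)]) == sig), None)

def check_equivalent(expr, name, bits=32, trials=1000, seed=1):
    """Independent sanity check of simplify() on random n-bit inputs."""
    rng, m = random.Random(seed), (1 << bits) - 1
    for _ in range(trials):
        a, b = rng.getrandbits(bits), rng.getrandbits(bits)
        if evaluate(expr, a, b, bits) != TERMS[name](a, b, m) & m:
            return False
    return True

# Constructed obfuscated xor: a^b plus 7*((a+b)-(a|b)-(a&b)) and -3*(~a-(~a&b)-(~a&~b)),
# two combinations whose signatures vanish, so they are identically zero.
MESSY_XOR = [(1, "a^b"), (7, "a+b"), (-7, "a|b"), (-7, "a&b"),
             (-3, "~a"), (3, "~a&b"), (3, "~a&~b")]
```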
  3. 3 points
    https://github.com/LisaDziuba/Awesome-Design-Tools#no-code-tools bonus (free -> add to cart -> mailinator -> 498mb) - hxxps://fusionretrobooks.com/collections/pdf/products/the-story-of-the-commodore-amiga-in-pixels_pdf
  4. 3 points
    Used protector (I forgot to specify): https://www.52pojie.cn/thread-652274-1-1.html http://distro.crack.vc/index.php?dir=RceTools/Packers/ Finally made scripts and a tutorial on how to restore stolen bytes: https://forum.tuts4you.com/topic/41211-obsidium-olly-scripts/ BR.
  5. 2 points
    9.0.2 was released with the source; the release notes can be found on their site: https://ghidra-sre.org/releaseNotes.html With the source, they did include the decompiler's source code, which some were concerned with being released. It's there and is coded in C/C++, so there is potential for things to get better as time goes on with community help/support. Would love to see it become on par with IDA's and better in the long run. Given how Ghidra is set up too, if it does start to become on par with or better than IDA's decompiler, someone could essentially turn it into an IDA plugin if they wanted.
  6. 2 points
    Is an action-strategy shoot 'em up game developed by Sensible Software and published by Virgin Interactive. The game is military-themed and based on shooting action but with a strategy game-style control system. The player directs troops through numerous missions, battling enemy infantry, vehicles and installations. http://openfodder.com/ https://github.com/OpenFodder/openfodder online (WebAssembly) https://s3.amazonaws.com/openfodder/OpenFodder.html -- -- https://emscripten.org/ Is a toolchain for compiling to asm.js and WebAssembly, built using LLVM, that lets you run C and C++ on the web at near-native speed without plugins. @atom0s
  7. 2 points
    Found an Olly modification that I've created that works ok with Obsidium; I called it OLLY_(Orig_Safengine).rar since it also works for Safengine. A tutorial by Nieo is the most recent: https://tuts4you.com/e107_plugins/download/download.php?view.3678 Let the cracking begin! OLLY_(Orig_Safengine).rar
  8. 2 points
    AdvancedScript version 3.0 releases
    1- add help file and command help on the form.
    2- add ads lib like ("GetAPIName", "GetArraySize", "ReadStr", "GetdesCallJmp", "isInArray", "isAddrBelongSection").
    3- Write2File_ can write array directly.
    4- add commentset command.
    5- replace Script::Debug::Wait(); with waitPauseProcess();
    6- at ret command.
    7- AutoComplete for Functions and variables and ads lib.
    8- add log box for future work.
    9- add AutoUpdate checkbox for enable/disable update of variables list.
    10- fix some bugs and improve some others like (findallmemx).
    11- add tuts how to use.
    AdvancedScript How to Script How to fix IAT Themida API Comment Script Good for Static Analyzing
  9. 2 points
    Language : Delphi XE
    Platform : Microsoft Windows x32/x64
    OS Version : XP/Vista/7/8/8.1/10
    Packer / Protector : ArmoredBinary - Modern Binary Obfuscation Tool.
    Description : Attached file was protected with the full version of the ArmoredBinary obfuscator (with medium protection approach); make sure the unpacked file will execute successfully in any environment. You will be dealing with OEP hiding, Resource Protection, Simple IAT Protection, AntiDump Tricks.
    Screenshot : Protected file after execution will be similar to
    Thanks.
    ArmoredBinary_Official_UnpackMe.rar
  10. 2 points
    Just to clarify as well, I'm not saying Ghidra is bad or to not use it. Sorry if what I'm saying is coming across like that; that isn't my intention or what I mean to imply. I do actually like Ghidra and I am happy to see something finally be on par with IDA's feature set. Given that Ghidra is new and has a small team of like 2? people, there is a lot of room for improvement. And the better part is that they do plan to open source it fully, which is nothing but even better for it. Something I do foresee though with it becoming open source is that people will port it to a different language because of how slow Java is in general. I'd guess we'll see a C# port at some point or eventually a C++ port depending on who decides to tackle it, which I'm all for seeing happen. Overall, it is a nice tool and I'm glad to see it happen; I just hope to see it get better over time, especially with speed improvements.
  11. 1 point
    https://youtu.be/Sv8yu12y5zM bonus - VSCodium - Binary releases of VS Code without MS branding/telemetry/licensing - hxxps://github.com/VSCodium/vscodium
  12. 1 point
    "Program cannot start because VMprotect dll is missing." Are you sure this is using no packer or protector?
  13. 1 point
    Compiling it is certainly for serious developers and paranoid reversers
  14. 1 point
    Hmm, I think the forums are bugging out.. your post wasn't there for me, @Progman, when I made mine. But it shows it was posted an hour ago now.
  15. 1 point
    @atom0s and @deepzero we now also have a version 9.02 with some more fixes: https://ghidra-sre.org/ghidra_9.0.2_PUBLIC_20190403.zip Since serious reversers will want to download the source and not merely browse it, here is a direct link (and it weighs in at ~66mb, smaller than the distribution package even): https://github.com/NationalSecurityAgency/ghidra/archive/master.zip
  16. 1 point
    Source Code of Ghidra Released:
  17. 1 point
    The following Kindle e-books are free at the moment. You will need to amend the URL for your specific region if you are not in Australia...
    Command Line Kung Fu: Bash Scripting Tricks, Linux Shell Programming Tips, and Bash One-liners
    Linux Administration: The Linux Operating System and Command Line Guide for Linux Administrators
    Python Programming for Beginners: An Introduction to the Python Computer Language and Computer Programming (Python, Python 3, Python Tutorial)
    High Availability for the LAMP Stack: Eliminate Single Points of Failure and Increase Uptime for Your Linux, Apache, MySQL, and PHP Based Web Applications
    Machine Learning For Absolute Beginners: A Plain English Introduction (Second Edition) (Machine Learning For Beginners Book 1)
    Shell Scripting: How to Automate Command Line Tasks Using Bash Scripting and Shell Programming
    Ted.
  18. 1 point
  19. 1 point
    9.0.1 was released recently: https://ghidra-sre.org/releaseNotes.html
  20. 1 point
    Fix and tools attached. example_fix.zip RGN Tools.zip
  21. 1 point
    Strings plugin for x64dbg. Download: https://github.com/horsicq/stringsx64dbg/releases Sources: https://github.com/horsicq/stringsx64dbg/ More Info: http://n10info.blogspot.com/2019/03/strings-plugin-for-x64dbg.html
  22. 1 point
    The vulnerability might have put millions "at risk", but realistically most likely affected not one single person at all.
  23. 1 point
    I heard that Mr Exodia joined Denuvo very recently as an employee. Very hearty congratulations to our very much beloved Mr Exodia!!!! 🍻 I just hope that there would be no "conflict of interest" with his reversing hobby and that he would continue to post and release great work for all of us! 😁
  24. 1 point
    How To Fix Debugger Detected In x64dbg Picture ProtectionID Scan
  25. 1 point
    AdvancedScript beta version. It is a beta version, it could have bugs, so please report, and if you like to add more features let me know.
    version 2.5 beta :
    1- Script window is separate.
    2- Create Folder for script, form Load script with category.
    3- add more mirror Functions (xorx - pushx ...), and Functions like (if, goto, writestr) to shortcut the work.
    4- show all variables in a list with their values.
    5- edit script on the fly.
    6- enable to define array with range like z[n].
    7- writestr Function.
    8- run from anywhere in the script.
    9- reset variables list in case of maintenance.
    10- insert rows as much as you need.
    11- insert from clipboard replace all script.
    12- insert from clipboard inside the script.
    13- copy separated lines to use in other script.
    14- insert description without confusing.
    15- add the dll file of c++ runtime for each package.
    16- add some scripts samples.
    17- as it is a beta version it supports one step, not auto step; use F12 for step, sorry for that, I need to check if it works then I will add auto step :}
    note : I forgot to say use the (Scriptw) command to show the Script window, but git has stopped working; copy the script sample to your script folder in the x64dbg folder and please read the help first
    AdvancedScript_2.5beta.zip
  26. 1 point
    I think it's the best idea, you can later share your findings with the rest of the community, I'm sure we can learn from this.
  27. 1 point
    What if I reverse engineer an existing antivirus and develop my own. Thanks for your comment.
  28. 1 point
    Tools: dnSpy, ConfuserEx Tools, de4dot ConsoleApplication3_unpacked.exe
  29. 1 point
    Thanks much Teddy... Any ideas why I keep getting an error that I have exceeded the download quota? I can download 4 MB and get that error every time... Then have to wait until tomorrow, and hope it continues. Frustrating as heck lol... Thank you for taking the time to put the link. ËÞIãLèS666
  30. 1 point
    @ramjane I'm sharing my private script to reach OEP on all 5.xx (and maybe 4.xx). First it tries to find the static OEP address in the Enigma VM section. If that fails, it tries to reach the OEP dynamically.
    lc
    log "Enigma 5.xx OEP Finder by PC-RET v 1.1 started"
    bc
    dbh
    bphwc
    gmi eip, MODULEBASE
    MOV IMAGEBASE, $RESULT
    //gmi eip, CODEBASE
    //MOV CODEBASE, $RESULT
    //gmi eip, CODESIZE
    //MOV CODESIZE, $RESULT
    pusha
    mov eax, IMAGEBASE
    mov edi, eax
    add eax, 3C
    mov eax, edi+[eax]
    mov SECTIONS, [eax+06], 02
    mov esi, eax+0F8
    mov edi, 28
    mov ebp, SECTIONS
    mov ecx, edi
    mul edi, 1 // second section
    add edi, esi
    sub edi, 28
    mov CODEBASE, [edi+0C]
    add CODEBASE, IMAGEBASE
    mov CODESIZE, [edi+08]
    popa
    GPA "VirtualAlloc", "kernel32.dll"
    mov VirtualAlloc, $RESULT
    GPA "VirtualProtect", "kernel32.dll"
    mov VirtualProtect, $RESULT
    GPA "VirtualQuery", "kernel32.dll"
    mov VirtualQuery, $RESULT
    bphws VirtualAlloc
    run
    rtr
    esti
    bphwc VirtualAlloc
    gmemi eip, MEMORYBASE
    mov ENIGMA_SECTION, $RESULT
    mov startsearch, ENIGMA_SECTION
    find startsearch, #8945F8EB0C8BCF8BD68B45FCE8????????F6C304740B8B55F88B45FC# // structure
    cmp $RESULT, 0
    je dynamic_find
    static_find:
    bp $RESULT
    esto
    gmemi esi, MEMORYBASE
    mov startsearch, $RESULT
    gmemi esi, MEMORYSIZE
    mov searchend, $RESULT
    add searchend, startsearch
    alloc 100
    mov eval_section, $RESULT
    mov [eval_section], #609CB8AAAAAAAABBBBBBBBBBB9CCCCCCCCBADDDDDDDD3BC20F831F0000003918740D813800004000740583C004EBE73948100F840800000083C004EBD99D61908B70F803F39D6190#
    mov [eval_section+3], startsearch
    mov [eval_section+8], IMAGEBASE
    mov [eval_section+D], CODESIZE
    mov [eval_section+12], searchend
    bp eval_section+3f
    bp eval_section+45
    bp eval_section+47
    mov bakeip, eip
    mov eip, eval_section
    esto
    cmp eip, eval_section+3f
    je notfound_static
    cmp eip, eval_section+45
    je found_static
    jmp error
    found_static:
    ///////////////////////You can stop here and see OEP in ESI register///////////////////////
    mov oep, esi
    esto
    mov eip, bakeip
    bc
    free eval_section
    gmemi oep, MEMORYBASE
    cmp $RESULT, 0
    jne not_invalid_oep
    eval "Invalid OEP found: {oep}. Now script will try another method."
    msg $RESULT
    jmp dynamic_find
    not_invalid_oep:
    mov oepbytes, [oep], 2
    cmp oepbytes, 25ff
    je risc_oep
    cmp $RESULT, CODEBASE
    je good_oep
    eval "Some weird OEP found: {oep}. Do you want to continue or try using another method? \r\n\r\n\r\nContinue: NO\r\nAnother method: YES"
    msgyn $RESULT
    cmp $RESULT, 01
    je dynamic_find
    good_oep:
    bphws oep
    esto
    msg "OEP found!"
    bphwc
    ret
    risc_oep:
    eval "It seems that OEP: {oep} is RISC-protected. Continuing in another mode."
    msg $RESULT
    jmp dynamic_find
    notfound_static:
    mov eip, bakeip
    bc
    free eval_section
    dynamic_find:
    bphws VirtualProtect
    esto
    bphwc VirtualProtect
    bphws VirtualQuery
    mov hits, 0
    VirtualQueryloop:
    esto
    cmp [esp+4], IMAGEBASE
    je checkhits
    jmp VirtualQueryloop
    checkhits:
    inc hits
    cmp hits, 2
    jne VirtualQueryloop
    bc
    bphwc
    bprm CODEBASE, CODESIZE
    run
    bpmc
    msg "Possible OEP(near OEP) found."
    ret
    error:
    msg "Fatal error occured."
    ret
  31. 1 point
    Read the FULL ARTICLE HERE. Full SOURCES and set of tools can be DOWNLOADED FROM HERE. A PDF created from the website article is attached for the convenience of the readers. PRACTICAL uses : The principles discussed can be used for reversing the firmware of Routers, Dongles etc etc. Please note that while the author has focussed on firmware which is Open Source, the same principles can also be used for Closed-Source Firmware. Firmware Hooking - Using Capstone and Keystone.pdf
  32. 1 point



    Uret Pirate Girl <3 GFX BY ANEES KHAN