Jump to content
Tuts 4 You

Leaderboard


Popular Content

Showing content with the highest reputation since 06/18/2019 in all areas

  1. 8 points
    I created a spinner type control to add to the ModernUI controls (based on an my original version a few years ago: http://masm32.com/board/index.php?topic=1179.0) - typically used when loading, pre-loading or processing something and to hint or indicate to the user something is occurring - similar in that regard to progress bar controls. Download The control can be downloaded via the ModernUI repository or downloaded directly from this link: https://github.com/mrfearless/ModernUI/blob/master/Release/ModernUI_Spinner.zip?raw=true Example I created an example project to demonstrate it. The example (which includes a Radasm project) can be downloaded via the ModernUI repository or downloaded directly from this link: https://github.com/mrfearless/ModernUI/blob/master/Release/MUISpinner1.zip?raw=true There are a number of ways of adding image frames to the ModernUI_Spinner control. The most basic level is to add individual images to construct the spinner animation. This can be done with the MUISpinnerAddFrame or MUISpinnerLoadFrame - using an image handle that is already loaded or using a resource id of an image. For example, the first spinner it is comprised of 8 separate bitmap images: For images that are circular, it can be more convenient to use the MUISpinnerAddImage or MUISpinnerLoadImage functions, as these only require one image. The image is copied a number of times into frame images - as specified by the dwNoFramesToCreate parameter. Each new frame image is incrementally rotated - based on the angle calculated for each new frame image. The bReverse parameter if set to TRUE will set the spinner animation to counter-clockwise. Note: the MUISpinnerAddImage or MUISpinnerLoadImage functions only work with png images or png's stored as RCDATA resources. The far right spinner on the top row is created via loading a single png image: Once loaded it is rotated and new frames are created to enable it to look like this: For more complicated spinners, or spinners that are not circular in nature, the MUISpinnerAddSpriteSheet and MUISpinnerLoadSpriteSheet functions are provided. These allow you to provide a long (wide) image (bitmap, icon or png) handle (or resource id) that contains all the spinner frames in the one image. The image frames are extracted out of this image. The amount of frame images in the spritesheet is passed via the dwSpriteCount parameter. The clock spinner is a good example of this, as it can't be rotated due to the buttons around its edge: So either it can be constructed by manually adding each frame or by using a spritesheet like so: Which looks like this once all the individual frames are extracted: I put some compile time conditions to allow for using of TimerQueue, Multimedia Timer or WM_TIMER for the animation of the spinner. There is also a ModernUI_Spinner.h file for c/c++ - but as I don't actively use that language there may be some typos or mistakes or wrong types specified (I haven't tested it). The Icons8 website is a good source for spinners, and they can be adjusted for size and color etc before downloading - including under the additional download options button as a spritesheet (using apng format). Take note of the frames value, as you will need to use this so that the spritesheet can be divided up into the correct individual frames. https://icons8.com/preloaders/en/search/spinner
  2. 6 points
    Answer The password is "gamer vision". All of the following addresses are based on the modulebase 0x00007FF644840000. The possible OEP at: 00007FF644841DF8 | 48:895C24 20 | mov qword ptr [rsp+20],rbx 00007FF644841DFD | 55 | push rbp 00007FF644841DFE | 48:8BEC | mov rbp,rsp 00007FF644841E01 | 48:83EC 20 | sub rsp,20 ... Then the second hit in code section at: 00007FF6448416FC | 48:895C24 08 | mov qword ptr [rsp+8],rbx 00007FF644841701 | 48:897424 10 | mov qword ptr [rsp+10],rsi 00007FF644841706 | 57 | push rdi 00007FF644841707 | 48:83EC 30 | sub rsp,30 ... After prompted "enter password.", the input routine at: 00007FF644841400 | 48:8BC4 | mov rax,rsp 00007FF644841403 | 57 | push rdi 00007FF644841404 | 41:54 | push r12 00007FF644841406 | 41:55 | push r13 00007FF644841408 | 41:56 | push r14 00007FF64484140A | 41:57 | push r15 00007FF64484140C | 48:83EC 50 | sub rsp,50 ... the pointer of local buffer for receiving input text is in rdx(for example, 000000359CC9FA58). When entered some test characters, stack looks like: 000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00 "123456789012" 000000359CC9FA68: 000000000000000C input size 000000359CC9FA70: 000000000000000F buffer size Whereafter, the process logic virtualized. First of all, the length of input text got checked in a vCmpqr handler: 00007FF644898E0B | 49:39F0 | cmp r8,rsi ; r8=000000000000000C(actual), rsi=000000000000000C(const) The length MUST be 12!, else got "no!". NOTE: the encrypt password has no chance to get decrypted if input length is wrong! The answer String is encrypted(0xC length): 00007FF64484BCB0 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00 decrypt algo: 00007FF6448BF3A6 | 40:8A36 | mov sil,byte ptr [rsi] rsi=00007FF64484BCB0, sil=8B 00007FF6448D4125 | 44:30DB | xor bl,r11b bl=8B, r11b=08; ^=08 = 83 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 83 00007FF64485748F | 8A09 | mov cl,byte ptr [rcx] [00007FF64484BCB0] -> 83 00007FF64485E6FA | 44:00D7 | add dil,r10b dil=83, r10b=E4; +=E4 = 67 'g' 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 67 00007FF64488DA96 | 49:FFC4 | inc r12 ptr++ 00007FF644859691 | 41:FFC9 | dec r9d length-- 00007FF64488743C | 85C8 | test eax,ecx end loop if length zero At the end of loop, the plaintext: 00007FF64484BCB0 67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00 gamer vision.... The comparison: 00007FF6448424E7 | FF25 330C0000 | jmp qword ptr [<&memcmp>] ret rax=00000000FFFFFFFF/0000000000000000(if matches) rcx=000000359CC9FA58 "123456789012" rdx=00007FF64484BCB0 "gamer vision" r8=000000000000000C Strings Encrypted Structure BYTE bEncrypt // 1 - encrypt, 0 - decrypt DWORD dwLength BYTE UnDefined[0xC] BYTE CipherText[dwLength+1] The related messages as followings, you can find them in the VM Section ".themida" after it got unpacked at the very beginning of the application. 00007FF6448AC79F 01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00 decrypt algo: ^A0+4F 00007FF6448AC7AF 00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F "enter password.\n" 00007FF6448AC7BF 1B 00 00007FF64484BC9F 01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00 decrypt algo: ^08+E4 00007FF64484BCAF 00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 "gamer vision" 00007FF644886C7F 01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00 decrypt algo: ^85+10 00007FF644886C8F 00 EC D0 E6 94 7F 00 "yes!\n" 00007FF64489252F 01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00 decrypt algo: ^65+C9 00007FF64489253F 00 C0 C3 3D 24 00 "no!\n" 00007FF64484C40F 01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00 decrypt algo: ^12+C6 00007FF64484C41F 00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48 "press enter to continue.\n" 00007FF64484C42F 8F BB BA BC B1 BA BD 8D 7A 56 00
  3. 6 points
    [.NET]实战UnpackMe.mp4 -> https://mega.nz/#!YxwQSAxA!Lwd9XStVyue8fdYKZXmYkoDxE0Y7ftsyNYtBKLTRrGM
  4. 6 points
    @mdj: 使用x64dbg暴打非托管强壳.mp4 -> https://mega.nz/#!Y5JBTaCS!hJXzN5ssvUyRHW8VgpGxINEVrW1zJ2Up96vqqJVG5co I can upload the second video tomorrow, if you need that too. @all: Please be nice and don't abuse the link, it is a free Mega account and has traffic limitations.
  5. 5 points
    Hello, so I keep getting asked what’s the best obfuscators around so I am posting this so I don’t keep repeating it. I have decided to give my opinion on all obfuscators if I am missing any let me know If you are a developer of any of these obfuscators don’t take what I say as an insult use it to improve DNGuard - an obfuscator I used to say was Chinese crap however I’ve recently spent some time analysing this and can say that the HVM technology is very strong and makes unpacking a lot harder. However when not using the HVM setting it makes unpacking extremely simple with jit dumping and can use codecrackers unpacker for this. Compatibility on this obfuscator is its biggest flaw (along with price) which can be a big NO for a lot of people as this protector can cause files to not run on certain .NET frameworks if they fixed this issue and improved compatibility across systems it would make this obfuscator much better. Price is extremely high but I suppose has worked in its favour with not many files around and extremely hard to get test files to test features. Eazfuscator - a .NET VM that has been around for a while now with the last unpacker for version 4.8 I think from saneki on GitHub. Since then Eazfuscator has improved a lot however the concept stays the same and sanekis unpacker is still a brilliant base to start from. Meaning that an unpacker for this isn’t extremely difficult. The compatibility and performance of this obfuscator is actually fairly good for a VM and tells the user not to overuse the VM and only apply on secret methods as to save performance. The problem with Eazfuscator is that any protection method apart from the VM isn’t good, de4dot handles the control flow perfectly and the strings can be easily decrypted by either updating de4dot code which isn’t too hard or simply invoke. So if you’re app is sensitive on performance then maybe avoid this one as for all VMs performance is hurt no matter how efficient it is. In conclusion I do think this obfuscator is one of the top of its game as even with the old unpackers it’s still a lot of work to update ILProtector - An obfuscator I really do like the concept of keeping performance and security balanced, however in recent times with the release of dynamic unpackers it has kind of died as it seems the developer is applying small patches instead of fixing this properly so each unpacker only requires a few changes. In terms of static unpacking they have this down well, it’s actually a very hard job to statically unpack this protector so if they were to patch the dynamic flaws it would quickly appear back at the top but it’s credibility has been stumped due to the release of unpackers that I think may still work on the latest version (something I haven’t checked). Compatibility and performance on this obfuscator are good but one flaw of this obfuscator is that if the dynamic method is decrypted the original ilcode is there, they apply no MSIL mangling which in my eyes they should do both. Agile.Net another .NET VM however I haven’t analysed this myself that much but a few things I have noticed is that updating de4dot to support the latest version is not all that challenging however it is time consuming, a few modifications to de4dot can make it supply all the data you need to update it for the VM. the method encryption can be removed by jit dumpers from codecracker, from what I’ve seen in de4dot the obfuscator isn’t to hard to completely unpack but we have to thank 0xd4d for all he has done on this obfuscator he has done all the hard work for us so it’s just a matter of taking his code and updating, yes this takes a very long time to do Netguard - Now this is one I’m very familiar with, as most people know netguard is a modified confuserex however a fairly heavy modification. Now the actual protection isn’t that strong however for its price it’s very good, the base of netguard is still the same concept as confuserex and many of its protections can be defeated in the exact same way, the only real changes are the native stub and mutations. However once you remove these protections like control flow and constants can be removed in the same theory as I use in my confuserex unpacker2. This obfuscator like I said is the best for its price however if you’re looking for something better there are other options if you’re willing to pay, now compatibility and performance on netguard are something that it’s known for and not in a good way, it has improved a lot recently however they still add lots of junk that adds no real benefit and just slows down code. Appfuscator - now I don’t know why people don’t use this obfuscator anymore. In my eyes it’s still extremely powerful, codecrackers tools are not stable and if you’re tool is larger than a crackme then it will fail, appfuscator uses opaque predicates and CFG to generate its control flow both of which have no public solvers for so is an extremely powerful obfuscator especially if you mix it with something custom. Performance wise this is actually negligible effect so still to this day one of the higher rated obfuscators. Babel.Net - this is similar to ilprotector in the way it makes dynamic methods however in a different approach. The good thing about this obfuscator is that it provides you with more options than just encrypt msil where you have cflow constants and other expected protections making it not as simply as dumping the dynamic method. The dynamic methods itself are not tricky to solve dynamically similar to ilprotector, invoke the correct method and you have the dynamic method ready to read with dnlib. Statically it gets slightly more complex however a few hours debugging with dnspy and some static analysis will reveal its secrets of how it decrypts the encrypted bodies. Performance and compatibility wise I don’t really know enough about it but I’ve not really seen many complaints about it ArmDot - a relatively new .NET VM which I’m fairly interested in. At its current stage it needs polishing, they currently put the whole vm into each method it’s encrypted making it extremely slow. I explained to the developer that it holds no real benefit as to devirtualize it follows the same concept as all vms which is find the instruction handlers and convert back as most are 1:1 with CIL it makes this step relatively easy once you have detected all handlers however if this obfuscator works on your file and performs well I do recommend it especially as its new and being actively worked on and the developer is always interested in seeing ways to improve which is a good thing. KoiVM - another magical creation from yck so do we expect anything other than greatness. Now this was something he sold to customers until he left the scene and trusted XenoCodeRCE with and gave it him to improve and use. Xeno decided that he would sell this to others and ended up causing it to be leaked on GitHub however let’s ignore that. KoiVM is absolutely insane and different to all other VMS we talked about so far. This doesn’t relate 1:1 with CIL and actually converts it to a form of ASM meaning if you manage to get all the code back you then need to translate ASM to CIL which again is no easy task. People think because it’s opensource it makes it not worth it. Remember confuser/ex was open source and undefeated for a long time. KoiVM is on another level compared to those. Compatibility and performance does take a hit and has limitations which you can read on koivm website now if you’re app works fine and you’re happy with performance then I would strongly suggest sticking with it. You can even make modifications to confuserex and use it with that as after all it’s a confuserex plugin. These are just my thoughts and personal opinions on these obfuscators. I do not mean any disrespect to the developers apart from what I think is good and bad. If you would like further explanation on anything let me know or any specific obfuscator that I haven’t covered as I most likely have some sort of opinion on it feel free to ask Regards Cawk
  6. 3 points
    Which is a bloody stupid idea in the first place. Just don't do it. To answer the question - the cause of your problem is MUI files that were introduced in Windows Vista. They enable you to have Windows UI in your own (non-English) language. If you copy some of the Windows built-in executables, you also need to copy the corresponding MUI file to correct subfolder, otherwise it won't be able to load correct resources and you'll see the error you mentioned. Example: Further reading: https://docs.microsoft.com/en-us/windows/win32/intl/mui-fundamental-concepts-explained https://afana.me/archive/2016/06/27/restoring-classic-calculator-in-windows-10.aspx/ https://ntcore.com/?p=266
  7. 3 points
    I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator I try my best to introduce it using English 1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5) 2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run 3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod" 4.fix pe header and maybe you shoud also fix .net header This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies. If you can not understand it, you can reply me. Best wish.
  8. 3 points
    https://github.com/x64dbg/x64dbg/releases https://github.com/wwh1004/ExtremeDumper/releases
  9. 2 points
    I am mostly wondering why an unpackme needs an anti VM mechanism in place. I am not running any foreign binaries on my host machine. Yes I can patch it myself, but what is the point? Given the fact that it also takes a huge amount of time to even start up, I find it a little unsettling if I have to be honest.
  10. 2 points
    Got a chance to check out Ghidra 9.0.4 (released in May) to compare again and will say they have really optimized the disassembler compared to before. A file I work with often in IDA for a specific game now takes around the same time to disassemble in Ghidra which is a lot better than before. (The previous 9hr post was not for this file, will test that one again in the future.) The decompiler has seen some improvements as well which for this file results in some nice output, a bit cleaner than HexRays even at times. Would say in the short time of it being open source, things have shaped up pretty well for this tool.
  11. 2 points
    There is no reason to copy cmd.exe outside the windows directory, and I very much doubt this is supported or even something Microsoft ever considered. Maybe you can get rid of t he error by setting its current-working-directory to c:\windows\system32, but the real solution here is to not copy cmd.exe outside the system folder.
  12. 2 points
    https://www.uperesia.com/hancitor-packer-demystified Ted.
  13. 2 points
    View File Imports Fixer - Legacy Archives This is a complete collection of public and private builds of Imports Fixer (mainly a collection of private builds). I am uploading all of these for posterity reasons before they are deleted and for those people who like to look over this stuff. Most of these old builds will not work on modern Windows OS's and IF is no longer being developed so do not expect them to function correctly. If you need to use an imports fixer I suggest turning to a publically accessible imports builder such as Scylla. It is more feature complete, supports modern OS builds and is open source - so you can fix any bugs. In advance of questions regarding IFv1.7, this version was never completed and no private builds were released. Version 1.6 is where all the fun ended... Ted. Submitter Teddy Rogers Submitted 06/28/2019 Category Tools & Utilities  
  14. 2 points
    Hi New Update with more features : https://github.com/Ahmadmansoor/AdvancedScript AdvancedScript version 4.3 https://github.com/Ahmadmansoor/AdvancedScript/releases * Add new commands and fix some bugs * fix error load of the Auto Commands when there is no ; * Fix AutoRun and stepson ( wait command to finish). * Fix color variable name. * Add ReadFile , Write2Mem , ReadMem * Add GoToByBase Form ( https://www.youtube.com/watch?v=gQxlbC8RnRg ) * Assigne variable directly no need to Setx Command. Sample : Varx str,memory // var will hold the hex value Varx int,rax_,0 // read rax value +1 Varx str,ourStr // read test string ReadMem $memory,{rax},5 $rax_={rax} +1 $rax_=ads.exebase ReadStr $ourStr,{rdx}
  15. 2 points
    This is the same as #2...Rename 'JNE' to 'JMP' and it will automatically become registered. As the same for my #2 I also created a patch for this but using a different patcher. I used AT4RE's Patcher. Simple CrackMe #1 Patch.exe
  16. 2 points
    - version 4.0: 1- add RegexSearch form. 2- New GUI after replace DataGridView with RichTextBox to easy deal and fast coding. 3- edit CustomBuildStep to Auto copy files (AdvSconfig.txt , HelpAdvancedScript.txt). 4- add AutocompleteMenu.dll . 5- add copy AutocompleteMenu.dll to x64dbg root . 6- add AdvSconfig.txt for AutoComplete list for define Commands and variables. 7- update AutocompleteMenu.dll. 8- add comments_ to Variables class to add it next to the description of the variables when call them by Ctrl+j 9- call list var's by Ctrl+j 10- add ReFill_FunctionsAutoComplete_AtLoad. 11- highlight_system done for good look and analyze. 12- add autoCompleteFlexibleList to handle commands defined in AdvSconfig.txt. 13- add open Script from out side. 14- refresh by menu and F5 to refresh highlight_system. 15- add var of x64dbg system. note : by AdvSconfig.txt u can define the commands in AdvancedSecript . AdvancedScript_4.0.zip
  17. 2 points
    Download: https://github.com/horsicq/pex64dbg/releases Sources: https://github.com/horsicq/pex64dbg More Info: http://n10info.blogspot.com/2019/05/pe-viewer-plugin-for-x64dbg.html
  18. 1 point
    ...or just use MSDN key that's available on the net and avoid all that insanity. NYWVH-....
  19. 1 point
    Another option is to use WM_COPYDATA https://docs.microsoft.com/en-us/windows/win32/dataxchg/wm-copydata The following example demonstrates how to send information between two applications using the WM_COPYDATA message: https://docs.microsoft.com/en-us/windows/win32/dataxchg/using-data-copy
  20. 1 point
    Depends on how much data you intend on exchanging as there are a number of different options. This link explains some of them... https://docs.microsoft.com/en-au/windows/win32/ipc/interprocess-communications Ted.
  21. 1 point
    pleas explain how u unpack it?
  22. 1 point
    Hi, thanks for this info kao.I have test it and it works now like you said.Ok,now its no more so nice to copy CMD + cmd.exe.mui with subfolder anywhere into.Ok all clear now so far.No more copy CMD and just starting it via shift+right mouse or via shortcut.Just need to change my behavior for this. Thanks again
  23. 1 point
    Overcooked is free this week on Epic. Good fun for local multiplayer
  24. 1 point
    Cracked. Using: IDA Pro v7.0 Search for 'Unregistered' -> Find Verification Function -> Patch JNE to JMP using IDA's patch function -> Save -> Cracked Sadly, i couldn't find the original password. CrackMe.exe
  25. 1 point
    This is very nice. You've put some good work into these. Thanks for sharing with us!
  26. 1 point
    Its actually a PyInstaller generated executable. The first sign of this is the relatively large overlay 0x5e014c bytes ~ 6 MB. Further, you can search for one of the strings ("Failed to convert executable path to UTF-8.") on the PyInstaller GitHub repo and you would get a hit. For extracting PyInstaller binaries you can use my script pyinstxtractor.py There are also wrapper scripts on top of this for the same purpose https://github.com/countercept/python-exe-unpacker
  27. 1 point
    Should .NET unpackme's be split and separated in to their own category? If you have another suggestion or idea please explain here... Ted.
  28. 1 point
    .NET forum has been created and .NET challenges moved over. Thank you to everyone who voted... Ted.
  29. 1 point
    It could be compiled with something such as cython or nukita which is hard to unpack. Also that does not mean it was made in Visual Studio. It means it is compiled with C++ runtime version 14 which all python exes say that when trying to find the packer.
  30. 1 point
    Hello password is : How I did it : debug used modded dnspy ((obvfuscator checks for dnspy !) or any other native debugger, and look at memory strings, the real password appears multiple times in memory due to how ConfuserEx handle strings in memory 😕 0x2a39cd8 and 0x2a88ff0
  31. 1 point
    just a try to add more feature's to x64dbg script system History Section: - version 2.0: 1-all numbers are hex numbers. 2-more nested in arguments. 3-Build bridge to make plugin system Compatible with x64dbg script system. 4-create parallel Functions to x64dbg Functions, like ( cmp >> cmpx ). 5-rename new name (Varx Getx Setx) and fix array index entry. 6-add VarxClear ( clear all variable to help user in test's ) , memdump with print style. - version 1.6: 1- add Parser system to recognize arguments. 2- begin build Script system. 3- add more Helper Functions. - version 1.4: 1- make StrCompx in separate Thread and add Sleep time to wait x64dbg to finish process. 2- Fix Hex2duint function add length check in case it less than 2 . - version 1.3: 1- Add another argument to cbLogxJustAtBP for printing on LogxWindow. 2- now it accept bool argument like this (true/false-on/off-1/0). 3- add StrComp_BP function for compare string in memory at BP. 4- compiled x32. Source Code: https://github.com/Ahmadmansoor/AdvancedScript If you find it useful please let me know, and if you want to add more feature's please leave a comment. support both x86 and x64 BR AdvancedScript.v2.0.rar
  32. 1 point
    Hey there, i've been playing with VirusTotal graph since some weeks. Originally i did a graph just for building a landscape of files for ATM Wall, the graph can be seen here: https://www.virustotal.com/graph/embed/g9521270d163a4778aa5bc376c0d80375b11f2d95beee484498dbdaafc989ee5f I got the idea of doing this after having seen the work of @vanjasvajcer about ATM malware classification. But i started to got vicious with VT graph so here is some interesting graphs i did based with VT and kernelmode.info: Zeus World (v2.1.0.1 and inferior): https://www.virustotal.com/graph/embed/gf17a46025f554bc4a4d0edaff78d4aabee6388c959584ac8981961ae32af6994 Big nebula of zeus builders since code leak of v2.0.8.9, contain also few very old builders and some have funny messages inside destined to AV vendors. IceIX World (v1.2.5 and v1.2.6): https://www.virustotal.com/graph/embed/g3e3dfb66d191404593284509fbf9028c5253ee1651ee4da9b24225bf262634bf Citadel World (v1.3.4.5 and v1.3.5.1): https://www.virustotal.com/graph/embed/g1d0637aa096e45b2b1336844fe81e1e286a588fa049a4d529357c0a1d2f1646d Atmos World (v1.01): https://www.virustotal.com/graph/embed/ga7f70bed1f6f4394b4b503b5dcee997c66251a48418b4b3fba03119d3196389e Builders, releases, fews files. SpyEye World: https://www.virustotal.com/graph/embed/g98d5440408854a90b8e5fce2bd4003b40a7295519d5c4e0abe39a470a9fcadb5 Research about plugins are based on the spyeye thread on kernelmode.info, contain a nice timeline of the versioning and most of interesting files i guess. Carberp 'krabs.7z': https://www.virustotal.com/graph/embed/gd6210da59ece445f8e0469a7408a4905126fa5722cdb4b759330e073a29e7429 Files annotation based on kernelmode.info thread again (https://www.kernelmode.info/forum/viewtopic.php?f=16&t=2793), chaos mosaic at the image of the archive. BestAV affiliate: https://www.virustotal.com/graph/embed/g0741bdd40e4b4bc7a4c77e8240de0667f2ea89df4124484b87717ad081f741aa Lot of FakeAV files found with communicating IPs, graph based also on fews posts on kernelmode and also from my personal archive about thoses guys And not related to malware but you can do also funny things: Looking for an ollydbg modification ? https://www.virustotal.com/graph/embed/gd11e600f461c476082159553dadde7ac102288cd74df42d38f84291e97f2263a You have lost your SoftIce CD ? https://www.virustotal.com/graph/embed/g7534bcb28a2a439a8d466f69542374127b54265b605c4589adbf97191a1b0467 a small landscape about dongle piracy https://www.virustotal.com/graph/embed/g035609ac24c94751ae94aef309b6599010d8ccd1549f49f3b8ef7e20febd3f9f
  33. 1 point
    Code like this. You can copy dlls in OpenFileDialog. If you can't copy dlls (maybe anti dump?), you can use the code like "File.WriteAllBytes(@"I:\Downloads\Yes.dll2", File.ReadAllBytes(@"I:\Downloads\Yes.dll"));". ILProtector detects the first few bytes of the compiled machine code. You can fake it.
  34. 1 point
    Strange here attachments downloads works ok. Here is external download link: https://www3.zippyshare.com/v/fDchNW5P/file.html
  35. 1 point
    1. dump ilprotector native runtime you can inject a dll to call OpenFileDialog and dump 2. decrypt method body fix ILProtectorUnpacker's hook, then it works Test.ip.exe.7z
  36. 1 point
    Fallout 76 free week to trial - June 11th-18th Kingdom: New Lands Borderlands 2: Commander Lilith & The Fight for Sanctuary DLC Free Ted.
  37. 1 point
    the latest version contain malware https://github.com/mozilla/addons/issues/1026 new name but I don't know it is safe or not https://addons.mozilla.org/pl/firefox/addon/flash-videodownloader/
  38. 1 point
    https://research.checkpoint.com/malware-against-the-c-monoculture/ Ted.
  39. 1 point
    https://threatpost.com/unhackable-biometric-usb-passwords/144576/
  40. 1 point
    After you dump the main exe (.NET) with MegaDumper: Exception messages: Unable to load DLL 'Test32.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E) So you got to dump that dll with DllSaver. Enigma Only unpacked exes: https://www95.zippyshare.com/v/b0258Ft4/file.html
  41. 1 point
  42. 1 point
    Everyone can see the code because Cawk's ConfuserEx unpacker works just fine.
  43. 1 point
    AdvancedScript_3.1 - fix CheckHexIsValid ( fix length ). - add menu to (copy - follow - delete) variables . - add more check for StrAnalyze. - add MsgBox for if command in a case does not resolve arguments. note : copy can copy one value or all values in case Array variables AdvancedScript_3.1.zip Script.zip
  44. 1 point
    AdvancedScript beta version it is beta version it could have bug, so please report and if u like to add more features let me know. version 2.5 beta : 1- Script window is sperate. 2- Create Folder for script,form Load script with category. 3- add more mirror Functions (xorx - pushx ...), and Functions like ( if , goto,writestr ) to shortcut the work. 4- show all variables in a list with it's values. 5- edit script onfly. 6- enable to define array with range like z[n]. 7- writestr Function. 8- run from anyware in the script. 9- rest variables list in case maintenance. 10- insert rows as much as you need. 11- insert from clipboard replace all script. 12- insert from clipboard inside the script. 13- copy separated lines to used in other script. 14- insert description without confusing . 15- add the dll file of c++ runtime for each package. 16- add some scripts samples. 17- as it is beta version so it support one step not auto step , use F12 for step, sorry for that I need to check if it work then I will add auto step :} note : I forget to say use (Scriptw) command to show the Script window , but git has stop working and copy the script sample to ur script folder in x64dbg folder and pls read the help first AdvancedScript_2.5beta.zip
  45. 1 point
    Unpackers tools - source code C# My source code: https://gitlab.com/CodeCracker https://github.com/CodeCrackerSND https://bitbucket.org/CodeCrackerSND/ I will NOT share (anymore) the rest of my tools!
  46. 1 point
    Support XP-WIN10. and x86,x64 unzip password: xxoo XAntiDebug.rar
  47. 1 point
    Just use NETGuard. Ben mhenni can be deobfuscated and NETGuard too but it's more professional. Also Ben Mhenni has many bugs so i don't recommend buying it
  48. 1 point
    Sometimes my conspirational mind thinks that the people who post unfriendly requests to release the tools are paid by "software protection industry shills" to create a bad atmosphere among the reversing community, so the people in the community would be less willing to release tools and tutorials. If my evil suspicion is true: It works, you bastards! Jokes aside, have a nice day. Cheers
  49. 1 point
    ILSpy mod by Medsft: NET assembly browser and decompiler, debugger, High and Low level Editor Project renamed. ILSpy NEXT. NET assembly browser and decompiler, debugger, High and Low level Editor Description: ILSpy (latest ILSpy public version 2.2.0.1737) -add debugger from the SharpDeveloper studio -add CopyFullyQualifiedTypeName.Plugin -add OpCodeTableForm -add to treeview contextmenu: - strong name utility - rename class utility - Jump to EntryPoint - string viewer utility (search enable) - extension exeecute utility (reservation work enable) - hexeditor methodbody utility (runtime compilation enable, - search any text in decompileTextView - find method call - Analyze. Reference calls positioning and highlight ("IL Code" view) two technologies save the result(High Level:recompile assembly and Low Level:Binary Patch(See results and work in Patch_table))) add to decompiletextview contextmenu: - replace instruction (High Level,need recompile to save assembly) - nop instruction (High Level,need recompile to save assembly) - reverse branch (High Level,need recompile to save assembly) - nop instruction (Low Level, no need recompile binary patch see Patch Table) - reverse branch (Low Level, no need recompile binary patch see Patch Table) - class or method injector (High level) - "Undo" operation Mono.Cecil -ignore null type (Read TypeDefinition) -ignore invalid parameter(Read MethodDefinition) -ignore invalid generic argument() -ignore invalid attribute (if (attribute.Constructor == null) continue;) -ignore invalid signature(GetSecurityDeclarationSignature) -fix handle null value in obfuscated assembly -add ToString for CustomAttributeArgument -add ToString for CustomAttributeNamedArgument -ignore null element(MemberDefinition) -avoid recursive declaringtype of some obfuscated assemblies,currently only one level checking -add AllMemberReferences(IEnumerable<MemberReference> GetMemberReferences) -add ElementTypeIntValue(ElementTypeIntValue) -add support to read/write directly from bytes(FromBytes) -Read reloc section, Contributed by Khiem Nguyen -add alternative "Save" technology modified assembly (support obfuscated assembly) Pack "ALL in One" The latest releases of ILSpy.NEXT on http://il4re.ml// [t]We are opened! Welcome, guys.[/t] Last build: 12_08_2016 Sorry for my bad English and WPF
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
×
×
  • Create New...