Tuts 4 You

## Popular Content

Showing content with the highest reputation since 07/20/2019 in all areas

1. 2 points

## Is using WinRar enough to encrypt files?

Nice GPU you got there, does it run "mines sweeper" at 60 FPS ?
2. 2 points

## Is using WinRar enough to encrypt files?

Using cRARk with my GeForce RTX 2080 Ti, you can get around: So if your password is pretty short, bruteforcing is an option for you... -HooK
4. 2 points

## Triton - Dynamic Binary Analysis framework for Delphi

I created this experimental project. I hope it can be useful to someone. Any collaboration and improvement is welcome, thank you. https://github.com/Pigrecos/Triton4Delphi
5. 2 points

## VMProtect (.NET) Code Markers Sample App

Files protected with the VMProtect demo can only be run on your own PC.
7. 2 points

## KeygenMe/DeVirtualizeMe

Approach: Keygen.7z xSilent.Runtime.refactored.dll.7z
8. 1 point

## Looking for Curl static build - Has anyone?

They most certainly are available on the curl site: https://curl.haxx.se/download.html

Which has a special page for Windows builds: https://curl.haxx.se/windows/

- 32-bit latest (7.65.3_1): https://curl.haxx.se/windows/dl-7.65.3_1/curl-7.65.3_1-win32-mingw.zip
- 32-bit latest (7.65.3_1) with OpenSSL 1.1.1c: https://curl.haxx.se/windows/dl-7.65.3_1/openssl-1.1.1c_1-win32-mingw.zip
9. 1 point

## Agile.net (6.4.0.31)

I released a way of patching these VMs, here: https://github.com/TobitoFatitoNulled/Venturi77CallHijacker but you'll need to manually inject Agile for now (will try to fix the issue asap tho). My disc is TobitoFatito#5573
10. 1 point

## x64_dbg: how to set condition breakpoint and never pause program ?

There is quite an extensive documentation available at http://help.x64dbg.com/en/latest/introduction/ConditionalBreakpoint.html, however if you don't feel like reading, just use Break Condition "0", Log Condition "r9 != 0" and uncheck "Fast Resume" (since fast resume will skip logging if break condition != 0).
11. 1 point

## small, simple crackme

There are many working keys. One of them is "$^CQE!#(Mrfe%&&$". The key was brute forced using a quickly written C++ executable. The code for the C++ executable is as follows:
12. 1 point

## First Crackme

[*] Changed the text. How I did it?

[*] Added +1 to sum factorial. How I did it?

Now that the addresses are well known, you can easily calculate the string value and edit these register values by patching the exe so it always returns whatever you want.
13. 1 point

## Is using WinRar enough to encrypt files?

At a long enough password length, even with enormous computing power, one is more likely to find a collision than the original password, after more than 2^128 combinations are tried for the example AES-128 HMAC used. However, since the character set is limited, it's not exactly clear which passwords might have shorter-length collisions, and using which other character set. As well, depending on the decryption algorithm, the collision password may not correctly decrypt. Keep in mind that the verification algorithm and decryption algorithm are 2 different things. The verification part is merely to save the trouble of decrypting garbage data and a mere convenience. Old WinRAR versions would just extract without checking validity. In these cases an automated attack would require knowing something about the decrypted data that could be verified for correctness. Unless pre-image attacks against AES become available, or quantum computers, then simply an 8-character, dictionary-resistant password with a good enough character set is enough for most usages. If you are worried about the NSA, then probably you would want to use something completely different, given they are famous for backdooring algorithms and AES was standardized in part by them.
14. 1 point

## Is using WinRar enough to encrypt files?

hello, you can use "crunch" to generate a custom wordlist, then change the "rar" file extension to "zip" and finally you can use "fcrackzip". All I've mentioned is available on "Kali Linux OS". Greetz
15. 1 point

## Obfuscated VM CrackMe

password: "viva la revolution"

How is the password verified? Here, my entered password is checked against the correct one, both encrypted. Obviously, the encrypted password at RVA 00011054 is 18 characters long. But what is the encryption or decryption algorithm? Don't dive into that; instead I assume the algorithm is symmetrical. This time, I entered the right-length password "123456789012345678". At entry of the subroutine, Ecx=004FF534, we can find the entered password at the allocated buffer 008F0000. Copy and paste the correct cipher password from RVA 00011054:

```
008F0000  12 EC C5 CB AC FC 86 96 23 7C 7D 57 46 5C 43 4F
008F0010  56 2D 2A 00
```

Run to the end of the loop at 01323461, and we get:

```
008F0000  12 76 69 76 61 20 6C 61 20 72 65 76 6F 6C 75 74  .viva la revolut
008F0010  69 6F 6E 00                                      ion.
```
16. 1 point

## Is using WinRar enough to encrypt files?

Yes, it is based on AES-128 and AES-256, so it's very secure. Quantum computing may just be a pipe dream; it is still far from guaranteed. Perhaps if cryptanalytic weaknesses are found in AES, it could also change things, though it's been studied by many mathematicians for many years without much progress. Short passwords especially will become vulnerable, however. Remember there are now processor intrinsics for AES (https://en.wikipedia.org/wiki/AES_instruction_set), and if special GPU-like hardware were fabricated, it's possible you could do reasonably serious attacks on AES. Modern nVidia GTX cards now allow for integer operations in the streaming units, so extremely high throughput is already possible there. Furthermore, government agencies may have massive amounts of hardware to do just that. But most people cannot foot the bill for the special hardware, let alone the power consumption requirements needed to run it. Certainly I would not believe the absurdly outdated time-required information on WinRAR's website (https://www.win-rar.com/enc_faq.html?&L=0#c7723). 100 times faster or 1000 times faster by now without much doubt, depending on environment and method.
17. 1 point

## Is using WinRar enough to encrypt files?

I think it's more than enough until quantum computing becomes mainstream, most of us will be dust when that happens
18. 1 point

## How to get RVA from MethodBase?

It works with the following code, thanks!

```csharp
// unsafe is required for the pointer dereference below
static unsafe int GetRVA(MethodBase mb)
{
    var mdInfo = MetadataInfo.GetMetadataInfo(mb.Module);
    int table = mb.MetadataToken >> 24;      // metadata table index (high byte of the token)
    int rid = mb.MetadataToken & 0xffffff;   // row id (low 24 bits of the token)
    mdInfo.MetaDataTables.GetRow((uint)table, (uint)rid, out var ppRow);
    return *(int*)ppRow;                     // first column of a MethodDef row is the RVA
}
```
20. 1 point

## Steam Zero-Day Vulnerability Affects Over 100 Million Users

Depending on how it was originally reported (assuming it was through a medium like hackerone) they probably had no other options. Reading over their hackerone page, gives me a few ideas for things to test that are possibly vulnerable. (Not looking to exploit, would report etc.)
21. 1 point

## Self-contained executable with .NET Core 3.0 on Windows, Linux

I can only really see this being useful for small IoT devices where you are deploying a specific program to it and nothing else. For a computer/server where you are running numerous applications built around the .NET framework, it makes 0 sense to bundle like this. You waste space, you lock the application to the included dependencies which can lead to security issues and other problems, among other things. Like Xeno said as well, this isn't new tech either, stuff like this already exists to do the same thing. It is nice that it's built into the framework now and is supported by Microsoft directly, but I just don't see it being that useful for many people. More of a niche thing for IoT devices imo.
22. 1 point

## VMProtect (.NET) Code Markers Sample App

- Language: .NET Framework 4.0
- Platform: Windows x86
- OS Version: Windows 7 and higher
- Packer / Protector: VMProtect Demo (.NET Support)
- Description: VMProtect introduced their own .NET solution. This is a sample software from their own SDK, protected with VMProtect Demo using Ultra (Mutation + Virtualization). Would like to see who and what can be recovered from source, and how much of the original source can be recovered.
- Screenshot:

Project1.vmp.exe
23. 1 point

## ConfuserEx Fork

Finally I can also unpack this. My method:

- remove anti-tamper with dnSpy
- clean cflow and sizeOf, string.Length, Math's using modified confuser unpacker
- replace or inline local variables like <Module>.a69ad3ae-21ea-4884-9794-dd4fb7db216a and proxy calls to Math.cos using ILReplacer
- codeExplorer predicate killer

and done. CrackMe-cleaned.rar
24. 1 point

## How to handle proxy addresses?

To redirect all connections to fiddler use proxifier.
25. 1 point

## Harmony Injector Help

For Harmony you need to load the target executable into the current domain; in other words, you need to create an application loader. The steps:

1. Create a new WinForms project (the loader)
   - Add references to 0Harmony.dll and Target.exe
   - Add a button, name it btnOpenApp, with this click handler:

```csharp
private void btnOpenApp_Click(object sender, EventArgs e)
{
    AssemblyName assemblyName = AssemblyName.GetAssemblyName(@"c:\path\to\Target.exe");
    var assembly = Assembly.Load(assemblyName);
    var methodBase = assembly.ManifestModule.ResolveMethod(assembly.EntryPoint.MetadataToken);

    // do the patch
    Harmony.Patch();

    // Open the Target
    new Thread(() =>
    {
        // assume method entry point is static and doesn't have parameter
        methodBase.Invoke(null, null);
    }).Start();
}
```

2. Create class Harmony.cs

```csharp
using Harmony;
using System;
using System.Reflection;
using System.Windows.Forms;

namespace YourWinformsNameSpace
{
    internal static class Harmony
    {
        public static void Patch()
        {
            HarmonyInstance h = HarmonyInstance.Create("test.patch.by.ewwink");
            h.PatchAll(Assembly.GetExecutingAssembly());
        }

        [HarmonyPatch(typeof(Target.FormClass), "calculate")]
        [HarmonyPatch(new Type[] { typeof(int), typeof(int) })]
        public class Patchcalculate
        {
            static void Prefix(int num1, ref int num2)
            {
                MessageBox.Show(string.Format("Second param {0} will be patched to 7", num2));
                num2 = 7;
            }
        }
    }
}
```

The above will patch the second parameter of the calculate method to 7. Make sure the target Framework and CPU match.
33. 1 point

## Evil Gnome

Linux Evil Gnome pass: infected HUGE APT collection with others where this came from at: https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/ 7ffab36b2fa68d0708c82f01a70c8d10614ca742d838b69007f5104337a4b869.zip
34. 1 point

## Visual Studios 2019 Pro - trial

...or just use MSDN key that's available on the net and avoid all that insanity. NYWVH-....
35. 1 point

## KeygenMe/DeVirtualizeMe

The challenge is slightly flawed as the serial is formatted in plaintext. Fun challenge, keygen coming soon
36. 1 point

Hi, new update with more features: https://github.com/Ahmadmansoor/AdvancedScript

AdvancedScript version 4.3: https://github.com/Ahmadmansoor/AdvancedScript/releases

* Add new commands and fix some bugs
* Fix error loading the Auto Commands when there is no ;
* Fix AutoRun and stepson (wait for command to finish).
* Fix color variable name.
* Add ReadFile, Write2Mem, ReadMem
* Add GoToByBase form (https://www.youtube.com/watch?v=gQxlbC8RnRg)
* Assign variable directly, no need for the Setx command.

Sample:

```
Varx str,memory      // var will hold the hex value
Varx int,rax_,0      // read rax value +1
Varx str,ourStr      // read test string
ReadMem $memory,{rax},5
$rax_={rax} +1
$rax_=ads.exebase
ReadStr $ourStr,{rdx}
```
37. 1 point

## Themida configuration

1. Read https://www.oreans.com/ThemidaHelp.pdf
2. Add obfuscation like ithare::obf
3. Encrypt strings with xorstr: https://github.com/JustasMasiulis/xorstr
4. For education read https://github.com/lurumdare/ideas
5. Some tricks: https://github.com/lurumdare/DefensiveGuideAgainstCrackers
6. Use embedding objects: https://github.com/lurumdare/furikuri_tutorial (I think it is an anti-disassembler; https://forum.reverse4you.org/t/eset-finfinsher/1127 supports VMProtect, test on Themida and write me a PM)
38. 1 point

## The (Legally) Free PC Games Topic...

At least they made him look cute!
39. 1 point

## [DevirtualizeMe] ArmDot

And here is the fully deobfuscated file with strings decrypted. I haven't run it through de4dot, since this will simplify your button click method to one MessageBox.Show. Unpacked.exe
40. 1 point

## CrackMe for nonskid

Alright, it was really easy to remove. Opening the .exe in dnSpy we can see that the methods have some kind of decompiler crashing. So what I did was simply load the .exe and write each instruction to the console to see what is going on. Well, a lot of ldc.i4.6 appeared, as you can see here. Simply made a quick tool to remove this. Now you can open it in dnSpy and see the actual code. But there are some anti-debuggers, so I modified the tool that I made to remove the anti-debuggers too, like this. You can simply debug it now. CrackMe (1)-Cleaned.exe
41. 1 point

## New Device Login - email send to me a lot!!!

I won't update my Firefox for one main reason: it is not compatible with the KeeFox plugin I'm using. Also, the last version of Firefox takes a lot of memory: 1 GB, and it is also slow. My laptop is not that good: only an Intel i3-2350M 2.30 GHz dual core.
42. 1 point

## VMProtect 3.1.2 (Build 886) Anti-debug Method Improved

Nice. You're very professional.
43. 1 point

## VMProtect vs Themida

Bullshit. I took a look at their VM (the sample that HellSpider uploaded). It is a very simple VM with very simple "obfuscation" (or you can say almost no existing obfuscation). Totally out of the league of Themida/VMProtect. (I worked on that a little bit more than one weekend and I think that I need one more weekend to finish devirtualizing his sample, but not so interested in it right now.) The only reason that there are no tools/tutorials for it is because it is not as common as Themida/VMProtect. The same is probably true for all the other uncommon "much better" protectors. And about Themida/VMProtect, as someone who wrote a script that automatically devirtualizes Themida: as I said in the past, I still think that their VM is better than VMProtect's. All the reasons were already listed in this thread.
44. 1 point

## VMProtect vs Themida

Well, guessing from the first post of the topic creator, he wants to use virtualization as protection (otherwise he wouldn't think about VMProtect, or?). I didn't invest time in reversing Themida-protected targets yet, nor code-virtualized targets (but soon). Just from reading how Themida is using virtual machines as protection, with hybrid virtualizations like SHARK or EAGLE, I would say that it's a better choice to go for Themida than VMProtect. Currently I'm working on VMProtect a lot in my free time, and what I can say is that the VMs have a pretty straightforward pattern when it comes to the handlers. For me the biggest problem was actually the mutation of the assembly, but with compiler optimization techniques you can clean up the code pretty well and continue your analysis on the demutated code (which is one half of the devirtualization process). The other half is pretty much identifying how the handlers work, analyzing them and translating them back, but even this is dynamically possible with coding, and I would think it's less effort than reversing the different Themida VMs. And if this isn't the case I would want to see a proof for that..
45. 1 point

## LZMA packer / depacker code

Figured I'd drop this here. It's the packer and decompressor I use for my private build of my exe packer. Feel free to do what you want with it. lzma_decenc.rar
46. 1 point

## [DevirtualizeMe] Themida 2.3.5.0 Full

I think that the new VMs of Oreans are the best VMs out there. Until then all the VMs were with simple handlers, and the complexity was in other areas (in the obfuscation of the handlers or the obfuscation of the "vm code"). Oreans made VMs with auto-generated complex handlers (and now it isn't even necessary to obfuscate the handlers or the vm code). (As a side note: they protect their newer products with an improved version of tiger, which does obfuscate the vm code with their regular obfuscation and uses internal vm registers, but beside being annoying it doesn't add much to the protection..) I started working on VMProtect (just had one day to work on it); it looks similar to CISC, but they implement many operations with a small set of simple handlers, which makes this vm more complex (than CISC, not the new VMs, but I don't have the right to say that until I fully devirtualize it). And about time consuming: it is enough to just devirtualize one of those new VMs, if you do it well. I work on this project as a side project for fun (mostly on weekends), and it took me about two months to fully devirtualize fish. But after that it took me just a week to add support for tiger, and even less to add support for dolphin. I don't make money from this, but I don't share this project because then there won't be a point in this protection.
47. 1 point

## [DevirtualizeMe] Themida 2.3.5.0 Full

Well, there are few dedicated persons in the world who can do that. Noobs can't. And there are no up-to-date public tools (Deathway's tools are not working for most VMs already). So, after doing simple cost-benefit analysis, Themida guys will sleep really well.
48. 1 point

## [DevirtualizeMe] Themida 2.3.5.0 Full

Yep. This dump has the TM sections removed. Could have them in the right place, but it makes no difference to me. As I know, Themida allocates all APIs to VM'ed portions of memory outside the main exe. That is why I was so puzzled: because I see that the redirection was into the main exe virtual space and not in upper addresses. The IAT table can be restored via 4 patch points like in LCF-AT's script, or just bp on access on an API and then memory bp on write on the code section to see where it is written. You can, with a little patience, restore the IAT table or write a small Odbg script to automate it. It remains to add the VM'ed antidumps and I think all is done, in your case. As you can see, a dedicated person will UV the VM'ed code, so I guess that Oreans cannot sleep well.
49. 1 point

## Old keygen sources in delphi

Let me share a couple of old keygen sources created in Delphi. These sources are old, ugly & coded in a dirty style. A couple of these sources are coded by me and a couple by others. Maybe you can study and learn from them. Password is my name. sources.rar
50. 0 points

## [Help] about hookjit and ilcode compile

looks like nobody want talk with this...