Tuts 4 You


Popular Content

Showing content with the highest reputation since 04/23/2019 in all areas

  1. 6 points
    Everyone can see the code because Cawk's ConfuserEx unpacker works just fine.
  2. 5 points
    Download: https://github.com/horsicq/pex64dbg/releases Sources: https://github.com/horsicq/pex64dbg More Info: http://n10info.blogspot.com/2019/05/pe-viewer-plugin-for-x64dbg.html
  3. 4 points
    Hmmmm... Could it be because you didn't do time travel and never experienced 4th of May 2019 before? The expired certificate is inside your outdated copy of Firefox 56. And, as you said it yourself - you refuse to update it. So, how on earth do you expect Mozilla to fix something that's on your computer? Should they send Santa with magic powers to your home? Solution: download the XPI file from above. Extract files from it. Base64-decode new certificate from api.js. Add new certificate into your old Firefox (Tools-Options-Certificates). Done. Takes less time than writing those whiny posts. Full disclaimer: I couldn't test it 100% because I don't use Firefox on a daily basis and I couldn't find portable Firefox 56 with 3rd party addons.
  4. 3 points
    Download: https://github.com/horsicq/nfdx64dbg/releases Sources: https://github.com/horsicq/nfdx64dbg More Info: https://n10info.blogspot.com/2017/05/nfd-plugin-for-x64dbg.html
  5. 3 points
    And here is the fully deobfuscated file with strings decrypted. I haven't run it through de4dot, since this will simplify your button click method to one MessageBox.Show. Unpacked.exe
  6. 3 points
    Here is the code without strings decrypted, more to show that I haven't just remade the method from scratch but have actually devirtualised the file. The obfuscator is not that good in all honesty; once you get your head around everything in one method it's just like any other VM.

    private void button1_Click(object sender, EventArgs e)
    {
        int num = 0;
        if (num != 0)
        {
            // Each character is stored as the XOR of two constants.
            object obj;
            char[] value = obj = new char[16];
            obj[0] = (2049885642 ^ 2049885579);
            obj[1] = (721969625 ^ 721969580);
            obj[2] = (1722827470 ^ 1722827450);
            obj[3] = (675984423 ^ 675984463);
            obj[4] = (1647779473 ^ 1647779505);
            obj[5] = (1793770717 ^ 1793770638);
            obj[6] = (640259843 ^ 640259958);
            obj[7] = (959731082 ^ 959731177);
            obj[8] = (1744869780 ^ 1744869879);
            obj[9] = (237600744 ^ 237600653);
            obj[10] = (492056264 ^ 492056251);
            obj[11] = (327956409 ^ 327956426);
            obj[12] = (688741927 ^ 688741953);
            obj[13] = (658212064 ^ 658211989);
            obj[14] = (454212694 ^ 454212666);
            obj[15] = (28756323 ^ 28756290);
            MessageBox.Show(new string(value));
        }
        else
        {
            object obj;
            char[] value2 = obj = new char[10];
            obj[0] = (1435200779 ^ 1435200842);
            obj[1] = (853162666 ^ 853162719);
            obj[2] = (2119875586 ^ 2119875702);
            obj[3] = (712244489 ^ 712244577);
            obj[4] = (1541140050 ^ 1541140082);
            obj[5] = (2107783153 ^ 2107783095);
            obj[6] = (1703953462 ^ 1703953495);
            obj[7] = (1864360465 ^ 1864360568);
            obj[8] = (2035746888 ^ 2035746852);
            obj[9] = (620298057 ^ 620298088);
            MessageBox.Show(new string(value2));
        }
    }
  7. 2 points
    Standard Confuser .NET module trick, koi module is named dat Method entry point 6000307 Anti-tamper remove method: 2C -> 44 (CFF Explorer index) Set number of Metadata streams to a smaller number (5) to remove invalid streams.
  8. 2 points
    @LCF-AT Open T:\Program Files\brave\\brave_resources.pak in a hex editor (don't try w/ notepad++) ASCII search for : brave_new_tab.js replace it with arave_new_tab.js or whitespace whole @ : <script src="chrome://newtab/brave_new_tab.js"></script> tested & working greets @NeWOT
  9. 2 points
    Embarrassing. Don't trust anything that looks like a pregnancy test kit... Ted.
  10. 2 points
    Run the target first with NETBox so won't kill .NET PE. Dump with MegaDumper. In dumped exe change Image Base to 400000 Fix relocation with Universal Fixer Native DLL UnpackMePlease.dll missing: DllSaver break if module contains UnpackMePlease Unpacked exes: https://www112.zippyshare.com/v/26CxsdFV/file.html
  11. 2 points
    login pass:
    steps to unpack:
    1. removed anti tamper and some junk calls
    2. cleaned cflow (Thanks to Tesla for cflow cleaning)
    2. removed proxy calls
    3. removed proxy calls again
    4. converted x86 methods to IL
    5. decrypted all constants
    6. cleaned cflow again (Thanks to Tesla for cflow cleaning)
    7. cleaned some small stuff with de4dot.
    UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe
  12. 2 points
    Well, your post is in the crackme section. It means unpacking doesn't really matter. But since you want the file unpacked, here you go.
    serial key:
    steps:
    1. removed anti tamper
    2. converted x86 methods to IL
    3. decrypted strings
    4. removed delegates
    5. attempted to clean cflow (but it's not very clean.)
    6. cleaned with de4dot
    CrackMe_fixed-NoX862.exe_unpacked-StringDec_nodelegate-cleaned-cleaned.exe
  13. 2 points
    All samples have been pulled into hybrid-analysis.com sandboxes. Also, it looks like we disturbed someone: http://atm.cybercrime-tracker.net/index.php?x=threat&hash=b57bc410683aba4c211e407320e6b7746ce25e06d81ddf480711228efd921a6c
  14. 2 points
  15. 2 points
    Best days of programming before all this Java and Android chaos
  16. 2 points
    Thanks a lot for testing. Please download the new version of the plugin: https://github.com/horsicq/stringsx64dbg/releases
  17. 2 points
    Here is the hotfix for anyone who wants to install without turning on Data Collection and Use... hotfix-update-xpi-intermediate@mozilla.com-1.0.2-signed.xpi
  18. 2 points
    https://www.bleepingcomputer.com/news/microsoft/windows-10-start-menu-gets-its-own-process-in-build-1903/ This should have happened a long time ago though it could be an indication Start is becoming bloated under Windows 10... Ted.
  19. 2 points
    You can still read menu item strings using the GetMenuString function. What I meant previously was that you have to change my example code to work differently with the DrawText function as the string of characters for, "Tuts 4 You", was not saved in the menu structure. The next example has, "Tuts 4 You", saved in the menu structure so you will be able to find this using GetMenuString. Each character is individually retrieved from the menu string and DrawText is used to display it. It also cycles through each RGB colour as before. When you click on a menu item GetMenuString is used to get the menu item text. It is then displayed in a message. I have attached both x32 and x64 this time. Apologies for the previous compile mistake! Ted. Appended Menu Items x64.exe Appended Menu Items x32.exe
  20. 2 points
    It builds a lot on your previous crackmes. So, most of the answers are already there. 1) Finding first 2 checks - they are in 2 separate dynamic methods. You can simply patch those; 2) Third check is in yet another dynamic method. You can patch it, and play the game till the end. However, the game never shows success screen. I think it's a bug in the crackme, as I could not find any code that would set the required field; 3) There are different ways to get IL code of the dynamic method, for example, this breakpoint might help: 4) To patch crackme, you need to understand how it stores information about dynamic methods. See previous crackmes and solutions for some details and hints. 5) Also you'll need to understand how jit hook decrypts IL code. There's nothing original in it: VirtualProtect -> decrypt code in-place -> jit it -> encrypt code back -> VirtualProtect. Very easy to break in several different ways. So, attached are 2 different versions of solution. First solution patches all 3 checks, you can play the game till the end but not get the success screen. Second solution gives you instant win and shows success screen. Bonus: the secret "cheat" code is checked on timer procedure. If you type it quickly enough, it will show the playing field: minesweeper-solution-kao.zip
  21. 1 point
    Sometimes I think Opera is run by a bunch of idiots. I've been using Opera since it was built on the Presto engine. They break old versions' compatibility without the blink of an eye. I have lost my favourites countless times by upgrading a previous version of Opera, it was gone like that - hundreds of bookmarks; since then I have stopped using it at all. Then I switched to this Chrome based version (just because I was too used to right mouse gestures) and I hate it: they change colors like this pink shit, they change the way the startup window is shown (speeddial), they have added some artificial animations after opening new tabs, it's not possible to assign keyboard shortcuts to many actions (why?). I have contacted them on their Twitter support many times with bug reports, filed their forms to report bugs - no response at all... You should see their support forums, many people are upset about their "breaking changes" and they don't do anything about it. I'm thinking about moving to Vivaldi, looks like a much more customizable version.
  22. 1 point
    Here's the unpacked file. Found an old unpacker I had which worked on this file (I won't share). Metadata could be cleaned some more but here it is: UnpackedBed.exe
  23. 1 point
    After using ManagedJiterFr4 on NetBox 4.0 some metadata streams got corrupted so I got to restore them; I just have to change the first method called, which is anti-tamper, to 062A (a simple return). For removing invalid streams the strategy is to first set number of streams to a smaller size like 8. #US with a space at the end (" "); yoi don't seems to be a valid stream! Here is a partially unpacked exe: https://www118.zippyshare.com/v/liRTdnBO/file.html It uses delegates!
  24. 1 point
    Just a quick thought/idea ... did you try to put/apply owner-draw flag also for menu item in resources? This way it should send/call the WM_MEASUREITEM for every items and your processing should be the same. [EDIT] Sorry, re-reading your message, you're already using ownerdrawn flag for your menu in resources ... so my previous answer is not useful. Anyway, itemData is a "place" to put custom information and, by default, as far as I remember, it should be empty/uninitialized and/or system-reserved ... unless you put something in it. That's why you actually *have to* modify the resources' menu to set it explicitly. I found this maybe useful quote: https://docs.microsoft.com/en-us/windows/desktop/menurc/using-menus You created popup menu straight by code, right (not using resources) ? You could use the SetMenuItemInfo (as suggested in the quoted link) to set only the itemdata ... without having to re-set the item text again. -- It's a lot I don't play with this stuff, so everyone is very welcome to correct me Best Regards, Tony
  25. 1 point
    No, those are mostly fake attributes. It's just a modded cfex. I didn't go further to attempt to deobfuscate it because it lags so much at the cctor part of module when compiling to C#. And it has flood calls when checking via IL, which makes it harder to remove all calls that need to be removed.
  26. 1 point
    To get unpackmeplease.dll and yes.dll I've just used WinAPI CopyFileA in the target process, and after that I use the standard method to set new Content in component after initialization.
  27. 1 point
    Run original exe with NETBox 4.0 forget to specify version 4.0: https://forum.tuts4you.com/topic/39321-netbox/ Dump .NET exe main module with MegaDumper: https://forum.tuts4you.com/topic/24087-dotnet-dumper-10/page/3/?tab=comments#comment-177260 You should load original exe with dllsaver: https://forum.tuts4you.com/topic/39871-dllsaver/ As for ILProtector unpacking I've used a private tool I won't share!
  28. 1 point
    Step 1: Few notes: the .NET module trick is used; you can dump the .NET module with memcpyLogger. You just have to find the first block which starts with MZ. You get the module assembly entry point token with ConfuserExConstant.exe - as file input you enter the original protected file. The Entry Point Token value is 600009C.
    Tools used: https://www115.zippyshare.com/v/HETHPm4D/file.html
    Step 1: Dumping .NET module, explained before;
    Step 2: Confuser Exceptions Restore - anti-tamper: - this is for decrypting MSIL: https://forum.tuts4you.com/topic/41025-confuser-exceptions-restore-anti-tamper It works just fine; you must unmark "Invoke EP" and "Patch Anti-tamper". So after we nop the first method from <Module>.ctor - this was the anti-tamper; we also fix the entry point of koi module with 600009C.
    Here is the partially unpacked exe: https://www8.zippyshare.com/v/M78VMowQ/file.html
    For string decryption I've used this: https://github.com/cawk/ConfuserEx-Static-String-Decryptor/releases Check/Mark "Invoke". For c-flow I've used ConfuserExSwitchKiller. ConfuserExCallFixer.exe for inline methods.
    Here is the completely deobfuscated exe: https://www119.zippyshare.com/v/YFwpUuCv/file.html

    private void method_1(object sender, EventArgs e)
    {
        if (this.textBox_1.get_Text().Length >= 5)
        {
            string str = this.textBox_1.get_Text();
            if (!Directory.Exists(@"Data\\License"))
            {
                MessageBox.Show("Password was not found!", str);
            }
            else
            {
                // The first line of license.dat is skipped; the second line is decrypted and compared.
                StreamReader reader = new StreamReader(@"Data\\License\license.dat");
                reader.ReadLine();
                string str3 = reader.ReadLine();
                reader.Close();
                if (Class7.smethod_1(str3) == this.textBox_1.get_Text())
                {
                    MessageBox.Show("Good Job !");
                }
                else
                {
                    MessageBox.Show("password is wrong!");
                }
            }
        }
        else
        {
            MessageBox.Show("Password is invaled or too short!");
        }
    }

    // Base64-decodes the input and decrypts it with AES-256-CBC (PKCS7), key and IV taken from string_1 and string_0.
    public static string smethod_1(string string_2)
    {
        byte[] inputBuffer = Convert.FromBase64String(string_2);
        AesCryptoServiceProvider provider = new AesCryptoServiceProvider
        {
            BlockSize = 0x80,
            KeySize = 0x100,
            Key = Encoding.ASCII.GetBytes(string_1),
            IV = Encoding.ASCII.GetBytes(string_0),
            Padding = PaddingMode.PKCS7,
            Mode = CipherMode.CBC
        };
        ICryptoTransform transform = provider.CreateDecryptor(provider.Key, provider.IV);
        byte[] bytes = transform.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length);
        transform.Dispose();
        return Encoding.ASCII.GetString(bytes);
    }
  29. 1 point
    REDasm 2.1 released https://github.com/REDasmOrg/REDasm/blob/master/CHANGELOG.md
  30. 1 point
  31. 1 point
    Don't let my son find out about this... 😉 Ted.
  32. 1 point
    World of Goo is currently free at the moment... Ted.
  33. 1 point
    Nothing really different from your last crackme, just need to run it on de4dot before running on the quick tool I made. (Some stuff copy pasted from the last tutorial I made for your last crackme) Tutorial: (Run through de4dot first or it will give errors, no idea why) Opening the .exe in dnSpy we can see that the methods have some kind of decompiler crashing. So what I did was simply loading the .exe and writing each instruction to console to see what is going on. Well, a lot of ldc.i4.6 appeared, as you can see here. Simply made a quick tool to remove this. Now you can open it in dnSpy and see the actual code. But there are some anti-debuggers, so I modified the tool that I made to remove the anti-debuggers too, like this. You can simply debug it now. CrackMe-antiskid-cleaned-Cleaned.exe
  34. 1 point
    https://www.zdnet.com/article/hacker-holding-git-repositories-for-ransom/ https://security.stackexchange.com/questions/209448/gitlab-account-hacked-and-repo-wiped == Download all of your GitHub data - https://github.com/settings/admin
  35. 1 point
    No File->Load ??? Or the ability to run a script txt file?
  36. 1 point
    You will need to give me a bit more info on the first problem. How are you filling the round rectangle area and when? Regarding the second problem. After filling the rectangle create a pen and define its width, PS_SOLID should work fine. Then select it for the device context and then redraw the round rectangle...

    Pen = CreatePen_(#PS_SOLID, 2, $0)
    SelectObject_(bmpHDC, Pen)
    RoundRect_(bmpHDC, r\left, r\top, r\right, r\bottom, 128, 128)

    Ted.
  37. 1 point
    Hi, so I don't like that dark color value because it's aggressive and of course it looks very dumb too. I like decent bright colors, which are also better for the eyes. Bright background / dark text is fine. Dark background / bright text is bad. Firefox handles the private tab mode better, without changing the theme color in the working areas (tabs / bars), just putting a small private mode logo in the bar, which doesn't disturb anyone, you know. But changing the whole theme color in this mode like Opera / Brave etc. do isn't really acceptable without asking the user for permission. Sorry, but it's really stupid. So they also put a private logo into the bar, so why do they also change the color theme!? The logo is enough so everyone can see this. Sometimes less is more. Of course it's just my opinion. greetz
  38. 1 point
    LCF-AT is a woman that doesn't like the pink color... strange! Maybe is just that specific pink color.
  39. 1 point
    If you have a look at my DrawTextColoured procedure in my previous example and the one below you can see how I change the text colour and calculate the required positioning in the menu. The example (below) uses AppendMenu function to add items in to the owner drawn menu. It then adds the new item in to the menu array. You can also see how to add an icon/image in to these menu items. I included an example on how you can process menu events from WM_COMMAND. I suggest having a read through the Windows developers documents regarding menus, particularly the About section. https://docs.microsoft.com/en-au/windows/desktop/menurc/menus I have compiled the example for you this time in x32... Ted. Appended Menu Items.exe
  40. 1 point
    If you want to display an icon in the menu you can use something like DrawIconEx. If it is a bitmap you can BitBlt or similar. The icon needs to be placed at the beginning of the menu, you then offset the placement of any subsequent text in the menu after the icon. I am not entirely sure what you mean by dynamic icons or what you are trying to achieve - I'll have a guess... The menu will be drawn each time it is requested to be shown, any icons can be reloaded and used in any preferred order. You will need to keep a track of your images and icons as you will need to free up these resources at some time otherwise you will risk GDI leaks. If I am guessing at what you are trying to do with dynamic icons (and if I guessed correctly) there is no way around it, you will have to track your icons handles. I have had to do something similar in the past and used structured arrays with defined types. A dynamic example would be tracking windows; titles, position, order, icon, window handle, etc. This information is captured and stored in a structured array and then the necessary information is displayed in the menu. In the below example I have expanded on the previous code I posted and added icons in to the menu. Code is a bit crude though it gives you the idea... Ted. Coloured Menu Item + Icon.exe
  41. 1 point
    @Kazura: That's nonsense. Cloak.NET has been broken before and can be broken now. See It's just that people who can unpack that are not really interested in a very basic crackme.
  42. 1 point
    Hi, can you please check your OS and .NET versions? I only tested it on .NET 4.6.2 EDIT: It seems you will also need the C/C++ runtime library from Microsoft Let me know if you are still facing issues. For me and some other people who tested it, it seems to work.
  43. 1 point
    I really, really disagree. Not all websites are valuable. And not all passwords should be chosen to be secure. In fact, this was something I wanted to write about for a long time already, so here it goes: https://lifeinhex.com/my-password-is-password/ (shameless self-promo, I know! )
  44. 1 point
    https://github.com/Pigrecos/Z34Delphi My new repository for using Z3 in delphi(porting z3 c api to delphi). I tried and there were no tools for symbolic execution in delphi
  45. 1 point
    Yes, Anomali Forum: https://forum.anomali.com/
  46. 1 point
    Just check the IAT start & end / size manually in Olly and correct it if needed, and then you are on the safe side. No big deal to do this quickly by yourself without always blindly trusting any import tool. In this case ImpRec shows everything correctly, but ImpRec can also fail etc. Just wanna say that you should verify the found and shown results, you know. greetz
  47. 1 point
    time consumed is 10 seconds plus however long it took to find his devirtualizer
  48. 1 point
  49. 1 point
    Very nice protection. Well done. antitamper_fix.exe cracked.exe
  50. 1 point