Tuts 4 You


## Popular Content

Showing content with the highest reputation since 04/27/2019 in all areas

1. 6 points

## Can You See The Code?

Everyone can see the code because Cawk's ConfuserEx unpacker works just fine.
2. 5 points

## PE Viewer - plugin for x64dbg

3. 4 points

Hmmmm... Could it be because you didn't do time travel and never experienced 4th of May 2019 before? The expired certificate is inside your outdated copy of Firefox 56. And, as you said it yourself - you refuse to update it. So, how on earth do you expect Mozilla to fix something that's on your computer? Should they send Santa with magic powers to your home? Solution: download the XPI file from above. Extract files from it. Base64-decode new certificate from api.js. Add new certificate into your old Firefox (Tools-Options-Certificates). Done. Takes less time than writing those whiny posts. Full disclaimer: I couldn't test it 100% because I don't use Firefox on a daily basis and I couldn't find portable Firefox 56 with 3rd party addons.
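The middle steps of that recipe (unzip the XPI, find the base64 certificate in api.js, turn it into something the Firefox certificate dialog will import) can be scripted. The following is an added example, not the hotfix's own code and not from the post's author: it treats the XPI as a zip, scans every .js file for long base64 runs and keeps those that decode to a DER SEQUENCE with a long-form length, which is what any real X.509 certificate looks like, then wraps them as PEM. The exact variable name the hotfix used in api.js is not assumed; the scan is generic. `build_sample_xpi` is a constructed stand-in XPI whose "certificate" is a DER-shaped filler blob, not a real certificate, so the script runs offline.

```python
import base64
import io
import re
import zipfile

# Base64 runs of at least this many characters are candidate certificates.
# Kept low so the constructed sample passes; a real DER certificate is well
# over 500 bytes, so raise this for real XPIs to cut false candidates.
MIN_B64_LEN = 64

_B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)


def looks_like_der_certificate(blob: bytes) -> bool:
    """A DER X.509 certificate is an outer SEQUENCE (0x30) whose length is in
    long form with two length bytes (0x82) for anything between 256 and 65535
    bytes; the declared length must match what follows."""
    if len(blob) < 4 or blob[0] != 0x30 or blob[1] != 0x82:
        return False
    declared = int.from_bytes(blob[2:4], "big")
    return declared == len(blob) - 4


def to_pem(der: bytes) -> str:
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_certs_from_xpi(xpi_bytes: bytes) -> list:
    """Open the XPI (a zip) in memory, scan every .js member for long base64
    runs and return those that decode to a DER certificate, as PEM strings."""
    pems = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".js"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for m in _B64_RUN.finditer(text):
                try:
                    der = base64.b64decode(m.group(0), validate=True)
                except ValueError:          # not valid base64 after all (e.g. bad padding)
                    continue
                if looks_like_der_certificate(der):
                    pems.append(to_pem(der))
    return pems


def der_from_pem(pem: str) -> bytes:
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def build_sample_xpi() -> bytes:
    """Constructed stand-in for the hotfix XPI (assumption, not the real file):
    api.js carries one base64 blob shaped like a DER certificate."""
    payload = bytes(range(256)) * 2                      # 512 bytes of filler, not real X.509
    fake_der = b"\x30\x82" + len(payload).to_bytes(2, "big") + payload
    api_js = 'const intermediate = "%s";\nconsole.log("hotfix");\n' % (
        base64.b64encode(fake_der).decode("ascii"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample"}')
        zf.writestr("api.js", api_js)
    return buf.getvalue()


if __name__ == "__main__":
    for pem in extract_certs_from_xpi(build_sample_xpi()):
        print(pem)
```

Write the printed PEM to a file and import it under Tools > Options > Certificates; Firefox accepts PEM as well as DER there. The DER-shape check is deliberately cheap: it rules out random base64 (minified code, icons) without needing an ASN.1 parser, and anything that passes it can be inspected with `openssl x509 -inform PEM -text` before you trust it.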
4. 3 points

## Crackme Baby

That is most likely not your crackme. But what the hell.. Load it in IDA, decompile the serial check and it will look like this:

```c
if ( ++idx >= 29 )
{
  if ( count_of_sevens == 1 && String[6] == '7' )
  {
    v5 = (unsigned __int8)entered_key[0];
    if ( entered_key[0] )
    {
      LOBYTE(v5) = entered_key[4];
      if ( v5 )
      {
        LOBYTE(v5) = entered_key[8];
        if ( v5 )
        {
          LOBYTE(v5) = entered_key[12];
          if ( v5 )
          {
            LOBYTE(v5) = entered_key[16];
            if ( v5 )
            {
              LOBYTE(v5) = entered_key[21];
              if ( v5 )
              {
                part1 = getintfromkey(0, 4, 0);
                part2 = getintfromkey(0, 4, v6);
                part3 = getintfromkey(0, 4, v7);
                part4 = getintfromkey(0, 4, v8);
                part5 = getintfromkey(0, 5, v9);
                part6 = getintfromkey(0, 8, v10);
                v11 = part1 * (unsigned __int8)entered_key[7];
                v12 = part1 * (unsigned __int8)entered_key[6];
                v13 = part1 * (unsigned __int8)entered_key[4];
                if ( v11 == part5
                  && v12 == part3
                  && !(part1 * (unsigned __int8)entered_key[5])
                  && v13 == part4
                  && 1000 * v13 + 10 * v12 + v11 == part6 )
                {
                  ...show good boy message...
```

There are some checks for specific character values:
* char 6 must be "7", there may not be any other "7" in the key;
* char 5 must be "0";
* chars 4, 8, 12, 16, 21 may not be "0".

The key is split into several parts:
part1 = first 4 chars
part3 = chars 8..11
part4 = chars 12..15
part5 = chars 16..20
part6 = chars 21..28

Then it does some simple multiplication and checks the result. At this point you have 2 options:
- make a tool that will randomly choose part1 and chars 4 and 7, do the multiplication to calculate parts 3, 4, 5, 6 and see if it passes all checks;
- remember math lessons from school and figure out the only possible combination that will pass all checks.

The first one is much faster, the second one will be .. challenging. Either way, you should arrive at the only possible solution:

Well, in fact, there is an infinite number of valid keys. You can append random characters to the key above, they are not checked..
5. 3 points

6. 3 points

## [DevirtualizeMe] ArmDot

And here is the fully deobfuscated file with strings decrypted. I haven't run it through de4dot, since this will simplify your button click method to one MessageBox.Show. Unpacked.exe
7. 3 points

## [DevirtualizeMe] ArmDot

Here is the code without strings decrypted, more to show that I haven't just remade the method from scratch but have actually devirtualised the file. The obfuscator is not that good in all honesty; once you get your head around everything in one method it's just like any other VM.

```csharp
private void button1_Click(object sender, EventArgs e)
{
    int num = 0;
    if (num != 0)
    {
        object obj;
        char[] value = obj = new char[16];
        obj[0] = (2049885642 ^ 2049885579);
        obj[1] = (721969625 ^ 721969580);
        obj[2] = (1722827470 ^ 1722827450);
        obj[3] = (675984423 ^ 675984463);
        obj[4] = (1647779473 ^ 1647779505);
        obj[5] = (1793770717 ^ 1793770638);
        obj[6] = (640259843 ^ 640259958);
        obj[7] = (959731082 ^ 959731177);
        obj[8] = (1744869780 ^ 1744869879);
        obj[9] = (237600744 ^ 237600653);
        obj[10] = (492056264 ^ 492056251);
        obj[11] = (327956409 ^ 327956426);
        obj[12] = (688741927 ^ 688741953);
        obj[13] = (658212064 ^ 658211989);
        obj[14] = (454212694 ^ 454212666);
        obj[15] = (28756323 ^ 28756290);
        MessageBox.Show(new string(value));
    }
    else
    {
        object obj;
        char[] value2 = obj = new char[10];
        obj[0] = (1435200779 ^ 1435200842);
        obj[1] = (853162666 ^ 853162719);
        obj[2] = (2119875586 ^ 2119875702);
        obj[3] = (712244489 ^ 712244577);
        obj[4] = (1541140050 ^ 1541140082);
        obj[5] = (2107783153 ^ 2107783095);
        obj[6] = (1703953462 ^ 1703953495);
        obj[7] = (1864360465 ^ 1864360568);
        obj[8] = (2035746888 ^ 2035746852);
        obj[9] = (620298057 ^ 620298088);
        MessageBox.Show(new string(value2));
    }
}
```
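The two strings in that method are left as pairs of XOR'd integer constants; ArmDot's string encryption is nothing more than constant splitting, so "decrypting" is constant folding. The following is an added example (my code, not the author's unpacker and not part of the original post) that parses the decompiled text above and folds the constants back into the strings: every `new char[N]` opens a fresh buffer and every `obj[i] = (a ^ b)` stores `a ^ b` as a UTF-16 code unit into it. The embedded snippet is the post's own decompiler output, reduced to the statements that matter.

```python
import re

# The decompiled C# from the post above (the devirtualized button1_Click body),
# reduced to the statements that matter: each string is a char[] filled with
# two-constant XORs that the decompiler did not fold.
DECOMPILED_SNIPPET = """
char[] value = obj = new char[16];
obj[0] = (2049885642 ^ 2049885579);
obj[1] = (721969625 ^ 721969580);
obj[2] = (1722827470 ^ 1722827450);
obj[3] = (675984423 ^ 675984463);
obj[4] = (1647779473 ^ 1647779505);
obj[5] = (1793770717 ^ 1793770638);
obj[6] = (640259843 ^ 640259958);
obj[7] = (959731082 ^ 959731177);
obj[8] = (1744869780 ^ 1744869879);
obj[9] = (237600744 ^ 237600653);
obj[10] = (492056264 ^ 492056251);
obj[11] = (327956409 ^ 327956426);
obj[12] = (688741927 ^ 688741953);
obj[13] = (658212064 ^ 658211989);
obj[14] = (454212694 ^ 454212666);
obj[15] = (28756323 ^ 28756290);
MessageBox.Show(new string(value));
char[] value2 = obj = new char[10];
obj[0] = (1435200779 ^ 1435200842);
obj[1] = (853162666 ^ 853162719);
obj[2] = (2119875586 ^ 2119875702);
obj[3] = (712244489 ^ 712244577);
obj[4] = (1541140050 ^ 1541140082);
obj[5] = (2107783153 ^ 2107783095);
obj[6] = (1703953462 ^ 1703953495);
obj[7] = (1864360465 ^ 1864360568);
obj[8] = (2035746888 ^ 2035746852);
obj[9] = (620298057 ^ 620298088);
MessageBox.Show(new string(value2));
"""

_NEW_ARRAY = re.compile(r"new char\[(\d+)\]")
_XOR_STORE = re.compile(r"obj\[(\d+)\]\s*=\s*\(\s*(\d+)\s*\^\s*(\d+)\s*\)")


def fold_xor_strings(csharp: str) -> list:
    """Walk the decompiled text in order. Every `new char[N]` starts a fresh
    buffer; every `obj[i] = (a ^ b)` stores the folded constant a ^ b into it
    as one UTF-16 code unit. Returns the recovered strings in order of appearance."""
    results = []
    buf = None
    for line in csharp.splitlines():
        m = _NEW_ARRAY.search(line)
        if m:
            if buf is not None:
                results.append("".join(buf))
            buf = [""] * int(m.group(1))
            continue
        m = _XOR_STORE.search(line)
        if m and buf is not None:
            idx, a, b = (int(g) for g in m.groups())
            value = a ^ b
            if idx >= len(buf) or value > 0xFFFF:
                # A store past the declared length or a value that is not a
                # char means the text was not what we think it is; stop loudly.
                raise ValueError("store outside the declared char[] or not a UTF-16 code unit")
            buf[idx] = chr(value)
    if buf is not None:
        results.append("".join(buf))
    return results


if __name__ == "__main__":
    for s in fold_xor_strings(DECOMPILED_SNIPPET):
        print(repr(s))
```

The same idea scales to a whole module: the two constants only differ in their low byte, so each XOR folds to a single ASCII code, and a pass that rewrites `(a ^ b)` to `(char)(a ^ b)` literals (or, at IL level, replaces the two `ldc.i4` plus `xor` with one `ldc.i4`) is what "strings decrypted" means for this protector.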
8. 2 points

9. 2 points

## Feedback and Ideas

We all know you have the skills to unpack vanilla version and most of the mods out there. You don't need to post 20 unpacked EXEs to show that - that's not the point of unpackmes. The point is to produce something that others can use as a starting point in their learning path. Also, saying "I used my private unpacker that I'm not gonna share" is equally not helpful for learning. So, perhaps you could start off by writing ONE paper about unpacking modified confuserex?
10. 2 points

## Opera Pink?WTF!

@LCF-AT Open T:\Program Files\brave\73.2.17.13\brave_resources.pak in a hex editor (don't try with Notepad++). ASCII search for: brave_new_tab.js and replace it with arave_new_tab.js, or whitespace the whole @: <script src="chrome://newtab/brave_new_tab.js"></script> Tested & working. Greets @NeWOT
11. 2 points

## ‘Unhackable’ Biometric USB Offers Up Passwords in Plain Text

Embarrassing. Don't trust anything that looks like a pregnancy test kit... Ted.
12. 2 points

## Black Hat Lucifer (Anti Dump + IL Protection + Enigma Protector)

1. Run the target first with NETBox so it won't kill the .NET PE.
2. Dump with MegaDumper.
3. In the dumped exe change Image Base to 400000.
4. Fix relocations with Universal Fixer.
5. Native DLL UnpackMePlease.dll missing: DllSaver, break if module contains UnpackMePlease.

Unpacked exes: https://www112.zippyshare.com/v/26CxsdFV/file.html
13. 2 points

## ConfuserEx Mod

login pass:

Steps to unpack:
1. removed anti tamper and some junk calls
2. cleaned cflow (thanks to Tesla for cflow cleaning)
3. removed proxy calls
4. removed proxy calls again
5. converted x86 methods to IL
6. decrypted all constants
7. cleaned cflow again (thanks to Tesla for cflow cleaning)
8. cleaned some small stuff with de4dot

UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe
14. 2 points

## Modified ConfuserEx

Well, your post is in the crackme section. It means unpacking doesn't really matter. But since you want the file unpacked, here you go.

serial key:

Steps:
1. removed anti tamper
2. converted x86 methods to IL
3. decrypted strings
4. removed delegates
5. attempted to clean cflow (but it's not very clean)
6. cleaned with de4dot

CrackMe_fixed-NoX862.exe_unpacked-StringDec_nodelegate-cleaned-cleaned.exe
15. 2 points

## Global ATM Malware Wall

All samples have been pulled into hybrid-analysis.com sandboxes. Also, looks like we disturbed someone: http://atm.cybercrime-tracker.net/index.php?x=threat&hash=b57bc410683aba4c211e407320e6b7746ce25e06d81ddf480711228efd921a6c
16. 2 points

17. 2 points

## Debugging in Turbo Pascal like it's 1994

Best days of programming before all this Java and Android chaos
18. 2 points

## Strings x64dbg plugin

19. 2 points

Here is the hotfix for anyone who wants to install without turning on Data Collection and Use... hotfix-update-xpi-intermediate@mozilla.com-1.0.2-signed.xpi
20. 2 points

21. 2 points

## MineSweeper

It builds a lot on your previous crackmes. So, most of the answers are already there.

1) Finding the first 2 checks - they are in 2 separate dynamic methods. You can simply patch those;
2) The third check is in yet another dynamic method. You can patch it, and play the game till the end. However, the game never shows the success screen. I think it's a bug in the crackme, as I could not find any code that would set the required field;
3) There are different ways to get the IL code of the dynamic method; for example, this breakpoint might help:
4) To patch the crackme, you need to understand how it stores information about dynamic methods. See previous crackmes and solutions for some details and hints.
5) Also you'll need to understand how the JIT hook decrypts IL code. There's nothing original in it: VirtualProtect -> decrypt code in-place -> JIT it -> encrypt code back -> VirtualProtect. Very easy to break in several different ways.

So, attached are 2 different versions of the solution. The first solution patches all 3 checks; you can play the game till the end but not get the success screen. The second solution gives you an instant win and shows the success screen.

Bonus: the secret "cheat" code is checked in the timer procedure. If you type it quickly enough, it will show the playing field.

minesweeper-solution-kao.zip
22. 1 point

## How to use RoundRects with Gradient Color?

Hi Progman, so it would be nice to have / find some kind of complete ownerdraw example template code, but I didn't find anything like that. Only short codes to handle this or that, you know. Also for a menu OD I didn't find any full code example / template to handle all situations for menus etc. No, I didn't check the Win 2000 source. Maybe I wouldn't find where this OD code is stored either (file xy). greetz
23. 1 point

@LCF-AT alternative, if you like to have the status labels etc. without the background image: you can search in T:\Program Files\brave\73.2.17.13\brave_resources.pak for: background-image: url(${e=>e.background}); and whitespace it. -- this is the brave_new_tab.js (694kb); each time you open a new tab, it loads this!! https://www17.zippyshare.com/v/Ufg3tbew/file.html
24. 1 point

## Eazfuscator.NET + Themida

Themida removed (dumped and fixed), still protected by Eazfuscator. I don't know how to devirtualize it, but I guess it can be unpacked without debugging, so your anti-debug has no sense in this protection. Someone can continue. CrackMe Themida removed.rar
25. 1 point

## Beds Protector 4.5

Here's the unpacked file. Found an old unpacker I had which worked on this file (I won't share). Metadata could be cleaned some more, but here it is: UnpackedBed.exe
26. 1 point

## Beds Protector 4.5

After using ManagedJiterFr4 on NetBox 4.0 some metadata streams got corrupted, so I had to restore them; I just had to change the first method called, which is anti-tamper, to 062A (a simple return). For removing invalid streams the strategy is to first set the number of streams to a smaller size like 8. #US with a space at the end (" "): you don't seem to be a valid stream! Here is a partially unpacked exe: https://www118.zippyshare.com/v/liRTdnBO/file.html It uses delegates!
27. 1 point

## Beds Protector 4.5

No, those are mostly fake attributes. It's just a modded cfex. I didn't go further to attempt to deobfuscate it because it lags so much at the cctor part of the module when compiling to C#. And it has flood calls when checking via IL, which makes it harder to remove all calls that need to be removed.
28. 1 point

## ConfuserEx Mod

Step 1: A few notes: the .NET module trick is used; you can dump the .NET module with memcpyLogger. You just have to find the first block which starts with MZ.

You get the module assembly entry point token with ConfuserExConstant.exe - as file input you enter the original protected file. The Entry Point Token value is 600009C.

Tools used: https://www115.zippyshare.com/v/HETHPm4D/file.html

Step 1: Dumping the .NET module, explained before;
Step 2: Confuser Exceptions Restore - anti-tamper - this is for decrypting MSIL: https://forum.tuts4you.com/topic/41025-confuser-exceptions-restore-anti-tamper It works just fine; you must unmark "Invoke EP" and "Patch Anti-tamper". So after that we nop the first method from <Module>.ctor - this was the anti-tamper; we also fix the entry point of the koi module with 600009C.

Here is the partially unpacked exe: https://www8.zippyshare.com/v/M78VMowQ/file.html

For string decryption I've used this: https://github.com/cawk/ConfuserEx-Static-String-Decryptor/releases Check/Mark "Invoke". For c-flow I've used ConfuserExSwitchKiller. ConfuserExCallFixer.exe for inline methods.

Here is the completely deobfuscated exe: https://www119.zippyshare.com/v/YFwpUuCv/file.html

```csharp
private void method_1(object sender, EventArgs e)
{
    if (this.textBox_1.get_Text().Length >= 5)
    {
        string str = this.textBox_1.get_Text();
        if (!Directory.Exists(@"Data\\License"))
        {
            MessageBox.Show("Password was not found!", str);
        }
        else
        {
            StreamReader reader = new StreamReader(@"Data\\License\license.dat");
            reader.ReadLine();
            string str3 = reader.ReadLine();
            reader.Close();
            if (Class7.smethod_1(str3) == this.textBox_1.get_Text())
            {
                MessageBox.Show("Good Job !");
            }
            else
            {
                MessageBox.Show("password is wrong!");
            }
        }
    }
    else
    {
        MessageBox.Show("Password is invaled or too short!");
    }
}

public static string smethod_1(string string_2)
{
    byte[] inputBuffer = Convert.FromBase64String(string_2);
    AesCryptoServiceProvider provider = new AesCryptoServiceProvider
    {
        BlockSize = 0x80,
        KeySize = 0x100,
        Key = Encoding.ASCII.GetBytes(string_1),
        IV = Encoding.ASCII.GetBytes(string_0),
        Padding = PaddingMode.PKCS7,
        Mode = CipherMode.CBC
    };
    ICryptoTransform transform = provider.CreateDecryptor(provider.Key, provider.IV);
    byte[] bytes = transform.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length);
    transform.Dispose();
    return Encoding.ASCII.GetString(bytes);
}
```
29. 1 point

## Microsoft Windows 95 PowerToys Making a Comeback!

Microsoft is open-sourcing PowerToys on GitHub, so anyone can contribute and create power user tools for Windows 10. The first two utilities that Microsoft is working on for Windows 10 are a new maximize to desktop widget and a Windows key shortcut guide. The maximize to desktop widget places a pop-up button over the maximize button when you hover over it. It's designed to let you quickly send an app to another desktop, utilizing Windows 10's multi-desktop view. The Windows shortcut guide utility simply shows a keyboard shortcut guide when you hold down the Windows key.

Microsoft is also considering 10 other utilities for these new PowerToys for Windows 10:

- Full window manager, including specific layouts for docking and undocking laptops
- Keyboard shortcut manager
- Win+R replacement
- Better alt+tab including browser tab integration and search for running apps
- Battery tracker
- Batch file re-namer
- Quick resolution swaps in task bar
- Mouse events without focus
- Cmd (or PS or Bash) from here
- Context menu file browsing

Repo: https://github.com/Microsoft/PowerToys

Windows Calculator was already open sourced here: https://github.com/Microsoft/calculator Apparently it will soon feature a graphing mode.
30. 1 point

## You can now play Minecraft Classic in your browser

Don't let my son find out about this... 😉 Ted.
31. 1 point

## Free Ubisoft and Epic PC Games...

World of Goo is currently free at the moment... Ted.
32. 1 point

## Firefox disabled all AddOns!

Options -> Privacy & Security -> Firefox Data Collection and Use -> Enable and Disable "Allow Firefox to install and run studies". It installs the hotfix.
33. 1 point

## Night Protector 2.0

After a few months, I decided to try again and I have finally unpacked it!

Steps:
1. decrypted strings for parameter.
2. converted str that is actually an int value.
3. resolved all sizeOfs.
4. converted reference proxy calli to normal calls and removed the proxy calls.
5. removed some cflow.
6. calculated the integer values that use xor to get the value.
7. decrypted all the strings.
8. cleaned cflows and the rest, and also renamed.

Credits: Tesla - helping remove cflow

crack-me_obfuscated_Unpacked.exe
34. 1 point

## Can You See The Code?

Language : .NET
Platform : Windows x86
OS Version : All
Packer / Protector : ConfuserEx Modded
Description : Can you see the code?

UnPackMe.exe
35. 1 point

## AdvancedScript x64dbg Plugin

No File->Load ??? Or the ability to run a script txt file?
36. 1 point

## How to use RoundRects with Gradient Color?

I would check your gradient structure and rectangle work area dimensions are correctly sized. Make sure you have no other drawing events going on in the device context - before or after drawing the rectangle. Can you try drawing your bitmaps when your program starts up, as it seems a bit unnecessary redrawing them on each WM_DRAWITEM event? If you are going to add frames remember to do this after you have filled the rectangle with your gradient... Ted.
37. 1 point

## How to use RoundRects with Gradient Color?

You will need to give me a bit more info on the first problem. How are you filling the round rectangle area and when? Regarding the second problem: after filling the rectangle, create a pen and define its width; PS_SOLID should work fine. Then select it for the device context and then redraw the round rectangle...

```purebasic
Pen = CreatePen_(#PS_SOLID, 2, $0)
SelectObject_(bmpHDC, Pen)
RoundRect_(bmpHDC, r\left, r\top, r\right, r\bottom, 128, 128)
```

Ted.
38. 1 point

https://www.bleepingcomputer.com/news/microsoft/windows-10-start-menu-gets-its-own-process-in-build-1903/ This should have happened a long time ago though it could be an indication Start is becoming bloated under Windows 10... Ted.
39. 1 point

## Opera Pink?WTF!

LCF-AT is a woman that doesn't like the pink color... strange! Maybe is just that specific pink color.
40. 1 point

## Millions using 123456 as password...

If you think a website is not worthy of a unique and strong password you may as well use a 10 minute throwaway email address to register - or a shared account. I think it good practice to be encouraging users in general, and of websites, to use and enforce unique and strong passwords. A website may be valuable to you and not to others. The option shouldn't be left open for a person who values a site to risk losing it from using a weak password, because there are other users out there that don't care what they use... Ted.
41. 1 point

## Millions using 123456 as password...

I really, really disagree. Not all websites are valuable. And not all passwords should be chosen to be secure. In fact, this was something I wanted to write about for a long time already, so here it goes: https://lifeinhex.com/my-password-is-password/ (shameless self-promo, I know! )
42. 1 point

43. 1 point

44. 1 point

## z3 SMT solver for Pascal

https://github.com/Pigrecos/Z34Delphi My new repository for using Z3 in Delphi (porting the Z3 C API to Delphi). I tried and there were no tools for symbolic execution in Delphi.
45. 1 point

## latest Malware analysis and threat intel

Yes, Anomali Forum: https://forum.anomali.com/
46. 1 point

47. 1 point

## Eazfuscator.NET v5.8.251.246 w/ Virtualization + Agile License Schema

Unpacked, devirted Unpacked_Devirt.zip
48. 1 point

## .Net Crack Me - ConfuserEx Mod

Very nice protection. Well done. antitamper_fix.exe cracked.exe
49. 1 point

## dumping serial SPI and I2C chips

Thought I would post this since it's extremely useful for working on some embedded targets. The basic principle is you use a cheap logic analyzer to intercept read requests to the chip (usually from the microprocessor of your target), since some designs store special information in small chips on the PCB, like serial number, password, settings, etc. After the CPU reads all the addresses it's interested in over the SPI or I2C bus, your logic analyzer sees the waveforms and captures the data. Then this utility will convert the logic analyzer file to a binary dump of the chip by reconstructing the flash memory contents, so you can see what's inside and load it into IDA. Very useful source code and intro: https://github.com/alainiamburg/sniffROM/wiki/Getting-Started https://github.com/alainiamburg/sniffROM
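The reconstruction step is the interesting part: the analyzer only sees the bytes the CPU actually asked for, so the dump is a sparse image with holes wherever firmware never read. The following is an added example of that principle in the simplest SPI case; it is my code, not sniffROM's, and it assumes a 25-series SPI NOR flash with 24-bit addressing and the standard READ (0x03) and FAST_READ (0x0B, one dummy byte) opcodes, plus an analyzer export that gives one (MOSI, MISO) byte list per chip-select assertion. The capture is constructed for the example, not taken from a real board.

```python
# Standard 25-series SPI NOR flash opcodes (assumption: the target uses the
# JEDEC-common command set with 3-byte addresses).
CMD_READ = 0x03       # 3-byte address, data follows immediately
CMD_FAST_READ = 0x0B  # 3-byte address, one dummy byte, then data


def rebuild_flash(transactions, size):
    """transactions: list of (mosi, miso) byte sequences, one pair per chip-select
    assertion, the shape a logic-analyzer SPI decoder exports (assumed format).
    Returns (image, covered): the reconstructed flash contents and a mask of
    which bytes were actually observed on the bus."""
    image = bytearray(b"\xff" * size)      # erased NOR flash reads as 0xFF
    covered = bytearray(size)
    for mosi, miso in transactions:
        if len(mosi) < 4 or len(mosi) != len(miso):
            continue                        # malformed capture or too short to carry an address
        opcode = mosi[0]
        if opcode == CMD_READ:
            data_start = 4
        elif opcode == CMD_FAST_READ:
            data_start = 5                  # skip the dummy byte
        else:
            continue                        # WREN, RDID, status reads etc. carry no array data
        addr = (mosi[1] << 16) | (mosi[2] << 8) | mosi[3]
        for off, byte in enumerate(miso[data_start:]):
            pos = addr + off
            if pos >= size:
                break                       # real chips wrap at the end; we stop instead
            image[pos] = byte
            covered[pos] = 1
    return bytes(image), bytes(covered)


def coverage_gaps(covered):
    """Return [(start, end)] ranges the CPU never read: holes in the dump that a
    flat file would silently show as 0xFF."""
    gaps, start = [], None
    for i, c in enumerate(covered):
        if not c and start is None:
            start = i
        elif c and start is not None:
            gaps.append((start, i))
            start = None
    if start is not None:
        gaps.append((start, len(covered)))
    return gaps


# Constructed capture (not a real device): a boot sequence that reads the JEDEC
# ID, then fetches two regions with READ and one with FAST_READ. MISO is 0x00
# while the master is still clocking out the command/address bytes.
SAMPLE_CAPTURE = [
    (bytes([0x9F, 0, 0, 0]), bytes([0x00, 0xEF, 0x40, 0x16])),                       # RDID: ignored
    (bytes([0x03, 0x00, 0x00, 0x00]) + bytes(8), bytes(4) + b"BOOT\x01\x02\x03\x04"),  # READ @0x000000
    (bytes([0x03, 0x00, 0x00, 0x10]) + bytes(6), bytes(4) + b"SERIAL"),                # READ @0x000010
    (bytes([0x0B, 0x00, 0x00, 0x20, 0x00]) + bytes(4), bytes(5) + b"pw!\x00"),        # FAST_READ @0x000020
]

if __name__ == "__main__":
    img, cov = rebuild_flash(SAMPLE_CAPTURE, 0x40)
    print(img.hex())
    print("unread ranges:", coverage_gaps(cov))
```

Keep the coverage mask next to the image when you load it into IDA: an address range that is 0xFF because it was never read is not the same as one that is genuinely erased, and the gaps tell you which regions you still need to provoke the CPU into fetching (a second boot, a settings change, entering the password dialog) before the dump is complete.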
50. 1 point

ForceJit.zip