Tuts 4 You
Popular Content

Showing content with the highest reputation since 05/06/2020 in all areas

  1. 7 points
  2. 6 points
    It might have a few weird instructions since I'm new to this. Crackme-cleaned-Devirtualized2.zip
    Info: This is the first version of eaz that I analyze, so I can't say how 2019.x is different from 2020.1, but it's definitely not uncrackable.
    Steps I took (as I should have included since the beginning):
    1. Learn how CIL works / CIL fundamentals (there are some nice ebooks that I can't link here).
    2. Learn how the assembly reader/writer of your choice works (dnlib, for example).
    3. Learn how a simple VM works (https://github.com/TobitoFatitoNulled/MemeVM; the original creator of this VM left, so this is a fork to keep the project alive).
    4. See how the previous devirt was made: https://github.com/saneki/eazdevirt (you could also check previous EazVM-protected executables).
    5. Practice your skills by trying to make a MemeVM devirt; you can message me if you have any issues with this step (you can always disable renaming in MemeVM to make the process easier to understand).
    6. Start renaming an EazVM test assembly (you can make your own with the trial) with all the knowledge you got from the previous steps (find how the crypto streams are initialized, where the opcodes are located and how they are connected to the handlers, etc., the things you would find in a VM).
    Editing saneki's eazdevirt might be a good idea, though I was more comfortable making my own base.
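A toy illustration of steps 3 and 6 above (an added example, not code from the post, from MemeVM or from eazdevirt): a five-handler stack VM whose opcode bytes are reshuffled per build, and a devirtualizer that identifies each handler by running it on a known probe state rather than by its opcode number, then lifts the bytecode back to a CIL-like listing. The VM design, the probe values and the `PROGRAM` bytecode are constructed for the example; real protectors add encrypted streams, junk handlers and renamed members on top of this.

```python
import random
from typing import Callable, Dict, List, Optional, Tuple

# Handler = (stack, code, pc) -> next pc, or None to stop. Operands are read
# from `code` starting at `pc`, so the pc a handler returns also reveals its
# operand size, which is what the devirtualizer below relies on.
Handler = Callable[[List[int], bytes, int], Optional[int]]

def h_push(stack, code, pc):
    stack.append(code[pc])                 # one-byte immediate operand
    return pc + 1

def h_add(stack, code, pc):
    b, a = stack.pop(), stack.pop()
    stack.append(a + b)
    return pc

def h_sub(stack, code, pc):
    b, a = stack.pop(), stack.pop()
    stack.append(a - b)
    return pc

def h_mul(stack, code, pc):
    b, a = stack.pop(), stack.pop()
    stack.append(a * b)
    return pc

def h_ret(stack, code, pc):
    return None

# Names are only known to the "protector"; the dispatch table it emits maps
# randomised opcode bytes to handlers, which is exactly what a devirtualizer undoes.
SEMANTICS: Dict[str, Handler] = {'push': h_push, 'add': h_add, 'sub': h_sub,
                                 'mul': h_mul, 'ret': h_ret}
CIL_NAME = {'push': 'ldc.i4', 'add': 'add', 'sub': 'sub', 'mul': 'mul', 'ret': 'ret'}

def build_protected_vm(seed: int) -> Tuple[Dict[int, Handler], Dict[str, int]]:
    """Pick a fresh random opcode byte for every handler (per-build opcode shuffling)."""
    rng = random.Random(seed)
    opcodes = rng.sample(range(256), len(SEMANTICS))
    encoder = dict(zip(SEMANTICS, opcodes))
    dispatch = {encoder[name]: handler for name, handler in SEMANTICS.items()}
    return dispatch, encoder

def virtualize(encoder: Dict[str, int], program) -> bytes:
    """program: list of (mnemonic, *operands); emits the opcode byte plus operand bytes."""
    out = bytearray()
    for mnemonic, *operands in program:
        out.append(encoder[mnemonic])
        out.extend(operands)
    return bytes(out)

def run_vm(dispatch: Dict[int, Handler], code: bytes) -> int:
    """The protected interpreter: fetch opcode, dispatch, repeat until a handler stops."""
    stack: List[int] = []
    pc = 0
    while True:
        handler = dispatch[code[pc]]
        nxt = handler(stack, code, pc + 1)
        if nxt is None:
            return stack[-1]
        pc = nxt

# --- devirtualizer side: only `dispatch` and the bytecode are available ---

PROBE_STACK = [7, 3]      # distinct values so add/sub/mul give different results
PROBE_CODE = bytes([5])   # constructed operand for the probe run

def fingerprint(handler: Handler) -> Tuple[Optional[int], Tuple[int, ...]]:
    """Run a handler on a known state; (pc delta, resulting stack) identifies it."""
    stack = list(PROBE_STACK)
    nxt = handler(stack, PROBE_CODE, 0)
    return nxt, tuple(stack)

# Reference fingerprints computed once from the known semantics.
KNOWN = {fingerprint(h): name for name, h in SEMANTICS.items()}

def devirtualize(dispatch: Dict[int, Handler], code: bytes) -> List[str]:
    """Lift protected bytecode to a CIL-like listing without knowing the opcode map."""
    listing = []
    pc = 0
    while pc < len(code):
        fp = fingerprint(dispatch[code[pc]])
        name = KNOWN[fp]
        operand_size = fp[0] or 0            # pc delta on the probe = operand width
        operands = code[pc + 1:pc + 1 + operand_size]
        listing.append(' '.join([CIL_NAME[name], *map(str, operands)]))
        pc += 1 + operand_size
        if name == 'ret':
            break
    return listing

# Constructed sample program: (2 + 3) * 4
PROGRAM = [('push', 2), ('push', 3), ('add',), ('push', 4), ('mul',), ('ret',)]

if __name__ == '__main__':
    dispatch, encoder = build_protected_vm(seed=2020)
    code = virtualize(encoder, PROGRAM)
    print('bytecode:', code.hex())
    print('result  :', run_vm(dispatch, code))
    print('\n'.join(devirtualize(dispatch, code)))
```

Because the handler is identified by behaviour, the lifted listing is the same for every seed even though the bytecode bytes differ; this is the same reason real devirtualizers match handler bodies (or their effects) rather than trusting opcode numbers.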
  3. 5 points
    Is this a hidden feature of the protection or does the app just not work?
  4. 5 points
    What's the point of this? You ran my file under de4dot and reposted it? I can recognise my file, ya know. I intentionally left this out (I haven't finished local types yet, but I manually set the third local to int32) + I added 9 locals when only 3 get used.
  5. 4 points
  6. 3 points
    Personally, I like to use the Scylla plugin of x64dbg, doing it manually by going to the memory map of x64dbg and dump the relevant memory ranges from there, or using WinDbg .writemem or the !savemodule sos extension command, depending on which debugger I am using at the moment. Also, once you're able to open the app in dnSpy, dnSpy can also reconstruct .NET modules from memory, by going to Debug > Windows > Modules and then right clicking the module you want to dump. There are probably also other tools out there that can do the same.
  7. 3 points
    New features, interesting. File correct? ggggg_cleaned.zip
  8. 3 points
    BinaryNinja has announced the new prices, and with no surprise is slowly also pushing itself away from many users. https://binary.ninja/2020/05/11/decompiler-stable-release.html A personal (named) license is now $299, with the only 'new' thing being the not-so-exciting decompiler as seen above. They are starting to push themselves closer to IDA pricing, which is just plain stupid on their part. Ghidra's decompiler can be made to run anywhere, and thus, why would anyone pick BinaryNinja over IDA when it comes down to features? I don't feel like they are branding themselves well at all and are trying to target the wrong setups/situations. Their new blog post mentions things like: "Support for MacOS, Linux, and Windows. You're not buying each platform separately." - Sorry, but people that generally use this kind of software are users that stick to one primary OS for the most part. At most, people spin up a VM if they 'must' use a secondary OS for anything. This is not a selling point in my opinion at all. "Decompiler for all architectures." - Again, the decompiler is not impressive so far. Ghidra's can be made to run in BinaryNinja and IDA (along with anywhere else) and is 100% free. The value for this being a new reason to increase the price of BinaryNinja is just not there, at all. And sadly, like most other software companies, they still have this mindset that everyone is a student and consider their software "openly available for everyone" because they offer student pricing. Really wish companies would just stop with this nonsense. Price yourself better in general, don't selectively single out 1 small demographic. I'd wager most people in the RE scene are hobbyists, not students, and are not directly in a career path that includes the use of these kinds of tools directly. The only thing BNinja has going for it that most people praise it for is a good API. Outside of that, you don't really hear anything else good/interesting about it.
So this price jump is honestly a stupid move in my opinion.
  9. 2 points
    Here's the old content of Ubbelol.
  10. 2 points
    Who are you to say that it's shit? Have you made an unpacker for it? If you do, you are free to correct me but if you don't you shouldn't make these silly comments, in my opinion.
  11. 2 points
    View File Example CrackMe - Debug Blocker x64
    This is an example for submitting a CrackMe in the Downloads section of the site. You can download the file and run Debug Blocker x64. Nothing too exciting will happen! The challenge here would be to patch the debug-blocker function so that it does not spawn a second process.
    Submitter: Teddy Rogers. Submitted: 02/23/2020. Category: CrackMe
  12. 2 points
    This is a notification of intent to cease and close the Blogs section of the site in a months time. The reasons for the change are; lack of use, activity and popularity, and for the most part the forum categories have been and are more than capable to host similar blog like content in the future. This notification gives you the opportunity to copy any information from Blogs that you wish to retain and/ or repost in the appropriate forum... Ted. Backups - Blogs.rar
  13. 2 points
    CCtor => 0x06000034 => Clean the antitamper => Clean cflow => clean string encryption and that's it Most cleans are done by tweaking some public cleaners. The right key is "Youdidit!"
  14. 2 points
    Hi, it's because of your assembly code! Read about the instruction used here (repne scasb): https://c9x.me/x86/html/file_module_x86_id_287.html
    Fixed code:
    procedure TForm1.BitBtn1Click(Sender: TObject);
    var
      pointer_check, pointer_dummy: Pointer;
    label
      bp_found, bp_not_found;
    begin
      pointer_check := @check_credentials;
      pointer_dummy := @Dummy;
      asm
        cld                       // scan forward (DF = 0)
        mov edi, pointer_check    // EDI = start of check_credentials
        mov ecx, pointer_dummy
        sub ecx, pointer_check    // ECX = number of bytes to scan
        mov al, $CC               // INT3 opcode
        repne scasb               // scan until AL matches or ECX = 0
        jz bp_found               // ZF set = an 0xCC byte was found
        jmp bp_not_found
      end;
    bp_found:
      Application.Terminate;
      Exit; // you will find out why you should use this
    bp_not_found:
      check_credentials('user', 'pass');
    end;
    BR, h4sh3m
  15. 2 points
    Hi, a disassembler is software that converts machine code (hex) into assembly language mnemonics, e.g. (mov al,1). A debugger is a program that allows you to detect and correct errors in other computer programs. A decompiler is software which tries to reverse the process of compilation to attempt to get the source code from a compiled executable. PS: try to use Google and the search button. Regards
  16. 1 point
    Hi, you don't need to compare the ASCII strings like "MZ" with each other. Just read the hex values and use them to compare with any other values you read in hex from any other file, etc. You can use CFF Explorer to see all the PE info at once. Maybe you want to do or handle it like that too, etc. greetz
  17. 1 point
    To clarify - I meant the "e_cblp" field you were asking about. You can put any value in it. "e_magic" of course has to be "MZ".
  18. 1 point
    I really like how you give your approach, not as a full tutorial but with an explanation instead of only saying "unpacked + file". Thank you for your explanation!
  19. 1 point
    Asking me? Hope @Reza-HNA PMs you.
  20. 1 point
    By seeing the number of imports on your screenshot and the ollydbg.exe in upper case, I would guess you tried this on OllyDbg v1.10, not on Olly v2. The description doesn't mention it here, but that thing is for v2; if you look inside the readme of the archive, it says (in French) that the code has been rewritten for Olly 2. So try with v2, or recompile the DLL for v1. Also, I'm checking the src and this can really be improved more. Especially for the v2: if you rename ollydbg.exe to blabla.exe, then it will look for blabla.ini, but OllyPath2 will create only 'ollydbg.ini', as this string is hard-coded inside.
  21. 1 point
    View File KoiVM Modified (ConfuserEx-Mod-By-Bed 1.4.1)
    KoiVM is a virtualizing protector for .NET applications, as a plugin of ConfuserEx. ConfuserEx is an open-source protector for .NET applications. It is the successor of the Confuser project. This file is protected with KoiVM using: MD5 Hash Check, Constants, Renamer, Anti-Tamper. I took KoiVM from https://github.com/BedTheGod/ConfuserEx-Mod-By-Bed (1.4.1) and modified it to make OldRod fail devirt.
    Submitter: 0x72. Submitted: 05/20/2020. Category: UnPackMe (.NET)
  22. 1 point
    @Reza-HNA shared the solution through PM, restore body method and decrypt the string.
  23. 1 point
  24. 1 point
    Have to agree with this here. As far as I know, tuts4you is a place for educational content, not a place for showing off. What's the point of sharing just the unpacked binary, other than for bragging rights?
  25. 1 point
    Okay, I asked ubbe to make the videos public again; it should be fine now. https://www.youtube.com/user/UbbeLoLHF/videos
  26. 1 point
    Malware Analysis involves Reverse Engineering. But it also involves other things, like running viruses under VirtualBox or other virtual machines, since you don't want your original computer to get infected.
  27. 1 point
    How are these unpacking posts getting approved? It is clearly written in the Rules that the solution to a challenge will not be accepted if you don't describe the steps. Here everyone is showing that they have cleaned it, but no one is telling how? So literally this is not a valid contribution to the forum if you don't describe how it has been done. Just uploading cleaned files is not all there is to unpacking. I think everyone needs to describe the steps or approach they used to clean it. If I sound rude, I am sorry, but this is what I feel.
  28. 1 point
    @maristroch I think I can do it except VM.
  29. 1 point
    Grand Theft Auto V Premium Edition Aegis Defenders Ted.
  30. 1 point
    Thank you for all the replies. Is RE a technique that hackers and crackers use to find security vulnerabilities and crack software? For example, a hacker finds a vulnerability like this: https://www.exploit-db.com/shellcodes/48355 Did the author of this exploit do RE to find this vulnerability? I'm thankful if anyone answers me clearly. Thank you.
  31. 1 point
    1. Remove Anti Dump
    2. Dump
    3. Fix x86 Calls
    4. Fix Delegates
    5. Fix Calls
    6. Constants Decode
    7. Remove Fake Attributes
    8. Remove Control Flow
    9. Rename Module
    10. De4Dot for Rename and Clean Unused Methods
    Easy >.< Unpack_Me-d_noX86-Cleaned_patched-Cleaned-ConstantDec_fix_nodelegate-Cleaned-cleaned-cleaned.exe
  32. 1 point
    Thanks for reporting. Should be fixed now... https://forum.tuts4you.com/bimchatbox/ Ted.
  33. 1 point
    4228004 is 4083A4 in decimal.
  34. 1 point
    Hi, finding the start point of a function is easy; you just need to do something like this:
    var
      StartAddr: Pointer;
    begin
      StartAddr := @check_credentials;
    But for finding the end of a function, there are several ways:
    1) Search for a "RET" instruction (C3, C2 xx), but if you're using "try/finally/except" statements your function will have several "RET" (C3) instructions.
    2) You can define a dummy function right after your function and get its start address as the end of your function!
    function check_credentials(user: string; pass: string): boolean;
    begin
      if (user <> 'User') and (pass <> 'S3cret') then
      begin
        ShowMessage('Wrong Credentials');
      end
      else
        ShowMessage('Congratulations');
      Result := True;
    end;

    procedure Dummy; assembler;
    asm
    end;

    procedure TForm1.BitBtn1Click(Sender: TObject);
    var
      StartAddr, EndAddr: Pointer;
    begin
      StartAddr := @check_credentials;
      EndAddr := @Dummy;
      // will get the size of your function in bytes (+1 byte for the Dummy function)
      Caption := IntToHex(NativeUInt(EndAddr) - NativeUInt(StartAddr));
    end;
    BR, h4sh3m
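Posts 14 and 34 taken together, as an added example that is not the poster's code: the "end = next symbol" trick to bound a routine, an 0xCC scan over that range (what `repne scasb` with AL = 0CCh does), and a CRC32 of the routine as an alternative check. The byte sequences and the symbol table are constructed by hand for the example; they also show one limit of scanning for 0xCC alone, namely that the scanner's own `mov al,$CC` immediate is itself an 0xCC byte.

```python
import zlib

# Constructed "code section": three routines laid out back to back, mirroring the
# check_credentials / BitBtn1Click / Dummy layout in the posts. The bytes are
# hand-written x86 for illustration, not compiler output.
CHECK_CREDENTIALS = bytes([
    0x55, 0x89, 0xE5,          # push ebp; mov ebp, esp
    0x3B, 0x45, 0x08,          # cmp eax, [ebp+8]
    0x75, 0x02,                # jne short +2
    0xB0, 0x01,                # mov al, 1
    0x5D, 0xC3,                # pop ebp; ret
])
# The scanner itself: 'mov al, $CC' assembles to B0 CC, so its own immediate
# byte is an 0xCC that is not a breakpoint.
BITBTN1CLICK = bytes([
    0x55, 0x89, 0xE5,          # push ebp; mov ebp, esp
    0xB0, 0xCC,                # mov al, 0CCh
    0xF2, 0xAE,                # repne scasb
    0x5D, 0xC3,                # pop ebp; ret
])
DUMMY = bytes([0xC3])          # ret; exists only to mark the end of the previous routine

TEXT = CHECK_CREDENTIALS + BITBTN1CLICK + DUMMY
SYMBOLS = {                    # start offsets, the equivalent of @check_credentials etc.
    'check_credentials': 0,
    'BitBtn1Click': len(CHECK_CREDENTIALS),
    'Dummy': len(CHECK_CREDENTIALS) + len(BITBTN1CLICK),
}

def function_bounds(text, symbols, name):
    """[start, end) of a routine; end is the next symbol's start (the 'Dummy' trick)."""
    start = symbols[name]
    later = sorted(s for s in symbols.values() if s > start)
    return start, (later[0] if later else len(text))

def scan_int3(text, start, end):
    """Offsets of 0xCC bytes in [start, end): what 'repne scasb' with AL=0CCh stops on."""
    return [i for i in range(start, end) if text[i] == 0xCC]

def body_checksum(text, start, end):
    """CRC32 over the routine; compare against a value recorded from the clean binary."""
    return zlib.crc32(text[start:end])

def set_breakpoint(text, offset):
    """What a debugger does for a software breakpoint: overwrite one byte with INT3."""
    patched = bytearray(text)
    patched[offset] = 0xCC
    return bytes(patched)

if __name__ == '__main__':
    s, e = function_bounds(TEXT, SYMBOLS, 'check_credentials')
    clean = body_checksum(TEXT, s, e)
    with_bp = set_breakpoint(TEXT, s)
    print('clean scan   :', scan_int3(TEXT, s, e))
    print('bp scan      :', scan_int3(with_bp, s, e))
    print('crc changed  :', body_checksum(with_bp, s, e) != clean)
    s2, e2 = function_bounds(TEXT, SYMBOLS, 'BitBtn1Click')
    print('false positive in scanner body:', scan_int3(TEXT, s2, e2))
```

The checksum comparison catches the same INT3 patch without being fooled by an 0xCC that is part of an instruction, but it needs the reference value to be computed from the unpatched bytes; both checks are defeated by hardware breakpoints, which change no code bytes.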
  35. 1 point
    There are jobs like security analyst out there too, but they are generally protocol oriented, with a background in cryptography and mathematics. Government agencies in all countries also recruit top talent. Otherwise, as a career choice, unless as a malware analyst or software protection analyst or something, it's too much of a niche to talk about. I got into RE because I enjoyed the challenge, and liked learning at lower levels or under the hood of how things work. Having a deeper understanding is my style for everything. That shadowy world lurks out there too, but it's as organized and controlled as anything. It is a whole package deal to take that route, a lifestyle even. And even then you can't lose sight of what is right and what is wrong and where the laws draw the boundary. Fortunately, merely toying around with some RE stuff is not really an issue. Software businesses and the RE community have an interesting relationship, but it's mostly been win-win despite occasional spats. Best hobby you can have though, IMO.
  36. 1 point
    I once posted it on a Chinese forum; you can visit it at https://www.52pojie.cn/thread-762832-1-1.html via Google Translate. I try my best to introduce it in English:
    1. Download x64dbg and download the symbol file of clr.dll (mscorwks.dll if the runtime is .NET 2.0~3.5).
    2. Set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run.
    3. Use MegaDumper (I use my ExtremeDumper, based on codecracker's MegaDumper: https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program breaks at "SystemDomain::ExecuteMainMethod".
    4. Fix the PE header, and maybe you should also fix the .NET header.
    This way is more complex than using MegaDumper only and directly dumping the assembly. But if the assembly is packed with a native stub and protected with anti-dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies. If you cannot understand it, you can reply to me. Best wishes.
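Step 4 above ("fix PE header"), the MZ / e_magic / e_cblp questions in posts 16 and 17, and the module dumping in post 6 in one runnable example (added here; not code from any of the posts, nor from ExtremeDumper, MegaDumper or Scylla): a minimal PE parser over a constructed PE32 image laid out as a memory dump. It checks e_magic and the PE signature, then rewrites each section's SizeOfRawData/PointerToRawData so that file offsets equal RVAs, which is the usual header fix after dumping a module from memory. The image bytes, section names and the CLR data-directory entry are all constructed for the example; the data-directory offset also handles PE32+, so the same code applies to x64 dumps.

```python
import struct

def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment

def build_sample_dump() -> bytearray:
    """Constructed PE32 image as it sits in memory, i.e. what a raw dump of a loaded
    module looks like: section contents live at their RVAs while the section headers
    still carry the on-disk file offsets."""
    img = bytearray(0x3000)                                   # SizeOfImage
    struct.pack_into('<2sH', img, 0, b'MZ', 0x1234)           # e_magic; e_cblp is ignored by the loader
    struct.pack_into('<I', img, 0x3C, 0x80)                   # e_lfanew
    struct.pack_into('<4s', img, 0x80, b'PE\0\0')
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into('<HHIIIHH', img, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = 0x98
    struct.pack_into('<H', img, opt, 0x10B)                   # PE32 magic
    struct.pack_into('<II', img, opt + 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into('<II', img, opt + 56, 0x3000, 0x400)     # SizeOfImage, SizeOfHeaders
    struct.pack_into('<I', img, opt + 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into('<II', img, opt + 96 + 14 * 8, 0x2000, 0x48)  # data dir 14: CLR header (.NET)
    sec = opt + 0xE0
    layout = [(b'.text', 0x300, 0x1000, 0x400, 0x400),        # name, VirtualSize, VA, SizeOfRawData, PointerToRawData
              (b'.data', 0x100, 0x2000, 0x200, 0x800)]
    for i, (name, vsize, va, rawsize, rawptr) in enumerate(layout):
        struct.pack_into('<8sIIIIIIHHI', img, sec + i * 40,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    img[0x1000:0x1300] = b'T' * 0x300                         # .text bytes at their RVA
    img[0x2000:0x2100] = b'D' * 0x100                         # .data bytes at their RVA
    return img

def parse_headers(img) -> dict:
    """Validate e_magic / PE signature and locate the optional header and section table."""
    if bytes(img[:2]) != b'MZ':
        raise ValueError('e_magic is not MZ')
    e_lfanew, = struct.unpack_from('<I', img, 0x3C)
    if bytes(img[e_lfanew:e_lfanew + 4]) != b'PE\0\0':
        raise ValueError('PE signature not found at e_lfanew')
    nsections, = struct.unpack_from('<H', img, e_lfanew + 6)
    opt_size, = struct.unpack_from('<H', img, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from('<H', img, opt)
    section_align, file_align = struct.unpack_from('<II', img, opt + 32)
    return {'opt': opt, 'nsections': nsections, 'sections': opt + opt_size,
            'section_align': section_align, 'file_align': file_align,
            'datadir': opt + (96 if magic == 0x10B else 112)}   # PE32 vs PE32+

def sections(img):
    """Yield (header offset, name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    h = parse_headers(img)
    for i in range(h['nsections']):
        off = h['sections'] + i * 40
        name, vsize, va, rawsize, rawptr = struct.unpack_from('<8sIIII', img, off)
        yield off, name.rstrip(b'\0'), vsize, va, rawsize, rawptr

def fix_dump(img: bytearray) -> bytearray:
    """Make file offsets equal RVAs so the dump loads as-is: the standard 'raw = virtual'
    header fix after dumping a module from memory."""
    h = parse_headers(img)
    struct.pack_into('<I', img, h['opt'] + 36, h['section_align'])   # FileAlignment := SectionAlignment
    for off, _name, vsize, va, _rawsize, _rawptr in sections(img):
        rawsize = align_up(vsize, h['section_align'])
        struct.pack_into('<II', img, off + 16, rawsize, va)           # SizeOfRawData, PointerToRawData
    return img

def section_bytes(img, wanted: bytes) -> bytes:
    """Read a section the way a loader or disassembler would: through its file offset."""
    for _off, name, vsize, _va, _rawsize, rawptr in sections(img):
        if name == wanted:
            return bytes(img[rawptr:rawptr + vsize])
    raise KeyError(wanted)

def clr_header_rva(img) -> int:
    """RVA of the IMAGE_COR20_HEADER; non-zero means a .NET module."""
    h = parse_headers(img)
    rva, _size = struct.unpack_from('<II', img, h['datadir'] + 14 * 8)
    return rva

if __name__ == '__main__':
    dump = build_sample_dump()
    print('before fix, .text via file offset:', section_bytes(dump, b'.text')[:4])
    fixed = fix_dump(bytearray(dump))
    print('after fix,  .text via file offset:', section_bytes(fixed, b'.text')[:4])
    print('CLR header RVA:', hex(clr_header_rva(fixed)))
```

Before the fix, reading .text through PointerToRawData lands in header padding; afterwards it returns the bytes that were at the RVA. The .NET header itself (metadata RVAs inside the IMAGE_COR20_HEADER) is unchanged by this step, since those are already RVAs; it only needs attention when a protector has zeroed or relocated it.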
  37. 1 point
    Thought I might create a thread to collect articles/papers that bring machine learning to rce... https://medium.com/@alon.stern206/cnn-for-reverse-engineering-an-approach-for-function-identification-1c6af88bca43
  38. 1 point
    Personally I find picking locks very interesting ! This channel has many great videos : https://www.youtube.com/channel/UCm9K6rby98W8JigLoZOh6FQ/videos
  39. 1 point
    An x86/Win32 reverse engineering cheat-sheet.
  40. 1 point
    Video tutorial on keygenning Kurapica KeygenMe 2011.
  41. 1 point
    A Shockwave Flash movie tutorial showing a method of keygenning Kurapica's CrackMe #15. It includes the source code for the keygen.
  42. 1 point
    A video tutorial on keygenning BadSector CrackMe #1.
  43. 1 point
    It's been a while; here are some new graphs related to Zbot (warning, they are heavy). Zbot graph: https://www.virustotal.com/graph/embed/gf288663e9d4245c7b8384b9ab36b64f41b58a7df62a145e3ad643bfe140ffb02 (4k nodes), with some additional details related to the Microsoft Citadel sinkhole operation. CCAM (Atmos monitoring): https://www.virustotal.com/graph/embed/g5edbfcddab834a59a105964ffdc24492b03a6a5ab4824cca96949cd0d9a3395b, with some details about in-the-wild locations.
  44. 1 point
  45. 1 point
    No, thanks. Compared to Themida v2, the themida v3 does not have a great improvement over the VMs. There are two types of VMs in this UnPackMe, Dolphin and Tiger.
  46. 1 point
    Nice... Tutorial video is here.
  47. 1 point
    Finally fully unpacked! Steps I did to unpack:
    1. I ran the application and dumped it.
    2. The anti-dump got fixed by an anti-dump fixer.
    3. I used my tool to remove all flood calls.
    4. Converted all x86 methods to IL with my tool.
    5. Decrypted all constants with my tool.
    6. Used de4dot to clean math mutations and junk nops.
    7. Manually removed protection calls in the module .cctor.
    8. Removed all delegates with @CodeExplorer's delegate remover.
    9. Cleaned junk nops with de4dot again.
    10. Removed proxy calls with TheProxy's proxy call remover.
    11. Manually removed all fake/junk classes, attributes, etc.
    12. Renamed functions, methods, assembly, etc.
    13. Manually removed cflow (don't have a good cflow remover xd).
    If you're asking for the rest of the files that are barely unpacked, to study them, just reply xd. File: ConsoleApp1_fixed-RemovedMethod-NoX86-StringDec-cleaned2_nodelegate-cleaned_noProxy2-Renamed2.exe
  48. 1 point
    Can't you repost this challenge but with x64 version of vmp? (If you are struggling finding such a version pm-me)
  49. 1 point
    Version 1.0.0
    Hello friends. I tried to prepare a classic logo for the forum. Feel free to use it in your projects or documents. I hope you will like it. Note: the source file is only in xcf format, for GIMP. Sorry for Photoshop users. Detailed preview (click the support button on the forum page).
  50. 1 point
    Perhaps it was about time I shared my tool with you guys. This is a debugger and devirtualizer for VMP virtualized code. Note that when I say devirtualizer, I mean it shows what machine instructions it executes (not the actual original x86 code). It allows you to debug and place breakpoints. Please try it, and if you like it, please develop it further. Confused? Read the intro.txt file and try to follow the example. VMPDBG_0_1_0_SRC.zip