Tuts 4 You

# Leaderboard
## Popular Content

Showing content with the highest reputation since 04/24/2019 in all areas

1. 6 points

## Can You See The Code?

Everyone can see the code because Cawk's ConfuserEx unpacker works just fine.
2. 5 points

## PE Viewer - plugin for x64dbg

Download: https://github.com/horsicq/pex64dbg/releases
Sources: https://github.com/horsicq/pex64dbg
More Info: http://n10info.blogspot.com/2019/05/pe-viewer-plugin-for-x64dbg.html
3. 4 points

## Firefox disabled all AddOns!

Hmmmm... Could it be because you didn't do time travel and never experienced 4th of May 2019 before? The expired certificate is inside your outdated copy of Firefox 56. And, as you said it yourself - you refuse to update it. So, how on earth do you expect Mozilla to fix something that's on your computer? Should they send Santa with magic powers to your home? Solution: download the XPI file from above. Extract files from it. Base64-decode new certificate from api.js. Add new certificate into your old Firefox (Tools-Options-Certificates). Done. Takes less time than writing those whiny posts. Full disclaimer: I couldn't test it 100% because I don't use Firefox on a daily basis and I couldn't find portable Firefox 56 with 3rd party addons.
4. 3 points

## Crackme Baby

That is most likely not your crackme. But what the hell.. Load it in IDA, decompile the serial check and it will look like this:

```c
if ( ++idx >= 29 )
{
  if ( count_of_sevens == 1 && String[6] == '7' )
  {
    v5 = (unsigned __int8)entered_key[0];
    if ( entered_key[0] )
    {
      LOBYTE(v5) = entered_key[4];
      if ( v5 )
      {
        LOBYTE(v5) = entered_key[8];
        if ( v5 )
        {
          LOBYTE(v5) = entered_key[12];
          if ( v5 )
          {
            LOBYTE(v5) = entered_key[16];
            if ( v5 )
            {
              LOBYTE(v5) = entered_key[21];
              if ( v5 )
              {
                part1 = getintfromkey(0, 4, 0);
                part2 = getintfromkey(0, 4, v6);
                part3 = getintfromkey(0, 4, v7);
                part4 = getintfromkey(0, 4, v8);
                part5 = getintfromkey(0, 5, v9);
                part6 = getintfromkey(0, 8, v10);
                v11 = part1 * (unsigned __int8)entered_key[7];
                v12 = part1 * (unsigned __int8)entered_key[6];
                v13 = part1 * (unsigned __int8)entered_key[4];
                if ( v11 == part5
                  && v12 == part3
                  && !(part1 * (unsigned __int8)entered_key[5])
                  && v13 == part4
                  && 1000 * v13 + 10 * v12 + v11 == part6 )
                {
                  ...show good boy message...
```

There are some checks for specific character values:
* char 6 must be "7", there may not be any other "7" in the key;
* char 5 must be "0";
* chars 4, 8, 12, 16, 21 may not be "0";

Key is split into several parts:
part1 = first 4 chars
part3 = chars 8..11
part4 = chars 12..15
part5 = chars 16..20
part6 = chars 21..28

Then it does some simple multiplication and checks the result. At this point you have 2 options:
- make a tool that will randomly choose part1 and chars 4 and 7, do the multiplication to calculate parts 3, 4, 5, 6 and see if it passes all checks.
- remember math lessons from school and figure out the only possible combination that will pass all checks.

First one is much faster, second one will be .. challenging. Either way, you should arrive at the only possible solution:

Well, in fact, there is an infinite number of valid keys. You can append random characters to the key above, they are not checked..
5. 3 points

## NFD x64dbg plugin - Linker/Compiler/Tool detector

Download: https://github.com/horsicq/nfdx64dbg/releases
Sources: https://github.com/horsicq/nfdx64dbg
More Info: https://n10info.blogspot.com/2017/05/nfd-plugin-for-x64dbg.html
6. 3 points

## [DevirtualizeMe] ArmDot

And here is the fully deobfuscated file with strings decrypted. I haven't run it through de4dot since this will simplify your button click method to one MessageBox.Show. Unpacked.exe
7. 3 points

## [DevirtualizeMe] ArmDot

Here is the code without strings decrypted, more to show that I haven't just remade the method from scratch but have actually devirtualised the file. The obfuscator is not that good in all honesty; once you get your head around everything in one method it's just like any other VM.

```csharp
private void button1_Click(object sender, EventArgs e)
{
    int num = 0;
    if (num != 0)
    {
        object obj;
        char[] value = obj = new char[16];
        obj[0] = (2049885642 ^ 2049885579);
        obj[1] = (721969625 ^ 721969580);
        obj[2] = (1722827470 ^ 1722827450);
        obj[3] = (675984423 ^ 675984463);
        obj[4] = (1647779473 ^ 1647779505);
        obj[5] = (1793770717 ^ 1793770638);
        obj[6] = (640259843 ^ 640259958);
        obj[7] = (959731082 ^ 959731177);
        obj[8] = (1744869780 ^ 1744869879);
        obj[9] = (237600744 ^ 237600653);
        obj[10] = (492056264 ^ 492056251);
        obj[11] = (327956409 ^ 327956426);
        obj[12] = (688741927 ^ 688741953);
        obj[13] = (658212064 ^ 658211989);
        obj[14] = (454212694 ^ 454212666);
        obj[15] = (28756323 ^ 28756290);
        MessageBox.Show(new string(value));
    }
    else
    {
        object obj;
        char[] value2 = obj = new char[10];
        obj[0] = (1435200779 ^ 1435200842);
        obj[1] = (853162666 ^ 853162719);
        obj[2] = (2119875586 ^ 2119875702);
        obj[3] = (712244489 ^ 712244577);
        obj[4] = (1541140050 ^ 1541140082);
        obj[5] = (2107783153 ^ 2107783095);
        obj[6] = (1703953462 ^ 1703953495);
        obj[7] = (1864360465 ^ 1864360568);
        obj[8] = (2035746888 ^ 2035746852);
        obj[9] = (620298057 ^ 620298088);
        MessageBox.Show(new string(value2));
    }
}
```
8. 2 points

## Opera Pink?WTF!

@LCF-AT Open T:\Program Files\brave\73.2.17.13\brave_resources.pak in a hex editor (don't try w/ Notepad++), ASCII search for: brave_new_tab.js and replace it with arave_new_tab.js, or whitespace the whole thing at: <script src="chrome://newtab/brave_new_tab.js"></script> Tested & working, greets @NeWOT
9. 2 points

## ‘Unhackable’ Biometric USB Offers Up Passwords in Plain Text

Embarrassing. Don't trust anything that looks like a pregnancy test kit... Ted.
10. 2 points

## Black Hat Lucifer (Anti Dump + IL Protection + Enigma Protector)

Run the target first with NETBox so it won't kill the .NET PE.
Dump with MegaDumper.
In the dumped exe change Image Base to 400000.
Fix relocation with Universal Fixer.
Native DLL UnpackMePlease.dll missing: DllSaver, break if module contains UnpackMePlease.
Unpacked exes: https://www112.zippyshare.com/v/26CxsdFV/file.html
11. 2 points

## ConfuserEx Mod

login pass:
steps to unpack:
1. removed anti tamper and some junk calls
2. cleaned cflow (Thanks to Tesla for cflow cleaning)
3. removed proxy calls
4. removed proxy calls again
5. converted x86 methods to IL
6. decrypted all constants
7. cleaned cflow again (Thanks to Tesla for cflow cleaning)
8. cleaned some small stuff with de4dot.
UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe
12. 2 points

## Modified ConfuserEx

Well, your post is in the crackme section. It means unpacking doesn't really matter. But since you want the file unpacked, here you go.
serial key:
steps:
1. removed anti tamper
2. converted x86 methods to IL
3. decrypted strings
4. removed delegates
5. attempted to clean cflow (but it's not very clean.)
6. cleaned with de4dot
CrackMe_fixed-NoX862.exe_unpacked-StringDec_nodelegate-cleaned-cleaned.exe
13. 2 points

## Global ATM Malware Wall

All samples have been pulled into hybrid-analysis.com sandboxes. Also, looks like we disturbed someone: http://atm.cybercrime-tracker.net/index.php?x=threat&hash=b57bc410683aba4c211e407320e6b7746ce25e06d81ddf480711228efd921a6c
14. 2 points

## Debugging in Turbo Pascal like it's 1994

https://www.youtube.com/watch?v=bcByQtkpmPg
15. 2 points

## Debugging in Turbo Pascal like it's 1994

Best days of programming before all this Java and Android chaos
16. 2 points

## Strings x64dbg plugin

Thanks a lot for testing. Please download the new version of the plugin: https://github.com/horsicq/stringsx64dbg/releases
17. 2 points

## Firefox disabled all AddOns!

Here is the hotfix for anyone who wants to install without turning on Data Collection and Use... hotfix-update-xpi-intermediate@mozilla.com-1.0.2-signed.xpi
18. 2 points

## Windows Start Menu to Run in Own Process StartMenuExperienceHost.exe...

https://www.bleepingcomputer.com/news/microsoft/windows-10-start-menu-gets-its-own-process-in-build-1903/ This should have happened a long time ago though it could be an indication Start is becoming bloated under Windows 10... Ted.
19. 2 points

## How to set diffrent colors in a single menu string?

You can still read menu item strings using the GetMenuString function. What I meant previously was that you have to change my example code to work differently with the DrawText function as the string of characters for, "Tuts 4 You", was not saved in the menu structure. The next example has, "Tuts 4 You", saved in the menu structure so you will be able to find this using GetMenuString. Each character is individually retrieved from the menu string and DrawText is used to display it. It also cycles through each RGB colour as before. When you click on a menu item GetMenuString is used to get the menu item text. It is then displayed in a message. I have attached both x32 and x64 this time. Apologies for the previous compile mistake! Ted. Appended Menu Items x64.exe Appended Menu Items x32.exe
20. 2 points

## MineSweeper

It builds a lot on your previous crackmes. So, most of the answers are already there.
1) Finding the first 2 checks - they are in 2 separate dynamic methods. You can simply patch those;
2) The third check is in yet another dynamic method. You can patch it, and play the game till the end. However, the game never shows the success screen. I think it's a bug in the crackme, as I could not find any code that would set the required field;
3) There are different ways to get the IL code of the dynamic method, for example, this breakpoint might help:
4) To patch the crackme, you need to understand how it stores information about dynamic methods. See previous crackmes and solutions for some details and hints.
5) Also you'll need to understand how the jit hook decrypts IL code. There's nothing original in it: VirtualProtect -> decrypt code in-place -> jit it -> encrypt code back -> VirtualProtect. Very easy to break in several different ways.
So, attached are 2 different versions of the solution. The first solution patches all 3 checks, you can play the game till the end but not get the success screen. The second solution gives you an instant win and shows the success screen.
Bonus: the secret "cheat" code is checked in the timer procedure. If you type it quickly enough, it will show the playing field: minesweeper-solution-kao.zip
31. 1 point

## Free Ubisoft and Epic PC Games...

World of Goo is currently free at the moment... Ted.
32. 1 point

## Strings x64dbg plugin

Bug? x32dbg wrong address.
33. 1 point

## Night Protector 2.0

After a few months, I decided to try again and I have finally unpacked it!
steps:
1. decrypted strings for parameter.
2. converted str that is actually an int value.
3. resolved all sizeOfs.
4. converted reference proxy calli to normal calls and removed the proxy calls.
5. removed some cflow.
6. calculated the integer values that use xor to get the value.
7. decrypted all the strings.
8. cleaned cflows and the rest, and also renamed.
Credits: Tesla - Helping remove cflow
crack-me_obfuscated_Unpacked.exe
34. 1 point

## ConfuserEx Fork

Unpacked!
1. Used dnSpy to remove antitamper and the calls
2. converted all integer values that have something to do with strings, ex: "epic".Length (my tool)
3. Resolved all SizeOf values with my tool
4. Calculated all math calls like Math.Truncate or Math.Log10 with my tool
5. used de4dot to calculate the remaining stuff to get the field values.
6. grabbed the field values and removed the fields (marked as empty Types) with my tool
7. removed the cos and junk call that will always return 0 with any uint value you use in the parameter, also marked as empty Types (my tool)
8. cleaned the rest of the math calculations with de4dot
9. TheProxy used his cflow killer to kill all the cflow
Credits: TheProxy - Helping to remove the cflow; Mighty - helped me to get the types from operand (for the sizeOf resolver); Autori and Blank - for tips
pass: 1830
Screenshot:
File: CrackMe3-StrToIntResolved-SizeOfRemoved-SysMathCallFixed-cleaned-EmptyTypesRemoved-EmptyTypesRemoved-cleaned_unpacked-StringDec-Cleaned.exe
35. 1 point

## How to use RoundRects with Gardient Color?

I would check your gradient structure and rectangle work area dimensions are correctly sized. Make sure you have no other drawing events going on in the device context - before or after drawing the rectangle. Can you try drawing your bitmaps when your program starts up as it seems a bit unnecessary redrawing them on each WM_DRAWITEM event? If you are going to add frames remember to do this after you have filled the rectangle with your gradient... Ted.
36. 1 point

## How to use RoundRects with Gardient Color?

You need to set a clipping path for drawing rounded rectangles and filling with a gradient. It is only a few lines of code so fairly straight forward.

```purebasic
BeginPath_(bmpHDC)
RoundRect_(bmpHDC, r\left, r\top, r\right, r\bottom, 128, 128)
EndPath_(bmpHDC)
SelectClipPath_(bmpHDC, #RGN_COPY)
GdiGradientFill(bmpHDC, @pVertex(), 2, @pMesh, 1, #GRADIENT_FILL_RECT_V)
```

Full PB example code is in the spoiler below and I have attached a working example for you... Ted. RoundedRect + GdiGradientFill.exe
37. 1 point

## Opera Pink?WTF!

LCF-AT is a woman that doesn't like the pink color... strange! Maybe is just that specific pink color.
38. 1 point

## How to set diffrent colors in a single menu string?

If you want to display an icon in the menu you can use something like DrawIconEx. If it is a bitmap you can BitBlt or similar. The icon needs to be placed at the beginning of the menu, you then offset the placement of any subsequent text in the menu after the icon. I am not entirely sure what you mean by dynamic icons or what you are trying to achieve - I'll have a guess... The menu will be drawn each time it is requested to be shown, any icons can be reloaded and used in any preferred order. You will need to keep track of your images and icons as you will need to free up these resources at some time, otherwise you will risk GDI leaks. If I am guessing at what you are trying to do with dynamic icons (and if I guessed correctly) there is no way around it, you will have to track your icon handles. I have had to do something similar in the past and used structured arrays with defined types. A dynamic example would be tracking windows; titles, position, order, icon, window handle, etc. This information is captured and stored in a structured array and then the necessary information is displayed in the menu. In the below example I have expanded on the previous code I posted and added icons in to the menu. Code is a bit crude though it gives you the idea... Ted. Coloured Menu Item + Icon.exe
39. 1 point

## Crack electromagnetic cards????

If you look for a good reader for your PC, get yourself a Proxmark3, and if you just want to look into Mifare 1K just get a cheap ACR122U from eBay. If you want to have fun, get yourself an Arduino or RPi with a PN532 module; it's capable of reading Mifare 1K and I had fun with it too, hacking a few weak card systems and making a portable NFC card cloner with this module from Adafruit, but there are alternatives which are cheaper. If you have a smartphone capable of NFC reading you can try Android apps such as Tag NFC Cloner, they work fine too. edit: related to credit card reading I don't know, but I'm sure something should exist on GitHub.
40. 1 point

## Feedback and Ideas

Hi again, not sure about that, so it's not the same as making some kind of single reply bookmarks, you know. In the profile page for example I can choose "see reputation activity" and get a list of all who pressed a like button etc, and something like that I would like to have for single replies I mark for myself (as I told before already). Maybe it's possible to add another button into the like button list... "Thanks, Haha, Confused, Sad, Like, ...... --> Mark <--"... you know. Just my idea so far. Not sure whether you can do that or whether it's possible to make that on this forum, but you know what I mean, right. I think it's a good idea. About MFC. So in this case I only can follow a topic. If the topic has many pages and tons of replies then I also can not find quickly what I am looking for, you know. It's not the same as the idea about marking / bookmarking single replies. greetz
41. 1 point

## z3 SMT solver for Pascal

https://github.com/Pigrecos/Z34Delphi My new repository for using Z3 in Delphi (porting the Z3 C API to Delphi). I tried and there were no tools for symbolic execution in Delphi.
42. 1 point

## PandaObfuscator, with custom VM

Unpacked Use any long key to pass checks. GetMe_unp.zip
43. 1 point

## latest Malware analysis and threat intel

Yes, Anomali Forum: https://forum.anomali.com/
44. 1 point

## Winlicense-Themida Unpacking X64 using x64dbg

Please friends, post your knowledge regarding themida x64 unpacking for x64dbg. please post your scripts also.
45. 1 point

## scylla is getting wrong va and size.

Just check the IAT start & end / size manually in Olly and correct it if needed, and then you are on the safe way. No big deal to do this quickly by yourself without always blindly trusting any import tool. In this case ImpRec shows all correctly, but ImpRec can also fail etc. Just wanna say that you should verify the found and shown results, you know. greetz
46. 1 point

## Eazfuscator.NET v5.8.251.246 w/ Virtualization + Agile License Schema

time consumed is 10 seconds plus however long it took to find his devirtualizer
47. 1 point

## Eazfuscator.NET v5.8.251.246 w/ Virtualization + Agile License Schema

Unpacked, devirted Unpacked_Devirt.zip
48. 1 point

## .Net Crack Me - ConfuserEx Mod

Very nice protection, well done. antitamper_fix.exe cracked.exe
49. 1 point

## dumping serial SPI and I2C chips

Thought I would post this since it's extremely useful for working on some embedded targets. The basic principle is you use a cheap logic analyzer to intercept read requests to the chip (usually from the microprocessor of your target), since some designs store special information in small chips on the PCB, like serial number, password, settings, etc. After the CPU reads all the addresses it's interested in over the SPI or I2C bus, your logic analyzer sees the waveforms and captures the data. Then this utility will convert the logic analyzer file to a binary dump of the chip by reconstructing the flash memory contents, so you can see what's inside and load it into IDA. Very useful. Source code and intro: https://github.com/alainiamburg/sniffROM/wiki/Getting-Started https://github.com/alainiamburg/sniffROM
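The reconstruction step the post describes, as an added example that is not sniffROM's own code: it assumes the SPI traffic has already been decoded into per-chip-select (MOSI, MISO) byte pairs, uses the standard 0x03 READ / 0x0B FAST READ command layout to overlay each read onto an erased (0xFF) image, and flags bytes where two captured reads disagree.

```python
# Added example, not sniffROM's own code: rebuild a flash image from SPI READ
# transactions already decoded from a logic-analyzer capture (input shape assumed).
from typing import Dict, List, Optional, Tuple

READ_CMD, FAST_READ_CMD = 0x03, 0x0B   # JEDEC SPI NOR READ / FAST READ opcodes
ERASED = 0xFF                          # erased NOR flash reads back as 0xFF
# One chip-select window: (bytes the CPU drove on MOSI, bytes the chip answered on MISO)
Transaction = Tuple[bytes, bytes]

def parse_read(tx: Transaction) -> Optional[Tuple[int, bytes]]:
    """(start_address, data) for READ / FAST READ, None for any other command."""
    mosi, miso = tx
    if len(mosi) < 4:
        return None
    if mosi[0] == READ_CMD:
        header = 4                 # opcode + 3 address bytes
    elif mosi[0] == FAST_READ_CMD:
        header = 5                 # plus one dummy byte before data
    else:
        return None                # RDID, WREN, page program, ... carry no flash contents
    return int.from_bytes(mosi[1:4], "big"), miso[header:]

def reconstruct(txs: List[Transaction], size: int):
    """Overlay every captured read on an erased image; count reads per byte and
    record addresses where two reads disagreed (decoder glitch or chip rewritten)."""
    image = bytearray([ERASED]) * size
    seen: Dict[int, int] = {}
    conflicts: List[int] = []
    for tx in txs:
        parsed = parse_read(tx)
        if parsed is None:
            continue
        addr, data = parsed
        for i, b in enumerate(data):
            a = addr + i           # the chip auto-increments the address per data byte
            if a >= size:
                break
            if a in seen and image[a] != b:
                conflicts.append(a)
            image[a] = b
            seen[a] = seen.get(a, 0) + 1
    return image, seen, conflicts

def demo():
    """Constructed capture of a 32-byte part: an RDID query (ignored), two reads,
    and a re-read whose last byte differs from the first pass."""
    txs = [
        (bytes([0x9F, 0, 0, 0]), bytes([0, 0xEF, 0x40, 0x14])),
        (bytes([0x03, 0, 0, 0x10]) + bytes(4), bytes(4) + b"BOOT"),
        (bytes([0x0B, 0, 0, 0, 0]) + bytes(3), bytes(5) + b"\xde\xad\xbe"),
        (bytes([0x03, 0, 0, 0x12]) + bytes(2), bytes(4) + b"Ot"),
    ]
    return reconstruct(txs, 32)
```

Bytes the CPU never fetched stay 0xFF, so the coverage count tells you how much of the chip the capture actually reveals.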
50. 1 point

## [unpackme] UnpackMe with PV Logiciels

ForceJit.zip