Jump to content
Tuts 4 You

Leaderboard

  1. CodeExplorer

    CodeExplorer

    Moderator


    • Points

      16

    • Content Count

      3,002


  2. LCF-AT

    LCF-AT

    Full Member+


    • Points

      8

    • Content Count

      4,849


  3. Extreme Coders

    Extreme Coders

    Full Member


    • Points

      6

    • Content Count

      362


  4. Teddy Rogers

    Teddy Rogers

    Administrator


    • Points

      6

    • Content Count

      8,452



Popular Content

Showing content with the highest reputation since 01/28/2020 in all areas

  1. 5 points
    Posted a write-up about solving the keygenme. https://0xec.blogspot.com/2020/02/finally-solving-weasel-keygenme.html
  2. 2 points
  3. 2 points
    https://www.theregister.co.uk/2020/02/03/wannacry_could_have_triggered_nato_german_general_says/
  4. 2 points
    That post was just because we (the administrators) are frustrated with the situation at exetools. The TechLord situation has been getting out of hand over there, but I see no reason to go on about it here. I have been voting to ban him for years now, because this is exactly what I was afraid of happening. That is my personal opinion, not the one of my employer.
  5. 2 points
    It is indeed true that I work for Denuvo and this is public information you can see at my LinkedIn profile. We use x64dbg at work and I have assured that there in no conflicts of interest in that regard. I keep working on features I need like always. However I would like to say that those “rumors” don’t exist and my employer has no influence about what I do or say online. If you feel like you have some questions related to those “rumors” @p4r4d0x (or anybody else) you can ask those things to me directly instead of going deep in conspiracies that you hear from “senior reversers”. With regards to breaking communities, there is absolutely zero benefit like @Progman noted. The reversing community as a whole has been going downhill in my opinion for years now and if anything we need more people sharing information online, not less. @Kurapica I will keep sharing my tools and knowledge as always. Nowadays I’m more active on Github and Stack Exchange than these (and other) forums, but I’m sure you can appreciate how your available time changes if you start your first full time job 😀 Also only few people seem to write my nickname as I like it nowadays: “mrexodia”, which is surprising
  6. 1 point
    Hey, great!So simple just doing the change in default mode, hehe.Anyway, so it works now.Thank you for that info Kurapica. greetz
  7. 1 point
    Tried setting the defaults like this ? https://superuser.com/questions/581924/i-want-to-permanently-change-the-background-color-to-white-and-the-text-color-to/581926
  8. 1 point
    Console example x64plgmnrc.exe -G "C:\x64dbg_root" // Set root path for x64dbg x64plgmnrc.exe -U // Update list from server x64plgmnrc.exe -S // Show list of plugins x64plgmnrc.exe -i x64core // Install last version of x64dbg x64plgmnrc.exe -i AdvancedScript // install AdvancedScript https://github.com/horsicq/x64dbg-Plugin-Manager
  9. 1 point
  10. 1 point
    Hi, His Unpacker is for Vanilla Only not for Modded Version.
  11. 1 point
    Hi again, short info.Now I do use Win10 64 bit and I see that some of my apps arent working correctly like this app (drag / drop nothing happens / no file gets loaded and added to list similar like GaBoR said).I could fix that problems (seems to be my fault because I was using threads with 4 paramters instead of one) to get it work same like on 32 bit systems.So if anyone is still interested into this app etc then I will update it soon to release a new working version you can use on x64 too (just make some more tests but all seems to work now so far). greetz
  12. 1 point
    And here we go https://www.youtube.com/watch?v=sxXs0Yy5-0Y
  13. 1 point
    @SHADOW_UA I'm afraid there're some bugs in your tool : Console.Title = "ddd"; DateTime now = DateTime.Now; if (0.Second < 5) //error { Console.WriteLine("mmm"); } You produce wrong instruction 'ldc' rather than 'ldloc'
  14. 1 point
    You have to find out the logic behind their VM handlers and restore original opcodes using this information. Attached cleaned file. VMTest_devirted-cleaned.zip
  15. 1 point
    Thank You Brother Found its official Page -- https://www.kahusecurity.com/posts/converter_net_v0.1_released.html as soon as I used Ditto name, found in Google Search. My Bad it was not on LifeinHex I got perplexed !!
  16. 1 point
    Hi, here it is: Password: Tuts4you https://www117.zippyshare.com/v/h1iuYzXM/file.html
  17. 1 point
    https://www.zdnet.com/article/microsoft-says-it-detects-77000-active-web-shells-on-a-daily-average
  18. 1 point
    It may be that your program has its thread input attached to a Windows core process and is currently locked. You then may need to be at the same process level to kill your process. If you lookup the structures documented in Windows Dev Center you can confirm if the Windows Data Types are correct. MOUSEINPUT STRUCT dx.l dy.l mouseData.l dwFlags.l time.l dwExtraInfo.i KEYBDINPUT STRUCT wVk.w wScan.w dwFlags.l time.l dwExtraInfo.i HARDWAREINPUT STRUCT uMsg.l wParamL.w wParamH.w INPUT STRUCT type.l Union mi.MOUSEINPUT ki.KEYBDINPUT hi.HARDWAREINPUT Ends Ted.
  19. 1 point
    Really good write up, thank you for persisting and for posting your work... 👍 Ted.
  20. 1 point
    Do you have a test file that we can run? Ted.
  21. 1 point
    In theory will be possible, unfortunate current created quantum computers don't have enough qubits. Read more: How Does a Quantum Computer Work? https://www.youtube.com/watch?v=g_IaVepNDT4 How it Works: Quantum Computing https://www.youtube.com/watch?v=WVv5OAR4Nik A Beginner’s Guide To Quantum Computing https://www.youtube.com/watch?v=JRIPV0dPAd4 Lunch & Learn: Quantum Computing https://www.youtube.com/watch?v=7susESgnDv8 Understanding Quantum Entanglement - with Philip Ball https://www.youtube.com/watch?v=5_0o2fJhtSc Quantum Fields: The Real Building Blocks of the Universe - with David Tong https://www.youtube.com/watch?v=zNVQfWC_evg Dark Matter's Not Enough - with Andrew Pontzen https://www.youtube.com/watch?v=GFxPMMkhHuA Why Everything You Thought You Knew About Quantum Physics is Different - with Philip Ball https://www.youtube.com/watch?v=q7v5NtV8v6I Quantum Algorithms https://www.youtube.com/watch?v=-ysVGWtAjio How Quantum Computers Break Encryption | Shor's Algorithm Explained https://www.youtube.com/watch?v=lvTqbM5Dq4Q How Shor's Algorithm Factors 314191 https://www.youtube.com/watch?v=FRZQ-efABeQ What is Shor's factoring algorithm? https://www.youtube.com/watch?v=hOlOY7NyMfs 44 Quantum Mechanics - Quantum factoring Shor's factoring algorithm https://www.youtube.com/watch?v=YhjKWAMFBUU
  22. 1 point
    Connection timeouts for OpenSSL are based on the underlying socket being used. If you are using a blocking socket, it will block until something happens. If you wish to monitor for timeouts, then you need to use a non-blocking socket. As their docs state: You need to setup a new socket with the proper "BIO" flags to be nonblocking and then loop the connection call and monitor the returned error/value to see if the connection was successful. Then you can create any kind of timeout you wish to use.
  23. 1 point
  24. 1 point
    Phew! It has been close to 4 years and after a lot of wandering here and there I can proudly announce that I'm now able to calculate a valid serial for any name. Here are a couple. kao GCZ4B-QTD22 0xec FZNUL-THK22 Time taken to generate a key can vary from 2-5 minutes and takes about 12 GB of Physical RAM running on a Nvidia Tesla T4 GPU (2560 CUDA cores). Providing more RAM and CUDA cores may further reduce the time but I ran it on Google Colab and that's what they offer. I plan to do a write-up on my blog later but here it is in short. Initially, I felt the only way to solve the system of equations within a feasible time frame is through a quantum computer using something like Grover's search but the quantum computers available for public use (IBM Q Experience) at this time do not have enough qubits. So this approach had to be discarded. On deeper analysis, I found the system of equations is nothing but a system of Multivariate Quadratic (MQ) Polynomials. There's a field of Crypto related to this - Multivariate cryptography. Such cryptosystems are considered hard even for a Quantum Computer to attack let alone a classical machine. Luckily, there's an ongoing challenge based on the exact same idea - Fukuoka MQ challenge. It turns out small MQ systems particularly which are under-determined (more unknowns than equations) are solvable by classical machines within an accepting time frame and people have posted tools/algorithms to solve them. One of them is libFES . There's also a GPU implementation of FES which I have used here. So that's how it went. Thanks @kao for the challenge. Really learned a lot!!! Its a silver medal for now. Considering such systems of equation are solvable, generating a key within 1 sec could also be possible given the MQ challenge site posts that this cryptosystem is based on a signature scheme (Type -IV). Once we calculate the private key, generating the signature within 1s should be possible.
  25. 1 point
    VVVVVV is now open source - https://github.com/TerryCavanagh/VVVVVV Huge archive of abandonware games for various platforms: https://oldgamesdownload.com/
  26. 1 point
    Difficulty : 6 Language : C++ 14 Platform : x86 OS Version : Windows 7 + Packer / Protector : The Enigma Protector v6.4 Description : Patch HWID and unpack it. Screenshot : Enigma 6.4 UnpackMe.zip
  27. 1 point
    I have unpacked most of the protections just need someone to complete the last part of it, the calls/delegates!! Instructions: 1. Jit-dump the executable with JitDumper3/4 enable the checkbox (Dump MD). 2. Clean the (String And Flow) with SimpleAssemblyExplorer(SAE) checking the checkbox (Delegates} as well. 3. De4dot. Files.rar
  28. 1 point
    The problem is defining what a good crackme is and where we draw the line. Being able to decide whether an unpackme would be good enough would require for the moderator to essentially solve the challenge themselves as well, which might require too much time for a simple approval, or worse, it might not always be within the skill set of the moderator him-/herself. A random idea that popped into my mind today: It might be possible to incorporate a system that is similar to how crackmes.de used to do it in the past when it was still online. What they did was only approving challenges that also provided an example solution with a full disclosure on the techniques used to protect the challenge or make it interesting. The example solution would only be visible to the staff and to the original author. The way I see it, this has a couple of advantages: It makes the approval procedure more objective. Staff would judge the actual contents of the challenge, rather than having to guess or solving the challenge themselves first. It makes the approval procedure a lot less time consuming. It forces the creator of the challenge to actually think of something interesting and not impossible. Effectively, they have to be able to solve their own challenge, and be able to convince one of the staff members the challenge is interesting. Some downsides would be: UnpackMes protected by new (updates of) obfuscators might not be possible anymore this way. The author might not have the skill to reverse the new technique that is applied either and the UnpackMes is more of an incentive for other, more experienced reverse engineers to have a look at it. As a consequence of the above, collaborative reversing might also be more discouraged by this methodology, since these UnpackMes without a solution would be denied. I also don't know if the current forum software supports any kind of system like this? I can imagine staff not wanting to get spammed with private messages about approval of a challenge either, so it might require a dedicated system, which might require some more coding to get it to work. I don't think I am eligible for a moderator, nor do I think I would be having time for it.
  29. 1 point
    mirrored here https://defacto2.net/f/a91eda9
  30. 1 point
    Hello, so I keep getting asked what’s the best obfuscators around so I am posting this so I don’t keep repeating it. I have decided to give my opinion on all obfuscators if I am missing any let me know If you are a developer of any of these obfuscators don’t take what I say as an insult use it to improve DNGuard - an obfuscator I used to say was Chinese crap however I’ve recently spent some time analysing this and can say that the HVM technology is very strong and makes unpacking a lot harder. However when not using the HVM setting it makes unpacking extremely simple with jit dumping and can use codecrackers unpacker for this. Compatibility on this obfuscator is its biggest flaw (along with price) which can be a big NO for a lot of people as this protector can cause files to not run on certain .NET frameworks if they fixed this issue and improved compatibility across systems it would make this obfuscator much better. Price is extremely high but I suppose has worked in its favour with not many files around and extremely hard to get test files to test features. Eazfuscator - a .NET VM that has been around for a while now with the last unpacker for version 4.8 I think from saneki on GitHub. Since then Eazfuscator has improved a lot however the concept stays the same and sanekis unpacker is still a brilliant base to start from. Meaning that an unpacker for this isn’t extremely difficult. The compatibility and performance of this obfuscator is actually fairly good for a VM and tells the user not to overuse the VM and only apply on secret methods as to save performance. The problem with Eazfuscator is that any protection method apart from the VM isn’t good, de4dot handles the control flow perfectly and the strings can be easily decrypted by either updating de4dot code which isn’t too hard or simply invoke. So if you’re app is sensitive on performance then maybe avoid this one as for all VMs performance is hurt no matter how efficient it is. In conclusion I do think this obfuscator is one of the top of its game as even with the old unpackers it’s still a lot of work to update ILProtector - An obfuscator I really do like the concept of keeping performance and security balanced, however in recent times with the release of dynamic unpackers it has kind of died as it seems the developer is applying small patches instead of fixing this properly so each unpacker only requires a few changes. In terms of static unpacking they have this down well, it’s actually a very hard job to statically unpack this protector so if they were to patch the dynamic flaws it would quickly appear back at the top but it’s credibility has been stumped due to the release of unpackers that I think may still work on the latest version (something I haven’t checked). Compatibility and performance on this obfuscator are good but one flaw of this obfuscator is that if the dynamic method is decrypted the original ilcode is there, they apply no MSIL mangling which in my eyes they should do both. Agile.Net another .NET VM however I haven’t analysed this myself that much but a few things I have noticed is that updating de4dot to support the latest version is not all that challenging however it is time consuming, a few modifications to de4dot can make it supply all the data you need to update it for the VM. the method encryption can be removed by jit dumpers from codecracker, from what I’ve seen in de4dot the obfuscator isn’t to hard to completely unpack but we have to thank 0xd4d for all he has done on this obfuscator he has done all the hard work for us so it’s just a matter of taking his code and updating, yes this takes a very long time to do Netguard - Now this is one I’m very familiar with, as most people know netguard is a modified confuserex however a fairly heavy modification. Now the actual protection isn’t that strong however for its price it’s very good, the base of netguard is still the same concept as confuserex and many of its protections can be defeated in the exact same way, the only real changes are the native stub and mutations. However once you remove these protections like control flow and constants can be removed in the same theory as I use in my confuserex unpacker2. This obfuscator like I said is the best for its price however if you’re looking for something better there are other options if you’re willing to pay, now compatibility and performance on netguard are something that it’s known for and not in a good way, it has improved a lot recently however they still add lots of junk that adds no real benefit and just slows down code. Appfuscator - now I don’t know why people don’t use this obfuscator anymore. In my eyes it’s still extremely powerful, codecrackers tools are not stable and if you’re tool is larger than a crackme then it will fail, appfuscator uses opaque predicates and CFG to generate its control flow both of which have no public solvers for so is an extremely powerful obfuscator especially if you mix it with something custom. Performance wise this is actually negligible effect so still to this day one of the higher rated obfuscators. Babel.Net - this is similar to ilprotector in the way it makes dynamic methods however in a different approach. The good thing about this obfuscator is that it provides you with more options than just encrypt msil where you have cflow constants and other expected protections making it not as simply as dumping the dynamic method. The dynamic methods itself are not tricky to solve dynamically similar to ilprotector, invoke the correct method and you have the dynamic method ready to read with dnlib. Statically it gets slightly more complex however a few hours debugging with dnspy and some static analysis will reveal its secrets of how it decrypts the encrypted bodies. Performance and compatibility wise I don’t really know enough about it but I’ve not really seen many complaints about it ArmDot - a relatively new .NET VM which I’m fairly interested in. At its current stage it needs polishing, they currently put the whole vm into each method it’s encrypted making it extremely slow. I explained to the developer that it holds no real benefit as to devirtualize it follows the same concept as all vms which is find the instruction handlers and convert back as most are 1:1 with CIL it makes this step relatively easy once you have detected all handlers however if this obfuscator works on your file and performs well I do recommend it especially as its new and being actively worked on and the developer is always interested in seeing ways to improve which is a good thing. KoiVM - another magical creation from yck so do we expect anything other than greatness. Now this was something he sold to customers until he left the scene and trusted XenoCodeRCE with and gave it him to improve and use. Xeno decided that he would sell this to others and ended up causing it to be leaked on GitHub however let’s ignore that. KoiVM is absolutely insane and different to all other VMS we talked about so far. This doesn’t relate 1:1 with CIL and actually converts it to a form of ASM meaning if you manage to get all the code back you then need to translate ASM to CIL which again is no easy task. People think because it’s opensource it makes it not worth it. Remember confuser/ex was open source and undefeated for a long time. KoiVM is on another level compared to those. Compatibility and performance does take a hit and has limitations which you can read on koivm website now if you’re app works fine and you’re happy with performance then I would strongly suggest sticking with it. You can even make modifications to confuserex and use it with that as after all it’s a confuserex plugin. These are just my thoughts and personal opinions on these obfuscators. I do not mean any disrespect to the developers apart from what I think is good and bad. If you would like further explanation on anything let me know or any specific obfuscator that I haven’t covered as I most likely have some sort of opinion on it feel free to ask Regards Cawk
  31. 1 point
    I don't know you say .Please make a video tutorial 😢
  32. 1 point
    @p4r4d0x: enough already! If you can't stop whining about exetools and techlord, please go away - as this behavior is not bringing anything useful to this forum. :@ @mrexodia: I wish you all the best in your new job. You're extremely skillful person and I'm sure you'll enjoy the challenges this line of work will bring. And remember to learn as much new stuff as possible!
  33. 1 point
    ir.ll is a literal translation of log_ins.txt to LLVM For example: %node_449381 = add i64 %node_44931f, 1481190108 corresponds to log_ins.txt: 449381 000000014004bf0d add r12, 0x58492adc r12 = 11111110b8c7e635 -> r12 = 1111111111111111, rflags = 216 (1481190108 == 0x58492adc) ir.ll is a lot smaller than log_ins.txt because everything that is const is constfolded immediately (LLVM's IR api does that. Its not even an optimization pass). Another example: %node_44a169 = add i64 %node_44a121, 140697368289557 corresponds to: 44a169 0000000140073976 add rcx, rbx rcx = 111111118281a713, rbx = 7ff6a8a86115 -> rcx = 111191082b2a0828, rflags = 206 log_ins.txt tells us the value of RBX, which is 7ff6a8a86115, which corresponds to 140697368289557. But why was it constfolded? If you track back the creation of RBX, you'll find, that it doesnt depend on anything that is not const (check log_ins_44a169_rbx.txt for full dependency trace of RBX) Regarding predicates. You are right, Themida is full of JCC. I made an optimized version of all of them in jcc_ir.ll (the predicate funcs are selfcontained, so they will contain the same stuff again and again). You'll see that most of them are const. Some of them depend on input registers (search for "node_" in jcc_ir.ll). For example: define i1 @func_1696b_4564e5(i64 %rax, i64 %rbx, i64 %rcx, i64 %rdx, i64 %rsi, i64 %rdi, i64 %rbp, i64 %r8, i64 %r9, i64 %r10, i64 %r11, i64 %r12, i64 %r13, i64 %r14, i64 %r15, i64 %rflags) local_unnamed_addr #2 { entry: %node_456430 = add i64 %rax, -3965984730278271229 %node_456431 = and i64 %node_456430, -140697950694205 %node_456457 = xor i64 %node_456431, 140698832079904 %node_456462 = add i64 %node_456457, -140697951312666 %node_45649c = and i64 %node_456462, 135 %node_4564a2 = sub i64 %node_45649c, %node_456462 %0 = trunc i64 %node_4564a2 to i8 %cmp11.i.i = icmp eq i8 %0, -126 ret i1 %cmp11.i.i } Since it depends on RAX, Themida cannot predict the result either, so both outcomes need to be valid. My tool doesn't support that yet, but my guess is that if i follow both paths and generate corresponding IR, LLVM will be able to optimize that as well and my guess is that either one path will become a giant NOP or will be a duplicate of the other path. Btw, Themida also adds predicates to the actual application code. In this case, node_45bbd2 is part of the "fruit", yet Themida uses its result for a JCC: define i1 @func_1883f_4b1adf(i64 %rax, i64 %rbx, i64 %rcx, i64 %rdx, i64 %rsi, i64 %rdi, i64 %rbp, i64 %r8, i64 %r9, i64 %r10, i64 %r11, i64 %r12, i64 %r13, i64 %r14, i64 %r15, i64 %rflags) local_unnamed_addr #2 { entry: %node_45bbd2 = add i64 %rcx, %rax %0 = trunc i64 %node_45bbd2 to i8 %cmp11.i.i = icmp eq i8 %0, 122 ret i1 %cmp11.i.i } more_logs.rar
  34. 1 point
    Only by bruteforcing RSA key which means xxx+ years with normal pc.
  35. 1 point
    Really depends on what you want. First things first - "free" obfuscators for .NET don't do protection very well. At best they just rename the classes of your assembly, at worst they do absolutely nothing at all. When it comes to paid obfuscators, here is your options - they are bound to change as protection schemes get cracked and patched. Low End: .NETGuard is most likely your best option if you want low price protection. It does quite a nice job - when it actually works. It has a lot of issues with program compatibility & certain features not working on certain PCs, but the devs are still working on it. Medium End: ILProtector is quite good to stop script kiddies from reversing your assemblies, but recent unpackers (such as my own) have made it less worthwhile. Babel.NET's obfuscator also looks quite promising for about the same price. High End: Eazfuscator.NET is the obvious choice here. Its managed virtualization is the best on the market (as of now), and is quite difficult to deobfuscate. It also has extremely easy integration with VS and it works on almost any assembly. The only problem is that its control flow obfuscation is absolute shit and its string encryption has been broken by de4dot. I have also heard of an obfuscator named DNGuard HVM, which has a native VM obfuscation - but it is insanely expensive. There is also a few obfuscators which I recommend for you to avoid - here is the list: SmartAssembly - Its protection is complete crap (unpackable by de4dot) and is also more expensive then EAZ. Don't waste your money. .NET Reactor - Latest version is fully broken by de4dot. The project does not seem all too active also. Agile.NET - Another super expensive obfuscator that has been cracked by de4dot & is inactive. If you are going to be spending this amount of money, you are better off buying DNGuard. CryptoObfuscator - Completely broken by de4dot & inactive. Appfuscator - As of now a unpacker exists for this, but it might change at some point. Right now I suggest you to avoid until they patch their protection. Of course, all of these schemes are bound to be cracked at some point. The best protection is always to make it yourself. Custom protection is always the hardest and annoying to crack, as a cracker has no idea how the scheme works and must figure that out at their own peril.
  36. 1 point
    You have to consider that FISH Black for instance, can have handlers of up to like 100.000 instructions. Since branch-prediction is very error-prone, you can imagine the problems you could have tracing through 100.000 instructions while having to guess branches correctly. Also, the branches aren't deduced by neither a register or immediate values. They use internal state registers which has internal cryptographic behaviour across different handlers to carry encoded data to be decoded by the exact pattern in the given handler. Here's an example: 004235DA MOV CL,BYTE PTR [EBP+0xa2] 004235E1 ADD CL,0x94 004235E4 CMP CL,0x1 004235E7 JNZ 0xec (004236D9) You must know what is in [EBP+a2], where EBP refers to the VM Context, in order to deduce what branch the handler will choose. However, when you're emulating the VM behaviour to devirtualize, the registers won't be set, so you have to keep track of all the context operations and emulate performance of them on a local structure of your own, to keep track of the cryptographic datas.
  37. 1 point
    Like said JohnWho, which he is one of the best Reverser on the world, every packer protector can unpacked. The most important thing in protection is the virtualizing code. If you encrypt with virtualizing code some functions, i think it will be almost (because always there is a way, difficult maybie, but possible "uncrackable". For me Obsidium is much more strong than Themida and Vmprotect. The reasons? 1)It have much more difficult crc protection (especially if someone need to add New section in a pe file), but also much more checks in the PE code. 2)It have very strong virtualizing code, and it's not accidental that except 2-3 old versions unpacking tutorials, there is not anything else for this protector! (unblacklist serial tutorials etc). 3)It is very difficult to trace inside VM code, because it have many anti-debbuging tricks! Almost everytime you will take avery good TerminateProcess. 4)It use valid serials to decrypt the code. I know an app which is protected with Obsidium and the patches are very few and rarely. All these are just my personal opinion. So it depends how you will use a protector, to make your app strong.
  38. 1 point
    Both are good protections if used properly. Both protections can be unpacked rather easily, the difficult part is the virtualized code. So virtualizing vital functions and sub functions is very important.
  39. 1 point
    Hello everyone, Here is a small SDK example for TitanEngine Community Edition. It covers far from all features, but enough to get you started. This is the code: #include <windows.h>#include <stdio.h>#include <psapi.h>#include "TitanEngine\TitanEngine.h"PROCESS_INFORMATION* fdProcessInfo;LPVOID lpBaseOfImage;char szDumpName[MAX_PATH]="";static void log(const char* format, ...){ va_list args; va_start(args, format); char msg[1024]=""; vsprintf(msg, format, args); puts(msg);}static void cbOep(){ long long rip=GetContextData(UE_RIP); log("> OEP 0x%llX reached!", rip); log("> Dumping..."); DeleteFileA(szDumpName); //Dump the process (notice that szDumpName need to be a full path) if(!DumpProcess(fdProcessInfo->hProcess, lpBaseOfImage, szDumpName, rip)) { log("> DumpProcess failed..."); StopDebug(); return; } log("> Dumping done!"); log("> Fixing imports..."); ULONG_PTR iatStart=0; ULONG_PTR iatSize=0; //Search for IAT (Search start is 'OEP' in Scylla) ImporterAutoSearchIAT(fdProcessInfo->dwProcessId, szDumpName, rip, &iatStart, &iatSize); if(!iatStart || !iatSize) { log("> IAT not found..."); StopDebug(); return; } log("> IAT Start: 0x%llX, IAT Size: 0x%llX", iatStart, iatSize); char szSectionName[]=".unp64"; //Auto fix the file (append a section & fix IAT) if(!ImporterExportIATEx(szDumpName, szDumpName, szSectionName)) { log("> ImporterExportIATEx failed..."); StopDebug(); return; } log("> Imports fixed!"); //Stop debugging StopDebug();}static void cbNearOep(){ log("> Near OEP!"); //Step using the trap flag StepInto((void*)cbOep);}static void cbPeSpin(){ //Set a hardware breakpoint at RSP with size 8 on read/write SetHardwareBreakPoint(GetContextData(UE_RSP), UE_DR0, UE_HARDWARE_READWRITE, 8, (void*)cbNearOep);}static void cbEntry(){ //Get RIP register long long rip=GetContextData(UE_RIP); log("> Entry point 0x%llX reached!", rip); //Search for MPRESS pattern unsigned char pattern[4]= {0x5D, 0x5B, 0xC3,0xE9}; BYTE wildcard=0; long long found=Find((void*)rip, 0x1000, pattern, 4, &wildcard); if(!found) { //Search for PESpin pattern unsigned char pespin[4]= {0xFF, 0x64, 0x24, 0xF8}; long long found=Find((void*)rip, 0x1000, pespin, 4, &wildcard); if(!found) { log("> MPRESS/PESpin pattern NOT found..."); StopDebug(); return; } log("> PESpin pattern found on 0x%llX!", found); //Step over StepOver((void*)cbPeSpin); return; } //Set a simple INT3 breakpoint SetBPX(found+3, UE_BREAKPOINT, (void*)cbNearOep); log("> MPRESS pattern found on 0x%llX!", found);}static void cbCreateProcess(CREATE_PROCESS_DEBUG_INFO* CreateProcessInfo){ //Get the loaded base lpBaseOfImage=CreateProcessInfo->lpBaseOfImage; log("> Process created on 0x%llX!", lpBaseOfImage);}static bool DevicePathToPath(const char* devicepath, char* path, size_t path_size){ if(!devicepath || !path) return false; char curDrive[3]=" :"; char curDevice[MAX_PATH]=""; for(char drive='C'; drive<='Z'; drive++) { *curDrive=drive; if(!QueryDosDeviceA(curDrive, curDevice, MAX_PATH)) continue; size_t curDevice_len=strlen(curDevice); if(!_strnicmp(devicepath, curDevice, curDevice_len)) //we match the device { if(strlen(devicepath)-curDevice_len>=path_size) return false; sprintf(path, "%s%s", curDrive, devicepath+curDevice_len); return true; } } return false;}static bool GetFileNameFromHandle(HANDLE hFile, char* szFileName){ if(!GetFileSize(hFile, 0)) return false; HANDLE hFileMap=CreateFileMappingA(hFile, 0, PAGE_READONLY, 0, 1, 0); if(!hFileMap) return false; void* pFileMap=MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 1); if(!pFileMap) { CloseHandle(hFileMap); return false; } char szMappedName[MAX_PATH]=""; if(GetMappedFileNameA(GetCurrentProcess(), pFileMap, szMappedName, MAX_PATH)) { DevicePathToPath(szMappedName, szFileName, MAX_PATH); UnmapViewOfFile(pFileMap); CloseHandle(hFileMap); return true; } UnmapViewOfFile(pFileMap); CloseHandle(hFileMap); return false;}static void unpack(char* szFileName){ //Set an engine variable (hide console window of created process) SetEngineVariable(UE_ENGINE_NO_CONSOLE_WINDOW, true); //Get full file path HANDLE hFile=CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0); if(hFile==INVALID_HANDLE_VALUE) { log("> File \"%s\" doesn't exist...", szFileName); return; } GetFileNameFromHandle(hFile, szDumpName); CloseHandle(hFile); log("> Unpack of file \"%s\" started...", szFileName); FILE_STATUS_INFO inFileStatus= {}; if(IsPE32FileValidEx(szFileName, UE_DEPTH_DEEP, &inFileStatus) && inFileStatus.FileIs64Bit && !inFileStatus.FileIsDLL) { log("> 64-bit PE file detected!"); //Make name of dumped file int len=strlen(szDumpName); while(szDumpName[len]!='.' && len) len--; if(!len) len=strlen(szDumpName); strcpy(szDumpName+len, "_unp64.exe"); //Start the process fdProcessInfo=(PROCESS_INFORMATION*)InitDebugEx(szFileName, 0, 0, (void*)cbEntry); if(fdProcessInfo) { log("> InitDebug OK!"); //Set a custom handler SetCustomHandler(UE_CH_CREATEPROCESS, (void*)cbCreateProcess); //Start debug loop DebugLoop(); } else log("> InitDebug failed..."); } else { log("> Invalid/x86/DLL file..."); } log("> Unpack ended");}int main(int argc, char* argv[]){ puts("unp64 v0.1\n\nSupported packers:\nMPRESS v2.19\nPESpin v1.22 (Packer only)\n"); if(argc<2) puts("usage: unp64 [file.exe]"); else unpack(argv[1]); Sleep(2500); return 0;}Example output:unp64 v0.1Supported packers:MPRESS v2.19PESpin v1.22 (Packer only)> Unpack of file "mpress.exe" started...> 64-bit PE file detected!> InitDebug OK!> Process created on 0x140000000!> Entry point 0x14000F0F3 reached!> MPRESS pattern found on 0x14000FBD7!> Near OEP!> OEP 0x140005DC8 reached!> Dumping...> Dumping done!> Fixing imports...> IAT Start: 0x14000F048, IAT Size: 0x38> Imports fixed!> Unpack endedProject files + Binaries attached.Greetings, Mr. eXoDia unp64.rar
  40. 1 point
    http://tuts4you.com/download.php?view.1560 Ted.
  41. 0 points
    Enigma Done ... KoiVM seems modded. couldn't able to do till now !!
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
×
×
  • Create New...