Jump to content
Tuts 4 You

Leaderboard

  1. kao

    kao

    Full Member+


    • Points

      27

    • Content Count

      2,321


  2. TobitoFatito

    TobitoFatito

    Full Member


    • Points

      20

    • Content Count

      34


  3. CodeExplorer

    CodeExplorer

    Moderator


    • Points

      18

    • Content Count

      3,106


  4. Teddy Rogers

    Teddy Rogers

    Administrator


    • Points

      14

    • Content Count

      8,934



Popular Content

Showing content with the highest reputation since 06/05/2020 in all areas

  1. 13 points
    awesome_msil_Out.exe Approach: 1. Necrobit is a jit protection, so we use Simple MSIL Decryptor by CodeCracker , and it shall be ran on NetBox 2. Code virtualization is a relatively new feature of .net reactor, added in version 6.2.0.0. Here is the approach i took (i did this about 6 months ago so my memory is kinda rusty ) : (Click spoiler to see hidden contents)
  2. 6 points
    I am referring to threads and posts like these: If a solution is selectively provided only to the OP by PM then it defeats the whole purpose of the Crackme/Unpackme section. In such cases, the solution provider should not even be acknowledged unless they provide working steps for everyone to learn from. This forum is a learning platform and if solution providers are expected to share the methodologies that they used for the solution. Here is yet another thread where the posts from the solution providers who gave vague steps was approved: Basically another thread containing "show-off" posts by the solution poster. Nothing practical provided and no proper steps were shown. I mean, take this for example (from this post): EXAMPLE 2 Basically useless. It's like saying that to climb the Himalayas one needs will-power, good training, a lof of good mountaineering tools, food packs etc and that one has to read up a lot of good manuals and practice on smaller mountains first... Only posts in the Challenges section which detail proper steps which are actually reproducible should be approved by the mods. OR... ALL POSTS there should be approved from anyone. Why just approve the "show-off" posts? Are we expected to "beg" the solution poster via PM for the steps? I am quite sure that my post may get deleted, since any posts which speak the truth seem to get selective get deleted these days, but nevertheless I wanted to bring up this point! Another example of an approved post where NO STEPS were provided:
  3. 4 points
    In my opinion that solution will be acceptable only if the tool used is public.
  4. 4 points
    This is really the key point that probably should be the requirement for a post to be accepted. A solution should be reproducible, not a list of private tools that are used. Private tools are, as their name implies, private, and by definition that means it is everything but reproducible (unless this tool is shared with the reader of the solution). The only person benefiting from such a reply is the respondent themselves in the form of an ego boost. Not very productive if you'd ask me.
  5. 4 points
    It's a really good question. The answer really depends. Let me give you few recent examples. Example #1: Extreme Coders names the tools and explains HOW to solve the crackme. A lot of effort is required but all the tools can be found via Google. So I have zero issues with the solution. Example #2: Prab names the tools but no explanation is given. "x86 retranslater" definitely cannot be found not on Google. "Clean control flow" tells the obvious thing but it doesn't explain HOW to do that. What's the point of such solution? The only thing reader will learn from this is that he needs a magic wand that he can't have.
  6. 4 points
    View File Reactor v6.3 Try to unpack or alternatively provide a serial. Protections used: Necrobit Antitampering Antidebug Obfuscation Code Virtualization + Shield with SNK Submitter whoknows Submitted 06/10/2020 Category UnPackMe (.NET)  
  7. 2 points
    you shouldn't be using WD in first place.
  8. 2 points
    Pawning 40 CTFs simultaneously
  9. 2 points
    My work machine has normally running MS Teams (2GB right there..), Outlook (250MB), Chrome with 40+ tabs (6+GB), Visual Studio, 1-2 VMware Guests and IDA. Would I expect it to magically work with 8GB of RAM? F*ck no! Sure, you can find a tool that hacks around and maybe reduces the symptoms. But it doesn't fix the problem. The actual problem is that your machine is severely under-powered for that sort of a workload. Another 8GB of RAM would be a proper way to solve those issues. And it costs ~40EUR - which is less than 1-2 hours of your time you probably spent googling for such "tool".
  10. 2 points
    https://docs.microsoft.com/en-us/dotnet/api/system.string.concat Get the next 50 elements and concat them, then repeat. If you want to add a delimiter for every text use Join instead. https://docs.microsoft.com/en-us/dotnet/api/system.string.join?view=netcore-3.1#System_String_Join_System_String_System_String___ You should consider taking a programming course.
  11. 2 points
    I was facing the Same thing from long time. Here I've raised my Voice - that It makes no sense to upload Cleaned file or saying that I used de4dot modded Private bla bla bla. Some People are like, Read the Assembly language or see de4dot or VM and you will know. Oh Ghosh does it make any sense? No there's a no sense of saying this. Consider, Someone ask me How to Decrypt the encrypted Password? So Should I answer him Remember the Table of 2 to 30 or learn Counting and Alphabet. It's make no sense. Mostly Comments are like "I use My Private Tools" "I used modded de4dot" I used "Lamp of Aladdin" I used "Poseidon Trident 🔱" OH God, If You can't share or can't atleast explain little bit manual stuff, Then the Solution is utter nonsense and useless. I also think, We should allow solutions which actually are descriptive.
  12. 2 points
    Thanks to "Extreme Coders", I've never programmed in python before, but after reading all your public material and following the recommended steps in this thread I've been able to desofuscate the code. If they tell you how to do it you will understand it, but if they guide you and you have to discover how to do it you will learn martisor_unpacked.py
  13. 2 points
    Not necessary to unpack to get the key. Key: Steps :
  14. 1 point
    Probably it's like this because the HTML standard is too loose and flexible in a way that makes uniformity on security issues something unlikely to ever happen at this point. Dynamic aspects even more so are to increase security or even business model. As much as many of us want to see this be easily scrptable, businesses are working hard to ensure in fact just the opposite. So many bots doing phony stuff nowadays for one, and sometimes data leaching is desired to be prevented because the data and bandwidth have value. Some businesses want you to have to manually go through login and clicking to simply make it cumbersome to both waste your time and energy and keep things complicated enough that you might make a mistake. I would really like a script which logs in and downloads, renames appropriately and saves all bill or bank statements every month for example. But its cumbersome and tedious at best to script and if a captcha comes likely you need to interrupt the automation for a short user browser interaction before proceeding. Unless you want to automate that with special built neural nets. I've yet to see one that makes human like mouse movement but the bot networks out there probably have it albeit it's not public.
  15. 1 point
    Hi guys, thanks for the feedback again.So this really sounds like hell to build any own client code without to build a browser engine to find out what kind of validation any xy site does request.So why is this validation so dynamic?Sound like that any server could also use any own request method XY instread GET / POST etc like GET_IT or whatever you know.All in all its just bad for me now so there are too much diffrent variables to handle and to know before.This just sucks. greetz
  16. 1 point
    https://www.infoq.com/news/2020/07/mandrel-graalvm/ @CodeExplorer -- bonus pavellaptev.github.io/web-dark-ages/
  17. 1 point
    10-12TB spinning drives only this year started to get to a reasonable $/GB ratio. So, 100TB+ SSD is way, way out of reach for the ordinary consumer. And it will be out of reach for next 5-10years. BTW, the f*ing original article was talking about tape drives, not HDDs or SSDs. Personally, I wouldn't call that a drive - but English is not my native language..
  18. 1 point
    CSRF tokens https://stackoverflow.com/a/33829607 https://www.hhutzler.de/blog/using-curl/ https://www.google.com/search?q=curl+login+with+CSRF -- On all modern login system there are 'validation' like this... What I have done in the past, is to use CefSharp library (or even the plain WebBrowser of .NET frm), load the page @ browser set the values to inputboxes and submit the form to the server by clicking the submit button by JS code. ex document.querySelector('.ovm-ClassificationBarButton-18'); restoreTAB.click();
  19. 1 point
    Well it's true though right? Every OS upgrade adds more background services, more memory consumption. They always seek to maximally utilize the resources. You basically need a multi core with high RAM to do anything interesting nowadays. By forcing hardware upgrades, they sell more licenses so there is justification for this business strategy. My father told me in the 1970s these same things went on. So it's much older. They never rewrote the code to be more efficient because they wanted the system always busy so they could justify its use and further upgrades. Some things never change Does not leave us consumers with much options. As you correctly point out, tools like this are never as reliable or well understood as the OS choosing to be more efficient or flexible. To prove it further, Microsoft does not do much to stop Win10 cracks. But put a minimal Win10 with the bloat stripped out and they will DMCA it at light speed. Priorities! Instead of designing to run on certain hardware configurations as claimed, they in reality design it not to run on certain hardware specs.
  20. 1 point
    We say this with every iteration of Windows. Recalling XP being bloated... 🤔 Ted.
  21. 1 point
    Often servers have global settings and per domain or IP settings. So globally require SSL is on. But only the IPv4 address is configured for the redirect. The redirect should have been global possibly or defined also for the IPv6. Actually usually it's done on domain names which makes more sense. There are further tricks since SSL can validate IPs and there is some complexity to getting all this to work right in all scenarios such as shared certificates for multiple domains, etc.
  22. 1 point
    This site (in Chinese) explains a bit about that last parameter structure “The fourth parameter ppResult is a pointer of type PADDRINFOA, that is, a double pointer of type addrinfo” https://www.cnblogs.com/Ishore/p/4009205.html
  23. 1 point
    Seems like a tool to keep the cache empty. May be better to leave it to the OS to manage memory... Ted.
  24. 1 point
    Bed_ControlFlow_Remover.rar x86_Retranslater.rar I can't give you the rest of em ( i don't have permission to share them, hope you understand me).
  25. 1 point
    part 2 https://hot3eed.github.io/2020/06/22/snap_p2_deobfuscation.html
  26. 1 point
    etc etc https://torrentfreak.com/removing-annoying-windows-10-features-is-a-dmca-violation-microsoft-says-200611/ cheers B
  27. 1 point
    https://www.bleepingcomputer.com/news/security/expiring-ssl-certs-expected-to-break-smart-tvs-fridges-and-iots/ bonus On Systemic Debt - hxxps://thedailywtf.com/articles/on-systemic-debt linux xrdp – an open source RDP server - hxxps://github.com/neutrinolabs/xrdp
  28. 1 point
    Thanks @Teddy Rogers I agree with you but posts saying things like "He shared the solution with me via PM" and such should not be approved. That way, anyone would not be able to show-off that they solved it. If they want their post(s) to be featured on the Challenge threads as having solved something, then the requirement should strictly be that they should post a solution that anyone would be able to replicate. If any special tools are required, then unless they are willing to share the tools, their post should not be accepted. That way, one would either have to post a proper solution along with the tools used or, if they do not want to share their tools, remain silent. I am sure that some would not want to share their tools but in that case they should not get the opportunity to make posts that just serve to boost their ego. If they are not willing to share their "private tools" that they used to arrive at the solution, then their solution (or even their post which just shows the final answer without the steps or tools) should not be approved at all. Otherwise, one could just say that they used a "private tool" for every crackme/unpackme (when in reality, they just used public tools), in order to avoid detailing the steps. So, unless they are willing to share the "private tools", it does make their answer any more useful to the rest of us. While we do not expect an essay or a full video tut of very detailed steps, a person with a reasonable knowledge of RE should be able to replicate the solution with the "steps" that they provide. For example, just saying that they used DnSpy and IL Spy to solve it would be rather useless... I would say that this is more like solving a trigonometry or an algebra problem back in high school where one is expected to provide the "steps" that they performed to arrive at the solution. One would be expected to provide just enough detail so that anyone reading it would be able to (reasonably) understand how to solve similar problem.
  29. 1 point
    @Prab Do you write some tools yourself? I think you can't clean this file just with these tools, such as: Does `Constants Decryptor` support `sizeof` instruction? Do you write tools yourself to convert `sizeof` to `ldc`?
  30. 1 point
  31. 1 point
    Unpacked! So here's what i did. Removing the antitamper is really difficult if you're going to decrypt the methods by executing the method decrypt call in <module>.cctor. I think this is caused by the function that modifies some parts of metadata. The function is placed before the method decrypt function and after PE section finding part. So what i did was i modified abugger's antitamper remover and it pretty much worked. After antitamper was removed, it somehow created an error when decompressing constant data. Anyways, im too lazy to find out how removing antitamper was causing that. I just executed the original file and grabbed the decompressed byte array value for constant and moved the initializer in <module>.cctor. After that, i resolved the values of mutations. If i remember, there were sizeof, convert.toint32, math.(function) and int/short.parse. After the mutations, all you need to do is to convert the fields to locals, calli to call, resolve the delegates, and resolve and remove the proxy call delegates. You have to make your own approach on removing the proxy call delegates on this one. The values of the delegates are initialized at <module>.cctor. here's the result of what i did. (manually cleaned junk types). Unpackme_cleaned.exe screenshot:
  32. 1 point
    asking me ? hope @Reza-HNA PM u.
  33. 1 point
    without debugger detection awesome.vmp_nodbg.rar
  34. 1 point
    How these Unpacking Posts are getting approved ? It is clearly written in the Rules that the solution of challenge will not be accepted if you don't describe the steps. Here everyone showing that they have cleaned it but no one is telling how ? so literally this is not a valid contribution to the forum if you don't descibe how it has been done. Just uploading files of cleaned is not all about unpacking. I think everyone must need to describe the steps or approach he has done to clean it. If I sound rude, I am sorry but this is what i feel.
  35. 1 point
    This is a notification of intent to cease and close the Blogs section of the site in a months time. The reasons for the change are; lack of use, activity and popularity, and for the most part the forum categories have been and are more than capable to host similar blog like content in the future. This notification gives you the opportunity to copy any information from Blogs that you wish to retain and/ or repost in the appropriate forum... Ted. Backups - Blogs.rar
  36. 1 point
    I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator I try my best to introduce it using English 1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5) 2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run 3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod" 4.fix pe header and maybe you shoud also fix .net header This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies. If you can not understand it, you can reply me. Best wish.
  37. 1 point
    Hello everyone , I hope you're doing good , I've been searching for a while about how to write a plugin for OllyDbg , with the help of the (plugin api unit) I was able to make a simple plugin that retreives the value of the flag (BeingDebugged) which is used by the function (IsDebuggerPresent) . now the problem is that i still can't change that byte . The function WriteProcessMemory isn't working , can you give me some help please , here's the full code : thanks in advance library AADebug; uses SysUtils, plugin, windows, Classes; {$R *.res} type PEB = record Reserved1: array [0 .. 1] of Byte; BeingDebugged: Byte; Reserved2: Byte; Reserved3: array [0 .. 1] of Pointer; Ldr: Pointer; Reserved4: array [0 .. 102] of Byte; Reserved5: array [0 .. 51] of Pointer; PostProcessInitRoutine: Pointer; Reserved6: array [0 .. 127] of Byte; Reserved7: Pointer; SessionId: ULONG; end; PROCESS_BASIC_INFORMATION = record Reserved1: Pointer; PebBaseAddress: Pointer; Reserved2: array [0 .. 1] of Pointer; UniqueProcessId: cardinal; Reserved3: Pointer; end; resourcestring PLUGIN_NAME = 'Anti IsDebuggerPresent'; var g_hwndOlly: HWND; // OllyDbg Window Handle ProcessBasicInfo : PROCESS_BASIC_INFORMATION; Length:cardinal; EB : PEB; function ODBG_Plugininit(ollydbgversion:Integer;hWndOlly:HWND;features:PULONG):Integer;cdecl; begin g_hwndOlly := hWndOlly; Addtolist(0, 0, pchar(PLUGIN_NAME)); Result := 0; end; function ODBG_Plugindata(name: PChar): integer; cdecl; begin StrLCopy(name, PChar(PLUGIN_NAME), 32); Result := PLUGIN_VERSION; end; function NtQueryInformationProcess(ProcessHandle: THANDLE; ProcessInformationClass: DWORD; ProcessInformation: Pointer; ProcessInformationLength:ULONG; ReturnLength: PULONG): LongInt; stdcall; external 'ntdll.dll'; procedure Getinfo; var debugee,PID : THandle; buffer : byte; begin buffer := $00; PID := PluginGetValue(VAL_PROCESSID); debugee := OpenProcess(PROCESS_ALL_ACCESS,False,PID); NtQueryInformationProcess(debugee,0,@ProcessBasicInfo,sizeof(ProcessBasicInfo),@length); readprocessmemory(debugee,ProcessBasicInfo.PebBaseAddress,@EB,sizeof(EB),length); writeprocessmemory(debugee,@EB.beingDebugged,@buffer,sizeof(buffer),length); messagebox(g_hwndOlly,pchar('BeingDebuggedFlag : '+ inttostr(EB.beingDebugged)),pchar('info'),MB_ICONINFORMATION); end; procedure ODBG_Pluginaction(origin:Integer; action:Integer; pItem:Pointer);cdecl; begin if (origin = PM_MAIN) then begin Getinfo; end; end; exports ODBG_Plugininit name '_ODBG_Plugininit', ODBG_Plugindata name '_ODBG_Plugindata', ODBG_Pluginaction name '_ODBG_Pluginaction'; begin end.
  38. 1 point
    What makes you question either of these? Private: There are occasionally some techniques, practices (and tools) kept private to stay ahead of the game. Nothing has changed much over the years in this regard as far as I can tell. Knowledge: As @kao already mentioned most of the core techniques and information is out there to be discovered (in these forums for example). It only needs a willing and proactive individual to expand and develop on this information. As everyone seems to have their own blog (or YouTube channel) these days these generally seem to be the new format for tutorials. One day... when all my children have grown up and left home I can get my life back and get back to RCE and making traditional tutorials. Hopefully the RCE world will be an entirely new and interesting place to explore... 👍 Ted.
  39. 1 point
    This forum is overrun by lazy-ass noobs who don't really want to learn. They want to have a youtube video and automagic tool for everything. Ready-made tools are private for this exact reason. People who want to learn will find the necessary information to learn the basics. And once you show you've done your homework, knowledge and techniques are being shared freely. Maybe not 100% public but via PMs and chat.
  40. 1 point
    hello, I apologize if it has nothing to do with this post, I'm decompressing with ManagedJiterFr4.exe but I get the following errors why? how can i solve? this if i try with unpackme
  41. 1 point
    You don't need to know correct key to get the flag: Is that what you're looking for? How-to: 1) Run and dump from memory; 2) (optional) Fix imports with Scylla; 3) Load dump in IDA; 4) Find WndProc and see how WM_COMMAND is handled; 5) The key check is very convoluted but it all ends up here: ... lots of horrible operations with entered key .. strncpy(buffer, encryptedFlag, 25); for ( n = 0; n < 25; ++n ) { v3 = buffer[n]; v4 = HIDWORD(v3) ^ HIDWORD(v20) ^ HIDWORD(v21) ^ HIDWORD(v22) ^ HIDWORD(v23) ^ HIDWORD(v11); v8[2 * n] = v3 ^ v20 ^ v21 ^ v22 ^ v23 ^ v11; v8[2 * n + 1] = v4; decryptedFlag[n] = v8[2 * n]; } // check last 2 bytes of decrypted flag result = 24; if ( decryptedFlag[24] == 'Z' ) { result = 23; if ( decryptedFlag[23] == 'C' ) ... Xor key for all bytes is the same. You know encrypted flag. You know last 2 bytes of decrypted flag. So, you can deduce XOR key and decrypt the flag.
  42. 1 point
    I Released a way of patching these vm's, here https://github.com/TobitoFatitoNulled/Venturi77CallHijacker but you'll need to manually inject agile for now (will try to fix the issue asap tho.
  43. 1 point
    password: "viva la revolution" How the password verified? Here, check my entered password against the correct one, both encrypted. Obviously, the encrypted password at RVA 00011054 is 18 characters long. But, what is the encryption or decryption algorithm? Don't dive into that, instead I assume the algorithm is symmetrical. This time, I entered the right length password "123456789012345678". At entry of the subroutine, Ecx=004FF534, we can find the entered password at allocated buffer 008F0000: Copy and paste with the correct cipher password from RVA 00011054: 008F0000 12 EC C5 CB AC FC 86 96 23 7C 7D 57 46 5C 43 4F 008F0010 56 2D 2A 00 Run to the end of loop at 01323461, we got: 008F0000 12 76 69 76 61 20 6C 61 20 72 65 76 6F 6C 75 74 .viva la revolut 008F0010 69 6F 6E 00 ion.
  44. 1 point
    Beds Protector ? I found is Babel Protector .
  45. 1 point
    Run the program, put any fake password, click on "Check password" wrong msg will be prompted, open up process hacker, right click on the file process -> properties -> net module -> strings -> scan/dump and then you have a .txt file with all strings extracted from memory. Seek for the wrong msg prompt text and nearby is the password.
  46. 1 point
    my confuserex unpacker works for this with one slight modification in the anti tamper find method it fails just make it find anti tamper (easiest way just change the if (sections.Count == 3) from a 3 to a 2 this will then fix it and static route work 100%
  47. 1 point
    Yep. That is one of the sections. It may be more on larger files. BTW. Here is my script for recover VM'ed Enigma OEP. Is written back in 2015 and i don't know if is fail proof because i did not use/test for more than a year ago. // giv@reversing.ro // Script for restore VM OEP on Enigma 5.xx VM'ed OEP // Delphi files + VB6 bc lc bphwc bpmc dbh GMI eip, CODEBASE mov bazacod, $RESULT GMI eip, CODESIZE mov marimecod, $RESULT VAR INTRARE ask "Enter the EIP of the stolen OEP" mov INTRARE, $RESULT //mov INTRARE, 0041F372 BPHWS INTRARE erun bphwc INTRARE ask "Enter compiler type: 1 for Delphi 2 for Visual Basic 3 for C++" mov tipcompilator, $RESULT cmp $RESULT,1 ifeq jmp Delphi endif cmp $RESULT,2 ifeq jmp vb6 endif cmp $RESULT,3 ifeq jmp C_plus endif //Target compiler select mov delphi, 1 mov vb6, 0 mov cpp, 0 ///////////////// cmp delphi, 1 ifeq jmp Delphi endif cmp vb6, 1 ifeq jmp vb6 endif cmp cpp, 1 ifeq jmp C_plus endif Delphi: log "PUSH EBP" log "MOV EBP, ESP" log "ADD ESP, -10" BREAK: bc bphwc bpmc BPRM bazacod, marimecod erun cmp eip, INTRARE ifeq jmp BREAK endif cmp eip, bazacod+marimecod ifa jmp BREAK endif cmp eax, 01000000 ifa jmp DWORD endif cmp [eip], #FF25#, 2 ifeq jmp BREAK endif mov valoareeax, eax eval "MOV EAX, 00{valoareeax}" LOG $RESULT, "" eval "MOV ECX, 00{ecx}" log $RESULT, "" eval "MOV EDX, 00{edx}" log $RESULT, "" mov pozitie, eip eval "CALL 0{pozitie}" log $RESULT, "" GASIRE_RET: bpmc cmp [eip], #FF25#, 2 ifeq jmp BREAK endif find eip, #C3#, 5 mov adresagasitaret, $RESULT cmp adresagasitaret, 0 ifa bp adresagasitaret erun bc adresagasitaret esti gci eip, COMMAND mov stringoep, $RESULT scmpi stringoep, "PUSH 0x0", 4 cmp $RESULT, 0 ifa jmp Comanda_gci endif esti jmp Comanda_gci endif find eip, #5?C?#, 1500 mov adresagasitaret, $RESULT cmp adresagasitaret, 0 ifa mov diferenta, adresagasitaret-eip cmp diferenta, 35 ifb cmp [adresagasitaret], #5BC3#, 2 ifeq bpmc bp adresagasitaret erun esti esti jmp Comanda_gci endif cmp [adresagasitaret], #5DC2#, 2 ifeq bpmc bp adresagasitaret erun esti esti jmp Comanda_gci endif msg "Diferenta prea mica" endif mov adresacomparare, adresagasitaret add adresacomparare, 1 cmp [adresacomparare], #C3#,1 ifneq mov start, eip add start, 35 find start,#E8????????C3# bp $RESULT erun bc find eip, #5?C?# bp $RESULT erun bc esti esti jmp Comanda_gci //msg "Pauza C3" endif bp adresagasitaret erun bc adresagasitaret esti esti jmp Comanda_gci endif find eip, #5?5?5?5?C3#,500 bpmc mov adresagasitaret, $RESULT cmp adresagasitaret, 0 ifa bp adresagasitaret erun bc adresagasitaret esti esti jmp Comanda_gci endif cmp adresagasitaret, 0 Continuare_ret: bpmc ifa bp adresagasitaret bpmc erun endif bc adresagasitaret esti esti Comanda_gci: GCI eip, COMMAND mov comanda, $RESULT scmpi comanda, "PUSH 0x0", 4 ifneq jmp GASIRE_RET endif jmp BREAK DWORD: ///////// bc bphwc ///////// mov gasire, eax rev gasire mov gasire, $RESULT /////////////////// eval "{gasire}" mov gasire, $RESULT ////////////////// len gasire cmp $RESULT, 7 ifeq eval "0{gasire}" mov gasire, $RESULT jmp ansamblare_gasire endif len gasire cmp $RESULT, 6 ifeq eval "00{gasire}" mov gasire, $RESULT endif //log gasire, "" ansamblare_gasire: eval "#{gasire}#" mov gasire, $RESULT findmem gasire, bazacod mov adresa_p, $RESULT cmp adresa_p, 0 ifeq msg "Pointer negasit" pause endif ifa eval "MOV EAX, DWORD PTR[{adresa_p}]" log $RESULT, "" cmp ecx, 401000 ifa eval "MOV ECX, 00{ecx}" log $RESULT, "" endif cmp edx, 401000 ifa eval "MOV EDX, 00{edx}" log $RESULT, "" endif mov pozitie, eip eval "CALL 0{pozitie}" log $RESULT, "" jmp GASIRE_RET vb6: findmem #5642??21#, bazacod mov variabilapush, $RESULT cmp variabilapush,0 ifeq msg "Pattern not found for push value - VB6" jmp Sfarsit endif eval "PUSH 00{variabilapush}" LOG $RESULT, "" asm eip, $RESULT mov variabilacall, eip-6 eval "CALL 00{variabilacall}" LOG $RESULT, "" asm eip+5, $RESULT jmp Sfarsit C_plus: bc bphwc bpmc BPRM bazacod, marimecod erun MOV intrarecallc, eip EVAL "CALL {intrarecallc}" log $RESULT, "" ASM INTRARE, $RESULT bc bphwc bpmc rtr esti BPRM bazacod, marimecod erun MOV jmpc, eip EVAL "JMP {jmpc}" log $RESULT, "" ASM INTRARE+5, $RESULT jmp Sfarsit Sfarsit: msg "Script is finished"
  48. 1 point
    Small modification of ragdog's idea: 1) breakpoint on LoadBitmapA; 2) look at parameters to the call: 0012F740 00AC119D /CALL to LoadBitmapA from 00AC1198 0012F744 00AC0000 |hInst = 00AC0000 0012F748 00AC3000 \RsrcName = "MyBitmap" So, the DLL is loaded at address AC0000. 3) Dump memory at address AC0000. I used PETools, so it calculated size of dump automatically (EC000 bytes). But you can always use other tool and dump more memory, it won't hurt. 4) Open dump with CFF and use its resource editor function to extract BMP.
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
×
×
  • Create New...