Jump to content
Tuts 4 You


  1. kao


    Full Member+

    • Points


    • Content Count


  2. TobitoFatito


    Full Member

    • Points


    • Content Count


  3. CodeExplorer



    • Points


    • Content Count


  4. Teddy Rogers

    Teddy Rogers


    • Points


    • Content Count


Popular Content

Showing content with the highest reputation since 06/02/2020 in all areas

  1. 13 points
    awesome_msil_Out.exe Approach: 1. Necrobit is a jit protection, so we use Simple MSIL Decryptor by CodeCracker , and it shall be ran on NetBox 2. Code virtualization is a relatively new feature of .net reactor, added in version Here is the approach i took (i did this about 6 months ago so my memory is kinda rusty ) : (Click spoiler to see hidden contents)
  2. 6 points
    I am referring to threads and posts like these: If a solution is selectively provided only to the OP by PM then it defeats the whole purpose of the Crackme/Unpackme section. In such cases, the solution provider should not even be acknowledged unless they provide working steps for everyone to learn from. This forum is a learning platform and if solution providers are expected to share the methodologies that they used for the solution. Here is yet another thread where the posts from the solution providers who gave vague steps was approved: Basically another thread containing "show-off" posts by the solution poster. Nothing practical provided and no proper steps were shown. I mean, take this for example (from this post): EXAMPLE 2 Basically useless. It's like saying that to climb the Himalayas one needs will-power, good training, a lof of good mountaineering tools, food packs etc and that one has to read up a lot of good manuals and practice on smaller mountains first... Only posts in the Challenges section which detail proper steps which are actually reproducible should be approved by the mods. OR... ALL POSTS there should be approved from anyone. Why just approve the "show-off" posts? Are we expected to "beg" the solution poster via PM for the steps? I am quite sure that my post may get deleted, since any posts which speak the truth seem to get selective get deleted these days, but nevertheless I wanted to bring up this point! Another example of an approved post where NO STEPS were provided:
  3. 4 points
    In my opinion that solution will be acceptable only if the tool used is public.
  4. 4 points
    This is really the key point that probably should be the requirement for a post to be accepted. A solution should be reproducible, not a list of private tools that are used. Private tools are, as their name implies, private, and by definition that means it is everything but reproducible (unless this tool is shared with the reader of the solution). The only person benefiting from such a reply is the respondent themselves in the form of an ego boost. Not very productive if you'd ask me.
  5. 4 points
    It's a really good question. The answer really depends. Let me give you few recent examples. Example #1: Extreme Coders names the tools and explains HOW to solve the crackme. A lot of effort is required but all the tools can be found via Google. So I have zero issues with the solution. Example #2: Prab names the tools but no explanation is given. "x86 retranslater" definitely cannot be found not on Google. "Clean control flow" tells the obvious thing but it doesn't explain HOW to do that. What's the point of such solution? The only thing reader will learn from this is that he needs a magic wand that he can't have.
  6. 4 points
    View File Reactor v6.3 Try to unpack or alternatively provide a serial. Protections used: Necrobit Antitampering Antidebug Obfuscation Code Virtualization + Shield with SNK Submitter whoknows Submitted 06/10/2020 Category UnPackMe (.NET)  
  7. 2 points
    Pawning 40 CTFs simultaneously
  8. 2 points
    My work machine has normally running MS Teams (2GB right there..), Outlook (250MB), Chrome with 40+ tabs (6+GB), Visual Studio, 1-2 VMware Guests and IDA. Would I expect it to magically work with 8GB of RAM? F*ck no! Sure, you can find a tool that hacks around and maybe reduces the symptoms. But it doesn't fix the problem. The actual problem is that your machine is severely under-powered for that sort of a workload. Another 8GB of RAM would be a proper way to solve those issues. And it costs ~40EUR - which is less than 1-2 hours of your time you probably spent googling for such "tool".
  9. 2 points
    https://docs.microsoft.com/en-us/dotnet/api/system.string.concat Get the next 50 elements and concat them, then repeat. If you want to add a delimiter for every text use Join instead. https://docs.microsoft.com/en-us/dotnet/api/system.string.join?view=netcore-3.1#System_String_Join_System_String_System_String___ You should consider taking a programming course.
  10. 2 points
    I was facing the Same thing from long time. Here I've raised my Voice - that It makes no sense to upload Cleaned file or saying that I used de4dot modded Private bla bla bla. Some People are like, Read the Assembly language or see de4dot or VM and you will know. Oh Ghosh does it make any sense? No there's a no sense of saying this. Consider, Someone ask me How to Decrypt the encrypted Password? So Should I answer him Remember the Table of 2 to 30 or learn Counting and Alphabet. It's make no sense. Mostly Comments are like "I use My Private Tools" "I used modded de4dot" I used "Lamp of Aladdin" I used "Poseidon Trident 🔱" OH God, If You can't share or can't atleast explain little bit manual stuff, Then the Solution is utter nonsense and useless. I also think, We should allow solutions which actually are descriptive.
  11. 2 points
    Thanks to "Extreme Coders", I've never programmed in python before, but after reading all your public material and following the recommended steps in this thread I've been able to desofuscate the code. If they tell you how to do it you will understand it, but if they guide you and you have to discover how to do it you will learn martisor_unpacked.py
  12. 2 points
    Is this a hidden feature of the protection or does the app just not work?
  13. 2 points
    Not necessary to unpack to get the key. Key: Steps :
  14. 1 point
    CSRF tokens https://stackoverflow.com/a/33829607 https://www.hhutzler.de/blog/using-curl/ https://www.google.com/search?q=curl+login+with+CSRF -- On all modern login system there are 'validation' like this... What I have done in the past, is to use CefSharp library (or even the plain WebBrowser of .NET frm), load the page @ browser set the values to inputboxes and submit the form to the server by clicking the submit button by JS code. ex document.querySelector('.ovm-ClassificationBarButton-18'); restoreTAB.click();
  15. 1 point
    Well it's true though right? Every OS upgrade adds more background services, more memory consumption. They always seek to maximally utilize the resources. You basically need a multi core with high RAM to do anything interesting nowadays. By forcing hardware upgrades, they sell more licenses so there is justification for this business strategy. My father told me in the 1970s these same things went on. So it's much older. They never rewrote the code to be more efficient because they wanted the system always busy so they could justify its use and further upgrades. Some things never change Does not leave us consumers with much options. As you correctly point out, tools like this are never as reliable or well understood as the OS choosing to be more efficient or flexible. To prove it further, Microsoft does not do much to stop Win10 cracks. But put a minimal Win10 with the bloat stripped out and they will DMCA it at light speed. Priorities! Instead of designing to run on certain hardware configurations as claimed, they in reality design it not to run on certain hardware specs.
  16. 1 point
    @akkaldama: I use browser tabs as bookmarks for commonly used staff. Browser tab is one click away, bookmark is "..."->"Bookmarks->Find the folder and click->Scroll down and click. Way too slow. If you want details, most of it is Kibana, Apache Impala queries and company internal system dashboards/interfaces. And I didn't say it's "normal", I said that it's unreasonable to expect that to work without a proper amount of RAM. EDIT: oh I see.. It should be "has usually/commonly running". Sorry for my Engrish.
  17. 1 point
    Often servers have global settings and per domain or IP settings. So globally require SSL is on. But only the IPv4 address is configured for the redirect. The redirect should have been global possibly or defined also for the IPv6. Actually usually it's done on domain names which makes more sense. There are further tricks since SSL can validate IPs and there is some complexity to getting all this to work right in all scenarios such as shared certificates for multiple domains, etc.
  18. 1 point
    This site (in Chinese) explains a bit about that last parameter structure “The fourth parameter ppResult is a pointer of type PADDRINFOA, that is, a double pointer of type addrinfo” https://www.cnblogs.com/Ishore/p/4009205.html
  19. 1 point
    Your IPv4 info resembles a typical website attempting to enforce SSL where all http:// traffic is forwarded to the proper https:// instead. Your IPv6 info resembles a server misconfigured for the same thing and not properly handling the forwarding.
  20. 1 point
    Bed_ControlFlow_Remover.rar x86_Retranslater.rar I can't give you the rest of em ( i don't have permission to share them, hope you understand me).
  21. 1 point
    part 2 https://hot3eed.github.io/2020/06/22/snap_p2_deobfuscation.html
  22. 1 point
    This is just a follow up as all too often someone makes a post about something then that is it nothing else. I was fortunate enough to chat with someone on another forum and i was able to make a dump of the bios, and he was able to give me the original password in a couple of minutes, and this has got me interested in the bios dump itself and what it contains. Yes i could have attempted to use CmosPwd 5 or try to reset it with pulling Cmos out for 20 mins, but I'm not sure that would work anymore. The old trick of mistyping the password 3 times to get the code followed by using bios-pw does not work on these newer bios, you still have 3 attempts but no longer do you get a code just a freeze/lock which then means you have to restart the device and start over
  23. 1 point
    Used it quite a lot - the speed will depend largely on your GPU though I suggest you take the time to read through the different attack types. Some of the custom permutations and things are super powerful - I usually have more success with those on a small, well thought out dict (<5MB) than just using a massive dictionary file.
  24. 1 point
    Bro i agree with your each word my full vote for you and also @BlackHat words also... I need to tell one thing for all if past reverse they don't let some revering learning sufft then new reverse will never born..
  25. 1 point
    Thanks @Teddy Rogers I agree with you but posts saying things like "He shared the solution with me via PM" and such should not be approved. That way, anyone would not be able to show-off that they solved it. If they want their post(s) to be featured on the Challenge threads as having solved something, then the requirement should strictly be that they should post a solution that anyone would be able to replicate. If any special tools are required, then unless they are willing to share the tools, their post should not be accepted. That way, one would either have to post a proper solution along with the tools used or, if they do not want to share their tools, remain silent. I am sure that some would not want to share their tools but in that case they should not get the opportunity to make posts that just serve to boost their ego. If they are not willing to share their "private tools" that they used to arrive at the solution, then their solution (or even their post which just shows the final answer without the steps or tools) should not be approved at all. Otherwise, one could just say that they used a "private tool" for every crackme/unpackme (when in reality, they just used public tools), in order to avoid detailing the steps. So, unless they are willing to share the "private tools", it does make their answer any more useful to the rest of us. While we do not expect an essay or a full video tut of very detailed steps, a person with a reasonable knowledge of RE should be able to replicate the solution with the "steps" that they provide. For example, just saying that they used DnSpy and IL Spy to solve it would be rather useless... I would say that this is more like solving a trigonometry or an algebra problem back in high school where one is expected to provide the "steps" that they performed to arrive at the solution. One would be expected to provide just enough detail so that anyone reading it would be able to (reasonably) understand how to solve similar problem.
  26. 1 point
    @Prab Do you write some tools yourself? I think you can't clean this file just with these tools, such as: Does `Constants Decryptor` support `sizeof` instruction? Do you write tools yourself to convert `sizeof` to `ldc`?
  27. 1 point
    Unpacked! So here's what i did. Removing the antitamper is really difficult if you're going to decrypt the methods by executing the method decrypt call in <module>.cctor. I think this is caused by the function that modifies some parts of metadata. The function is placed before the method decrypt function and after PE section finding part. So what i did was i modified abugger's antitamper remover and it pretty much worked. After antitamper was removed, it somehow created an error when decompressing constant data. Anyways, im too lazy to find out how removing antitamper was causing that. I just executed the original file and grabbed the decompressed byte array value for constant and moved the initializer in <module>.cctor. After that, i resolved the values of mutations. If i remember, there were sizeof, convert.toint32, math.(function) and int/short.parse. After the mutations, all you need to do is to convert the fields to locals, calli to call, resolve the delegates, and resolve and remove the proxy call delegates. You have to make your own approach on removing the proxy call delegates on this one. The values of the delegates are initialized at <module>.cctor. here's the result of what i did. (manually cleaned junk types). Unpackme_cleaned.exe screenshot:
  28. 1 point
    Personally, I like to use the Scylla plugin of x64dbg, doing it manually by going to the memory map of x64dbg and dump the relevant memory ranges from there, or using WinDbg .writemem or the !savemodule sos extension command, depending on which debugger I am using at the moment. Also, once you're able to open the app in dnSpy, dnSpy can also reconstruct .NET modules from memory, by going to Debug > Windows > Modules and then right clicking the module you want to dump. There are probably also other tools out there that can do the same.
  29. 1 point
    asking me ? hope @Reza-HNA PM u.
  30. 1 point
    By seeing the number of imports on your screenshot and the ollydbg.exe in upper case i would guess you tried this on ollydbg v1.10, not on ollyv2 The description don't mention it here but that thing is for v2, if you look inside the readme of the archive, it says (in french) that the code has been rewrote for olly 2. So try with v2, or recompile the dll for v1. Also i'm checking the src and this can really be improved more. Especially for the v2 as if you rename ollydbg.exe to blabla.exe, then it will look for blabla.ini, but OllyPath2 will create only 'ollydbg.ini' as this string is in hard inside.
  31. 1 point
    without debugger detection awesome.vmp_nodbg.rar
  32. 1 point


    Today I release - finally - the series of unpacking tutorials about manually unpacking The Enigma Protector. I will discuss all protections of Enigma which are fully detailed as possible. I have to say thanks to LCF-AT, she helped me a lot with this. Introduction ~ 9:28 Unpacking with patterns ~ 33:03 Finding patch-places without patterns ~ 19:56 Dealing with SDK API's & Custom Emulated API's ~ 28:23 Internal & External VM's (Using Plugin) ~ 5:40 Enigma's Registration Scheme ~ 15:37 EN-DE-Cryption ~ 33:21 Inline patching + Final Words ~ 11:56
  33. 1 point
    Thought I might create a thread to collect articles/papers that bring machine learning to rce... https://medium.com/@alon.stern206/cnn-for-reverse-engineering-an-approach-for-function-identification-1c6af88bca43
  34. 1 point
    Hello everyone , I hope you're doing good , I've been searching for a while about how to write a plugin for OllyDbg , with the help of the (plugin api unit) I was able to make a simple plugin that retreives the value of the flag (BeingDebugged) which is used by the function (IsDebuggerPresent) . now the problem is that i still can't change that byte . The function WriteProcessMemory isn't working , can you give me some help please , here's the full code : thanks in advance library AADebug; uses SysUtils, plugin, windows, Classes; {$R *.res} type PEB = record Reserved1: array [0 .. 1] of Byte; BeingDebugged: Byte; Reserved2: Byte; Reserved3: array [0 .. 1] of Pointer; Ldr: Pointer; Reserved4: array [0 .. 102] of Byte; Reserved5: array [0 .. 51] of Pointer; PostProcessInitRoutine: Pointer; Reserved6: array [0 .. 127] of Byte; Reserved7: Pointer; SessionId: ULONG; end; PROCESS_BASIC_INFORMATION = record Reserved1: Pointer; PebBaseAddress: Pointer; Reserved2: array [0 .. 1] of Pointer; UniqueProcessId: cardinal; Reserved3: Pointer; end; resourcestring PLUGIN_NAME = 'Anti IsDebuggerPresent'; var g_hwndOlly: HWND; // OllyDbg Window Handle ProcessBasicInfo : PROCESS_BASIC_INFORMATION; Length:cardinal; EB : PEB; function ODBG_Plugininit(ollydbgversion:Integer;hWndOlly:HWND;features:PULONG):Integer;cdecl; begin g_hwndOlly := hWndOlly; Addtolist(0, 0, pchar(PLUGIN_NAME)); Result := 0; end; function ODBG_Plugindata(name: PChar): integer; cdecl; begin StrLCopy(name, PChar(PLUGIN_NAME), 32); Result := PLUGIN_VERSION; end; function NtQueryInformationProcess(ProcessHandle: THANDLE; ProcessInformationClass: DWORD; ProcessInformation: Pointer; ProcessInformationLength:ULONG; ReturnLength: PULONG): LongInt; stdcall; external 'ntdll.dll'; procedure Getinfo; var debugee,PID : THandle; buffer : byte; begin buffer := $00; PID := PluginGetValue(VAL_PROCESSID); debugee := OpenProcess(PROCESS_ALL_ACCESS,False,PID); NtQueryInformationProcess(debugee,0,@ProcessBasicInfo,sizeof(ProcessBasicInfo),@length); readprocessmemory(debugee,ProcessBasicInfo.PebBaseAddress,@EB,sizeof(EB),length); writeprocessmemory(debugee,@EB.beingDebugged,@buffer,sizeof(buffer),length); messagebox(g_hwndOlly,pchar('BeingDebuggedFlag : '+ inttostr(EB.beingDebugged)),pchar('info'),MB_ICONINFORMATION); end; procedure ODBG_Pluginaction(origin:Integer; action:Integer; pItem:Pointer);cdecl; begin if (origin = PM_MAIN) then begin Getinfo; end; end; exports ODBG_Plugininit name '_ODBG_Plugininit', ODBG_Plugindata name '_ODBG_Plugindata', ODBG_Pluginaction name '_ODBG_Pluginaction'; begin end.
  35. 1 point
    You're writing to the wrong address. It should be something like: WriteProcessMemory(debugee,pointer(dword(ProcessBasicInfo.PebBaseAddress) + 2),@buffer,sizeof(buffer),length); Since Delphi doesn't have a pretty way to get field offset, I had to hardcode the "2" instead of writing something prettier like "offsetof(PEB, BeingDebugged)". You could do some of the ugly tricks mentioned here: https://stackoverflow.com/questions/14462103/delphi-offset-of-record-field but to me it's not worth the effort.
  36. 1 point
  37. 1 point
    I Released a way of patching these vm's, here https://github.com/TobitoFatitoNulled/Venturi77CallHijacker but you'll need to manually inject agile for now (will try to fix the issue asap tho.
  38. 1 point
    password: "viva la revolution" How the password verified? Here, check my entered password against the correct one, both encrypted. Obviously, the encrypted password at RVA 00011054 is 18 characters long. But, what is the encryption or decryption algorithm? Don't dive into that, instead I assume the algorithm is symmetrical. This time, I entered the right length password "123456789012345678". At entry of the subroutine, Ecx=004FF534, we can find the entered password at allocated buffer 008F0000: Copy and paste with the correct cipher password from RVA 00011054: 008F0000 12 EC C5 CB AC FC 86 96 23 7C 7D 57 46 5C 43 4F 008F0010 56 2D 2A 00 Run to the end of loop at 01323461, we got: 008F0000 12 76 69 76 61 20 6C 61 20 72 65 76 6F 6C 75 74 .viva la revolut 008F0010 69 6F 6E 00 ion.
  39. 1 point
    my confuserex unpacker works for this with one slight modification in the anti tamper find method it fails just make it find anti tamper (easiest way just change the if (sections.Count == 3) from a 3 to a 2 this will then fix it and static route work 100%
  40. 1 point
    Can't you repost this challenge but with x64 version of vmp? (If you are struggling finding such a version pm-me)
  41. 1 point
    Hacking Android Apps Using Backup Techniques http://resources.infosecinstitute.com/android-hacking-security-part-15-hacking-android-apps-using-backup-techniques/ Cracking Android App Binaries http://resources.infosecinstitute.com/android-hacking-security-part-17-cracking-android-app-binaries/ Android Application hacking with Insecure Bank Part 4 http://resources.infosecinstitute.com/android-application-hacking-with-insecure-bank-part-4/ Android Application hacking with Insecure Bank – Part 3 http://resources.infosecinstitute.com/android-application-hacking-with-insecure-bank-part-3/ Android Application hacking with Insecure Bank Part 2 http://resources.infosecinstitute.com/android-application-hacking-insecure-bank-part-2/ Android Application hacking with Insecure Bank Part 1 http://resources.infosecinstitute.com/android-application-hacking-insecure-bank-part-1/ Understanding Disk Encryption on Android and iOS http://resources.infosecinstitute.com/understanding-disk-encryption-android-ios/ Getting Started with Android Forensics http://resources.infosecinstitute.com/getting-started-android-forensics/ Penetration Testing Apps for Android Devices http://resources.infosecinstitute.com/pen-test-apps-android-devices/ Android Hacking and Security, Part 3: Exploiting Broadcast Receivers http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/ Android Hacking and Security, Part 2: Content Provider Leakage http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/ Android Hacking and Security, Part 1: Exploiting and Securing Application Components http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/ Android Application Security Testing Guide: Part 2 http://resources.infosecinstitute.com/android-app-sec-test-guide-part-2/ Android Application Security Testing Guide: Part 1 http://resources.infosecinstitute.com/android-application-security-testing-guide-part-1/ Exploiting Debuggable Android Applications http://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/ Android App Permissions and Security: What You Need to Know http://resources.infosecinstitute.com/android-app-permissions-security-need-know/ Security and Hacking apps for Android devices http://resources.infosecinstitute.com/security-hacking-apps-android/ Android Forensics: Cracking the Pattern Lock Protection http://resources.infosecinstitute.com/android-forensics-cracking-the-pattern-lock-protection/ Sniffing Network Traffic on Android http://resources.infosecinstitute.com/sniffing-network-traffic-android/ Creating a kewl and simple Cheating Platform on Android https://deepsec.net/docs/Slides/2014/Creating_a_kewl_and_simple_Cheating_Platform_on_Android_-_Milan_Gabor-Danijel_Grah.pdf Racing with DROIDS http://2014.zeronights.org/assets/files/slides/racingwithdroids.pdf Steroids for your App Security Assessment http://2014.zeronights.org/assets/files/slides/grassi.pdf Hey, we catch you - dynamic analysis of Android applications https://pacsec.jp/psj14/PSJ2014_Wenjun_Hey- We Catch You - Dynamic Analysis of Android Applications.pdf An Infestation of Dragons: Exploring Vulnerabilities in the ARM TrustZone Architecture https://pacsec.jp/psj14/PSJ2014_Josh_PacSec2014-v1.pdf Making Android's Bootable Recovery Work For You http://matasano.com/research/eko2014_recovery.pdf Mobile Hacking – Reverse Engineering the Android OS http://www.slideshare.net/EC-Council/hacker-halted-2014-reverse-engineering-the-android-os MAN IN THE BINDER: HE WHO CONTROLS IPC, CONTROLS THE DROID https://www.blackhat.com/docs/eu-14/materials/eu-14-Artenstein-Man-In-The-Binder-He-Who-Controls-IPC-Controls-The-Droid.pdf Hide Android Applications in Images https://www.blackhat.com/docs/eu-14/materials/eu-14-Apvrille-Hide-Android-Applications-In-Images.pdf BREAKING “SECURE” MOBILE APPLICATIONS http://conference.hitb.org/hitbsecconf2014kul/materials/D2T1 - Dominic Chell - Breaking Secure Mobile Applications.pdf TACKYDROID: Pentesting Android Applications in Style http://conference.hitb.org/hitbsecconf2014kul/materials/D2T2 - Chris Liu and Matthew Lionetti - TackyDroid.pdf Android Forensics: The Joys of JTAG https://ruxcon.org.au/assets/2014/slides/tty0x80-Ruxcon Presentation-12th-October-2014-for-release.pdf Enter The Snapdragon! https://www.hacktivity.com/en/downloads/archives/319/ A distributed approach to malware analysis https://speakerdeck.com/nviso/a-distributed-approach-to-malware-analysis-brucon-0x06-daan-raman Bypassing wifi pay-walls with Android http://www.slideshare.net/rootedcon/pau-olivafora-rootedcon2014 Play Flappy Bird while you pentest Android in style http://hitcon.org/2014/downloads/P1_10_Chris Liu - Matthew Lionetti - TackyDroid Slides.pptx On the Feasibility of Automa3cally Generating Android Component Hijacking Exploits http://hitcon.org/2014/downloads/P1_09_Daoyuan Wu - On the Feasibility of Automatically Generating Android Component Hijacking Exploits.pdf Peeking into Your App without Actually Seeing it: UI State Inference and Novel Android Attacks https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-chen.pdf ASM: A Programmable Interface for Extending Android Security https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-heuser.pdf Android Packers:Separating from the pack http://www.fortiguard.com/paper/Android-Packers--Hacktivity2014/ Sprobes: Enforcing Kernel Code Integrity on the TrustZone Architecture http://mostconf.org/2014/slides/s2p3-slides.pdf A Systematic Security Evaluation of Android's Multi-User Framework http://mostconf.org/2014/slides/s3p3-slides.pptx Enter Sandbox: Android Sandbox Comparison http://mostconf.org/2014/slides/s3p1-slides.pdf Exploiting the Bells and Whistles: Uncovering OEM Vulnerabilities in Android http://thecobraden.com/uploads/Valletta - CarolinaCon X - Exploiting the Bells and Whistles.pdf Execute this! Looking into code-loading techniques on Android http://warsaw2014.honeynet.org/slides/honeynet2014-day1-Sebastian.pdf Post-Mortem Memory Analysis of Cold-Booted Android Devices http://www.homac.de/publications/Post-Mortem-Memory-Analysis-of-Cold-Booted-Android-Devices-slides.pdf Tricks for image handling in Android http://www.slideshare.net/tyronenicholas/devoxx-images-android Pentesting Android Applications http://www.slideshare.net/clviper/pentesting-android-applications Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware http://www.syssec-project.eu/m/documents/eurosec14/RATVM.pdf Pre-installed Android application poisoning https://speakerdeck.com/owaspjapan/pre-installed-android-application-poisoning-number-appsecapac2014 AirBag: Boosting Smartphone Resistance to Malware Infection http://yajin.org/papers/ndss14_airbag.pdf SMV-Hunter: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps https://www.utdallas.edu/~zxl111930/file/NDSS14b.pdf AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications http://sycurelab.ecs.syr.edu/~mu/AppSealer-ndss14.pdf Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications https://anonymous-proxy-servers.net/paper/android-remote-code-execution.pdf DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket http://filepool.informatik.uni-goettingen.de/publication/sec//2014-ndss.pdf Reverse Engineering, Pentesting and Hardening of Android Apps https://speakerd.s3.amazonaws.com/presentations/25bc54e0728001318b20063debaef239/DroidconIT2014.pdf Predatory Hacking of Mobile: Real Demos http://www.rsaconference.com/writable/presentations/file_upload/mbs-w03-predatory-hacking-of-mobile-real-demos-v2.pdf Touchlogger on iOS and Android http://www.rsaconference.com/writable/presentations/file_upload/mbs-w01-touchlogger-on-ios-and-android-v2.pdf Beginners Guide to Reverse Engineering Android Apps http://www.rsaconference.com/writable/presentations/file_upload/stu-w02b-beginners-guide-to-reverse-engineering-android-apps.pdf Mobile Analysis Kung Fu, Santoku Style http://www.rsaconference.com/writable/presentations/file_upload/anf-w03-mobile-analysis-kung-fu-santoku-style_v2.pdf Android FakeId Vulnerability https://bluebox.com/technical/blackhat-fake-id-talk-material-and-follow-up/
  42. 1 point
    Perhaps It was about time I should share my tool with you guys. This is a Debugger and Devirtualizer for VMP virtualized code. Notice that When I mean devirtualizer, I mean it shows what machine instructions it executes (not the actual x86 original code). Allows you to debug and place breakpoints. Please try it, and if you like it, please develop it further. Confused? Read the intro.txt file and try to follow the example. VMPDBG_0_1_0_SRC.zip
  43. 1 point
    Frankly speaking, it's a challenging experiment I've never done before. I decided to take a try.On the WM_INITDIALOG message, a thread of which the lpStartAddress is 00401233 was created. The ThreadProc takes care of all the VK_1 ~ VK_7 keystrokes. This thread function itself is a loop, exits if user32.EndDialog flag set. vKey Functions00401259 E8 9F000000 CALL 004012FD ; VK_10040126F E8 E9000000 CALL 0040135D ; VK_200401285 E8 3F010000 CALL 004013C9 ; VK_30040129B E8 95010000 CALL 00401435 ; VK_4004012B1 E8 EB010000 CALL 004014A1 ; VK_5004012C7 E8 41020000 CALL 0040150D ; VK_6004012E0 E8 94020000 CALL 00401579 ; VK_7004012FD E9 24850000 JMP 004098260040135D E9 4F9B0000 JMP 0040AEB1004013C9 E9 2BC30000 JMP 0040D6F900401435 E9 3CD40000 JMP 0040E876004014A1 E9 C26B0000 JMP 004080680040150D E9 CD7E0000 JMP 004093DF00401579 E9 A9730000 JMP 00408927You can see, all jumps go to the ".vmp0" section, which means these functions are mutated or virtualized. Let's dive into several subroutines to look for something fun. As HellSpider stated, "most of the virtualized blocks of code are quite similar with each other." Procedures almost the same, call user32.wsprintfA to get the message and user32.MessageBoxA to display it. We focus mainly on how the "Control value" generated and on different features in the subroutine. ************* 004012FD VK_1 ************* Control Value: 0x04E6509A This part is for mutation demo, relative ease. Lots of branches VMProtect produced. Basically, all forks do identical operation, the result can be reached simply by tracing the main routine only. After demutation, the equivalent asm instructions look like: 004012FD C8 000100 ENTER 0x100, 0x000401301 60 PUSHAD00401302 9C PUSHFD00401303 BB 06000000 MOV EBX, 0x600401308 B8 E1020000 MOV EAX, 0x2E10040130D 33D2 XOR EDX, EDX0040130F F7FB IDIV EBX ; 05:7A00401311 83C2 03 ADD EDX, 0x3 ; 0800401314 92 XCHG EAX, EDX00401315 33C2 XOR EAX, EDX ; 7200401317 33D2 XOR EDX, EDX ; <- this seems useless00401319 69C0 B5000B00 IMUL EAX, EAX, 0xB00B5 ; 04E6509A0040131F 8D5C24 24 LEA EBX, [ESP+0x24]00401323 50 PUSH EAX ; Control value00401324 68 03214000 PUSH 0x402103 ; ASCII "VMProtect Mutation block has been executed!",CR,LF,CR,LF,"Control value: 0x%08X"00401329 53 PUSH EBX ; lpOut0040132A E8 E7020000 CALL 00401616 ; <JMP.&user32.wsprintfA>0040132F 83C4 0C ADD ESP, 0xC00401332 6A 40 PUSH 0x40 ; uType, combination of flags: MB_OK|MB_ICONASTERISK|MB_APPLMODAL00401334 68 5C204000 PUSH 0x40205C ; Title = "DevirtualzeMe"00401339 53 PUSH EBX ; Text: the message to be displayed0040133A FF75 08 PUSH DWORD PTR [EBP+0x8] ; hWnd of owner0040133D E8 F2020000 CALL 00401634 ; <JMP.&user32.MessageBoxA>00401342 9D POPFD00401343 61 POPAD00401344 C9 LEAVE00401345 C2 0400 RETN 0x4It can be considered as a template of the rest subroutines, only the algorithms of Control Value are different from each other. The only doubt here is Control Value algo. What is the mutation? "replacing the source instruction with its analog (or a certain instruction sequence), which gives the same result as the source instruction.", VMProtect officially claimed. So, I'm not very sure whether the control value algo does exist. Maybe the control value just PUSHed out there. It's hard to say, need HellSpider to confirm this.Note: the above patch works only when key '1' pressed, never stroke other number key, it crashes certainly. This area is full of the VM interpreter/handler code. ************* 0040135D VK_2 ************* Control Value: 0x0546416E Algorithm: 0000281B (= 00000009 ^ 00002812)0000281B ROR 3 = 60000503Low Byte 03 ^ 45(IMM) = 4660000546 SHL 10 = 0546000005460000 | 416E = 0546416EThis function is simply virtualized without additional options. Again, similar to mutation, it's also difficult to identify the primitive constants used in a target before getting protected. The only thing I can do is to guess from the hardcode immediates in this portion of virtualized bytecode. This part roughly covers 0x229 virtual machine instructions, not so complicated. ************* 004013C9 VK_3 ************* Control value: 0x0D619F21 Since virtualized with the "VM integrity check option", it's much sophisticated than the above. It's a painful journey, you’re gonna get brain-burned from this stuff!We trace the Control Value first. Here is an excerpt of virtual instructions executed for the Control Value calculation: HIWORD------StepNum. vEIP vOpcode Operand-------- ---- ------- -------000000C1 00407674: vPushImm4 8D175218000000C2 0040766F: vPushImm4 0040849E000000C3 0040766A: vPushImm4 ABD7E33F000000C4 00407665: vPushImm4 0040A816000000C5 00407660: vReadMemDs4 54281CC8 = [0040A816]000000C6 0040765F: vAdd4 54281CC8 + ABD7E33F = 00000007000000C8 0040765C: vPopReg4 vR1 00000007000000C9 0040765A: vReadMemDs4 72E8B450 = [0040849E]000000CA 00407659: vAdd4 72E8B450 + 8D175218 = 00000668000000CC 00407656: vPopReg4 vR14 00000668 dw [0040A816] = 54281CC8 + IMM32 ABD7E33F = 00000007 dw [0040849E] = 72E8B450 + IMM32 8D175218 = 00000668000000EE 0040761E: vIdiv4 00000000 00000668 / 00000007 = Q000000EA R00000002000001A7 004088E2: vAdd4 000000EA + 00000007 = 000000F10000029F 004088E2: vAdd4 000000EA + 000000F1 = 000001DB000003A3 00407FF9: vPushImm1 00000059000003A5 00407FF2: vPushImm4 80F30437000003C0 00407FB5: vReadMemDs4 7F0D323A = [00409269]000003C1 00407FB4: vAdd4 7F0D323A + 80F30437 = 00003671 dw [00409269] = 7F0D323A + IMM32 80F30437 = 00003671000003C4 00407FAF: vNand4 000001DB ~& 00003671 = FFFFC804000003C8 00407FAA: vNand4 FFFFC804 ~& FFFFC804 = 000037FB => 000001DB | 00003671 = 000037FB000003CB 00407FA5: vReadMemDs1 000000A9 = [0040882C]000003CC 00407FA4: vAdd1 000000A9 + 00000059 = 00000002 <- shift count b [0040882C] = A9 + IMM 59 = 02000003D1 00407F9D: vShrd 000037FB 000037FB >> 00000002 = C0000DFE 000037FB shrd 02 = C0000DFE <- *** byte3 0x0D shows up000003D4 00407F98: vPushImm1 00000059 IMM 59000003D5 00407F96: vPushImm4 0040862E000003D6 00407F91: vReadMemDs1 00000046 = [0040862E] b [0040862E] = 46000003D7 00407F90: vPushImm1 0000006F000003D8 00407F8E: vPushImm4 0040ADD1000003D9 00407F89: vReadMemDs1 000000A1 = [0040ADD1] b [0040ADD1] = A1000003DA 00407F88: vPushImm2 00006D8A000003DB 00407F85: vPushImm4 00410569000003DC 00407F80: vPushImm1 00000074 IMM 74000003DD 00407F7E: vPushImm4 0040BFD3000003DE 00407F79: vReadMemDs1 000000EC = [0040BFD3] b [0040BFD3] = EC + IMM8 74 = 60000003DF 00407F78: vAdd1 000000EC + 00000074 = 00000060000003E1 00407F75: vPushReg1 vR13LB 000000FE here vR13=C0000DFE(Step #000003D1)000003E2 00407F73: vPushReg1 vR13LB 000000FE000003E3 00407F71: vNand1 000000FE ~& 000000FE = 00000001000003E4 00407F70: vPopReg4 vR0 00000202000003E5 00407F6E: vNand1 00000001 ~& 00000060 = 0000009E000003E6 00407F6D: vPopReg4 vR0 00000282000003E7 00407F6B: vPushImm1 000000C9000003E8 00407F69: vPushImm4 00407567000003E9 00407F64: vReadMemDs1 000000D6 = [00407567]000003EA 00407F63: vAdd1 000000D6 + 000000C9 = 0000009F b [00407567] = D6 + IMM8 C9 = 9F000003EB 00407F62: vPopReg4 vR10 00000287000003EC 00407F60: vPushReg1 vR13LB 000000FE000003ED 00407F5E: vNand1 000000FE ~& 0000009F = 00000000000003EE 00407F5D: vPopReg4 vR7 00000246000003EF 00407F5B: vNand1 00000000 ~& 0000009E = 00000061 => 9F ^ FE = 61 <- *** byte2000003F0 00407F5A: vPopReg4 vR1 00000202000003F1 00407F58: vPopReg1 vR13LB 00000061 now vR13=C0000D61000003F2 00407F56: vReadMemDs2 00009276 = [00410569]000003F3 00407F55: vAdd2 00009276 + 00006D8A = 00000000000003F4 00407F54: vPopReg4 vR1 00000257000003F5 00407F52: vPushReg2 vR13LW 00000D61000003F6 00407F50: vPopReg4 vR1 00000D61000003F7 00407F4E: vAdd1 000000A1 + 0000006F = 00000010 b [0040ADD1] = A1 + IMM8 6F = 10 <- shift count000003F8 00407F4D: vPopReg4 vR10 00000213000003F9 00407F4B: vPushReg4 vR1 00000D61000003FA 00407F49: vShl4 00000D61 << 00000010 = 0D610000000003FB 00407F48: vPopReg4 vR5 00000206000003FC 00407F46: vPopReg4 vR0 0D610000 <- *** HIWORDLOWORD------000003FD 00407F44: vAdd1 00000046 + 00000059 = 0000009F b [0040862E] = 46 + IMM8 59 = 9F <- *** byte1000003FE 00407F43: vPushImm1 00000098000003FF 00407F41: vPushImm4 0040921D00000400 00407F3C: vReadMemDs1 00000089 = [0040921D] b [0040921D] = 89 + IMM8 98 = 21 <- *** byte000000401 00407F3B: vAdd1 00000089 + 00000098 = 0000002100000402 00407F3A: vPopReg4 vR10 00000A1700000403 00407F38: vPopReg1 vR0LB 00000021 now, vR0=0D61002100000404 00407F36: vPopReg4 vR10 00000A8600000405 00407F34: vPopReg1 vR0HB 0000009F now, vR0=0D619F21At this point we already have 0x405 steps, not yet including the two API calls. The computation process can be summarized and simplified as: 00000668 IDIV 00000007 => Quotient: 000000EA, Remainder: 00000002000000EA * 2 + 00000007 = 000001DB000001DB | 00003671 = 000037FB000037FB ROR 00000002 = C0000DFEC0000DFE ^ 9F = C0000D61C0000D61 SHL 00000010 = 0D6100000D610000 | 9F21 = 0D619F21The very important concept "VM integrity check" in VMProtect appears in the second half of virtualized code. There is an integrity check table. Each record in the table has a size of 9 bytes: DWORD - encrypted checking address RVABYTE - checking lengthDWORD - negative of the Valid HashChecking procedure: 1) generating a random number by vRdtsc handler 2) modulus operating the total records count of the table 3) multiplying it by the record size, got record offset in the table 4) decrypting address RVA in the record 5) computing the Hash by getHash(vCheck) handler 6) the result Hash + Valid Hash(NEG) + return address of vRet HandlerNoted here, the last step is the so-called "Silent Check"! No comparison, just a ADD operation! This implies that, if the integrity check failed, vRet will be lead to some unknown address, finally causing the application crash. Virtual instructions of this block: 00000444 00407EAC: vRdtsc 0000107E:804F0139 only LOWORD used00000451 00407E94: vNand2 32AA ~& FEC6 = 0111 ~32AA & 0139 = 011100000459 00407E83: vNand2 CDF1 ~& 0139 = 32060000045B 00407E80: vNand2 3206 ~& 0111 = CCE800000464 00407E6D: vDiv2 CCE8 / 002D = Q 048D R 001F CCE8 % 2D0000046B 00407E5E: vMul2 001F * 0009 = 00000117 idx * size = record ptr0000047B 00407E3A: vAdd4 0040642A + 00000117 = 00406541 offset in table0000048B 00407E17: vReadMemDs1 000000FA = [00406545] length: FA...000004C9 00407D95: vAdd4 B6B2EBF7 + 494D6A88 = 0000567F Offset RVA000004D0 00407D84: vAdd4 00400000 + 0000567F = 0040567F +Modulebase...000004D5 00407D7C: vCheck offset: 0040567F, length: 000000FA, Hash: A7563B85000004DE 00407D68: vReadMemDs4 58A9C47B = [00406546] NEG Hash stored in table000004DF 00407D67: vAdd4 58A9C47B + A7563B85 = 00000000 SHOULD BE ZERO!!!000004E0 00407D66: vPopReg4 vR3 00000257000004E1 00407D64: vAdd4 00000000 + 00401616 = 00401616 <- *** Silent Check000004E2 00407D63: vPopReg4 vR9 00000202 Address SHOULD BE Call user32.wsprintfA!!!000004E3 00407D61: vPushReg4 vR5 00000206000004E4 00407D5F: vPushReg4 vR0 0D619F21000004E5 00407D5D: vPushReg4 vR8 00000000000004E6 00407D5B: vPushReg4 vR2 00400000000004E7 00407D59: vPushReg4 vR15 000000EA000004E8 00407D57: vPushReg4 vR10 00C2FE84000004E9 00407D55: vPushReg4 vR7 00406541000004EA 00407D53: vPushReg4 vR4 004121F0000004EB 00407D51: vPushReg4 vR11 00C2FFA8000004EC 00407D4F: vPushReg4 vR0 0D619F21000004ED 00407D4D: vPushReg4 vR9 00000202000004EE 00407D4B: vRet 00401616 | <JMP.&user32.wsprintfA> [esp+00]: 0040E362 return address after call [esp+04]: 00C2FE84 out buffer [esp+08]: 004021A2 ASCII "VMProtect Virtualization (+ VM integrity check) block has been executed!",CR,LF,CR,LF,"Control value:..." [esp+0C]: 0D619F21 Control valueRandom Memory Check Table-------------------------Table address: 0040642A, Items: 0000002DItem. Offset <- Decrypt Length Hash Read <- NEG Hash Calc.#00000001: 00401302|BA017BA2 00000057 516DF676|AE92098A 516DF676#00000002: 00401362|BA0D7BA2 00000065 3290E84D|CD6F17B3 3290E84D...#00000020: 0040567F|B3B11BA2 000000FA A7563B85|58A9C47B A7563B85...#0000002C: 00406226|B025FBA2 000000FB 3C31C786|C3CE387A 3C31C786#0000002D: 00406321|B0055BA2 000000F6 A19E32E3|5E61CD1D A19E32E3Decrypt Algo. for Offset RVA: shrd 1F, ~, ++, shld 12, ~, ^6BA308FF, +B6B2EBF7Thereafter, the "VM Integrity Check" performed two times, each just before calling user32.MessageBoxA and vRet to return address of VK_3 subroutine.Have fun, see you.MistHill
  44. 1 point
    Hi, ok I have checked this file and bypassed also the password check. I also made a short script which does patch the ID & Pass check so that you get the file running as you can see on my picture below. ////////////////////////////////////////////////////////////// // // HWID Patch & Password Bypass Script // // Example Script for only this UnpackMe.... // // The Enigma Protector-4.3-X32 [patch HWID and unpackme] // // LCF-AT ////////////////////////////////////////////////////////////// bphwc bc alloc 1000 mov SECTION, $RESULT var ID_HOOK var PASS_HOOK var TEMP var AT exec push 0 call {GetModuleHandleA} ende add AT, 00FF2C05+eax add ID_HOOK, 000693D0+eax add PASS_HOOK, 00FE7FE6+eax bphws ID_HOOK esto bphwc mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500# mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3# gpa "lstrlenA", "kernel32.dll" mov TEMP, $RESULT eval "call {TEMP}" asm SECTION+2D, $RESULT mov [SECTION+41], SECTION gci ID_HOOK, DESTINATION mov TEMP, $RESULT eval "jmp {TEMP}" asm SECTION+48, $RESULT add SECTION, 29 eval "jmp {SECTION}" asm ID_HOOK, $RESULT sub SECTION, 29 bphws PASS_HOOK bpgoto PASS_HOOK, PASS_HOOK_STOP //////////////////////////////// RUN: esto pause pause //////////////////////////////// PASS_HOOK_STOP: cmp [esp+14], AT jne RUN mov eip, SECTION+4D bphwc esto pause ret greetz
  45. 1 point
    Small modification of ragdog's idea: 1) breakpoint on LoadBitmapA; 2) look at parameters to the call: 0012F740 00AC119D /CALL to LoadBitmapA from 00AC1198 0012F744 00AC0000 |hInst = 00AC0000 0012F748 00AC3000 \RsrcName = "MyBitmap" So, the DLL is loaded at address AC0000. 3) Dump memory at address AC0000. I used PETools, so it calculated size of dump automatically (EC000 bytes). But you can always use other tool and dump more memory, it won't hurt. 4) Open dump with CFF and use its resource editor function to extract BMP.
  46. 1 point
    return from LoadBitmapA have you the pointer of this picture ;-) Now must you dump it and write the Bitamp header Here is a example for safe the bitmap (dumper) from rohitab //if you want to save the bitmap to a file now that you have it on your computer,here (i dont take credit for this function) void SaveBitmap(char *szFilename,HBITMAP hBitmap) { HDC hdc=NULL; FILE* fp=NULL; LPVOID pBuf=NULL; BITMAPINFO bmpInfo; BITMAPFILEHEADER bmpFileHeader; do{ hdc=GetDC(NULL); ZeroMemory(&bmpInfo,sizeof(BITMAPINFO)); bmpInfo.bmiHeader.biSize=sizeof(BITMAPINFOHEADER); GetDIBits(hdc,hBitmap,0,0,NULL,&bmpInfo,DIB_RGB_COLORS); if(bmpInfo.bmiHeader.biSizeImage<=0) bmpInfo.bmiHeader.biSizeImage=bmpInfo.bmiHeader.biWidth*abs(bmpInfo.bmiHeader.biHeight)*(bmpInfo.bmiHeader.biBitCount+7)/8; if((pBuf = malloc(bmpInfo.bmiHeader.biSizeImage))==NULL) { MessageBox( NULL, "Unable to Allocate Bitmap Memory", "Error", MB_OK|MB_IConerror); break; } bmpInfo.bmiHeader.biCompression=BI_RGB; GetDIBits(hdc,hBitmap,0,bmpInfo.bmiHeader.biHeight,pBuf, &bmpInfo, DIB_RGB_COLORS); if((fp = fopen(szFilename,"wb"))==NULL) { MessageBox( NULL, "Unable to Create Bitmap File", "Error", MB_OK|MB_IConerror); break; } bmpFileHeader.bfReserved1=0; bmpFileHeader.bfReserved2=0; bmpFileHeader.bfSize=sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+bmpInfo.bmiHeader.biSizeImage; bmpFileHeader.bfType='MB'; bmpFileHeader.bfOffBits=sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER); fwrite(&bmpFileHeader,sizeof(BITMAPFILEHEADER),1,fp); fwrite(&bmpInfo.bmiHeader,sizeof(BITMAPINFOHEADER),1,fp); fwrite(pBuf,bmpInfo.bmiHeader.biSizeImage,1,fp); }while(false); if(hdc) ReleaseDC(NULL,hdc); if(pBuf) free(pBuf); if(fp) fclose(fp); }
  47. 1 point
    Hi They Mostly focus on their VM engine, and they upgraded a lot. Unpacking method is same as old version.
  48. 1 point
    Hi Here is the Unpacked File:) KinD Regards Unpacked.rar
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
  • Create New...