Tuts 4 You

Leaderboard

  1. Teddy Rogers (Administrator): Points 25, Content Count 8,847
  2. Kurapica (Full Member): Points 19, Content Count 828
  3. CodeExplorer (Moderator): Points 18, Content Count 3,083
  4. kao (Full Member+): Points 18, Content Count 2,294


Popular Content

Showing content with the highest reputation since 04/25/2020 in all areas

  1. 5 points
    What's the point of this? You ran my file under de4dot and reposted it? I can recognise my file, ya know. I intentionally left this out (I haven't finished local types yet, but I manually set the third local to int32) + I added 9 locals when only 3 get used.
  2. 5 points
    It might have a few weird instructions since I'm new to this. Crackme-cleaned-Devirtualized2.zip

    Info: This is the first version of Eaz that I analyze, so I can't say how 2019.x is different from 2020.1, but it's definitely not uncrackable.

    Steps I took (as I should have included since the beginning):
    1. Learn how CIL works / CIL fundamentals (there are some nice ebooks that I can't link here).
    2. Learn how the assembly reader/writer of your choice works (dnlib for example).
    3. Learn how a simple VM works (https://github.com/TobitoFatitoNulled/MemeVM (the original creator of this VM left, so this is a fork to keep the project alive)).
    4. https://github.com/saneki/eazdevirt - see how the previous devirt was made (and you could also check previous EazVM-protected executables).
    5. Practice your skills trying to make a MemeVM devirt; you can message me if you have any issues with this step (you can always disable renaming on MemeVM to make the process easier to understand).
    6. Start renaming an EazVM test assembly (you can make your own with the trial) with all the knowledge you got from the previous steps (and find how crypto streams are initialized, where opcodes are located and how they are connected to the handlers, etc., the things that you would find in a VM).

    Editing saneki's eazdevirt might be a good idea, though I was more comfortable making my own base.
  3. 3 points
    New features, interesting. File correct? ggggg_cleaned.zip
  4. 3 points
    BinaryNinja has announced the new prices, and, to no surprise, they are slowly pushing themselves away from many users. https://binary.ninja/2020/05/11/decompiler-stable-release.html A personal (named) license is now $299, with the only 'new' thing being the not-so-exciting decompiler as seen above. They are starting to push themselves closer to IDA pricing, which is just plain stupid on their part. Ghidra's decompiler can be made to run anywhere, and thus, why would anyone pick BinaryNinja over IDA when it comes down to features? I don't feel like they are branding themselves well at all and are trying to target the wrong setups/situations. Their new blog post mentions things like:

    "Support for MacOS, Linux, and Windows. You're not buying each platform separately." - Sorry, but people that generally use this kind of software are users that stick to one primary OS for the most part. At most, people spin up a VM if they 'must' use a secondary OS for anything. This is not a selling point in my opinion at all.

    "Decompiler for all architectures." - Again, the decompiler is not impressive so far. Ghidra's can be made to run in BinaryNinja and IDA (along with anywhere else) and is 100% free. The value for this being a new reason to increase the price of BinaryNinja is just not there, at all.

    And sadly, like most other software companies, they still have this mindset that everyone is a student and consider their software "openly available for everyone" because they offer student pricing. Really wish companies would just stop with this nonsense. Price yourself better in general, don't selectively single out 1 small demographic. I'd wager most people in the RE scene are hobbyists, not students, and are not directly in a career path that includes the use of these kinds of tools directly. The only thing BNinja has going for it that most people praise it for is a good API. Outside of that, you don't really hear anything else good/interesting about it.

    So this price jump is honestly a stupid move in my opinion.
  5. 3 points
    Hi. A disassembler is software that converts machine code (hex) into assembly language mnemonics, e.g. (mov al,1). A debugger is a program that allows you to detect and correct errors in other computer programs. A decompiler is software which tries to reverse the process of compilation to attempt to get the source code from a compiled executable. PS: try to use Google and the search button. Regards
  6. 2 points
    Here's the old content of Ubbelol.
  7. 2 points
    Who are you to say that it's shit? Have you made an unpacker for it? If you do, you are free to correct me but if you don't you shouldn't make these silly comments, in my opinion.
  8. 2 points
    Example CrackMe - Debug Blocker x64. This is an example for submitting a CrackMe in the Downloads section of the site. You can download the file and run Debug Blocker x64. Nothing too exciting will happen! The challenge here would be to patch the debug-blocker function so that it does not spawn a second process. Submitter: Teddy Rogers. Submitted: 02/23/2020. Category: CrackMe
  9. 2 points
    This is a notification of intent to cease and close the Blogs section of the site in a month's time. The reasons for the change are lack of use, activity and popularity, and, for the most part, the forum categories have been and are more than capable of hosting similar blog-like content in the future. This notification gives you the opportunity to copy any information from Blogs that you wish to retain and/or repost in the appropriate forum... Ted.
  10. 2 points
    CCtor => 0x06000034 => Clean the antitamper => Clean cflow => clean string encryption and that's it Most cleans are done by tweaking some public cleaners. The right key is "Youdidit!"
  11. 2 points
    Hi, it's because of your assembly code! Read about the instruction used here (repne scasb): https://c9x.me/x86/html/file_module_x86_id_287.html

    Fixed code:

    procedure TForm1.BitBtn1Click(Sender: TObject);
    var
      pointer_check, pointer_dummy: Pointer;
    label
      bp_found, bp_not_found;
    begin
      pointer_check := @check_credentials;
      pointer_dummy := @Dummy;
      asm
        push edi                   // EDI must be preserved across an inline asm block
        cld                        // scan forwards
        mov edi, pointer_check     // start of the range to scan
        mov ecx, pointer_dummy
        sub ecx, pointer_check     // ECX = number of bytes between the two functions
        mov al, $CC                // INT3 opcode that software breakpoints write
        repne scasb                // stop at the first 0xCC or when ECX reaches zero
        pop edi                    // pop does not modify the flags
        jz bp_found                // ZF set => a 0xCC byte was found in the range
        jmp bp_not_found
      end;
    bp_found:
      Application.Terminate;
      Exit; // you will find out why you should use this
    bp_not_found:
      check_credentials('user', 'pass');
    end;

    BR, h4sh3m
  12. 2 points
    Hi. Finding the start point of a function is easy, you just need to do something like this:

    var
      StartAddr: Pointer;
    begin
      StartAddr := @check_credentials;

    But for finding the end of a function, there are several ways:
    1) Search for a "RET" instruction (C3, C2 xx), but if you're using "try/finally/except" statements your function will have several "RET (C3)" instructions.
    2) You can define a dummy function right after your function and get its start address as the end of your function!

    function check_credentials(user: string; pass: string): Boolean;
    begin
      if (user <> 'User') and (pass <> 'S3cret') then
      begin
        ShowMessage('Wrong Credentials');
      end
      else
        ShowMessage('Congratulations');
      Result := True;
    end;

    // Empty function placed directly after check_credentials; its address marks the end
    procedure Dummy; assembler;
    asm
    end;

    procedure TForm1.BitBtn1Click(Sender: TObject);
    var
      StartAddr, EndAddr: Pointer;
    begin
      StartAddr := @check_credentials;
      EndAddr := @Dummy;
      // will get the size of your function in bytes (+1 byte for the Dummy function)
      Caption := IntToHex(NativeUInt(EndAddr) - NativeUInt(StartAddr));
    end;

    BR, h4sh3m
  13. 2 points
    Hello Here is unpacker source : https://ghostbin.co/paste/5vb67 Here is screenshot of unpacked file : https://i.imgur.com/NwIyqFd.png Here is unpacked file : https://www.sendspace.com/file/8nj8d4
  14. 2 points
    There are jobs like security analyst out there too, but they are generally protocol oriented with a background in cryptography and mathematics. Government agencies in all countries also recruit top talent. Otherwise, as a career choice, unless as a malware analyst or software protection analyst or something, it's too much of a niche to talk about. I got into RE because I enjoyed the challenge and liked learning at lower levels, or under the hood, how things work. Having a deeper understanding is my style for everything. That shadowy world lurks out there too, but it's as organized and controlled as anything. It is a whole package deal to take that route, a lifestyle even. And even then you can't lose sight of what is right and what is wrong and where the laws draw the boundary. Fortunately, merely toying around with some RE stuff is not really an issue. Software businesses and the RE community have an interesting relationship, but it's mostly been win-win despite occasional spats. Best hobby you can have though, IMO.
  15. 2 points
    If the only reason you want to learn RE is to have a unique skill for your resume/job application, you're very mistaken. Don't even try that. Anyone can learn to write (crappy) JavaScript/PHP/CSS in a few weeks and call himself/herself a "freelance web developer". Not everyone can become a reverse engineer - it requires a specific mindset and dedication. As for job positions, it really depends where you live and what your area of expertise would be. Analyzing malware requires a totally different skillset than finding bugs in hardware chips. Entry level positions are usually paid similarly to entry level developer positions. However, as a developer, you will have a pretty well-defined career path. As a reverse engineer, the path is less defined and really depends on your talent and dedication. It is possible to freelance and make a good living out of it - but again, it depends on your area of expertise. One of the best recent examples that comes to mind is Azeria (https://twitter.com/Fox0x01) - her ARM reverse engineering skills are superb. And there are freelancers who make $100k/year on HackerOne - but that's quite an extreme example. And then there is the "dark side" - reverse engineers that work on not-exactly-legit tasks. For example, the entire game hacking industry is based on those. If you're a superstar, the customers will wait in line and the money is great. If you're just starting, you won't be able to make more than a few hundred bucks a month - as you'll be competing with hundreds of Indians, Filipinos and Vietnamese in a very crowded market. The first step would be to define the area you want to explore. As I mentioned above, reverse engineering hardware chips is totally different from reversing Windows malware. Once you know exactly what you want to learn, it will be much easier to suggest a specific book or course. Hope this helps. kao.
  16. 2 points
    When the cache gets up to speed you shouldn't see these topics in the activity stream/s. Any replies by moderators and administrators to topics in the Trashcan are for the topic starters eyes only... Ted.
  17. 1 point

    Version 11.10.2017

    23 downloads

    When using OllyDbg as a portable version (e.g. on a USB stick) there are always problems with the UDD/Plugin path not being set correctly.

    The features:
    - DLL which sets the Plugins, UDD and win32.hlp paths automatically
    - Dummy export so it's easy to add the DLL to your Olly mod
    - Open source

    Attached is DLL + source, I hope it's useful for somebody. Feel free to modify to your needs, just credit where you think it's needed.

    P.S. To add the DLL to your mod: use CFF Explorer to add the import "dummy" (which does nothing) to ollydbg.exe. This will execute the DllMain function (which can be considered illegal) and set the paths in the INI file. OllyPath2.dll must be in the same directory as ollydbg.exe.
  18. 1 point
    Civ VI Free on Epic Store https://www.epicgames.com/store/en-US/product/sid-meiers-civilization-vi/home
  19. 1 point
    @maristroch I think I can do it except VM.
  20. 1 point
    The short reply is yes. Of course a malware analyst must know more things, not only about reversing.
  21. 1 point
    Thank you for all the replies. Is RE a technique that hackers and crackers use to find security vulnerabilities and crack software? For example, a hacker finds a vulnerability like this one: https://www.exploit-db.com/shellcodes/48355 Did the author of this exploit do RE to find this vulnerability? I'd be thankful if anyone could answer me clearly. Thank you.
  22. 1 point
  23. 1 point
    Thanks for reporting. Should be fixed now... https://forum.tuts4you.com/bimchatbox/ Ted.
  24. 1 point
    4228004 is 4083A4 in decimal.
  25. 1 point
    When a debugger sets a software breakpoint, it writes the opcode byte 0xCC to the address where the breakpoint is set. Thus, a way to scan for and detect breakpoints is to compare the first byte of all the instructions you want to protect against breakpoints to 0xCC - if you find one, you found a breakpoint. In the example, protected_code_start and _end refer to the limits of the code you are scanning. This could be the start and end of a critical function you wish to protect. The code is bad though: it blindly compares ALL bytes in the range against 0xCC, whereas you should compare the first byte of each instruction only. Longer instructions might contain legitimate 0xCC bytes as data. Consider mov al, 0xCC ==> b0 cc. IDT hooking is something completely different.
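    The difference between the two scans discussed on this page (the repne scasb byte sweep in h4sh3m's fixed code earlier, and the instruction-boundary caveat in the post just above), as an added Python example that is not part of either post. The x86 instruction bytes and their boundaries are constructed for the example; a real scanner would get the boundaries from a disassembler or, more simply, checksum the protected range, which also catches breakpoints placed mid-instruction and any other patch.

```python
"""Software-breakpoint detection: naive byte sweep vs. instruction-boundary scan.

Constructed example, not code from the forum posts above. The sample routine
below contains 0xCC twice as legitimate immediate data, which is exactly the
false positive the post warns about.
"""
import hashlib

INT3 = 0xCC  # opcode a debugger writes for a software breakpoint

# Constructed 32-bit x86 routine: (mnemonic, encoding). Boundaries are what a
# disassembler would report; here they are simply the lengths of each entry.
SAMPLE_INSTRUCTIONS = [
    ("push ebp",     bytes.fromhex("55")),
    ("mov ebp, esp", bytes.fromhex("89e5")),
    ("mov al, 0xCC", bytes.fromhex("b0cc")),  # legitimate 0xCC as imm8
    ("cmp al, 0xCC", bytes.fromhex("3ccc")),  # another legitimate 0xCC
    ("jne +2",       bytes.fromhex("7502")),
    ("xor eax, eax", bytes.fromhex("31c0")),
    ("pop ebp",      bytes.fromhex("5d")),
    ("ret",          bytes.fromhex("c3")),
]


def assemble(instructions):
    """Concatenate the encodings; return (code bytes, list of instruction start offsets)."""
    code = bytearray()
    starts = []
    for _, encoding in instructions:
        starts.append(len(code))
        code += encoding
    return bytes(code), starts


def naive_scan(code):
    """What repne scasb over the whole range does: flag every 0xCC byte, data included."""
    return [offset for offset, byte in enumerate(code) if byte == INT3]


def boundary_scan(code, starts):
    """What the post recommends: look only at the first byte of each instruction."""
    return [offset for offset in starts if code[offset] == INT3]


def plant_breakpoint(code, offset):
    """Simulate a debugger writing INT3 over an instruction's first byte."""
    patched = bytearray(code)
    patched[offset] = INT3
    return bytes(patched)


def code_digest(code):
    """Reference digest of the protected range, taken once at build time."""
    return hashlib.sha256(code).hexdigest()


def checksum_changed(reference_digest, code):
    """Alternative detector: any byte differs, wherever the breakpoint (or patch) landed."""
    return code_digest(code) != reference_digest


CODE, STARTS = assemble(SAMPLE_INSTRUCTIONS)

if __name__ == "__main__":
    print("clean code, naive scan     :", naive_scan(CODE))          # false positives at the imm8 bytes
    print("clean code, boundary scan  :", boundary_scan(CODE, STARTS))
    bp = plant_breakpoint(CODE, STARTS[5])                           # breakpoint on xor eax, eax
    print("breakpoint, naive scan     :", naive_scan(bp))
    print("breakpoint, boundary scan  :", boundary_scan(bp, STARTS))
    print("breakpoint, checksum       :", checksum_changed(code_digest(CODE), bp))
```

    On the clean sample the naive sweep reports the two immediate bytes and would terminate the program for no reason, while the boundary scan reports nothing; once INT3 is written over xor eax, eax both scans report offset 9, and the checksum flips as well.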
  26. 1 point
  27. 1 point
    Mine is a laptop and was ordered as a custom build, so everything was pre-installed on arrival. The only things I have changed really are software settings, disabled startup items, services, etc., and being a laptop I'm not really sure of the motherboard specs. I used to do a lot with hardware when I had my desktop but really haven't kept up to date with the latest hardware differences for a few years now since buying my laptop, which was the best spec I could afford at the time so I could hopefully keep it for a few years with no problems. It has an i7-6820HK quad core 2.7 GHz overclocked to 4.1 GHz, 8 MB cache, with 32 GB of DDR4 RAM and a GTX 1070 GPU with 8 GB GDDR5. The BIOS is a pre-boot environment, so although you can update it in Windows you cannot change any settings in Windows or via software; you either need to select recovery or similar in Windows settings, which will then restart into it, or press the hotkey on restart. Maybe someone else can advise you on BIOS settings for your hardware and BIOS manufacturer. I used to get problems with my old desktop and I found HWMonitor to be excellent to show problem temperatures due to inefficient fans.
  28. 1 point
    I've also found the number of cores in the CPU to be absolutely vital. Quad or hexa core is basically a minimum spec for a Win10 power user. Dual cores no longer cut it, partly due to the sheer amount of background activity. Have you used utilities to change CPU core parking? Turbo Boost can also have its settings tweaked. If anything, this could also fix IO issues. The QuickCPU or ParkControl apps should help in this regard.
  29. 1 point
    If you have good qualifications (certificates in the relevant fields) then it's easy to get a job. Without them the burden of proof is on you to convince them to hire you. Or you can do freelance jobs as already discussed in kao's post above.
  30. 1 point
    Yes, that is normal, mine is the same...

    C:\>fsutil behavior query DisableDeleteNotify
    NTFS DisableDeleteNotify = 0  (Disabled)
    ReFS DisableDeleteNotify = 0  (Disabled)

    C:\>
  31. 1 point
    This is an explanation from an app I use... Run this from cmd:

    fsutil behavior query DisableDeleteNotify

    0 means TRIM is enabled.
  32. 1 point
    That's all the code in it. It was a simple seek-and-replace small program. Need any help?
  33. 1 point
    I once posted it in a Chinese forum; you can visit it at https://www.52pojie.cn/thread-762832-1-1.html via Google Translate. I'll try my best to introduce it in English:
    1. Download x64dbg and download the symbol file of clr.dll (mscorwks.dll if the runtime is .NET 2.0~3.5).
    2. Set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run.
    3. Use MegaDumper (I use my ExtremeDumper, based on codecracker's MegaDumper: https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program breaks at "SystemDomain::ExecuteMainMethod".
    4. Fix the PE header, and maybe you should also fix the .NET header.

    This way is more complex than using MegaDumper only and directly dumping the assembly. But if the assembly is packed with a native stub and protected with anti-dump (ConfuserEx and others) or protected with whole #US encryption (DNGuard HVM and others), maybe this way is good for dumping assemblies. If you cannot understand it, you can reply to me. Best wishes.
  34. 1 point
    It's really cool that you did it so fast, thank you very much! My plugin works too, I'm just hunting a bug. If I close x64dbg, Qt tries to free stuff of the already unloaded plugin and I don't know why. I'm releasing v0.3 as a plugin package once I've fixed it.
  35. 1 point
    1) There was nothing new. Unlike with the old versions, I did not replace the HWID, I just found the button in the NAG and patched the execution result; because the file did not have a constant, it worked. 2) One of the functions was under the virtual machine, not counting the EP. The CISC VM is a simple virtual machine and the code was small. mfcapplication1_unpacked.rar
  36. 1 point

    7 downloads

    A quick video tutorial on keygenning TccT KeygenMe #2 by Tarequl.
  37. 1 point

    8 downloads

    A Shockwave Flash movie tutorial showing a method of keygenning Kurapica's CrackMe #15. It includes the source code for the keygen.
  38. 1 point

    7 downloads

    Video tutorial on keygenning Kurapica KeygenMe 2011.
  39. 1 point

    11 downloads

    RSA Tutorial 01 - Keygenning RSA RSA Tutorial 02 - Serial Fishing RSA RSA Tutorial 03 - How to Find RSA Primes
  40. 1 point

    11 downloads

    MD5 Keygenning (Part 1) MD5 Keygenning (Part 2)
  41. 1 point
    .NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization, which is not that hard because it's more straightforward than the rest of the code virtualization implementations that are on the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot's standard ProxyCallFixer1 to fix those delegates. Of course, first you need to read them from the initialization method, but the reading method is already implemented in the base version of de4dot (which is used for resources, strings, etc.). Thirdly, the AntiDebug feature, which is basically just a simple check of IsAttached; just nop these instructions. There are a few more changes to the Necrobit feature, for example they hide PInvoke methods to break the old de4dot implementation - a pretty easy fix. Overall these changes are not that major as to completely rewrite de4dot from scratch. Here is the unpacked version of your file: unpackme -cleaned.exe
  42. 1 point
    It's been a while, here are some new graphs related to Zbot (warning, they are heavy).

    Zbot graph: https://www.virustotal.com/graph/embed/gf288663e9d4245c7b8384b9ab36b64f41b58a7df62a145e3ad643bfe140ffb02 (4k nodes) With some additional details related to the Microsoft Citadel sinkhole operation.

    CCAM (Atmos monitoring): https://www.virustotal.com/graph/embed/g5edbfcddab834a59a105964ffdc24492b03a6a5ab4824cca96949cd0d9a3395b With some details about in-the-wild locations.
  43. 1 point
    Hey there, I've been playing with VirusTotal Graph for some weeks. Originally I did a graph just for building a landscape of files for ATM Wall; the graph can be seen here: https://www.virustotal.com/graph/embed/g9521270d163a4778aa5bc376c0d80375b11f2d95beee484498dbdaafc989ee5f I got the idea of doing this after having seen the work of @vanjasvajcer about ATM malware classification. But I started to get addicted to VT Graph, so here are some interesting graphs I did based on VT and kernelmode.info:

    Zeus World (v2.1.0.1 and lower): https://www.virustotal.com/graph/embed/gf17a46025f554bc4a4d0edaff78d4aabee6388c959584ac8981961ae32af6994 A big nebula of Zeus builders since the code leak of v2.0.8.9; it also contains a few very old builders, and some have funny messages inside destined for AV vendors.

    IceIX World (v1.2.5 and v1.2.6): https://www.virustotal.com/graph/embed/g3e3dfb66d191404593284509fbf9028c5253ee1651ee4da9b24225bf262634bf

    Citadel World (v1.3.4.5 and v1.3.5.1): https://www.virustotal.com/graph/embed/g1d0637aa096e45b2b1336844fe81e1e286a588fa049a4d529357c0a1d2f1646d

    Atmos World (v1.01): https://www.virustotal.com/graph/embed/ga7f70bed1f6f4394b4b503b5dcee997c66251a48418b4b3fba03119d3196389e Builders, releases, a few files.

    SpyEye World: https://www.virustotal.com/graph/embed/g98d5440408854a90b8e5fce2bd4003b40a7295519d5c4e0abe39a470a9fcadb5 Research about plugins is based on the SpyEye thread on kernelmode.info; it contains a nice timeline of the versioning and most of the interesting files, I guess.

    Carberp 'krabs.7z': https://www.virustotal.com/graph/embed/gd6210da59ece445f8e0469a7408a4905126fa5722cdb4b759330e073a29e7429 File annotation based on the kernelmode.info thread again (https://www.kernelmode.info/forum/viewtopic.php?f=16&t=2793), a chaos mosaic in the image of the archive.

    BestAV affiliate: https://www.virustotal.com/graph/embed/g0741bdd40e4b4bc7a4c77e8240de0667f2ea89df4124484b87717ad081f741aa Lots of FakeAV files found with communicating IPs; graph also based on a few posts on kernelmode and on my personal archive about those guys.

    And not related to malware, but you can also do funny things:
    Looking for an OllyDbg modification? https://www.virustotal.com/graph/embed/gd11e600f461c476082159553dadde7ac102288cd74df42d38f84291e97f2263a
    You have lost your SoftICE CD? https://www.virustotal.com/graph/embed/g7534bcb28a2a439a8d466f69542374127b54265b605c4589adbf97191a1b0467
    A small landscape about dongle piracy: https://www.virustotal.com/graph/embed/g035609ac24c94751ae94aef309b6599010d8ccd1549f49f3b8ef7e20febd3f9f
  44. 1 point
    I created this experimental project. I hope it can be useful to someone. Any collaboration and improvement is welcome. Thank you. https://github.com/Pigrecos/Triton4Delphi
  45. 1 point
    Here's ILProtector removed: Unpackme_dump_bodyRestored.exe
  46. 1 point
    I'm not a big fan of Kip Irvine's book. But I can't recommend any particular book instead of it - I learned ASM by reading the source code of DOS-era viruses. There were no ASM books available in my country at that time, so I just had to figure it out on my own. Since you seem to be mostly interested in the reverse-engineering aspect of the ASM language, I would recommend reading https://sensepost.com/blogstatic/2014/01/SensePost_crash_course_in_x86_assembly-.pdf - it's a pretty decent summary and contains links to other useful resources as well. One thing I can tell you - you need to start from the beginning and work methodically. Currently you're jumping from C sample code to VMProtect to driver disassembly. It makes no sense and is actually slowing you down.
  47. 1 point

    Version 1.0.0

    46 downloads

    Hello friends. I tried to prepare a classic logo for the forum. Feel free to use it in your projects or documents. I hope you will like it. Note: the source file is in XCF format only, for GIMP. Sorry for Photoshop users. Detailed preview (click the support button on the forum page).
  48. 1 point
    PR PSD TEMPLATE PR BY ALFARES AT4RE.rar. Submitter: alfares. Submitted: 06/18/2016. Category: AT4RE Skins
  49. 1 point
    Here is the attached combinator_uppp_skin.rar
  50. 1 point
    Hello all, I wrote a little paper about reducing the file size of a C++ project. It covers some basic stuff like removing the C runtime, merging sections, etc. Hope it helps someone, and of course if you have improvements, other techniques or found bugs, then feel free to write me. ~Zer0Flag Decrease_WinCppProject_FileSize.pdf