Tuts 4 You

Leaderboard

Popular Content

Showing content with the highest reputation since 08/24/2021 in Posts

  1. https://githacks.org/vmp2/vmdevirt vmdevirt lifts vmp IL generated by vmemu to llvm ir which can then be optimized and compiled back to native instructions. I have released a pretty rough/early version of EasyAntiCheat devirtualized here: https://www.unknowncheats.me/forum/anti-cheat-bypass/468099-easyanticheat-sys-devirtualized-version-1-optimizations.html The goal has been to generate semantically correct native so that you can execute the binary... here is hello world devirtualized: https://githacks.org/-/snippets/45 If you have any input/suggestions for llvm you can reply or email me at _xeroxz@back.engineer P.S. vmdevirt will also be used for vmp3 as the lifters/profiles are pretty much the same. All I need to do to support vmp3 is to recode some of vmemu...
    6 points
  2. This is a prime example of how combining obfuscators can only work in your favour if you actually use them properly. Spoiler alert: they are not used correctly in this unpackme Approach: TestCawkMod-cleaned.exe
    5 points
  3. Code of Main method is pre-compiled (AOT) and stored in assembly resource. It is not possible to restore original MSIL code from this, but since the algorithm is very simple it can just be rewritten. To get the key we need to attach with x64dbg and analyze it dynamically. Final key is: 68 01 f6 c4 47 5b 04 ad ca 75 45 d2 2b f1 2c 28 or aAH2xEdbBK3KdUXSK/EsKA== in base64 format.
    3 points
  4. Fixed src using @sama's files and also added a project file for winASM. + aboutbox spinning DNA strand project alone because it's lovely. SND.Reverser.Tool.1.5b1.SRC.fixed.zip Spinning DNA strand.zip
    3 points
  5. Alternatively, you can use CyberChef. It has basically every encryption / encoding / hashing algorithm you can think of, and they are easily combined together with the drag n drop interface that they have: https://gchq.github.io/CyberChef/
    3 points
  6. @pepegaswiper69: the direction is right, just one of your assumptions is wrong.
    2 points
  7. A MUST HAVE COMPUTER.... greetz
    2 points
  8. You can get challenges from old REA here (under copy protection): https://github.com/Info-security/binary-auditing-training It was later transformed to binary auditor. Unfortunately no solutions / math + fun / crypto.
    2 points
  9. ProtonMail deletes 'we don't log your IP' boast from website after French climate activist reportedly arrested www.theregister.com/2021/09/07/protonmail_hands_user_ip_address_police/
     ProtonMail received a legally binding order from Swiss authorities which obligated to comply with protonmail.com/blog/climate-activist-arrest/
     Commodore 64 ads from the 1980s lunduke.substack.com/p/commodore-64-ads-from-the-1980s-still
     A Generation of American Men Give Up on College www.wsj.com/articles/college-university-fall-higher-education-men-women-enrollment-admissions-back-to-school-11630948233
     Revolt: Open-source alternative to Discord written in Rust revolt.chat/
     Automatically replace jQuery from existing projects and generate vanilla js alternatives (lol) github.com/sachinchoolur/replace-jquery
     Larry Page: I think we should look into acquiring YouTube (2005) twitter.com/TechEmails/status/1433837480449613839
     Google introduces $50 4G smartphone www.globalvillagespace.com/google-introduces-50-4g-smartphone-to-enable-billions-of-people/
     The number of legal chess positions estimated at 4.5x10^44 github.com/tromp/ChessPositionRanking
     Malware found preinstalled in classic push-button phones sold in Russia therecord.media/malware-found-preinstalled-in-classic-push-button-phones-sold-in-russia/
     Today Sci-Hub is 10 years old. I'll publish 2M new articles to celebrate (05/09) twitter.com/ringo_ring/status/1434356217208623106
     Melatonin: Much More Than You Wanted to Know (2018) slatestarcodex.com/2018/07/10/melatonin-much-more-than-you-wanted-to-know/
     PayPal Mafia (haha good to know) en.wikipedia.org/wiki/PayPal_Mafia
     Back Orifice (1998) web.archive.org/web/20180715070715/http://www.cultdeadcow.com/tools/bo.html news.ycombinator.com/item?id=28413994
     US Air Force chief software officer quits www.theregister.com/2021/09/03/usaf_chief_software_officer_quits_angry_post/
     Dynamic visualization of your WiFi signal blog.ui.com/2021/08/19/wifiman-introduces-enhanced-signal-tracking-features/
     git-cliff: generate changelog files from the Git history github.com/orhun/git-cliff news.ycombinator.com/item?id=28423843
     El Salvador becomes first country to adopt Bitcoin as an official currency theverge.com/2021/9/7/22660457/el-salvador-bitcoin-legal-tender-currency-cryptocurrency-chivo-wallet
    2 points
  10. Since Firefox 69, you must go into about:config and set “toolkit.legacyUserProfileCustomizations.stylesheets” to “true”. The userChrome.css file does not exist by default; you first have to create the file in the appropriate location inside your Firefox profile folder. howtogeek.com/334716/how-to-customize-firefoxs-user-interface-with-userchrome.css/
     ----
     latest
     #1# Go to about:support in Firefox. Search for Application Basics, find Profile Directory and click on Open Directory. Copy the userContent.css into the chrome folder (usually has -release at the end, and you should create the chrome folder if it doesn't already exist).
     #2# Go to about:config in Firefox. Search for toolkit.legacyUserProfileCustomizations.stylesheets and set it to true by clicking on the arrow button. Restart Firefox.
     src github.com/FirefoxCSSThemers/Natura-for-Firefox/tree/main/chrome
     *not tested*
    2 points
  11. Mozilla - uBlock Origin review addons.mozilla.org/blog/ublock-origin-everything-you-need-to-know-about-the-ad-blocker/
     Flying a Stunt Plane Through TWO Tunnels (2.2km / 43.44sec) hyperlol www.facebook.com/RedBullMotorsports/videos/375390900880444/
    2 points
  12. Don't know of a tool that will do it all for you easily, but you can either make one or make use of a few separate tools and a bit of work.
     For finding things, you can use Cheat Engine: https://www.cheatengine.org/
     Scan a program's memory for known patterns of file type headers. For example, PNG's header information can be found here: http://www.libpng.org/pub/png/spec/1.2/PNG-Structure.html
     Knowing the first 8 bytes are always '89 50 4E 47 0D 0A 1A 0A' you can scan for this array of bytes and find matches in a program's memory.
     Once found, you can use a tool like 010 Editor: https://www.sweetscape.com/010editor/
     You can use this hex editor to remotely open memory of another process and map data structures via templates onto the memory. This can help with finding valid full images, as in this example PNGs, in memory. You can also then use this tool to know how much data to copy out and save to a new file, as the templates will hold all the data needed for the PNG to be valid on disk once saved.
     Then rinse and repeat for all file types you want to do.
     Otherwise, you can make your own app to do all these steps as well:
     Open a remote target for reading. (OpenProcess)
     Dump the process's memory to a local buffer for faster scanning. (ReadProcessMemory)
     Scan for known byte patterns within the dumped data, like above, to find known file types you wish to find.
     At the start of each found entry, begin reading the file type like any other app would to determine if the full file is there/valid. (Use file header information for known file types and such to know how to read the various files you want to dump.)
     If a valid file is found, dump it from the local buffer into a new file with just the data needed to make said file valid.
     And so on. Rinse and repeat for each file type you want to scan for etc.
    2 points
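     As an added example (not code from the post above), here is the carving step of the "make your own app" route in Python, run over a constructed in-memory buffer that stands in for a ReadProcessMemory dump. It does what the post describes with 010 Editor templates: after a signature hit it walks the PNG chunk structure and checks every chunk CRC, so only complete, uncorrupted images are carved and a stray signature or a half-overwritten image is skipped. The buffer, the junk around it and the sample images are all constructed inline.

```python
import struct
import zlib

# PNG signature from the spec linked in the post: 89 50 4E 47 0D 0A 1A 0A
PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK = 0x7FFFFFFF  # PNG spec: a chunk's data length must not exceed 2^31-1


def _chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width=1, height=1):
    """Constructed sample: a tiny valid 8-bit RGB PNG (all pixels red)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def png_length_at(buf, off):
    """Walk the chunk list starting at buf[off]. Return the total byte length of
    a structurally valid PNG ending in IEND, or None when the candidate is
    truncated, does not start with IHDR, or fails a chunk CRC."""
    if buf[off:off + 8] != PNG_SIG:
        return None
    pos = off + 8
    first = True
    while True:
        if pos + 8 > len(buf):
            return None                      # chunk header cut off: partial image
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        if length > MAX_CHUNK or not ctype.isalpha():
            return None                      # implausible chunk: false-positive hit
        if first and ctype != b"IHDR":
            return None                      # spec: IHDR must be the first chunk
        first = False
        end = pos + 12 + length
        if end > len(buf):
            return None                      # data or CRC cut off
        data = buf[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", buf[end - 4:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            return None                      # overwritten/corrupted in memory
        pos = end
        if ctype == b"IEND":
            return pos - off


def carve_pngs(buf):
    """Return (offset, length) for every complete PNG found in the buffer."""
    found = []
    off = buf.find(PNG_SIG)
    while off != -1:
        n = png_length_at(buf, off)
        if n:
            found.append((off, n))
            off = buf.find(PNG_SIG, off + n)  # resume after the carved file
        else:
            off = buf.find(PNG_SIG, off + 1)
    return found


def make_sample_dump():
    """Constructed stand-in for a dumped memory region: two real PNGs, one
    bare signature followed by garbage, and one truncated image, amid junk."""
    p1, p2 = build_png(1, 1), build_png(2, 2)
    junk = b"\x00" * 37 + b"junk-heap-data" * 3
    buf = junk + p1 + junk + PNG_SIG + b"NOTAREALCHUNK" + junk + p2 + junk + p1[:-6]
    expected = [(len(junk), len(p1)), (3 * len(junk) + len(p1) + 21, len(p2))]
    return buf, expected


if __name__ == "__main__":
    dump, _ = make_sample_dump()
    for i, (off, n) in enumerate(carve_pngs(dump)):
        with open(f"carved_{i}.png", "wb") as fh:  # exactly the bytes needed on disk
            fh.write(dump[off:off + n])
        print(f"PNG at offset {off:#x}, {n} bytes")
```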
  13. thx for uploading the DNA animation btw. I've also made a mod for the Starfield effect coded by takerZ, just added some RGB effect and only static text:
    2 points
  14. I heard some files are missing? (all credits to the dev.) have a nice day MissingFiles.rar
    2 points
  15. There has been an update of Keygener Assistant from v2.1.0 to v2.1.1
     March 1st, 2016
     - Fixed bug with RSA Encrypt/Decrypt (buggy FGIntRSA changed).
     - Update Interface:
       - Skin removed
     Download: KeygenerAssistantV2.1.1Remix
    2 points
  16. My Delphi binding for Intel X86 Encoder-Decoder. https://github.com/Pigrecos/XED_Delphi
    2 points
  17. twitter.com/ForumCovid/status/1439893319048380419
     Raspberry Pi gets $45M to meet demand for low-cost PCs and IoT techcrunch.com/2021/09/21/raspberry-pi-gets-45m-to-meet-demand-for-low-cost-pcs-and-iot/
     Lithuanian government warns about secret censorship features in Xiaomi phones therecord.media/lithuanian-government-warns-about-secret-censorship-features-in-xiaomi-phones/
     Distribution Of Global Wealth www.visualcapitalist.com/distribution-of-global-wealth-chart/
     WHO global air quality guidelines 2021 apps.who.int/iris/handle/10665/345329
     Reasons to Quit Social Media durmonski.com/life-advice/reasons-to-quit-social-media/
     Why You Should Stop Reading News fs.blog/2013/12/stop-reading-news/
     World War 3 To Be Fought Over Semiconductors? goldsilver.com/blog/world-war-3-to-be-fought-oversemiconductors-wealthion/
     Waydroid – Run Android containers on Ubuntu waydro.id/
     Authenticated Boot and Disk Encryption on Linux http://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html
     EU proposes mandatory USB-C on all devices www.theverge.com/2021/9/23/22626723
     FDA Vaccine Panel Comes Out Against Deadly Injections infowars.com/posts/bombshell-testimony-from-fda-vaccine-hearing-reveals-injections-killing-more-than-saving-driving-variants/
    1 point
  18. @Darth Blue: you got this far, so you certainly have skills. I'm sure you'll figure it out. To answer your question - it's not strictly necessary but might help you with *something*. You'll know more once you analyze the binary.
    1 point
  19. DOS Subsystem for Linux github.com/haileys/doslinux
     YouTube recommendation system blog.youtube/inside-youtube/on-youtubes-recommendation-system/
     NEWScan files.rayogram.com/news/ freedomforum.org/todaysfrontpages/
     A collection of modern games for the TI-99/4A http://tigameshelf.net/asm.htm
     India says Google abused Android dominance www.engadget.com/google-abused-android-dominance-india-antitrust-124019374.html
     AMD Chipset Vulnerability Leaks Passwords, Patch Available www.tomshardware.com/news/amd-chipset-vulnerability-leaks-passwords
     Library Genesis libgen.is/
     Belgian ISP under 250 Gbps DDoS for days on end issues.edpnet.be/
    1 point
  20. It probably depends on which compiler & what settings you use. My VS2019 builds your code perfectly for both x86 and x64. If your compiler keeps being stupid, try using this: hthread = CreateThread(0, 0, &animate, hWnd, 0, 0);
    1 point
  21. View File SecureVM
     This file is protected with SecureVM - a new VM to protect your code (based on CawkVM modification). You have to completely unpack the code in order to pass this challenge. Make sure your unpacked file is able to run.
     Submitter BlackHat
     Submitted 09/07/2021
     Category UnPackMe (.NET)
    1 point
  22. Hi, this seems to be yet another example of someone else using DNGuard as their own protector and stacking it over something else... In this CawkVM "mod" not a lot has changed, so exploiting the runtime implementation of dynamic methods is still possible. You can also reverse engineer the new changes using a debugger after bypassing the anti-debugger checks and statically decrypt and parse the method data. Not much different from regular CawkVM, just runtime-obfuscated with a renamed DNGuard. I have successfully dumped the CawkVM protected entry point method: TestCawkMod-Protected-unpacked.exe
    1 point
  23. Australia’s new mass surveillance mandate digitalrightswatch.org.au/2021/09/02/australias-new-mass-surveillance-mandate/
     DeepFaceLive: Live Deep Fake github.com/iperov/DeepFaceLive
     Unity patents ECS pdfpiw.uspto.gov/.piw?PageNum=0&docid=10599560
     Anbernic RG280M Review christine.website/blog/rg280m-review
    1 point
  24. Hi, I'm using a simpler thing with no enclosure, switch, etc., just quick access/change. https://www.amazon.co.uk/gp/product/B016UBXH3O digital storage capacity up to 10tb. I use it mostly to backup my server hdds, copying the whole internal disk (8tb drives) to the external one. Works ok with my debian and windows and for the usage that I do with it.
    1 point
  25. This can be used to monitor any user login sessions that transpire on a Server or Standalone system using services API call (yes this could probably be coded as an ACTUAL service but that's left for another day). Compile and run (I've tested this on a basic user account with no ACL except their own profile folder ACLs and it gathers all logged in users, maintaining an array and comparing it against the total number of logged in sessions).
     Note: various source codes were changed around, I just don't remember all the sites I used to put this together.
     There is an embedded SMTP mailer that will connect to Zoho (for this example) along with a way to email the alerts to a phone number for SMTP->text; you'll need to find your cell phone carrier's SMTP and find an email service that allows SMTP IMAP connections.

     using System;
     using System.Collections.Generic;
     using System.Linq;
     using System.Threading;
     using System.Windows.Forms;
     using System.Net.Mail;
     using System.Runtime.InteropServices;

     namespace SmtpWatch
     {
         static class Program
         {
             public const int WTS_CURRENT_SERVER_HANDLE = 0;
             public const int WTS_CURRENT_SESSION = -1;

             [DllImport("WTSApi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
             public static extern bool WTSSendMessage(IntPtr hServer, int SessionId, string pTitle, int TitleLength,
                 string pMessage, int MessageLength, int Style, int Timeout, out int pResponse, Boolean bWait);

             [DllImport("WTSApi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
             public static extern bool WTSEnumerateSessions(IntPtr hServer, int Reserved, int Version,
                 out IntPtr ppSessionInfo, out int pCount);

             [DllImport("WTSApi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
             public static extern void WTSFreeMemory(IntPtr pMemory);

             [DllImport("WTSApi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
             public static extern bool WTSQuerySessionInformation(IntPtr hServer, int SessionId,
                 WTS_INFO_CLASS WTSInfoClass, out IntPtr ppBuffer, out uint BytesReturned);

             public enum WTS_INFO_CLASS
             {
                 WTSInitialProgram, WTSApplicationName, WTSWorkingDirectory, WTSOEMId, WTSSessionId,
                 WTSUserName, WTSWinStationName, WTSDomainName, WTSConnectState, WTSClientBuildNumber,
                 WTSClientName, WTSClientDirectory, WTSClientProductId, WTSClientHardwareId, WTSClientAddress,
                 WTSClientDisplay, WTSClientProtocolType, WTSIdleTime, WTSLogonTime, WTSIncomingBytes,
                 WTSOutgoingBytes, WTSIncomingFrames, WTSOutgoingFrames, WTSClientInfo, WTSSessionInfo,
                 WTSSessionInfoEx, WTSConfigInfo, WTSValidationInfo, WTSSessionAddressV4, WTSIsRemoteSession
             }

             [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
             public struct WTS_SESSION_INFO
             {
                 public int SessionId;                  // session id
                 public string pWinStationName;         // name of WinStation this session is connected to
                 public WTS_CONNECTSTATE_CLASS State;   // connection state (see enum)
             }

             public enum WTS_CONNECTSTATE_CLASS
             {
                 WTSActive,        // User logged on to WinStation
                 WTSConnected,     // WinStation connected to client
                 WTSConnectQuery,  // In the process of connecting to client
                 WTSShadow,        // Shadowing another WinStation
                 WTSDisconnected,  // WinStation logged on without client
                 WTSIdle,          // Waiting for client to connect
                 WTSListen,        // WinStation is listening for connection
                 WTSReset,         // WinStation is being reset
                 WTSDown,          // WinStation is down due to error
                 WTSInit,          // WinStation in initialization
             }

             public static string[] sysun;      // user names seen at the last full enumeration
             public static string allsysun = "";

             //==============================================================
             [STAThread]
             static void Main()
             {
                 usermanip(0);
                 MessageBox.Show("CURRENT LOGGED IN USERS: " + allsysun);
                 string emallsysun = "CURRENT LOGGED IN USERS: " + allsysun;
                 sendmail(emallsysun);
                 while (true)
                 {
                     // check for new logons
                     usermanip(1);
                     allsysun = "";
                     Thread.Sleep(1000);   // poll once a second instead of spinning a core
                 }
             }
             //==============================================================

             static void sendmail(string str)
             {
                 try
                 {
                     MailMessage mail = new MailMessage();
                     SmtpClient SmtpServer = new SmtpClient("smtp.zoho.com");
                     mail.From = new MailAddress("xxxxxxx@zohomail.com");
                     mail.To.Add("XXXXXXXXXXX@tmomail.net");   // carrier SMTP-to-text gateway
                     mail.Subject = "SYSTEM ACTIVITY (USERS)";
                     mail.Body = str;
                     SmtpServer.Port = 587;
                     SmtpServer.Credentials = new System.Net.NetworkCredential("jmc31337", "XXXXXXXXXXXXXXXX");
                     SmtpServer.EnableSsl = true;
                     SmtpServer.Send(mail);
                 }
                 catch (Exception)
                 {
                     MessageBox.Show("SendMail Error Occurred");
                 }
             }
             //==============================================================

             static void usermanip(int softplc)
             {
                 IntPtr pSessions = IntPtr.Zero;
                 int nSessions;
                 if (WTSEnumerateSessions((IntPtr)WTS_CURRENT_SERVER_HANDLE, 0, 1, out pSessions, out nSessions))
                 {
                     int nDataSize = Marshal.SizeOf(typeof(WTS_SESSION_INFO));
                     IntPtr pCurrentSession = pSessions;
                     if (sysun == null)
                     {
                         // first run (or reset): rebuild the baseline list of users
                         Array.Resize(ref sysun, nSessions);
                         softplc = 0;
                     }
                     for (int Index = 0; Index < nSessions; Index++)
                     {
                         WTS_SESSION_INFO si = (WTS_SESSION_INFO)Marshal.PtrToStructure(pCurrentSession, typeof(WTS_SESSION_INFO));
                         uint nBytesReturned = 0;
                         IntPtr pUserName = IntPtr.Zero;
                         bool bRet = WTSQuerySessionInformation((IntPtr)WTS_CURRENT_SERVER_HANDLE, si.SessionId,
                             WTS_INFO_CLASS.WTSUserName, out pUserName, out nBytesReturned);
                         string sUserName = bRet ? Marshal.PtrToStringUni(pUserName) : null;
                         if (bRet) WTSFreeMemory(pUserName);   // buffer is allocated by WTSApi32 and must be freed
                         //Console.WriteLine("User Name: {0}", sUserName);
                         if (softplc == 0)
                         {
                             sysun[Index] = sUserName;
                             allsysun += sUserName + " ";
                         }
                         if (sysun.Length > nSessions)
                         {
                             // a session went away: drop the baseline so it is rebuilt next pass
                             Index = 0;
                             sysun = null;
                             break;
                         }
                         if (sysun.Length < nSessions && !sysun.Contains(sUserName))
                         {
                             if (sUserName != null)
                             {
                                 //sysun[Index] = sUserName;
                                 string usrmail = sUserName;
                                 usrmail += " (LOGGED ON)";
                                 MessageBox.Show(sUserName + " LOGGED ON");   //DING!
                                 sendmail(usrmail);
                                 sysun = null;
                                 break;
                             }
                         }
                         pCurrentSession += nDataSize;
                     }
                     WTSFreeMemory(pSessions);
                 }
             }
             //==============================================================
         }
     }

     --just found out coding all that in the STAThread section of the .net app keeps the winapp icon from appearing in taskbar and alt-tab app switcher (couldn't find the shrugger emoji) thnx for the thnx
    1 point
  26. https://www.amazon.co.uk/gp/product/B076X4WWZY
    1 point
  27. This requires knowledge of git internals. All versions of pyarmor ever released can be found on their GitHub repo: https://github.com/dashingsoft/pyarmor-core/ Essentially what you need to do is hash search (md5/sha etc) your target pyarmor dll/pyd in that repo to find the file and thus the commit. However there's another point to keep note of. As mentioned in this thread, pyarmor now bundles the license data within the dll/pyd. Hence the license data would lead to a different hash in spite of the rest of the dll/pyd contents being the same. To solve this problem, instead of hashing the whole file you can hash only a part (say the last 10KiB of the target dll/pyd which excludes the license data) and search all blobs in the repo which have the same hash for the last 10 KiB bytes. You can use a library like gitdb for searching. Using this you should be able to pinpoint the exact commit and the corresponding file on the repo.
     As for the other question, the mode used can be deciphered from the numerical prefix.
     0 => NONE (dll)
     7 => JIT, ANTI-DEBUG, ADV (dll)
     11 => JIT, ANTI-DEBUG, SUPER (pyd)
     21 => VM, ANTI-DEBUG, ADV (dll)
     25 => VM, ANTI-DEBUG, SUPER (pyd)
     For example, windows.x86_64.25.py39 implies VM + ANTI-DEBUG + ADV modes using the dll pyd.
    1 point
  28. reddit.com/r/FirefoxCSS/comments/p2chzn/bookmark_height_spacing_ff_910_update/
    1 point
  29. If it's not protected or packed then strings will be located in the .text section, wherever this section is mapped in memory. All you need is to scan the process memory for any occurrences of that string and then patch it correctly, paying attention to the length of that string. https://reverseengineering.stackexchange.com/questions/22130/how-to-find-the-starting-address-of-text-section-of-a-dll-inside-a-process-64
    1 point
  30. SND.Reverser.Tool.1.5b1 with sources https://mega.nz/file/EoFjmCjI#obPLdFKURn9JIF7uEKWVxqeN4OngWawjKtiEi2sZhKs SND.Reverser.Tool.1.5b1.zip
    1 point
  31. Hi again and thanks for the tool infos. All are working well so far (also that nice offline webpage tool). Only the old SND_RT tool gets deleted by Defender (Ransomware). Anyway, the other tools also have pretty much the same functions included that I can use there. Thank you. greetz
    1 point
  32. You can get this from our own forum and also read the full thread in the process: Download it: https://forum.tuts4you.com/applications/core/interface/file/attachment.php?id=8499
    1 point
  33. Both of Your Challenges are Unpacked Successfully. How to Unpack ? Proof - HVM-hvm.exe HVM-cleaned_debug.exe
    1 point
  34. How to Unpack ? Solution - 3.9.5.3.zip
    1 point
  35. Hi! I think you are looking for something like this: Link: http://www.kahusecurity.com/tools.html Or something like "Keygener Assistant": Link: https://www35.zippyshare.com/v/ZcLY8Dxm/file.html
    1 point
  36. Yup. It is a Stolen DNGuard. You have to restore the Bodies from the Runtime and then append in the main assembly. After devirt you can remove the strings or proxies. There is nothing much to tell as the answer is already given. ! I was testing something. So I took this unpackme as test. Unpackme-cleaned.exe
    1 point
  37. Nirvana sued by Spencer Elden, who appeared on Nevermind’s album cover as a baby www.bbc.com/news/entertainment-arts-58327844 arstechnica.com/gaming/2021/08/adult-who-used-to-be-the-nevermind-baby-says-nirvana-album-cover-is-child-porn/
     Scientists 3D bioprint Wagyu beef-like meat (WTF) eandt.theiet.org/content/articles/2021/08/scientists-3d-print-wagyu-beef-like-meat/
     Samsung says it can remotely disable stolen TVs www.theverge.com/2021/8/25/22640876/samsung-television-block-function-stolen-tv-sets-south-africa
    1 point
  38. I am of the opinion that any solution posted here should be reproducible (hence the name tuts4you). Anyone reading my solution should be able to follow the steps and get to the same conclusion. For the case of a VM, since they are complicated beasts, it means it gives me only two options: I would have to release the source code of any type of devirtualizer that I would've made, or I would have to spend an entire blog post talking about how VMP's VM works and how to reverse it. While I genuinely enjoy doing both, both options take a lot of time, something I have very little of these days. But even if I had the time, it's arguably not really worth it. If I were to make a devirtualizer for VMP and release it, it will not take long for the VMP developers to catch on and update their software. Unless the devirtualizer was made in such a way that it would be resistant towards the kinds of changes (which again, takes more time), it means it is probably only going to be useful for a short period. Just doing this for a single unpackme posted on a forum does not really make it worth it for me. Also, while I generally don't have any problem with publishing articles or source code (unlike other people that post solutions here it seems), I do have a problem with potentially harming other people's businesses. I am not a fan of releasing devirtualizers or unpackers for protectors that are still in business and have customers. From a legal and ethical perspective, that's just not something I would do easily. Generally speaking though, with reverse engineering it is often not required to fully unpack anyways. You extract what you need and leave out the unimportant business. In a lot of cases that does not require a full deobfuscation. Especially not with keygenme's like these. Maybe someone else thinks differently about that, and does pick this up as a challenge though
    1 point
  39. Methodology - Since it is a CrackMe I won't bother myself to generate/find a Valid Serial by understanding the Algo. So I'm simply gonna patch it to accept any Key or show the Valid Message from any of that. Thanks to RCE Community Members from all those diff Forums who shared their Knowledge with the Public. Valid Key - Steps - Image - Method 2 - Since it is a CrackMe these methods make sense, but in a Real World App these are not so useful. We need to Devirt the App to fully Read the Code. So you can follow my 1st Comment regarding Complete Unpacking of Your Code.
    1 point
  40. fixed in v1.7 https://githacks.org/vmp2/vmemu/-/releases/v1.7 (make sure your commandline arguments are also correct)... Also be aware that vmemu currently does NOT support dumped modules as it uses LoadLibraryExA - DONT_RESOLVE_DLL_REFERENCES to load the module... Support for dumped modules will come very shortly, as well as an auto unpacking/drag & drop project.
    1 point
  41. Everyone knows it's DnGuard, just put in dnspy or ILSpy to know. He buys or jailbreaks a copy of dnguard, then runs it on the server, when the user uploads the source for packaging, it also saves the original to steal the NetProtect user's code. Then go around saying its netprotect is number 1, no one can unzip it. I was going to say that a few times, but seeing how many of his fans are, I gave up. But to protect the file, you have to upload the entire source code to his server, which exposes your entire source code.
    1 point
  42. Hello, This isn't anything new... It's just DNGuard 3.9.6.2 with some additional attributes and slight attempts at rebranding. We can also see this in the native dll it drops. This is not the first time NETProtect.IO is using other protectors under their own brand name. First it was NETGuard, then Agile.NET, CawkVM, and now DNGuard 😕 As for unpacking DNGuard, I have not done a lot of research into it. If anyone has and is willing to share the research and knowledge I think we all would be thankful
    1 point
  43. No, it really isn't. It stops 10-year olds from running ready made tools, and that's about it. Password is:
     There are 3 ways to solve it:
     Easy way (1/10): open file in hex editor, check the strings and find solution there.
     Slightly harder (2/10): run crackme under any tracer/profiler, see what functions it calls, see correct string as one of the parameters.
     "Extremely hard" (3/10): open DnSpy and Visual Studio and fix OldRod source code. You'll need like 5 minutes for that.
     1) Compare original KoiVM method handlers with DiamondVM method handlers:
     KoiVM:
     DiamondVM:
     As you can see, DiamondVM has 2 useless string arguments and "id" parameter has been moved from 2nd position to 1st. Side note - DiamondVM author tried to get rid of "id" parameter and use A_3.Length instead. However he/she failed miserably and "id" is still there..
     Open OldRod file "OldRod.Pipeline\Stages\VMMethodDetection\VMMethodDetectionStage.cs" and change method signatures + parameter count:

     //..around line 36..
     /*
     private static readonly IList<string> Run1ExpectedTypes = new[]
     {
         "System.RuntimeTypeHandle",
         "System.UInt32",
         "System.Object[]"
     };
     private static readonly IList<string> Run2ExpectedTypes = new[]
     {
         "System.RuntimeTypeHandle",
         "System.UInt32",
         "System.Void*[]",
         "System.Void*",
     };
     */
     private static readonly IList<string> Run1ExpectedTypes = new[]
     {
         "System.UInt32",            // moved
         "System.String",            // useless
         "System.RuntimeTypeHandle",
         "System.String",            // useless
         "System.Object[]"
     };
     private static readonly IList<string> Run2ExpectedTypes = new[]
     {
         "System.UInt32",            // moved
         "System.String",            // useless
         "System.RuntimeTypeHandle",
         "System.String",            // useless
         "System.Void*[]",
         "System.Void*",
     };

     // ...around line 158 ...
     switch (method.Signature.ParameterTypes.Count)
     {
         //case 3:
         case 5:
             if (HasParameterTypes(method, Run1ExpectedTypes))
                 info.RunMethod1 = method;
             break;
         //case 4:
         case 6:
             if (HasParameterTypes(method, Run2ExpectedTypes))
                 info.RunMethod2 = method;
             break;
     }

     Build your modified OldRod and run it with parameter "--koi-stream-name #VM " to work around other change in DiamondVM. Done! Devirtualized file attached. UnpackMe.exe_VM-cleaned.zip
    1 point
  44. Necrobit
     To mess up the old de4dot implementation, the .Net reactor changed the P / Invoke methods, but for the unpack, you can use the SMD from Code Cracker, which will do an excellent job of this.
     Control Flow
     To break de4dot.blocks, ezriz added a number of instructions to the flow cases, which de4dot cannot process, it's easy to fix it, just repeat after me)
     String Encrypt
     Ezriz changed the resource encryption algorithm for strings, which messed up the old decryptor implementation. This problem is solved by dynamic emulation of the method, with obtaining LDC.I4 values for initializing the decrypt method, I will show an example of getting MethodDef by the Call dnlib operand
     Hide Methods Calls NEW!
     New reactor protection, taken half from open source fuser. The bottom line is that system methods are initialized from delegates. It sounds scary, let's try to figure it out))
     Well, we won the new reactor, I hope you enjoyed this article, thanks for reading))
     All The Credit Goes to Eshelon Mayskih
    1 point
  45. Since the challenge description allows it, I'm going for the quick serial fish for now Approach:
    1 point
  46. Your topic has not been approved. You did not follow the correct posting format and/or provided enough information regarding the challenge. You have 48 hours to correct your topic before it will be moved to the Trashcan. For further details regarding the formatting of the topic please refer to the topic in the below link... [This is an automated reply]
    1 point
  47. [.NET]实战UnpackMe.mp4 -> https://mega.nz/#!YxwQSAxA!Lwd9XStVyue8fdYKZXmYkoDxE0Y7ftsyNYtBKLTRrGM
    1 point