Tuts 4 You


Popular Content

Showing content with the highest reputation since 02/22/2019 in Posts

  1. 9 points
    It's a really nice challenge, thank you! Pseudo-solution:
    Step 1: make type/function/variable names readable. De4dot to the rescue.
    Step 2: get some idea how the VM works. In this case, we have P-Code stored in a MemoryStream and stream.Position tells us which instruction we're currently executing (aka EIP).
    Step 3: put some smart breakpoints and trace execution of the VM. We're looking for good boy/bad boy jumps, so focus on changes in stream.Position. I put a breakpoint in UnmanagedMemoryStream.Seek.
    Step 4: look at the log data and identify the good boy/bad boy jump. In my case, the logged data with some comments looked like this. So, we need to trace a few instructions starting from EIP=16F4. Turns out that the comparison instruction is at EIP=172B and the good boy jump is at EIP=173D.
    Step 5: patch the P-Code or the VM engine. I decided to patch the P-Code directly, as integrity checks for the P-Code were not enabled. I changed the comparison instruction to compare 2 identical values, so the check always succeeds and the good boy jump is always taken. Mission accomplished.
    EDIT: attached file should not be in the middle of a sentence. Out-patched-by-kao.zip
  2. 6 points
    Strings plugin for x64dbg.
    Download: https://github.com/horsicq/stringsx64dbg/releases
    Sources: https://github.com/horsicq/stringsx64dbg/
    More Info: http://n10info.blogspot.com/2019/03/strings-plugin-for-x64dbg.html
  3. 5 points
    Hi there, with a few guys we made a zoo dedicated to malware targeting ATM platforms; as far as I know nobody has made a similar public project, so voilà. You will find here malware that specifically targets ATMs, and reports (notices) about them. Files of interest were harvested from kernelmode.info, but also VirusTotal and various other services and people interested in the project. I'm using binGraph, pedump, Python and bintext for the engine behind the reports. Some samples exist in 'duplicate' on the wall (we also provide unpacks for a few files); if that is the case, it's mentioned in the report. We have hashes that are without references (I mean not associated with a white paper or something); those files are grouped on the statistics page, and we tried to make the stats page interesting enough for everyone to have fun exploring the zoo from the stats. We have IoCs that others seem not to have, e.g. the Kaspersky report about WinPot, which also led to a funny reaction from people selling it; no worry, everyone has it now. We also have a page that includes some YARA rules for detecting some of these malwares, and a page with goodies, voilà! Everything provided in old skool style, intro also available! CyberCrime quality http://atm.cybercrime-tracker.net/ Feedback welcome, enjoy the ride! 💳🏧
  4. 5 points
    Language: .NET
    Platform: .NET/Mono
    OS Version: All
    Packer / Protector: Custom
    Description: This is something I've stopped working on over the last few months, but if someone's interested in taking up the project with me I'll gladly accept. The original password is hashed to prevent string equality hooking, so the goal here is just to make it respond correctly.
    Cracking: If you do crack this, please post in the thread (or DM me) about how you did it. It doesn't have to be step-by-step; a simple "after doing X all you need to do is Y" is fine. If you have any suggestions for additional obfuscation, please include those as well. Any method is acceptable (besides printing the correct string yourself) :^)
    Screenshots are attached. Out.exe
  5. 3 points
    Yep, looks like Dotwall. But the main executable is totally boring; the interesting stuff is in the .NET resources. So, don't waste much time trying to deobfuscate the main executable. There are 2 malicious PE files in the .NET resources, XOR-encrypted with key 76 00 6F 00 52 00 4E 00 66 00 48 00 73 00 44 00. One is Aspire.dll, protected with .NET Reactor; that's some sort of malware launcher. The other one is a password stealer written in Delphi.
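    Pulling the embedded PE files out of such resources, as an added example (my code, not kao's and not anything from the sample): it assumes the posted 16 key bytes are applied as a repeating-key XOR over the whole resource blob (the post does not say how the key is applied), and it runs against a constructed stand-in for the embedded PE rather than the real resource. The key bytes are "voRNfHsD" as UTF-16LE, which is what a .NET string key looks like when it is used byte-wise.

```python
import struct

# Key as posted in the thread: 76 00 6F 00 52 00 4E 00 66 00 48 00 73 00 44 00,
# i.e. the string "voRNfHsD" encoded as UTF-16LE.
POSTED_KEY = bytes.fromhex("76006f0052004e006600480073004400")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumption: this is how the dropper applies the key).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE check: 'MZ' at offset 0 and 'PE\\0\\0' where e_lfanew (offset 0x3C) points."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_resource(blob: bytes, key: bytes = POSTED_KEY):
    """Decrypt one resource blob; return the PE bytes if the result parses as a PE,
    else None (wrong key, or the resource was never an encrypted PE)."""
    plain = xor_with_key(blob, key)
    return plain if looks_like_pe(plain) else None


def build_fake_pe() -> bytes:
    """Constructed stand-in for an embedded PE, not a real sample: a DOS header whose
    e_lfanew points at 0x40, followed by the PE signature and zero padding."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 0x20


if __name__ == "__main__":
    # Simulate the resource as it would sit inside the dropper, then recover it.
    encrypted = xor_with_key(build_fake_pe(), POSTED_KEY)
    recovered = decrypt_resource(encrypted)
    print("encrypted blob parses as PE:", looks_like_pe(encrypted))
    print("decrypted blob parses as PE:", recovered is not None)
```

    On a real dropper, feed each resource blob dumped with dnSpy or a resource extractor to decrypt_resource and keep the ones that come back non-None; the MZ/PE check is what stops you from writing garbage to disk when a resource turns out to be something else.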
  6. 3 points
    REDasm 2.0 is available for download at http://redasm.io; binary packages have been tested on Windows and Linux. I have attached some screenshots to see how it looks now.
    Source Code: https://github.com/REDasmOrg/REDasm
    Changelog
    - Brand new disassembler engine.
    - Brand new disassembler widget.
    - Brand new Signature Engine (SDB files).
    - Brand new Hex Widget.
    - Multithreaded analysis.
    - QtWebEngine powered graphs.
    - Simplified LibREDasm API.
    - Reimplemented Emulation APIs.
    - Improved ARM/Thumb switch heuristics.
    - Improved ARM listing.
    - Added IDA style popup on symbols.
    - Added Dark Theme.
    - Added jump arrows in listing.
    - Recent file support.
    - Projects support (RDB files).
    - Improved keyboard shortcuts.
    - CMake Porting.
    - UI/LibREDasm/Database split.
    - MSVC RTTI Analysis.
    - MSVC Demangling.
    - Improved VB Decompiler.
    - Implemented GBA Loader (WIP).
    - Implemented N64 Loader (WIP).
    - Unified loader for ELF Format (Little/Big endian, 32/64 bits).
    - Unified loader for PE Format (Little/Big endian).
    - Clang support on 64bit.
    - UI Redesign.
    - Lots of bug fixes.
  7. 3 points
    - version 2.8:
    1- fix a lot of bugs in calculations and getting values.
    2- F11 run/stop script now enabled, F12 step script.
    3- get values for nested variables like $x[$z+1]
    4- add new commands (ret, GetAPIName, ResizeArray, GetArraySize, Write2File, inputbox).
    5- add Dependency and sample scripts as a separate package.
    releases 2.8
    This is a sample to write a tracer:
        varx str,path,"E:\temp1\log.txt"
        varx str,addr
        varx str,APIname
        varx int,OEP,0000000140226B80
        varx array,temp[1]
        varx int,i,0
        if {rip}=$OEP,int,14d,7d
        resizearray $temp,1
        setx $addr,{rax}
        GETAPIName $APIname,$addr
        setx $temp[$i],$addr $APIname
        setx $i,$i + 1
        go
        goto 6d
        varx int,sizeArray,0
        GetArraySize $temp,$sizeArray
        if $sizeArray=0,int,19d,17d
        write2file $path,1,$temp[$sizeArray]
        setx $sizeArray,$sizeArray -1
        goto 16d
    AdvancedScript_2.8.zip
  8. 2 points
    After the security researchers informed WinRAR of their findings, the team patched the vulnerability with version 5.70 beta 1 of the software. Rather than attempt to fix the issue, the team opted to drop support for ACE archives entirely, which was probably the sensible option considering the only program capable of creating the archives, WinACE, hasn’t been updated since 2007. https://www.theverge.com/2019/2/21/18234448/winrar-winace-19-year-old-vulnerability-patched-version-5-70-beta-1 bonus link - hirensbootcd.org
  9. 2 points
    Just to clarify as well, I'm not saying Ghidra is bad or to not use it. Sorry if what I'm saying is coming across like that, that isn't my intention or what I mean to imply. I do actually like Ghidra and I am happy to see something finally be on par with IDA's feature set. Given that Ghidra is new and has a small team of like 2? people, there is a lot of room for improvement. And the better part is that they do plan to open source it fully, which is nothing but even better for it. Something I do foresee though with it becoming open source is that people will port it to a different language because of how slow Java is in general. I'd guess we'll see a C# port at some point or eventually a C++ port depending on who decides to tackle it, which I'm all for seeing happen. Overall, it is a nice tool and I'm glad to see it happen, I just hope to see it get better over time, especially with speed improvements.
  10. 2 points
    I use this addon https://addons.mozilla.org/en-US/firefox/addon/save-all-images-webextension/
    Features:
    1. Can detect all images loaded in the current page regardless of whether they are loaded in nested iframes or not
    2. Many filtering rules to find and download only needed extensions
    3. Can catch images in links, background scripts and CSS files
    4. Display images in a gallery view before downloading them
    5. Support two-level deep image searching
    Filters:
    1. Filter by file size
    2. Filter by image dimension
    3. Filter by image type
    4. Filter by image URL (regular expression matching)
    5. Filter by same origin policy
  11. 2 points
    Github — source code (will be available soon)
    Download GHIDRA 9.0 — software package, slides, and exercises
    Installation Guide — basic usage documentation
    Cheat Sheet — keyboard shortcuts
    Issue Tracker — report bugs
  12. 2 points
    Hi! This is my first post on tuts4you. I hope that this is the right section; if not, please delete this post!
    Ok so... A few months ago I made public my internal project called REDasm on GitHub. Basically it's a cross-platform disassembler with an interactive listing (but it's still far, if compared to IDA's one) and it can be extended with its API in order to support new formats, assemblers and analyzers.
    Currently it supports:
    - Portable Executable: VB5/6 decompilation. It can detect Delphi executables, a decompiler is WIP. .NET support is WIP. Debug symbols are displayed, if available.
    - ELF Executables: Debug symbols are displayed, if available.
    - DEX Executables: Debug symbols are displayed, if available.
    - x86 and x86_64 are supported.
    - MIPS is supported and partially emulated.
    - ARM support is implemented but still WIP.
    - Dalvik assembler is supported.
    Most common assemblers are implemented by using the Capstone library; the Dalvik assembler is written manually and even the upcoming MSIL/CIL assembler will be implemented manually. The entire project is written in C++ and its UI is implemented with Qt5. Internally, the disassembler is separated in two parts: LibREDasm and UI. LibREDasm doesn't contain any UI-related dependencies, it's just pure C++; one day I will split it in two separate projects.
    Some links with source code, nightlies and wiki:
    Source Code: https://github.com/REDasmOrg/REDasm
    Nightly Builds (for Windows and Linux): https://github.com/REDasmOrg/REDasm-Builds
    Wiki: https://github.com/REDasmOrg/REDasm/wiki
    And some screenshots:
  13. 2 points
    slugsnacks reversing series by c0lo: Link: https://kienmanowar.wordpress.com/slugsnacks-reversing-series-by-c0lo/slugsnacks-reversing-series-5/
  14. 1 point
    https://stackoverflow.com/questions/7057501/x86-assembler-floating-point-compare https://c9x.me/x86/html/file_module_x86_id_88.html This part looks weird to me: why, if it is bigger, will it jump to @EQUAL???
  15. 1 point
    @CyberGod your problem is not a problem of the plugin from @hors, it's a bug of x64dbg; try to move other tabs and you will see the same error!
  16. 1 point
    Here is a YARA rule, as it seems to rain samples according to McAfee:
    /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */
    rule CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP
    {
        meta:
            description = "Generic rule for hostile ACE archive using CVE-2018-20250"
            author = "xylitol@temari.fr"
            date = "2019-03-17"
            reference = "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
            // May only the challenge guide you
        strings:
            $string1 = "**ACE**" ascii wide
            $string2 = "*UNREGISTERED VERSION*" ascii wide
            // $hexstring1 = C:\C:\
            $hexstring1 = {?? 3A 5C ?? 3A 5C}
            // $hexstring2 = C:\C:C:..
            $hexstring2 = {?? 3A 5C ?? 3A ?? 3A 2E}
        condition:
            $string1 at 7 and $string2 at 31 and 1 of ($hexstring*)
    }
    So far it matched all my known files.
    ================================================================================================================================================================
    ---------- MATCH: CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP
    FILE >>>>> C:/SBOX/temp/ace/0312885f07b5a028e64c6a2a440a8584c67adf2c0986e99447328c4bede4e102
    FILE >>>>> C:/SBOX/temp/ace/0a8d46694dcd3c817ca507d3004366352926bed39897aa19c605bf407841605e
    FILE >>>>> C:/SBOX/temp/ace/4bde9006a960da9388d3c45cbebb52ff5015e0fbe0c4d80177b480cba8abd5a0
    FILE >>>>> C:/SBOX/temp/ace/642018f0cc2afa550f51516db2015d25f317be8dd8cdf736428dfc1e8d541909
    FILE >>>>> C:/SBOX/temp/ace/7871204f2832681c8ead96c9d509cd5874ed38bcfc6629cbc45472b9f388e09c
    FILE >>>>> C:/SBOX/temp/ace/a49d55cd7ca0dab2d84308d56bf3f7d6b3903135b9eccd8924ab1b695bb18d93
    FILE >>>>> C:/SBOX/temp/ace/dcda4a01ab495145ba56c47ff2fe28dbd0b1088fb5c102577a75d9988e8e7203
    FILE >>>>> C:/SBOX/temp/ace/e6e5530ed748283d4f6ef3485bfbf84ae573289ad28db0815f711dc45f448bec
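    A pure-Python pre-filter that mirrors the condition of the rule above, as an added example (my code, not xylitol's): it checks the two markers at offsets 7 and 31 and searches the whole file for either of the traversal byte patterns, and it runs over a constructed ACE-shaped blob rather than any of the samples listed. It covers only the ASCII side of the rule's "ascii wide" strings and is meant for triage where yara is not installed; for the real thing, run the rule itself. The stored path in the sample is made up.

```python
import re

# Offsets and markers taken from the posted rule: "**ACE**" at 7 and
# "*UNREGISTERED VERSION*" at 31 are fixed positions in the ACE main header.
ACE_MAGIC, ACE_MAGIC_OFF = b"**ACE**", 7
ADVERT, ADVERT_OFF = b"*UNREGISTERED VERSION*", 31

# The rule's two hex patterns as byte regexes ('??' becomes '.', DOTALL so a
# 0x0A byte also counts as "any byte"):
#   {?? 3A 5C ?? 3A 5C}        ->  ?:\?:\     e.g.  C:\C:\
#   {?? 3A 5C ?? 3A ?? 3A 2E}  ->  ?:\?:?:.   e.g.  C:\C:C:..
TRAVERSAL_PATTERNS = [
    re.compile(rb".\x3a\x5c.\x3a\x5c", re.DOTALL),
    re.compile(rb".\x3a\x5c.\x3a.\x3a\x2e", re.DOTALL),
]


def is_ace_archive(data: bytes) -> bool:
    """Both header markers present at exactly the offsets the rule requires."""
    return (data[ACE_MAGIC_OFF:ACE_MAGIC_OFF + len(ACE_MAGIC)] == ACE_MAGIC
            and data[ADVERT_OFF:ADVERT_OFF + len(ADVERT)] == ADVERT)


def traversal_hits(data: bytes) -> list:
    """Every occurrence of either traversal pattern, anywhere in the file."""
    return [m.group(0) for pat in TRAVERSAL_PATTERNS for m in pat.finditer(data)]


def matches_rule(data: bytes) -> bool:
    """Mirror of the rule's condition: markers at 7 and 31, and 1 of ($hexstring*)."""
    return is_ace_archive(data) and bool(traversal_hits(data))


def build_ace_sample(stored_name: bytes) -> bytes:
    """Constructed ACE-shaped blob, not a real archive: main-header markers at the
    rule's offsets, then a file entry whose stored path is `stored_name`."""
    main = bytearray(ADVERT_OFF)
    main[ACE_MAGIC_OFF:ACE_MAGIC_OFF + len(ACE_MAGIC)] = ACE_MAGIC
    main += ADVERT
    main += b"\x00" * 8          # stand-in for the remainder of the main header
    return bytes(main) + stored_name


if __name__ == "__main__":
    samples = {
        "traversal":  build_ace_sample(b"C:\\C:\\Users\\victim\\Desktop\\invoice.exe"),
        "benign ace": build_ace_sample(b"docs\\readme.txt"),
        "not ace":    b"PK\x03\x04" + b"\x00" * 64,
    }
    for name, blob in samples.items():
        print(f"{name:11s} match={matches_rule(blob)} hits={traversal_hits(blob)}")
```

    The hits list is the part worth looking at on a real match: it tells you which absolute-path prefix the archive is trying to smuggle past the extractor, which is the same information the rule's two hex strings encode.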
  17. 1 point
    Had some more time with Ghidra last night to compare speed to IDA. So this is a small comparison to IDA 7, default settings, minimal plugins loaded (none that should affect load times) and Ghidra also stock settings, default analyze options. Target Executable: A game .exe close to 200MB in size, no protection, no packer, no special tricks/obfuscation or anything. IDA: Took about 15-20mins to load into IDA and be considered ready. (The initial autoanalysis has been finished.) Ghidra: Still analyzing, 9 hours later. Be it poor coding, poor optimization, or just the fact that it's coded in Java, Ghidra is extremely slow when compared to IDA in this regard. For simple/small targets like malware samples, it may be fine to use on a daily basis, but for larger scale targets like full applications, games, etc. this is definitely going to need work to be considered a viable option to use at all. For this thing to still be going 9 hours later is a bit ridiculous.
  18. 1 point
    thx for the plugin. Bug: an error occurs if I move the tab
  19. 1 point
    Chrono Download Manager for Chrome has a sniffer part where it can scan for images and videos and you can batch download them: https://chrome.google.com/webstore/detail/chrono-download-manager/mciiogijehkdemklbdcbfkefimifhecn?hl=ro
  20. 1 point
    The vulnerability might have put millions "at risk", but realistically most likely affected not one single person at all.
  21. 1 point
    Most addons / grabbers just search the HTML for image tags... <img src="Image.jpg"> But this image might be the full image or might be a thumbnail. A better search would be for standalone image tags or image tags inside href tags... <a href="FullImage.jpg"><img src="Thumbnail.jpg"></a> I think the regex solution would work for you, so you can set up your own regex to only grab the full images and ignore the thumbnails.
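    One way to separate full-size images from their thumbnails along the lines of this post, as an added example (my code, not the poster's and not from any addon): instead of a regex it walks the page with Python's standard-library HTML parser, treating an <img> inside an <a href="...jpg"> as a thumbnail whose link is the full image, and a bare <img> as a standalone image. A regex breaks as soon as attribute order or whitespace changes; the parser does not care. The sample HTML and the example.test URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".webp")


class FullImageCollector(HTMLParser):
    """Sort <img> tags the way the post describes: an <img> wrapped in a link that
    points at an image file is a thumbnail for that link; a bare <img> stands alone."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self._link = None        # href of the <a> we are inside, if any
        self.full = []           # full-size images (anchor targets)
        self.thumbnails = []     # <img src> that sat inside such a link
        self.standalone = []     # <img> not wrapped in an image link

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._link = urljoin(self.base_url, attrs["href"])
        elif tag == "img" and attrs.get("src"):
            src = urljoin(self.base_url, attrs["src"])
            if self._link and self._link.lower().endswith(IMAGE_EXTS):
                self.full.append(self._link)
                self.thumbnails.append(src)
            else:
                self.standalone.append(src)   # bare <img>, or link to a page

    def handle_endtag(self, tag):
        if tag == "a":
            self._link = None


def collect_images(html: str, base_url: str) -> dict:
    """Return absolute URLs grouped as full / thumbnails / standalone."""
    p = FullImageCollector(base_url)
    p.feed(html)
    p.close()
    return {"full": p.full, "thumbnails": p.thumbnails, "standalone": p.standalone}


# Constructed gallery page: two thumb->full pairs, one bare image, one image
# that links to a page rather than to a bigger picture.
SAMPLE_HTML = """
<html><body>
<a href="/gallery/full/001.jpg"><img src="/gallery/thumbs/001_t.jpg"></a>
<a href="/gallery/full/002.JPG"><img src="/gallery/thumbs/002_t.jpg" /></a>
<img src="/static/banner.png">
<a href="/about.html"><img src="/static/logo.gif"></a>
</body></html>
"""

if __name__ == "__main__":
    for group, urls in collect_images(SAMPLE_HTML, "https://example.test/").items():
        print(group, urls)
```

    Feed the result's "full" list to whatever downloader you use; the thumbnails are kept separately only so you can see what was skipped.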
  22. 1 point
    Hi, I just wonder why there are some AddOns that say they download images / batch etc. but can't do it and just grab thumbnails. I do remember that I tried earlier AddOns like ImageHost Grabber (with some older Firefox) but this worked with RegEx parameters to customize what to do for each single site and imagehost. Don't remember the RegEx commands anymore. Also don't wanna check that out anymore (too lazy for this now). Seems that there isn't any simple method to automate any select & download thing without doing those steps manually. 😕 greetz
  23. 1 point
    After getting to play with this a bit now on the updated version, this is my personal opinion on it. To start, I don't feel this even comes close to competing with IDA or BinaryNinja for the time being. This is not to say it is junk/useless, it is just still very early on to really recommend it or suggest it so far. Feature-wise, it is not really on par with the competition it is up against currently, making it a hard recommendation to give. Given that it is also so new to being public now, I wouldn't recommend it to others with the fact that it is going to rapidly change starting now. The amount of new eyes and hands on it are going to have countless ideas, suggestions and pull requests come pouring in, even more so when it fully open sources in the near future. That said, there is not going to be much consistency with it for a while until a more solid framework/core of the application has been completed. I was looking forward to the newer decompiler, however it feels like nothing more than a modified version of Snowman ported to Java. It feels rather weak and lacking compared to HexRays. While it does work, it has similar output and results to Snowman which in my opinion are fairly low-end / junk results. So there is a lot of room for improvement there. UI wise, I feel the disassembler has a lot of wasted white space and over-kill tabbing for certain information (ie the PE header data) making it a bit annoying to look at. A lot of times, these tools are run in VMs with limited screen space or lower end resolutions, and I feel Ghidra makes very poor use of the space it has, mainly in the disassembler window. I am keeping my hopes up though since this is planned to be fully open source in the near future. I really hope the community can get behind it and help improve it vastly.
  24. 1 point
    Since cookies, HTTP headers like browser or source site, along with even HTTP posts or other things could potentially be used, and even the filename can be difficult to ascertain if you want a nice consistent original one, this is not really something easy for a universal solution. A plugin which has a right click menu option sounds pretty good here. Or just classic wget with mirroring the site for a certain depth using certain file extensions or other heuristics to decide if this is in fact an image or not (HTTP headers, file headers, etc). It is amazing that these types of things lack any elegant and clear universal solutions still. Often due to the nature of the web, a series of actions may need to be performed from a login, to clicking buttons or what have you, then finally a download. I have tried to write a full comprehensive web scripting and file mirroring tool which would try to automatically do things like check for new software releases on original websites by navigating from the front page. But it's a pretty large task full of nuances of the web's evolution.
  25. 1 point
  26. 1 point
    Just a try to add more features to the x64dbg script system.
    History Section:
    - version 2.0:
    1- all numbers are hex numbers.
    2- more nesting in arguments.
    3- build bridge to make plugin system compatible with x64dbg script system.
    4- create parallel functions to x64dbg functions, like (cmp >> cmpx).
    5- rename to new names (Varx Getx Setx) and fix array index entry.
    6- add VarxClear (clear all variables to help user in tests), memdump with print style.
    - version 1.6:
    1- add parser system to recognize arguments.
    2- begin building script system.
    3- add more helper functions.
    - version 1.4:
    1- make StrCompx in separate thread and add sleep time to wait for x64dbg to finish processing.
    2- fix Hex2duint function, add length check in case it is less than 2.
    - version 1.3:
    1- add another argument to cbLogxJustAtBP for printing on LogxWindow.
    2- now it accepts bool argument like this (true/false - on/off - 1/0).
    3- add StrComp_BP function for comparing strings in memory at BP.
    4- compiled x32.
    Source Code: https://github.com/Ahmadmansoor/AdvancedScript
    If you find it useful please let me know, and if you want to add more features please leave a comment.
    Supports both x86 and x64
    BR
    AdvancedScript.v2.0.rar
  27. 1 point
    AdvancedScript beta version. It is a beta version, it could have bugs, so please report, and if you'd like to add more features let me know.
    version 2.5 beta:
    1- Script window is separate.
    2- Create folder for scripts, form loads scripts with category.
    3- add more mirror functions (xorx - pushx ...), and functions like (if, goto, writestr) to shortcut the work.
    4- show all variables in a list with their values.
    5- edit script on the fly.
    6- enable defining arrays with a range like z[n].
    7- writestr function.
    8- run from anywhere in the script.
    9- reset variables list in case of maintenance.
    10- insert rows as much as you need.
    11- insert from clipboard, replace all script.
    12- insert from clipboard inside the script.
    13- copy separated lines to use in other scripts.
    14- insert description without confusing.
    15- add the dll file of the C++ runtime for each package.
    16- add some script samples.
    17- as it is a beta version it supports one step, not auto step; use F12 for step, sorry for that, I need to check if it works then I will add auto step :}
    note: I forgot to say use the (Scriptw) command to show the script window, but git has stopped working, so copy the script sample to your script folder in the x64dbg folder and please read the help first.
    AdvancedScript_2.5beta.zip
  28. 1 point
    For unpacking:
    1) cawk unpacker
    2) dump after decryption
    3) fix EP
    4) Proxy call fixer by Davicore
    5) Strings decryptor by CC
    6) Switch killer by CC
    7) Dump resources (empty)
    8) Clean cctor and <Module> methods
    (maybe 4, 5 and 6 can be replaced by cawk unpacker again)
    I will check the key algo tomorrow, don't have time now.
    a29p-EP-anti2_noproxy_stringdec-cleaned_deobfuscated-res2-cctor-module.exe
    --------------------------------------------------------
    Username = "Usuario"
    Code = "161308"
        // C#: string.Length is a property, not a method
        int length = username.Length;
        int num2 = length + 2 - 4 + 40 + 10;   // num2 == length + 48
        return Convert.ToString(419 * num2 * length - length);
    ---------------------------------------------------
    EDIT2: I have received a few PMs asking how to fix EP, so I will post the videos I used as reference here. Following these 2 videos you should be able to unpack ConfuserEx fully.
  29. 1 point
    Last night I dreamt my football team would win 0-1. The next morning I heard the score over the radio that they had won the game 0-1. A betting man would want to have these dreams the night before... Ted.
  30. 1 point
    @mr.exodia congrats my Friend BR , Apuromafo CLS
  31. 1 point
    @p4r4d0x: enough already! If you can't stop whining about exetools and techlord, please go away - as this behavior is not bringing anything useful to this forum. :@ @mrexodia: I wish you all the best in your new job. You're extremely skillful person and I'm sure you'll enjoy the challenges this line of work will bring. And remember to learn as much new stuff as possible!
  32. 1 point
    Tools: dnSpy, ConfuserEx Tools, de4dot ConsoleApplication3_unpacked.exe
  33. 1 point
    Unpackers tools - source code C# My source code: https://gitlab.com/CodeCracker https://github.com/CodeCrackerSND https://bitbucket.org/CodeCrackerSND/ I will NOT share (anymore) the rest of my tools!
  34. 1 point
    @collins: apparently h4sh3m deleted it. Copy attached. version.rar
  35. 1 point
    Tutorial:
    1. MegaDumper, get ResourceAssembly.dll (assembly that contains resources)
    2. Use ConfuserDelegateKiller to remove delegates from UnpackMe.exe (google it)
    3. de4dot with parameters (-p un --strtyp delegate --strtok 06000043)
    4. CryptoObfuscator constant fixer by me (PM if you need it)
    5. Remove all instructions from <Module>.cctor
    6. Attach resources with ResourceManager (use file from step 1)
    7. Clean from junk classes and delegates