Jump to content
Tuts 4 You

Leaderboard

  1. kao

    kao

    Full Member+


    • Points

      28

    • Content Count

      2,322


  2. TobitoFatito

    TobitoFatito

    Full Member


    • Points

      20

    • Content Count

      34


  3. CodeExplorer

    CodeExplorer

    Moderator


    • Points

      17

    • Content Count

      3,106


  4. whoknows

    whoknows

    Full Member


    • Points

      14

    • Content Count

      519



Popular Content

Showing content with the highest reputation since 06/08/2020 in all areas

  1. 13 points
    awesome_msil_Out.exe Approach: 1. Necrobit is a jit protection, so we use Simple MSIL Decryptor by CodeCracker , and it shall be ran on NetBox 2. Code virtualization is a relatively new feature of .net reactor, added in version 6.2.0.0. Here is the approach i took (i did this about 6 months ago so my memory is kinda rusty ) : (Click spoiler to see hidden contents)
  2. 6 points
    I am referring to threads and posts like these: If a solution is selectively provided only to the OP by PM then it defeats the whole purpose of the Crackme/Unpackme section. In such cases, the solution provider should not even be acknowledged unless they provide working steps for everyone to learn from. This forum is a learning platform and if solution providers are expected to share the methodologies that they used for the solution. Here is yet another thread where the posts from the solution providers who gave vague steps was approved: Basically another thread containing "show-off" posts by the solution poster. Nothing practical provided and no proper steps were shown. I mean, take this for example (from this post): EXAMPLE 2 Basically useless. It's like saying that to climb the Himalayas one needs will-power, good training, a lof of good mountaineering tools, food packs etc and that one has to read up a lot of good manuals and practice on smaller mountains first... Only posts in the Challenges section which detail proper steps which are actually reproducible should be approved by the mods. OR... ALL POSTS there should be approved from anyone. Why just approve the "show-off" posts? Are we expected to "beg" the solution poster via PM for the steps? I am quite sure that my post may get deleted, since any posts which speak the truth seem to get selective get deleted these days, but nevertheless I wanted to bring up this point! Another example of an approved post where NO STEPS were provided:
  3. 4 points
    In my opinion that solution will be acceptable only if the tool used is public.
  4. 4 points
    This is really the key point that probably should be the requirement for a post to be accepted. A solution should be reproducible, not a list of private tools that are used. Private tools are, as their name implies, private, and by definition that means it is everything but reproducible (unless this tool is shared with the reader of the solution). The only person benefiting from such a reply is the respondent themselves in the form of an ego boost. Not very productive if you'd ask me.
  5. 4 points
    It's a really good question. The answer really depends. Let me give you few recent examples. Example #1: Extreme Coders names the tools and explains HOW to solve the crackme. A lot of effort is required but all the tools can be found via Google. So I have zero issues with the solution. Example #2: Prab names the tools but no explanation is given. "x86 retranslater" definitely cannot be found not on Google. "Clean control flow" tells the obvious thing but it doesn't explain HOW to do that. What's the point of such solution? The only thing reader will learn from this is that he needs a magic wand that he can't have.
  6. 4 points
    View File Reactor v6.3 Try to unpack or alternatively provide a serial. Protections used: Necrobit Antitampering Antidebug Obfuscation Code Virtualization + Shield with SNK Submitter whoknows Submitted 06/10/2020 Category UnPackMe (.NET)  
  7. 2 points
    https://www.bleepingcomputer.com/news/security/net-core-vulnerability-lets-attackers-evade-malware-detection/ bonus medium.com/pcmag-access/former-intel-engineer-explains-why-apple-switched-to-arm-deba86e560b1 Hard Disk Hacking (2013) - spritesmods.com/?art=hddhack&page=1
  8. 2 points
    you shouldn't be using WD in first place.
  9. 2 points
    Pawning 40 CTFs simultaneously
  10. 2 points
    My work machine has normally running MS Teams (2GB right there..), Outlook (250MB), Chrome with 40+ tabs (6+GB), Visual Studio, 1-2 VMware Guests and IDA. Would I expect it to magically work with 8GB of RAM? F*ck no! Sure, you can find a tool that hacks around and maybe reduces the symptoms. But it doesn't fix the problem. The actual problem is that your machine is severely under-powered for that sort of a workload. Another 8GB of RAM would be a proper way to solve those issues. And it costs ~40EUR - which is less than 1-2 hours of your time you probably spent googling for such "tool".
  11. 2 points
    https://docs.microsoft.com/en-us/dotnet/api/system.string.concat Get the next 50 elements and concat them, then repeat. If you want to add a delimiter for every text use Join instead. https://docs.microsoft.com/en-us/dotnet/api/system.string.join?view=netcore-3.1#System_String_Join_System_String_System_String___ You should consider taking a programming course.
  12. 2 points
    I was facing the Same thing from long time. Here I've raised my Voice - that It makes no sense to upload Cleaned file or saying that I used de4dot modded Private bla bla bla. Some People are like, Read the Assembly language or see de4dot or VM and you will know. Oh Ghosh does it make any sense? No there's a no sense of saying this. Consider, Someone ask me How to Decrypt the encrypted Password? So Should I answer him Remember the Table of 2 to 30 or learn Counting and Alphabet. It's make no sense. Mostly Comments are like "I use My Private Tools" "I used modded de4dot" I used "Lamp of Aladdin" I used "Poseidon Trident 🔱" OH God, If You can't share or can't atleast explain little bit manual stuff, Then the Solution is utter nonsense and useless. I also think, We should allow solutions which actually are descriptive.
  13. 2 points
    Thanks to "Extreme Coders", I've never programmed in python before, but after reading all your public material and following the recommended steps in this thread I've been able to desofuscate the code. If they tell you how to do it you will understand it, but if they guide you and you have to discover how to do it you will learn martisor_unpacked.py
  14. 2 points
    Not necessary to unpack to get the key. Key: Steps :
  15. 1 point
    Hello guys. Your forum is great and very helpful! Thanks for your work! I am a beginner in reverse engineering with some basic knowledge of C++. I wanted to create a small offset patch in c++. I found a simple template on how to do that. I tried it first with a simple NOP patching and it worked. After I edited it to patch 8 offsets I ended up with a not working-Send report to Microsoft application. I uploaded the edited source code. I don't know much about it, and why that happened. . . Is this the proper way to do it? Is there another better template? I know that there exist some cool patch engines but I would like to experiment and building my own. Thanks in advance! #include <windows.h> #include <stdio.h> #include <stdlib.h> int applyPatch(); const int SIZE = 8; int main(){ applyPatch(); return 0; } int applyPatch() { int offset[SIZE]={0x5758F,0x57590,0x57591,0x57592,0x57594,0x5792D,0x5792F,0x5F963}; byte patch[SIZE]={0xE9,0x97,0x03,0x90,0x90,0xE4,0x01,0xEB}; int i=0; int patch_counter = 0; FILE *f; f=fopen("target.exe","r+"); if(f==0) { MessageBox(0,"File not found!","Error",MB_ICONERROR); return 0; } for(patch_counter = 0; patch_counter < SIZE ; patch_counter++) { for(i=0;i<2;i++) { fseek(f,offset[patch_counter],SEEK_SET); fprintf(f,"%c",patch[patch_counter]); // Write patch offset[patch_counter]++; } } fclose(f); MessageBox(0,"Successfully patched! ","Patched",MB_OK); return 0; }
  16. 1 point
    WD is fine. Modern AV arent exactly very deterministic things. If you have a problem with a false positive, just disable it.
  17. 1 point
    Updates between Windows 10 machines are not always equal regardless of what date/version things say. They roll things out in batches and based on each devices hardware and other qualifying identifiers. Windows Defender symbols and definitions work in a similar manner. So both of your setups may show the same version of WD, but the definitions could be different as one of the machines probably hasn't gotten "permission" to obtain the latest stuff yet. That said, the detection difference could just be an updated difference in the definitions they pushed or that the way WD detected things was done in a different order. (Pretty sure their scanner does multi-threaded scans for performance purposes so one of the threads may have hit the other detection before another thread completed etc. and it just shows what was found first.)
  18. 1 point
    the fourth parameter is holding your results that you see in protocol family etc the third parameter is the type of connection you want to send MSDN: ZeroMemory( &hints, sizeof(hints) ); hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; clears the memory holding ADDRINFO of sending type... then fills it with the type of connection of TCP socket unspecified family (auto detect IPv4 IPv6) in this case once that gets sent out we want our servers reply: that’s the info stored in parameter 4 results You then read the “results” starting at 01C99670 Before you call getaddrinfo breakpoint it on curl and see what the params’ point to
  19. 1 point
    Probably it's like this because the HTML standard is too loose and flexible in a way that makes uniformity on security issues something unlikely to ever happen at this point. Dynamic aspects even more so are to increase security or even business model. As much as many of us want to see this be easily scrptable, businesses are working hard to ensure in fact just the opposite. So many bots doing phony stuff nowadays for one, and sometimes data leaching is desired to be prevented because the data and bandwidth have value. Some businesses want you to have to manually go through login and clicking to simply make it cumbersome to both waste your time and energy and keep things complicated enough that you might make a mistake. I would really like a script which logs in and downloads, renames appropriately and saves all bill or bank statements every month for example. But its cumbersome and tedious at best to script and if a captcha comes likely you need to interrupt the automation for a short user browser interaction before proceeding. Unless you want to automate that with special built neural nets. I've yet to see one that makes human like mouse movement but the bot networks out there probably have it albeit it's not public.
  20. 1 point
    Apologies, I deviated the topic on the thought of an affordable 400TB SSD in my lifetime. We may need these capacities if heading to 8K and 16K video sources at some point in the future... Ted.
  21. 1 point
    10-12TB spinning drives only this year started to get to a reasonable $/GB ratio. So, 100TB+ SSD is way, way out of reach for the ordinary consumer. And it will be out of reach for next 5-10years. BTW, the f*ing original article was talking about tape drives, not HDDs or SSDs. Personally, I wouldn't call that a drive - but English is not my native language..
  22. 1 point
    Worlds largest SSD recorded so far is sitting at 100TB currently. From Nimbus Data, was a 3.5" bay drive running under SATA or SAS. Granted they reveled it back in 2018, and SSD tech has GREATLY improved since then, so I'm sure the other companies have larger stuff behind the scenes now and just haven't shown it yet. Most of the work being done on the drive market that we are seeing publicly right now is optimizations to the caching and storing of data on the chips and not so much in regards to chasing the larger sizes for the consumer market.
  23. 1 point
    Every site especially nowadays can be quite different. Not only the form fields which can change need to be identified but persistent login options, one or more redirects can occur, cookies are dropped and must be forwarded, browser headers are checked and per browser details involved. Sometimes custom headers are added, there is CSRF, sometimes client side Javascript is doing some key changes to headers or the request maybe encrypting or encoding, sometimes a captcha will come about some just monitoring mouse movements others requiring specific valid input, sometimes the site loads important cookies from other sites, SSL considerations with client or server side certificates, the original HTML spec even had authentication options like basic and digest, even NTLM Windows auth is possible through digest as I recall. So best to create your generic template which deals with all of these things and have per site settings which guide the template. It's a real project for sure but not impossible. But yea a pain indeed.
  24. 1 point
    CSRF tokens https://stackoverflow.com/a/33829607 https://www.hhutzler.de/blog/using-curl/ https://www.google.com/search?q=curl+login+with+CSRF -- On all modern login system there are 'validation' like this... What I have done in the past, is to use CefSharp library (or even the plain WebBrowser of .NET frm), load the page @ browser set the values to inputboxes and submit the form to the server by clicking the submit button by JS code. ex document.querySelector('.ovm-ClassificationBarButton-18'); restoreTAB.click();
  25. 1 point
    truly, lost you... pasting some functions for GET/POST, maybe is helpful function make_post_request($url, $params, $json) { $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $url); curl_setopt($curl, CURLOPT_POST, true); if (!$json) { curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params)); } else { $params = json_encode($params); curl_setopt($curl, CURLOPT_POSTFIELDS, $params); curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json; charset=UTF-8', 'X-Accept: application/json')); } // display header // curl_setopt( $curl , CURLOPT_HEADER, 1 ) ; curl_setopt( $curl , CURLOPT_CUSTOMREQUEST , 'POST'); curl_setopt( $curl , CURLOPT_SSL_VERIFYPEER , false ) ; // <-- u searching for this ? curl_setopt( $curl , CURLOPT_RETURNTRANSFER , true ) ; curl_setopt( $curl , CURLOPT_TIMEOUT , 5 ) ; $response = curl_exec($curl); // http status code // $status = curl_getinfo($c, CURLINFO_HTTP_CODE); // var_dump($status); curl_close($curl); return json_decode($response); } function make_get_request($url, $params) { $c = curl_init(); $url .= '?' . http_build_query($params); curl_setopt($c, CURLOPT_URL, $url); curl_setopt($c, CURLOPT_RETURNTRANSFER, true); // curl_setopt($c, CURLOPT_HEADER, true); /* curl_setopt($c, CURLOPT_FOLLOWLOCATION, true); curl_setopt($c, CURLINFO_HEADER_OUT, true);*/ curl_setopt($c, CURLOPT_HTTPHEADER, array('Content-Type: application/json')); $response = curl_exec($c); /* $status = curl_getinfo($c, CURLINFO_HTTP_CODE); var_dump($status);*/ curl_close($c); return json_decode($response); } once user login, store info to session variable at any page you can get any info stored. ex. ata login page $r is a recordset $_SESSION['mail'] = $_POST['email']; $_SESSION['u'] = $r['fullname']; $_SESSION['id'] = $r['user_id']; $_SESSION['level'] = $r['user_level_id']; then on any page, u can read the variable $_SESSION[??] //always u have to use @ the top @session_start(); what is the need? you are on HTTP and what ? ref curl w/o https : serverfault.com/a/469825
  26. 1 point
    We say this with every iteration of Windows. Recalling XP being bloated... 🤔 Ted.
  27. 1 point
    @akkaldama: I use browser tabs as bookmarks for commonly used staff. Browser tab is one click away, bookmark is "..."->"Bookmarks->Find the folder and click->Scroll down and click. Way too slow. If you want details, most of it is Kibana, Apache Impala queries and company internal system dashboards/interfaces. And I didn't say it's "normal", I said that it's unreasonable to expect that to work without a proper amount of RAM. EDIT: oh I see.. It should be "has usually/commonly running". Sorry for my Engrish.
  28. 1 point
    Used it quite a lot - the speed will depend largely on your GPU though I suggest you take the time to read through the different attack types. Some of the custom permutations and things are super powerful - I usually have more success with those on a small, well thought out dict (<5MB) than just using a massive dictionary file.
  29. 1 point
    Is everything going PRIVATE or knowledge stopped being shared ? Unpacking => Private ... Tutorials(Patching , keygens) ==> Private ... New techniques ==> Private ... knowledge ==> Private .. So what we left for the others for this Scene ?? The only thing that left is nothing some old books and old school techniques and nothing else... Why ?
  30. 1 point
    https://www.bleepingcomputer.com/news/security/expiring-ssl-certs-expected-to-break-smart-tvs-fridges-and-iots/ bonus On Systemic Debt - hxxps://thedailywtf.com/articles/on-systemic-debt linux xrdp – an open source RDP server - hxxps://github.com/neutrinolabs/xrdp
  31. 1 point
    Thanks @Teddy Rogers I agree with you but posts saying things like "He shared the solution with me via PM" and such should not be approved. That way, anyone would not be able to show-off that they solved it. If they want their post(s) to be featured on the Challenge threads as having solved something, then the requirement should strictly be that they should post a solution that anyone would be able to replicate. If any special tools are required, then unless they are willing to share the tools, their post should not be accepted. That way, one would either have to post a proper solution along with the tools used or, if they do not want to share their tools, remain silent. I am sure that some would not want to share their tools but in that case they should not get the opportunity to make posts that just serve to boost their ego. If they are not willing to share their "private tools" that they used to arrive at the solution, then their solution (or even their post which just shows the final answer without the steps or tools) should not be approved at all. Otherwise, one could just say that they used a "private tool" for every crackme/unpackme (when in reality, they just used public tools), in order to avoid detailing the steps. So, unless they are willing to share the "private tools", it does make their answer any more useful to the rest of us. While we do not expect an essay or a full video tut of very detailed steps, a person with a reasonable knowledge of RE should be able to replicate the solution with the "steps" that they provide. For example, just saying that they used DnSpy and IL Spy to solve it would be rather useless... I would say that this is more like solving a trigonometry or an algebra problem back in high school where one is expected to provide the "steps" that they performed to arrive at the solution. One would be expected to provide just enough detail so that anyone reading it would be able to (reasonably) understand how to solve similar problem.
  32. 1 point
    As I mentioned in the same topic the solution that was posted was light in detail and never approved. Had it been approved it would have been considered a show off post. I can't force people to post acceptable solutions and I can't stop them sharing them via PM. Your other points are valid and I agree. I would like to get your opinion, if someone posted a solution that they used tool a then tool b is that solution still acceptable? Ted.
  33. 1 point
    @Prab Do you write some tools yourself? I think you can't clean this file just with these tools, such as: Does `Constants Decryptor` support `sizeof` instruction? Do you write tools yourself to convert `sizeof` to `ldc`?
  34. 1 point
    Is this a hidden feature of the protection or does the app just not work?
  35. 1 point
    By seeing the number of imports on your screenshot and the ollydbg.exe in upper case i would guess you tried this on ollydbg v1.10, not on ollyv2 The description don't mention it here but that thing is for v2, if you look inside the readme of the archive, it says (in french) that the code has been rewrote for olly 2. So try with v2, or recompile the dll for v1. Also i'm checking the src and this can really be improved more. Especially for the v2 as if you rename ollydbg.exe to blabla.exe, then it will look for blabla.ini, but OllyPath2 will create only 'ollydbg.ini' as this string is in hard inside.
  36. 1 point
    without debugger detection awesome.vmp_nodbg.rar
  37. 1 point
    I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator I try my best to introduce it using English 1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5) 2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run 3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod" 4.fix pe header and maybe you shoud also fix .net header This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies. If you can not understand it, you can reply me. Best wish.
  38. 1 point

    65 downloads

    Today I release - finally - the series of unpacking tutorials about manually unpacking The Enigma Protector. I will discuss all protections of Enigma which are fully detailed as possible. I have to say thanks to LCF-AT, she helped me a lot with this. Introduction ~ 9:28 Unpacking with patterns ~ 33:03 Finding patch-places without patterns ~ 19:56 Dealing with SDK API's & Custom Emulated API's ~ 28:23 Internal & External VM's (Using Plugin) ~ 5:40 Enigma's Registration Scheme ~ 15:37 EN-DE-Cryption ~ 33:21 Inline patching + Final Words ~ 11:56
  39. 1 point
    Hello everyone , I hope you're doing good , I've been searching for a while about how to write a plugin for OllyDbg , with the help of the (plugin api unit) I was able to make a simple plugin that retreives the value of the flag (BeingDebugged) which is used by the function (IsDebuggerPresent) . now the problem is that i still can't change that byte . The function WriteProcessMemory isn't working , can you give me some help please , here's the full code : thanks in advance library AADebug; uses SysUtils, plugin, windows, Classes; {$R *.res} type PEB = record Reserved1: array [0 .. 1] of Byte; BeingDebugged: Byte; Reserved2: Byte; Reserved3: array [0 .. 1] of Pointer; Ldr: Pointer; Reserved4: array [0 .. 102] of Byte; Reserved5: array [0 .. 51] of Pointer; PostProcessInitRoutine: Pointer; Reserved6: array [0 .. 127] of Byte; Reserved7: Pointer; SessionId: ULONG; end; PROCESS_BASIC_INFORMATION = record Reserved1: Pointer; PebBaseAddress: Pointer; Reserved2: array [0 .. 1] of Pointer; UniqueProcessId: cardinal; Reserved3: Pointer; end; resourcestring PLUGIN_NAME = 'Anti IsDebuggerPresent'; var g_hwndOlly: HWND; // OllyDbg Window Handle ProcessBasicInfo : PROCESS_BASIC_INFORMATION; Length:cardinal; EB : PEB; function ODBG_Plugininit(ollydbgversion:Integer;hWndOlly:HWND;features:PULONG):Integer;cdecl; begin g_hwndOlly := hWndOlly; Addtolist(0, 0, pchar(PLUGIN_NAME)); Result := 0; end; function ODBG_Plugindata(name: PChar): integer; cdecl; begin StrLCopy(name, PChar(PLUGIN_NAME), 32); Result := PLUGIN_VERSION; end; function NtQueryInformationProcess(ProcessHandle: THANDLE; ProcessInformationClass: DWORD; ProcessInformation: Pointer; ProcessInformationLength:ULONG; ReturnLength: PULONG): LongInt; stdcall; external 'ntdll.dll'; procedure Getinfo; var debugee,PID : THandle; buffer : byte; begin buffer := $00; PID := PluginGetValue(VAL_PROCESSID); debugee := OpenProcess(PROCESS_ALL_ACCESS,False,PID); NtQueryInformationProcess(debugee,0,@ProcessBasicInfo,sizeof(ProcessBasicInfo),@length); readprocessmemory(debugee,ProcessBasicInfo.PebBaseAddress,@EB,sizeof(EB),length); writeprocessmemory(debugee,@EB.beingDebugged,@buffer,sizeof(buffer),length); messagebox(g_hwndOlly,pchar('BeingDebuggedFlag : '+ inttostr(EB.beingDebugged)),pchar('info'),MB_ICONINFORMATION); end; procedure ODBG_Pluginaction(origin:Integer; action:Integer; pItem:Pointer);cdecl; begin if (origin = PM_MAIN) then begin Getinfo; end; end; exports ODBG_Plugininit name '_ODBG_Plugininit', ODBG_Plugindata name '_ODBG_Plugindata', ODBG_Pluginaction name '_ODBG_Pluginaction'; begin end.
  40. 1 point
    You're writing to the wrong address. It should be something like: WriteProcessMemory(debugee,pointer(dword(ProcessBasicInfo.PebBaseAddress) + 2),@buffer,sizeof(buffer),length); Since Delphi doesn't have a pretty way to get field offset, I had to hardcode the "2" instead of writing something prettier like "offsetof(PEB, BeingDebugged)". You could do some of the ugly tricks mentioned here: https://stackoverflow.com/questions/14462103/delphi-offset-of-record-field but to me it's not worth the effort.
  41. 1 point
    Hi everyone, Maybe some of you heard it already, but Sigma and I are working on an x32/x64 debugger for Windows for a few months now... The debugger currently has the following features: variables, currently command-based only basic calculations, can be used in the goto window and in the register edit window. Example: var*@401000+(.45^4A) software breakpoints (INT3, LONG INT3, UD2), currently command-only (just type 'bp addr') hardware breakpoints (access, write, execute), also command-only stepping (over, into, out, n instructions), can be done with buttons/shortcuts memory allocation/deallocation inside the debuggee quickly access API adresses (bp GetProcAddress) syntax highlighting, currently not customizable simple memory map (just addr+size+module+protection basically) The debugger has an easy GUI, for which we looked a lot at Olly Debug engine is TitanEngine, disassembler BeaEngine, icons are from various sources (see About dialog). We use QT for the GUI part. If you have a suggestion, a bug report, need more info, want to contribute, just post here or send me a private message. The latest public build + source can always be found on http://x64dbg.com (click 'Source'->'bin_public') to download the latest build. For now, you can also download the first 'alpha' here We would love to hear from you! Greetings, Mr. eXoDia & Sigma
  42. 1 point
    Beds Protector ? I found is Babel Protector .
  43. 1 point
    Run the program, put any fake password, click on "Check password" wrong msg will be prompted, open up process hacker, right click on the file process -> properties -> net module -> strings -> scan/dump and then you have a .txt file with all strings extracted from memory. Seek for the wrong msg prompt text and nearby is the password.
  44. 1 point
    my confuserex unpacker works for this with one slight modification in the anti tamper find method it fails just make it find anti tamper (easiest way just change the if (sections.Count == 3) from a 3 to a 2 this will then fix it and static route work 100%
  45. 1 point
    Yep. That is one of the sections. It may be more on larger files. BTW. Here is my script for recover VM'ed Enigma OEP. Is written back in 2015 and i don't know if is fail proof because i did not use/test for more than a year ago. // giv@reversing.ro // Script for restore VM OEP on Enigma 5.xx VM'ed OEP // Delphi files + VB6 bc lc bphwc bpmc dbh GMI eip, CODEBASE mov bazacod, $RESULT GMI eip, CODESIZE mov marimecod, $RESULT VAR INTRARE ask "Enter the EIP of the stolen OEP" mov INTRARE, $RESULT //mov INTRARE, 0041F372 BPHWS INTRARE erun bphwc INTRARE ask "Enter compiler type: 1 for Delphi 2 for Visual Basic 3 for C++" mov tipcompilator, $RESULT cmp $RESULT,1 ifeq jmp Delphi endif cmp $RESULT,2 ifeq jmp vb6 endif cmp $RESULT,3 ifeq jmp C_plus endif //Target compiler select mov delphi, 1 mov vb6, 0 mov cpp, 0 ///////////////// cmp delphi, 1 ifeq jmp Delphi endif cmp vb6, 1 ifeq jmp vb6 endif cmp cpp, 1 ifeq jmp C_plus endif Delphi: log "PUSH EBP" log "MOV EBP, ESP" log "ADD ESP, -10" BREAK: bc bphwc bpmc BPRM bazacod, marimecod erun cmp eip, INTRARE ifeq jmp BREAK endif cmp eip, bazacod+marimecod ifa jmp BREAK endif cmp eax, 01000000 ifa jmp DWORD endif cmp [eip], #FF25#, 2 ifeq jmp BREAK endif mov valoareeax, eax eval "MOV EAX, 00{valoareeax}" LOG $RESULT, "" eval "MOV ECX, 00{ecx}" log $RESULT, "" eval "MOV EDX, 00{edx}" log $RESULT, "" mov pozitie, eip eval "CALL 0{pozitie}" log $RESULT, "" GASIRE_RET: bpmc cmp [eip], #FF25#, 2 ifeq jmp BREAK endif find eip, #C3#, 5 mov adresagasitaret, $RESULT cmp adresagasitaret, 0 ifa bp adresagasitaret erun bc adresagasitaret esti gci eip, COMMAND mov stringoep, $RESULT scmpi stringoep, "PUSH 0x0", 4 cmp $RESULT, 0 ifa jmp Comanda_gci endif esti jmp Comanda_gci endif find eip, #5?C?#, 1500 mov adresagasitaret, $RESULT cmp adresagasitaret, 0 ifa mov diferenta, adresagasitaret-eip cmp diferenta, 35 ifb cmp [adresagasitaret], #5BC3#, 2 ifeq bpmc bp adresagasitaret erun esti esti jmp Comanda_gci endif cmp [adresagasitaret], #5DC2#, 2 ifeq bpmc bp adresagasitaret erun esti esti jmp Comanda_gci endif msg "Diferenta prea mica" endif mov adresacomparare, adresagasitaret add adresacomparare, 1 cmp [adresacomparare], #C3#,1 ifneq mov start, eip add start, 35 find start,#E8????????C3# bp $RESULT erun bc find eip, #5?C?# bp $RESULT erun bc esti esti jmp Comanda_gci //msg "Pauza C3" endif bp adresagasitaret erun bc adresagasitaret esti esti jmp Comanda_gci endif find eip, #5?5?5?5?C3#,500 bpmc mov adresagasitaret, $RESULT cmp adresagasitaret, 0 ifa bp adresagasitaret erun bc adresagasitaret esti esti jmp Comanda_gci endif cmp adresagasitaret, 0 Continuare_ret: bpmc ifa bp adresagasitaret bpmc erun endif bc adresagasitaret esti esti Comanda_gci: GCI eip, COMMAND mov comanda, $RESULT scmpi comanda, "PUSH 0x0", 4 ifneq jmp GASIRE_RET endif jmp BREAK DWORD: ///////// bc bphwc ///////// mov gasire, eax rev gasire mov gasire, $RESULT /////////////////// eval "{gasire}" mov gasire, $RESULT ////////////////// len gasire cmp $RESULT, 7 ifeq eval "0{gasire}" mov gasire, $RESULT jmp ansamblare_gasire endif len gasire cmp $RESULT, 6 ifeq eval "00{gasire}" mov gasire, $RESULT endif //log gasire, "" ansamblare_gasire: eval "#{gasire}#" mov gasire, $RESULT findmem gasire, bazacod mov adresa_p, $RESULT cmp adresa_p, 0 ifeq msg "Pointer negasit" pause endif ifa eval "MOV EAX, DWORD PTR[{adresa_p}]" log $RESULT, "" cmp ecx, 401000 ifa eval "MOV ECX, 00{ecx}" log $RESULT, "" endif cmp edx, 401000 ifa eval "MOV EDX, 00{edx}" log $RESULT, "" endif mov pozitie, eip eval "CALL 0{pozitie}" log $RESULT, "" jmp GASIRE_RET vb6: findmem #5642??21#, bazacod mov variabilapush, $RESULT cmp variabilapush,0 ifeq msg "Pattern not found for push value - VB6" jmp Sfarsit endif eval "PUSH 00{variabilapush}" LOG $RESULT, "" asm eip, $RESULT mov variabilacall, eip-6 eval "CALL 00{variabilacall}" LOG $RESULT, "" asm eip+5, $RESULT jmp Sfarsit C_plus: bc bphwc bpmc BPRM bazacod, marimecod erun MOV intrarecallc, eip EVAL "CALL {intrarecallc}" log $RESULT, "" ASM INTRARE, $RESULT bc bphwc bpmc rtr esti BPRM bazacod, marimecod erun MOV jmpc, eip EVAL "JMP {jmpc}" log $RESULT, "" ASM INTRARE+5, $RESULT jmp Sfarsit Sfarsit: msg "Script is finished"
  46. 1 point
    Hacking Android Apps Using Backup Techniques http://resources.infosecinstitute.com/android-hacking-security-part-15-hacking-android-apps-using-backup-techniques/ Cracking Android App Binaries http://resources.infosecinstitute.com/android-hacking-security-part-17-cracking-android-app-binaries/ Android Application hacking with Insecure Bank Part 4 http://resources.infosecinstitute.com/android-application-hacking-with-insecure-bank-part-4/ Android Application hacking with Insecure Bank – Part 3 http://resources.infosecinstitute.com/android-application-hacking-with-insecure-bank-part-3/ Android Application hacking with Insecure Bank Part 2 http://resources.infosecinstitute.com/android-application-hacking-insecure-bank-part-2/ Android Application hacking with Insecure Bank Part 1 http://resources.infosecinstitute.com/android-application-hacking-insecure-bank-part-1/ Understanding Disk Encryption on Android and iOS http://resources.infosecinstitute.com/understanding-disk-encryption-android-ios/ Getting Started with Android Forensics http://resources.infosecinstitute.com/getting-started-android-forensics/ Penetration Testing Apps for Android Devices http://resources.infosecinstitute.com/pen-test-apps-android-devices/ Android Hacking and Security, Part 3: Exploiting Broadcast Receivers http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/ Android Hacking and Security, Part 2: Content Provider Leakage http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/ Android Hacking and Security, Part 1: Exploiting and Securing Application Components http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/ Android Application Security Testing Guide: Part 2 http://resources.infosecinstitute.com/android-app-sec-test-guide-part-2/ Android Application Security Testing Guide: Part 1 http://resources.infosecinstitute.com/android-application-security-testing-guide-part-1/ Exploiting Debuggable Android Applications http://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/ Android App Permissions and Security: What You Need to Know http://resources.infosecinstitute.com/android-app-permissions-security-need-know/ Security and Hacking apps for Android devices http://resources.infosecinstitute.com/security-hacking-apps-android/ Android Forensics: Cracking the Pattern Lock Protection http://resources.infosecinstitute.com/android-forensics-cracking-the-pattern-lock-protection/ Sniffing Network Traffic on Android http://resources.infosecinstitute.com/sniffing-network-traffic-android/ Creating a kewl and simple Cheating Platform on Android https://deepsec.net/docs/Slides/2014/Creating_a_kewl_and_simple_Cheating_Platform_on_Android_-_Milan_Gabor-Danijel_Grah.pdf Racing with DROIDS http://2014.zeronights.org/assets/files/slides/racingwithdroids.pdf Steroids for your App Security Assessment http://2014.zeronights.org/assets/files/slides/grassi.pdf Hey, we catch you - dynamic analysis of Android applications https://pacsec.jp/psj14/PSJ2014_Wenjun_Hey- We Catch You - Dynamic Analysis of Android Applications.pdf An Infestation of Dragons: Exploring Vulnerabilities in the ARM TrustZone Architecture https://pacsec.jp/psj14/PSJ2014_Josh_PacSec2014-v1.pdf Making Android's Bootable Recovery Work For You http://matasano.com/research/eko2014_recovery.pdf Mobile Hacking – Reverse Engineering the Android OS http://www.slideshare.net/EC-Council/hacker-halted-2014-reverse-engineering-the-android-os MAN IN THE BINDER: HE WHO CONTROLS IPC, CONTROLS THE DROID https://www.blackhat.com/docs/eu-14/materials/eu-14-Artenstein-Man-In-The-Binder-He-Who-Controls-IPC-Controls-The-Droid.pdf Hide Android Applications in Images https://www.blackhat.com/docs/eu-14/materials/eu-14-Apvrille-Hide-Android-Applications-In-Images.pdf BREAKING “SECURE” MOBILE APPLICATIONS http://conference.hitb.org/hitbsecconf2014kul/materials/D2T1 - Dominic Chell - Breaking Secure Mobile Applications.pdf TACKYDROID: Pentesting Android Applications in Style http://conference.hitb.org/hitbsecconf2014kul/materials/D2T2 - Chris Liu and Matthew Lionetti - TackyDroid.pdf Android Forensics: The Joys of JTAG https://ruxcon.org.au/assets/2014/slides/tty0x80-Ruxcon Presentation-12th-October-2014-for-release.pdf Enter The Snapdragon! https://www.hacktivity.com/en/downloads/archives/319/ A distributed approach to malware analysis https://speakerdeck.com/nviso/a-distributed-approach-to-malware-analysis-brucon-0x06-daan-raman Bypassing wifi pay-walls with Android http://www.slideshare.net/rootedcon/pau-olivafora-rootedcon2014 Play Flappy Bird while you pentest Android in style http://hitcon.org/2014/downloads/P1_10_Chris Liu - Matthew Lionetti - TackyDroid Slides.pptx On the Feasibility of Automa3cally Generating Android Component Hijacking Exploits http://hitcon.org/2014/downloads/P1_09_Daoyuan Wu - On the Feasibility of Automatically Generating Android Component Hijacking Exploits.pdf Peeking into Your App without Actually Seeing it: UI State Inference and Novel Android Attacks https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-chen.pdf ASM: A Programmable Interface for Extending Android Security https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-heuser.pdf Android Packers:Separating from the pack http://www.fortiguard.com/paper/Android-Packers--Hacktivity2014/ Sprobes: Enforcing Kernel Code Integrity on the TrustZone Architecture http://mostconf.org/2014/slides/s2p3-slides.pdf A Systematic Security Evaluation of Android's Multi-User Framework http://mostconf.org/2014/slides/s3p3-slides.pptx Enter Sandbox: Android Sandbox Comparison http://mostconf.org/2014/slides/s3p1-slides.pdf Exploiting the Bells and Whistles: Uncovering OEM Vulnerabilities in Android http://thecobraden.com/uploads/Valletta - CarolinaCon X - Exploiting the Bells and Whistles.pdf Execute this! Looking into code-loading techniques on Android http://warsaw2014.honeynet.org/slides/honeynet2014-day1-Sebastian.pdf Post-Mortem Memory Analysis of Cold-Booted Android Devices http://www.homac.de/publications/Post-Mortem-Memory-Analysis-of-Cold-Booted-Android-Devices-slides.pdf Tricks for image handling in Android http://www.slideshare.net/tyronenicholas/devoxx-images-android Pentesting Android Applications http://www.slideshare.net/clviper/pentesting-android-applications Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware http://www.syssec-project.eu/m/documents/eurosec14/RATVM.pdf Pre-installed Android application poisoning https://speakerdeck.com/owaspjapan/pre-installed-android-application-poisoning-number-appsecapac2014 AirBag: Boosting Smartphone Resistance to Malware Infection http://yajin.org/papers/ndss14_airbag.pdf SMV-Hunter: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps https://www.utdallas.edu/~zxl111930/file/NDSS14b.pdf AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications http://sycurelab.ecs.syr.edu/~mu/AppSealer-ndss14.pdf Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications https://anonymous-proxy-servers.net/paper/android-remote-code-execution.pdf DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket http://filepool.informatik.uni-goettingen.de/publication/sec//2014-ndss.pdf Reverse Engineering, Pentesting and Hardening of Android Apps https://speakerd.s3.amazonaws.com/presentations/25bc54e0728001318b20063debaef239/DroidconIT2014.pdf Predatory Hacking of Mobile: Real Demos http://www.rsaconference.com/writable/presentations/file_upload/mbs-w03-predatory-hacking-of-mobile-real-demos-v2.pdf Touchlogger on iOS and Android http://www.rsaconference.com/writable/presentations/file_upload/mbs-w01-touchlogger-on-ios-and-android-v2.pdf Beginners Guide to Reverse Engineering Android Apps http://www.rsaconference.com/writable/presentations/file_upload/stu-w02b-beginners-guide-to-reverse-engineering-android-apps.pdf Mobile Analysis Kung Fu, Santoku Style http://www.rsaconference.com/writable/presentations/file_upload/anf-w03-mobile-analysis-kung-fu-santoku-style_v2.pdf Android FakeId Vulnerability https://bluebox.com/technical/blackhat-fake-id-talk-material-and-follow-up/
  47. 1 point
    Hi, ok I have checked this file and bypassed also the password check. I also made a short script which does patch the ID & Pass check so that you get the file running as you can see on my picture below. ////////////////////////////////////////////////////////////// // // HWID Patch & Password Bypass Script // // Example Script for only this UnpackMe.... // // The Enigma Protector-4.3-X32 [patch HWID and unpackme] // // LCF-AT ////////////////////////////////////////////////////////////// bphwc bc alloc 1000 mov SECTION, $RESULT var ID_HOOK var PASS_HOOK var TEMP var AT exec push 0 call {GetModuleHandleA} ende add AT, 00FF2C05+eax add ID_HOOK, 000693D0+eax add PASS_HOOK, 00FE7FE6+eax bphws ID_HOOK esto bphwc mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500# mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3# gpa "lstrlenA", "kernel32.dll" mov TEMP, $RESULT eval "call {TEMP}" asm SECTION+2D, $RESULT mov [SECTION+41], SECTION gci ID_HOOK, DESTINATION mov TEMP, $RESULT eval "jmp {TEMP}" asm SECTION+48, $RESULT add SECTION, 29 eval "jmp {SECTION}" asm ID_HOOK, $RESULT sub SECTION, 29 bphws PASS_HOOK bpgoto PASS_HOOK, PASS_HOOK_STOP //////////////////////////////// RUN: esto pause pause //////////////////////////////// PASS_HOOK_STOP: cmp [esp+14], AT jne RUN mov eip, SECTION+4D bphwc esto pause ret greetz
  48. 1 point
    return from LoadBitmapA have you the pointer of this picture ;-) Now must you dump it and write the Bitamp header Here is a example for safe the bitmap (dumper) from rohitab //if you want to save the bitmap to a file now that you have it on your computer,here (i dont take credit for this function) void SaveBitmap(char *szFilename,HBITMAP hBitmap) { HDC hdc=NULL; FILE* fp=NULL; LPVOID pBuf=NULL; BITMAPINFO bmpInfo; BITMAPFILEHEADER bmpFileHeader; do{ hdc=GetDC(NULL); ZeroMemory(&bmpInfo,sizeof(BITMAPINFO)); bmpInfo.bmiHeader.biSize=sizeof(BITMAPINFOHEADER); GetDIBits(hdc,hBitmap,0,0,NULL,&bmpInfo,DIB_RGB_COLORS); if(bmpInfo.bmiHeader.biSizeImage<=0) bmpInfo.bmiHeader.biSizeImage=bmpInfo.bmiHeader.biWidth*abs(bmpInfo.bmiHeader.biHeight)*(bmpInfo.bmiHeader.biBitCount+7)/8; if((pBuf = malloc(bmpInfo.bmiHeader.biSizeImage))==NULL) { MessageBox( NULL, "Unable to Allocate Bitmap Memory", "Error", MB_OK|MB_IConerror); break; } bmpInfo.bmiHeader.biCompression=BI_RGB; GetDIBits(hdc,hBitmap,0,bmpInfo.bmiHeader.biHeight,pBuf, &bmpInfo, DIB_RGB_COLORS); if((fp = fopen(szFilename,"wb"))==NULL) { MessageBox( NULL, "Unable to Create Bitmap File", "Error", MB_OK|MB_IConerror); break; } bmpFileHeader.bfReserved1=0; bmpFileHeader.bfReserved2=0; bmpFileHeader.bfSize=sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+bmpInfo.bmiHeader.biSizeImage; bmpFileHeader.bfType='MB'; bmpFileHeader.bfOffBits=sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER); fwrite(&bmpFileHeader,sizeof(BITMAPFILEHEADER),1,fp); fwrite(&bmpInfo.bmiHeader,sizeof(BITMAPINFOHEADER),1,fp); fwrite(pBuf,bmpInfo.bmiHeader.biSizeImage,1,fp); }while(false); if(hdc) ReleaseDC(NULL,hdc); if(pBuf) free(pBuf); if(fp) fclose(fp); }
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
×
×
  • Create New...