Tuts 4 You

Leaderboard

  1. Washi (Full Member) - Points: 21 - Posts: 45
  2. whoknows (Full Member+) - Points: 17 - Posts: 1,013
  3. BataBo (Junior+) - Points: 14 - Posts: 17
  4. BlackHat (Full Member) - Points: 13 - Posts: 240

Popular Content

Showing content with the highest reputation since 06/30/2021 in all areas

  1. Went for a keygen instead of a full devirtualization. I don't fancy devirtualizing VMProtect stacked on top of KoiVM, so I went with a fully dynamic analysis approach. Code is clear enough though if you are able to set the right breakpoints at the right places. Personally am not a fan of including anti-VM in challenges, it only makes it annoying rather than interesting, but maybe that's just me. Sample key: Approach: Keygen.cs
    10 points
  2. I am of the opinion that any solution posted here should be reproducible (hence the name tuts4you). Anyone reading my solution should be able to follow the steps and get to the same conclusion. For the case of a VM, since they are complicated beasts, it means it gives me only two options: I would have to release the source code of any type of devirtualizer that I would've made, or I would have to spend an entire blog post talking about how VMP's VM works and how to reverse it. While I genuinely enjoy doing both, both options take a lot of time, something I have very little of these days. But even if I had the time, it's arguably not really worth it. If I were to make a devirtualizer for VMP and release it, it will not take long for the VMP developers to catch on and update their software. Unless the devirtualizer was made in such a way that it would be resistant towards the kinds of changes (which again, takes more time), it means it is probably only going to be useful for a short period. Just doing this for a single unpackme posted on a forum does not really make it worth it for me. Also, while I generally don't have any problem with publishing articles or source code (unlike other people that post solutions here it seems), I do have a problem with potentially harming other people's businesses. I am not a fan of releasing devirtualizers or unpackers for protectors that are still in business and have customers. From a legal and ethical perspective, that's just not something I would do easily. Generally speaking though, with reverse engineering it is often not required to fully unpack anyways. You extract what you need and leave out the unimportant business. In a lot of cases that does not require a full deobfuscation. Especially not with keygenme's like these. Maybe someone else thinks differently about that, and does pick this up as a challenge though
    9 points
  3. Target uses homomorphic encryption of two pieces of code, which are the crucial part of verifying the serial. Not sure if it's keygennable, maybe someone else will make it. If the string that we enter in the input box is passed to the following two methods and both of them return the expected result then we get the goodboy ("Hooollaaaaa :)") message.
     The result of this method must be 5214:
        internal static int check1(string input)
        {
            int num = 0;
            for (int i = 0; i < input.Length; i++)
            {
                num += (int)(input[i] + 'P');
            }
            return num;
        }
     The result of this method must be 40106:
        internal static int check2(string input)
        {
            int num = 0;
            for (int i = 0; i < input.Length; i++)
            {
                num += i * (int)input[i] % 0x7FFFFFFF;
            }
            return num;
        }
    7 points
  4. This is an update to my last post. I've decided to continue working on my unpacker and was able to figure out how to decrypt operands; when it comes to callinternal, its operand, when decrypted, tells you which method to execute. The next problem I've gotten was homomorphic encryption, but it wasn't a hard nut to crack: all you have to do is bruteforce the key and use it to decrypt the method body. With all this I've finally made the devirtualiser and was able to unpack the assembly. Then I ran it through de4dot to clean it up a bit. And then I have manually taken care of the debug code (I haven't removed it, I've just put if(true)return; at the beginning of each debug method). Here is a video of me unpacking it: https://streamable.com/gynmi9 The file password is superfrog. For some reason I couldn't upload the raw exe so I zipped it. ggggg-unpacked-cleaned.zip
    6 points
  5. I was unable to unpack this executable but have made some progress in creating a devirtualiser. First thing I've done is debug the program to understand how the VM works. There I've realised that class \u0008\u2008 is the VM class, in which most of the VM code is located. Then I dumped \u0008\u2008.\u0006\u2002; this is a field of type Dictionary<int, \u0008\u2008.\u0002\u2000> where int is the VM opcode id and \u0008\u2008.\u0002\u2000 is a method associated with that VM opcode. After I had that dumped I ran it through my program and was able to link some of those methods to CIL opcodes. You'll be able to download the map from the file below. Then I linked those CIL opcodes to instruction ids. This allows me to devirtualise virtualized code. Now I needed method bodies. Those were pretty easy to obtain. You'll be able to see both virtualised and devirtualised bodies in the file below. Ok so I knew what opcode corresponds to what VM opcode and had all the virtualised bodies so I should be able to unpack it, but that wasn't the case because of 2 factors. The first one is that the operands for certain instructions (call, ldtoken, callvirt, ldfld, stfld...) are encrypted. All eaz assemblies have an encrypted resource from which they get these values. I tried to decrypt these values but failed, but fortunately I was able to semi-circumvent this.
     Eaz caches all the decrypted operands, so I ran the program, gave a wrong input, dumped the assembly and obtained these values; unfortunately the values that were not decrypted didn't get cached so I was unable to obtain them. The list of decrypted operands is in the file below. The second issue is the eaz opcode callinternal (my nickname). This opcode takes an encrypted operand as the argument and uses it to pretty much create a dynamic method. I wasn't able to get bodies for these methods (I was able to get 3 including anti-dbg code), and from the looks of it they are important. I tried to fix these two issues but couldn't, so I gave up. I decided to just devirtualise the bodies I had with the limited information I had, and you can get those unpacked bodies from the file below. I hope this info proves useful to someone so they can make an unpacker. I just wanna be clear on this one: the <Decrypted></Decrypted> field refers to whether the operand was decrypted and <BranchTo></BranchTo> refers to the command that the branch instruction is referencing.
     Forgot to mention, might be important: the method that runs the VM code looks like this:
        private void \u0008\u2000(bool \u0002)
        {
            uint u0005_u = this.\u0005\u2001;
            for (;;)
            {
                try
                {
                    while (!this.\u000E)
                    {
                        if (this.\u0008\u2003 != null)
                        {
                            this.\u0003\u2001 = this.\u0008\u2003.Value;
                            this.\u0002((long)((ulong)this.\u0003\u2001));
                            this.\u0008\u2003 = null;
                        }
                        else if (this.\u0003\u2001 >= u0005_u)
                        {
                            break;
                        }
                        this.\u0006();
                    }
                }
                catch (object u)
                {
                    this.\u0002(u, 0U);
                    if (\u0002)
                    {
                        continue;
                    }
                    this.\u0008\u2000(true);
                }
                break;
            }
        }
     The part that executes the VM opcode is this.\u0006(); and it looks like this:
        private void \u0006()
        {
            this.\u0002\u2002 = this.\u0003\u2001;
            int key = this.\u000E\u2003.\u0006();
            this.\u0003\u2001 += 4U;
            \u0008\u2008.\u0002\u2000 u0002_u;
            global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u);
            u0002_u.\u0003(this, this.\u0002(this.\u000E\u2003, u0002_u.\u0002));
        }
     This line generates the VM opcode id:
        int key = this.\u000E\u2003.\u0006();
     And this line gets the method associated with that key:
        global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u);
     and the last line executes it. Data.xml
    4 points
  6. In your assembly there is a field Interpreter.zC which contains the virtualized version of the IL code. This is a field of type Dictionary<int,byte[]> and the int in there is the md token of the method, so I knew which body corresponds to which method. Then I copied some code from your assembly to my devirtualizer. So then I convert the body from byte[] to o (class name); then we have property L2 which contains a list of instructions. An instruction is of type x (also a class name). One of the properties of x is p4 which indicates what op command that x is. With that info I can easily convert o to a list of CIL instructions, and in field xV there is additional info about the instruction if necessary, so if the instruction is ldstr field xV will contain the string... Then reconstruct the bodies, remove the VM code and fix issues and that's it. There is the unpacked assembly below. UnPackMe-ILV -Unpacked-Cleaned.exe
    4 points
  7. x0man's version of starfield with bmp aboutbox effect - ripped from Casino PokeR Analyzer v4.17 by tPORt.zip , with IDA pro. (yep, this aboutbox wasn't really open-source - like Funny Word, Crazy Word and New year theme - back then) Also available on Xylitol's collection of masm32 graphical effects repository on github . starfield_with_bmp[tPORt].zip
    3 points
  8. Methodology - Since it is a CrackMe I won't bother myself to generate/find a valid serial by understanding the algo. So I'm simply going to patch it to accept any key or show the valid message from any of that. Thanks to the RCE community members from all those different forums who shared their knowledge with the public. Valid Key - Steps - Image - Method 2 - Since it is a CrackMe these methods make sense, but in a real world app these are not so useful. We need to devirt the app to fully read the code. So you can follow my 1st comment regarding complete unpacking of your code.
    3 points
  9. Google parent Alphabet launches Intrinsic
       www.theverge.com/2021/7/23/22590109/google-intrinsic-industrial-robotics-company-software
     Mark Zuckerberg says Facebook will turn into a ‘metaverse’
       www.independent.co.uk/life-style/gadgets-and-tech/facebook-mark-zuckerberg-metaverse-augmented-vitual-mixed-reality-b1889284.html
     Biden administration sounds the alarm on the semiconductor crisis
       fortune.com/2021/07/16/biden-administration-sounds-the-alarm-on-the-semiconductor-crisis/
     Meet the Microsoft Game Developer Kit (GDK)
       developer.microsoft.com/en-us/games/blog/meet-the-microsoft-game-developer-kit-gdk/
     Scientists Finish the Human Genome at Last
       www.nytimes.com/2021/07/23/science/human-genome-complete.html
     Insight.js – Never Console.log Again
       getinsight.dev/
     Anybody can read the registry in Windows 10
       doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5
     Amiga 2000 EATX PCB
       github.com/jasonsbeer/Amiga-2000-ATX
     Rivian announces $2.5 bln funding round led by Amazon, Ford
       www.reuters.com/business/autos-transportation/ev-startup-rivian-announces-25-bln-funding-round-led-by-amazon-ford-2021-07-23/
     Schools opened, suicide attempts in girls skyrocketed
       insidemedicine.bulletin.com/2977384169199489/
     K-9 Mail new release v5.8 (finally!)
       k9mail.app/2021/07/24/K-9-Mail-is-back
     Hacking the DLink DIR-615
       noob3xploiter.medium.com/hacking-the-dlink-dir-615-for-fun-and-no-profit-part-2-cve-2020-10215-586204d42bba
     Chimpanzees have been spotted attacking and killing gorillas
       edition.cnn.com/2021/07/22/africa/chimpanzee-gorilla-attacks-scn-scli-intl/index.html
    2 points
  10. Migrating Facebook to MySQL v8.0
        engineering.fb.com/2021/07/22/data-infrastructure/mysql/
      Akamai Edge DNS Down
        edgedns.status.akamai.com/
        www.bbc.com/news/technology-57929544
      AlphaFold Protein Structure Database
        alphafold.ebi.ac.uk/
      Even if you’re paying, you’re still the product
        odysee.com/@CyberLounge:a/even-if-youre-paying-youre-still-the-product:7
      Wiser – minimal hypervisor boots Linux VM. Written in C
        github.com/flouthoc/wiser
      open-source-alternatives
        www.btw.so/open-source-alternatives
      Reflections as the Internet Archive turns 25
        blog.archive.org/2021/07/21/reflections-as-the-internet-archive-turns-25/
      Man Arrested in Connection with Alleged Role in Twitter Hack
        www.justice.gov/opa/pr/man-arrested-connection-alleged-role-twitter-hack
      NSO group say enough is enough
        www.nsogroup.com/Newses/enough-is-enough/
      Colorado River is shrinking
        www.sciencemag.org/news/2021/07/colorado-river-shrinking-hard-choices-lie-ahead-scientist-warns
      sudo - music for developers
        sudo.fm
      Bezos donates $100 million each to CNN contributors
        www.cnn.com/2021/07/20/media/van-jones-bezos-100-million/index.html
      Telegram founder listed in leaked Pegasus project data
        www.theguardian.com/news/2021/jul/21/telegram-founder-pavel-durov-listed-spyware-targets-nso-leak-pegasus
      Epic Games acquires Sketchfab
        techcrunch.com/2021/07/21/epic-games-acquires-sketchfab-a-3d-model-sharing-platform/
      How do Chrome extensions impact browser performance?
        www.debugbear.com/blog/chrome-extension-performance-2021
      Neverinstall – A platform to bring desktop applications to the browser
        neverinstall.com/
      Intel Distribution for Python
        software.intel.com/content/www/us/en/develop/tools/oneapi/components/distribution-for-python.html
      Google pushed a one-character typo to production, bricking Chrome OS devices
        arstechnica.com/gadgets/2021/07/google-pushed-a-one-character-typo-to-production-bricking-chrome-os-devices/
      G - Introducing the Data Validation Tool for EDW migrations
        cloud.google.com/blog/products/databases/automate-data-validation-with-dvt
      Kaseya obtained a decryptor for victims of the REvil ransomware
        apnews.com/article/lifestyle-technology-joe-biden-europe-business-bb7298b31b7157640fbd5f90fc19c224
        helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-21st-2021
      California Sues Gaming Giant Activision Blizzard Over Unequal Pay, Sexual Harassment
        www.npr.org/2021/07/22/1019293032/activision-blizzard-lawsuit-unequal-pay-sexual-harassment-video-games
      Our genes shape our gut bacteria
        www.sciencedaily.com/releases/2021/07/210708170331.htm
      Zip - How not to design a file format
        games.greggman.com/game/zip-rant
      How TikTok's Algorithm Figures Out Your Deepest Desires
        www.wsj.com/video/series/inside-tiktoks-highly-secretive-algorithm/investigation-how-tiktok-algorithm-figures-out-your-deepest-desires
    2 points
  11. Be mindful of what types functions return. The intrinsic function '_rotr' returns an unsigned value, which goes against the signed types you are trying to use. Because of that, you need to cast its return back to a signed type or store it in a signed variable first.
        int32_t eax = 0;
        int32_t ebx = 0x288d6c47;
        //_rotr(ebx ^ 0x9714, 0x2) = 0xca237ed4
        eax = (int32_t)_rotr(ebx ^ 0x9714, 0x2) >> 0x3;
      Should get what you want.
    2 points
  12. 2 points
  13. Version 0.05 [+] Minor bugs fixed https://github.com/horsicq/x64dbg-Plugin-Manager/releases/tag/0.05
    2 points
  14. Cookies are a basic web mechanic. They are not all evil and are not all for DMP type tracking. Deleting all cookies is like permanently using Chrome's incognito mode. That mode is separate for a reason... it breaks the basic mechanic of remembering sessions where you want to be remembered. You're not being tracked across sites, and deleting those cookies just gives you a personal headache logging in each time. Your choice, clearly, but deleting 'every' cookie is like tidying a cupboard by throwing everything away, rather than sorting out the junk. Given how much people share passwords, 2FA should be standard across all sites these days, so I struggle to see how T4U is the only site causing issues.
    2 points
  15. You do not have to stay logged in, and you only need to keep the cookie containing the device key. You must be crazy if you do not have or utilise some form of 2FA for home banking. There are good reasons why I have chosen to enable it. The majority of users are likely not to even notice the change until (they login from another device or) their device key expires which, I think, is set around ~1.5 years... Ted.
    2 points
  16. i hope u have SnD PERMISSION TO POST IT , AT FIRST BEFORE POST U SHOULD HAVE YCK1509 TAKE PERMISSION FROM YCK1509 . THIS SOFTWARE SRC I HAVE . YCKPERMITTED ME TO SHARE THIS APP binary only not src, UNTIL POST U SHOULD SEARCH WITH MY USER ID I ALREADY POSTED JITDUMPER DNLIB EDTION CREATE BY YCK1509 . SEARCH BY FOLLOWING MY USER ID U GET LATEST FIXED BINARY JITDUMPER LAST EDITION WHICH HE LAST MODIFIED FOR ME
    2 points
  17. As It is a Crack Me and the Goal is to get the key of obfuscated file So I am going to find the Key without actually Unpacking It. Methodology - Valid Key - Image -
    2 points
  18. ILVirtualization (Custom Scratch VM)
      PLEASE NOTE THIS IS NOT A MODDED PUBLIC VM, THANKS
      Difficulty: 4/10
      Language: C# / .NET
      Windows OS Version: All
      Protection: ILVirtualization v1.0
      Goals:
        Silver Medal: Clean Mutations.
        Gold Medal: Devirtualize The Code.
      Winners:
        Golden Medal: @BataBo
    2 points
  19. Answer: The password is "gamer vision". All of the following addresses are based on the module base 0x00007FF644840000.
      The possible OEP at:
        00007FF644841DF8 | 48:895C24 20 | mov qword ptr [rsp+20],rbx
        00007FF644841DFD | 55          | push rbp
        00007FF644841DFE | 48:8BEC     | mov rbp,rsp
        00007FF644841E01 | 48:83EC 20  | sub rsp,20
        ...
      Then the second hit in the code section at:
        00007FF6448416FC | 48:895C24 08 | mov qword ptr [rsp+8],rbx
        00007FF644841701 | 48:897424 10 | mov qword ptr [rsp+10],rsi
        00007FF644841706 | 57          | push rdi
        00007FF644841707 | 48:83EC 30  | sub rsp,30
        ...
      After the "enter password." prompt, the input routine is at:
        00007FF644841400 | 48:8BC4    | mov rax,rsp
        00007FF644841403 | 57         | push rdi
        00007FF644841404 | 41:54      | push r12
        00007FF644841406 | 41:55      | push r13
        00007FF644841408 | 41:56      | push r14
        00007FF64484140A | 41:57      | push r15
        00007FF64484140C | 48:83EC 50 | sub rsp,50
        ...
      The pointer to the local buffer receiving the input text is in rdx (for example, 000000359CC9FA58). After entering some test characters, the stack looks like:
        000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00  "123456789012"
        000000359CC9FA68: 000000000000000C  input size
        000000359CC9FA70: 000000000000000F  buffer size
      From here on, the logic is virtualized. First of all, the length of the input text gets checked in a vCmpqr handler:
        00007FF644898E0B | 49:39F0 | cmp r8,rsi  ; r8=000000000000000C (actual), rsi=000000000000000C (const)
      The length MUST be 12!, else you get "no!". NOTE: the encrypted password has no chance of getting decrypted if the input length is wrong!
      The answer string is encrypted (0xC length):
        00007FF64484BCB0  8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00
      Decrypt algo:
        00007FF6448BF3A6 | 40:8A36 | mov sil,byte ptr [rsi]    rsi=00007FF64484BCB0, sil=8B
        00007FF6448D4125 | 44:30DB | xor bl,r11b               bl=8B, r11b=08; ^=08 = 83
        00007FF64488E987 | 880A    | mov byte ptr [rdx],cl     [00007FF64484BCB0] <- 83
        00007FF64485748F | 8A09    | mov cl,byte ptr [rcx]     [00007FF64484BCB0] -> 83
        00007FF64485E6FA | 44:00D7 | add dil,r10b              dil=83, r10b=E4; +=E4 = 67 'g'
        00007FF64488E987 | 880A    | mov byte ptr [rdx],cl     [00007FF64484BCB0] <- 67
        00007FF64488DA96 | 49:FFC4 | inc r12                   ptr++
        00007FF644859691 | 41:FFC9 | dec r9d                   length--
        00007FF64488743C | 85C8    | test eax,ecx              end loop if length zero
      At the end of the loop, the plaintext:
        00007FF64484BCB0  67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00  gamer vision....
      The comparison:
        00007FF6448424E7 | FF25 330C0000 | jmp qword ptr [<&memcmp>]
        ret rax=00000000FFFFFFFF / 0000000000000000 (if matches)
        rcx=000000359CC9FA58 "123456789012"
        rdx=00007FF64484BCB0 "gamer vision"
        r8=000000000000000C
      Encrypted string structure:
        BYTE  bEncrypt           // 1 - encrypt, 0 - decrypt
        DWORD dwLength
        BYTE  UnDefined[0xC]
        BYTE  CipherText[dwLength+1]
      The related messages are as follows; you can find them in the VM section ".themida" after it gets unpacked at the very beginning of the application.
        00007FF6448AC79F  01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00   decrypt algo: ^A0+4F
        00007FF6448AC7AF  00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F   "enter password.\n"
        00007FF6448AC7BF  1B 00

        00007FF64484BC9F  01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00   decrypt algo: ^08+E4
        00007FF64484BCAF  00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00         "gamer vision"

        00007FF644886C7F  01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00   decrypt algo: ^85+10
        00007FF644886C8F  00 EC D0 E6 94 7F 00                              "yes!\n"

        00007FF64489252F  01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00   decrypt algo: ^65+C9
        00007FF64489253F  00 C0 C3 3D 24 00                                 "no!\n"

        00007FF64484C40F  01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00   decrypt algo: ^12+C6
        00007FF64484C41F  00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48   "press enter to continue.\n"
        00007FF64484C42F  8F BB BA BC B1 BA BD 8D 7A 56 00
    2 points
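As an added example (not part of the answer above or of the target's own code), a small Python decoder for the encrypted string records the answer describes: it parses the record layout the post gives, applies the XOR-then-ADD transform with the per-string constants the post lists, and is fed the hex dumps copied from the post. Reading bEncrypt == 0 as "already decrypted in place" is an assumption drawn from the post's "1 - encrypt, 0 - decrypt" comment.

```python
"""Decoder for the encrypted string records described in the answer above.

The record layout (bEncrypt / dwLength / UnDefined[0xC] / CipherText) and the
per-byte transform (XOR one constant, then ADD another, truncated to 8 bits)
come from the post; the key pairs such as ^08+E4 are the ones the post lists.
The byte dumps below are copied from the post's hex dumps.
"""
import struct
from typing import Dict, Tuple

# BYTE bEncrypt + DWORD dwLength + BYTE UnDefined[0xC]
HEADER_LEN = 1 + 4 + 0xC


def parse_record(blob: bytes) -> Tuple[int, bytes, bytes]:
    """Split one record into (bEncrypt, ciphertext, bytes after the record).

    The ciphertext is returned without its terminating NUL. The trailing
    bytes are returned so records laid out back to back can be walked.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("record shorter than its header")
    flag = blob[0]
    (length,) = struct.unpack_from("<I", blob, 1)
    end = HEADER_LEN + length + 1  # +1 for the NUL in CipherText[dwLength+1]
    if len(blob) < end:
        raise ValueError("record truncated: dwLength exceeds available bytes")
    return flag, blob[HEADER_LEN:end - 1], blob[end:]


def decrypt(cipher: bytes, xor_key: int, add_key: int) -> bytes:
    """Per byte: (c ^ xor_key) + add_key, mod 256, as in the traced handler."""
    return bytes(((c ^ xor_key) + add_key) & 0xFF for c in cipher)


def decode_record(blob: bytes, xor_key: int, add_key: int) -> str:
    """Return the plaintext of one record (decrypting only if bEncrypt == 1)."""
    flag, cipher, _ = parse_record(blob)
    if flag == 0:
        # Assumption: bEncrypt == 0 means the VM already decrypted it in place.
        return cipher.decode("latin-1")
    return decrypt(cipher, xor_key, add_key).decode("latin-1")


# Dumps copied from the post, with the (xor, add) constants it gives per string.
RECORDS: Dict[str, Tuple[bytes, int, int]] = {
    "prompt": (bytes.fromhex(
        "01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00 "
        "00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F "
        "1B 00"), 0xA0, 0x4F),
    "password": (bytes.fromhex(
        "01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00 "
        "00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00"), 0x08, 0xE4),
    "goodboy": (bytes.fromhex(
        "01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00 "
        "00 EC D0 E6 94 7F 00"), 0x85, 0x10),
    "badboy": (bytes.fromhex(
        "01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00 "
        "00 C0 C3 3D 24 00"), 0x65, 0xC9),
}


def decode_all() -> Dict[str, str]:
    """Decode every dumped record; a wrong key pair shows up as garbage here."""
    return {name: decode_record(blob, x, a) for name, (blob, x, a) in RECORDS.items()}


if __name__ == "__main__":
    for name, text in decode_all().items():
        print(f"{name:9s} {text!r}")
```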
  20. I do not release the decoder but the code optimizer (not immediately), this is not specific to the oream vm, it is only far more effective than others. What do you say about angr or miasm or optimice or codedoctor ?? do we eliminate them all the tools for binary code analysis ?? I do not issue the decoder code because my hobby is a hobby and I do not want to give anybody a damn but reversing is sharing (I unfortunately belong to the old old reverser school). If I spoke good English I would probably share a lot more info and would not like others who just write for self-celebration. Do you know Scherzo or Softworm ?? I'm an old man who now deals with reversing and my only good luck is that the day they will all program in python or javascript I will not be there anymore..hahahahaha
    2 points
  21. I went to the office for the first time. I fornicationing hated it (lol)
        www.reddit.com/r/cscareerquestions/comments/oosru6/i_went_to_the_office_for_the_first_time_i_fornicationing/
      Windows 96
        windows96.net
      Developers at Activision Blizzard say they'll walk out Wednesday
        www.axios.com/activision-blizzard-walkout-harassment-lawsuit-fefa807b-107e-41e2-a6e2-78a086119e04.html
      Curated list of personal blogs
        refined.blog/
      Docker in Production: A History of Failure (2016)
        thehftguy.com/2016/11/01/docker-in-production-an-history-of-failure/
      WeChat suspends new user registration for security compliance
        www.reuters.com/technology/tencents-wechat-suspends-new-user-registration-cites-technical-upgrade-2021-07-27/
      Analysis of large binaries and games in Ghidra-SRE
        kiwidog.me/2021/07/analysis-of-large-binaries-and-games-in-ghidra-sre/
    1 point
  22. Shadow is on a whole other level, he unpacked an exe fully packed with pelock 2.x in half an hour
    1 point
  23. cracked attached cracked password 1234567891011121314151617 from csv , original password <TuAurasPasLeMdpCroisPas> still has csv dynamic encryption crackme_1234567891011121314151617.7z
    1 point
  24. Unsigned types are zero extended and signed types are sign extended with shift instructions. C does not have efficient implementations of some hardware details. For example, shifting left or right by 1 gives the removed bit in the carry flag CF. Or addition/subtraction. But in C you must do some bit twiddling expressions to turn a native efficient operation into something taking a few instructions. I doubt the compiler actually optimizes it. So if you want to shift a big integer stored in an integer array, it will be an annoyance especially since rotate with carry or double precision shifts are strictly necessary. No idea if SIMD instructions can speed this up given it's a sequential memory op
    1 point
  25. If you are not saving (and need to use) JavaScript and other client side assets other than HTML, you could use something like WinCHM. Numerous PDF editors can import and categorise HTML. Even Word and open source variants can do a similar job... Ted.
    1 point
  26. Metal 3D printing company Fabric8Labs raises $19M
        techcrunch.com/2021/07/20/metal-3d-printing-company-fabric8labs-raises-19m
      DuckDuckGo launches new Email Protection service to remove trackers
        www.theverge.com/2021/7/20/22576352/duckduckgo-email-protection-privacy-trackers-apple-alternative
      Norway women's beach handball team fined for wearing shorts instead of bikini bottoms
        www.bbc.com/sport/handball/57890430
      70% of EU’s charging stations are found in just 3 countries
        thenextweb.com/news/70-percent-eu-charging-stations-are-in-just-three-countries
      How to Make a Minecraft Server
        www.amongtech.com/how-to-make-a-minecraft-server
      Kyndryl is IBM’s wacky new name for its dry IT spinoff
        www.theverge.com/tldr/2021/4/12/22380114/kyndryl-ibm-it-spinoff-name-infrastructure-branding
        www.kyndryl.com/
      Bloomberg: Apple decides to postpone return to office by at least a month
        9to5mac.com/2021/07/19/bloomberg-apple-decides-to-postpone-return-to-office-by-at-least-a-month/
      Tomato fruits send electrical warnings to the rest of the plant when attacked by insects
        www.eurekalert.org/pub_releases/2021-07/f-tfs071421.php
      Microsoft Quietly Released Its Own Linux Distro
        github.com/microsoft/CBL-Mariner
      Saudi Aramco (oil) data breach sees 1 TB stolen data for sale
        www.bleepingcomputer.com/news/security/saudi-aramco-data-breach-sees-1-tb-stolen-data-for-sale/
      Rapid7 acquires threat intelligence platform IntSights for $335M
        venturebeat.com/2021/07/19/rapid7-acquires-threat-intelligence-platform-intsights-for-335m
      Should I Get a House?
        shouldigetahouse.com/
      More than 160,000 people sign petition to stop Jeff Bezos from returning to Earth (#haha)
        www.indy100.com/science-tech/jeff-bezos-blue-origin-space-petition-b1887139
      powered by upstract.com
    1 point
  27. Enigma Protector v6.9
      I have protected a simple file with the Enigma Protector 6.9. Try to unpack. For a skilled reverser it will not be as hard as it seems.
      HWID: A7707-65A71-43529-A59E1-41C2F-C5AA0-EB308-3F774
      Name: tuts4you
      Key: BG8QC4UMZW3QMTH99U6ZTF8FJJNDAPKY5E2XNL3CMHRVUMLSB2QWRBSYBGF4RNHX7WC26W2GQMNBNPUU3YUTDXDS387A2UURMUVJ88P5PPC9ZCEQHFHW4J6ZQRAK7GW6DRK4QH4CGCEQM7F9K39J89S4CRARX3L3LPABBXU23M8QXP6A85L2CZFJZF66KF5NFTZ557872DA3
      Submitter: GIV - Submitted: 07/20/2021 - Category: UnPackMe
    1 point
  28. For question 1, here are two ways to do it:
        // Using pointer casting..
        DWORD eax = 0xF96A872D;
        *(WORD*)&eax = ~(WORD)eax;

        // Using bitwise operations..
        DWORD eax = 0xF96A872D;
        eax = (eax & 0xFFFF0000) | (WORD)~(WORD)eax;
      For question 2, you are seeing the wrong result because of using an unsigned type. The math being performed is expecting the value to be a signed type instead. Instead of using 'DWORD' use a signed type instead (ie. 'long', 'int32_t', etc.).
    1 point
  29. And in the end, what is the harm in opening the Windows Explorer folder where the HTMLs are saved and double clicking the needed file!?
    1 point
  30. VeraCrypt "Automatic Repair" issue on Windows
        www.ghacks.net/2021/07/14/fix-the-veracrypt-automatic-repair-issue-on-windows/
      Ex-Nissan boss Carlos Ghosn: How I escaped Japan in a box
        www.bbc.com/news/business-57760993
      Nokia E63 phone converted into LoRa messenger for secure
        www.cnx-software.com/2021/07/09/nokia-e63-phone-converted-into-lora-messenger-for-secure-off-the-grid-communication/
        github.com/TrevorAttema/OTGMessenger
      Microsoft names Chinese group as source of new attack on SolarWinds
        www.theregister.com/2021/07/14/dev_0322_solarwinds_serv_u_zero_day/
        arstechnica.com/gadgets/2021/07/microsoft-says-hackers-in-china-exploited-critical-solarwinds-0-day/
      Hackers Move to Extort Gaming Giant EA
        www.vice.com/en/article/m7e57n/hackers-extort-ea-fifa
      Microsoft acquires cybersecurity firm RiskIQ for $500M
        venturebeat.com/2021/07/13/microsoft-acquires-cybersecurity-firm-riskiq-for-500m/
      Is π the same in every universe?
        www.askamathematician.com/2020/12/q-is-%CF%80-the-same-in-every-universe/
      How to Install Windows 3.1 on an iPad
        www.howtogeek.com/739100/how-to-install-windows-31-on-an-ipad/
      John McAfee's wife: he didn't commit suicide, claims massive cover up
        www.tweaktown.com/news/80440/john-mcafees-wife-he-didnt-commit-suicide-claims-massive-cover-up/index.html
      Amazon has acquired Facebook's satellite internet team
        www.engadget.com/amazon-has-acquired-facebooks-satellite-internet-group-115312282.html
      Germany Fines YouTube Six Figures for Removing Video of Anti-Lockdown Protest
        www.mediaite.com/news/germany-fines-youtube-six-figures-for-removing-video-of-anti-lockdown-protest/
    1 point
  31. Hi, I had also to change this setting... ...to this above. Now my exception for T4Y keeps saved. The settings at all are a little confusing. Now you would think that you do allow to keep all cookies, but as I can see only the T4Y cookie keeps alive and all others are gone on restart, also with unchecked Cookie. So at the moment it works to keep login in T4Y & to re-login after logout without getting that VR NAG anymore. greetz
    1 point
  32. Nothing has changed here. It works exactly the same, over the same duration, providing you do not delete cookies. When you login a unique key is assigned to the browser and stored as a cookie. When you next login, and if the unique key matches, it is treated as a known and approved device. If you delete cookies you lose that unique information. Nothing wrong with Firefox. My suggestion would be in Firefox settings add "https://forum.tuts4you.com/" to your whitelist so that cookies are not deleted when you exit the browser... Ted.
    1 point
  33. Not all controls will use all of the window styles, or some of them might use them differently or ignore them. The edit control creates its own frame instead of using the WS_BORDER style, probably due to window theme and the ability to change the frame color to indicate the current focus or lost focus status.
    1 point
  34. 2 new templates! Just found out some modifications on the Crazy Word effect to make letters jump a little faster and hover all letters completely: looked over x0man's Recordpad sound recorder keygen through IDA pro and they look slightly different than what I've ripped, so I've modified it like this in the StartAddress subprogram:
        loc_4018CD:
            mov     eax, [edx+5]
            cmp     [edx+0Dh], eax
            jnz     short loc_401939
            mov     eax, [edx+1]
            mov     ecx, eax
            add     ecx, 14h          ; <-- hover intensity amount (20 in hex - original was 7)
            cmp     dword_40C439, eax
            jb      short loc_40193F
            cmp     dword_40C439, ecx
            ja      short loc_40193F
            mov     eax, [edx+5]
            mov     ecx, eax
            add     ecx, 1Eh          ; <-- jump sensitivity amount (30 in hex - original was 0F [ 15 ])
            cmp     dword_40C43D, eax
            jb      short loc_401937
            cmp     dword_40C43D, ecx
            ja      short loc_401937
            push    edx
            push    JumpHeight
            call    sub_4017AD
            pop     edx
            mov     ecx, eax
            push    edx
            push    2
            call    sub_4017AD
            pop     edx
            cmp     al, 1
            jnz     short loc_40192D
            mov     dword ptr [edx+11h], 1
            imul    ecx, -1
            jmp     short loc_401934
            ...
      Then I've modified its jump speed to 0Ah (10 in hex) ---> invoke Sleep,0Ah -- right under the bitblt function. And the keygen template below is the first template that uses a SID library. Initially I wanted to play the sid music through memory, but it didn't work, so it will crash if you try to play it through memory; you can only play the sid through resource. Btw the aboutbox background is actually from the donkey kong video by Xploshi (timestamp: 1:00), to match properly with the keygen form background. If you want you can check out her other cursed VHS shorts. v2m by Scratchpad, and sid by Zardax (used for a C64 invitation for the 2019 ZOO demoparty, created by Artline Designs). CrackTemp18.zip KeygenTemp32.zip
    1 point
  35. Language: C# (.NET)
      Goal: to get the key of the obfuscated file
      The key on the screenshot is wrong; you have to crack this CrackMe and send the key with a tutorial on how you did it.
      150 downloads
    1 point
  36. Hello, tarequl.hassan! I think he used this: https://processhacker.sourceforge.io/downloads.php To get straight to the Memory Strings you should do the following:
        1. Open the obfuscated app
        2. Open Process Hacker
        3. Find your process in Process Hacker and right click on it
        4. Select "Properties" and navigate to the tab called "Memory"
        5. You will see a button in the top-right called "Strings..."
      That's it, I hope it helped. Have a nice day!
    1 point
  37. lol lol why you even here !!! search in google !!!
    1 point
  38. There are a few slightly different methods to do this, one is like this...
        GetWindowInfo_(hWnd, @pwi)
        If pwi\dwStyle & #WS_VISIBLE
          ; Window has WS_VISIBLE
        EndIf
      You could do it something like this...
        ; Remove only WS_VISIBLE from the window whilst keeping its other styles.
        SetWindowLongPtr_(hWnd, #GWL_STYLE, GetWindowLongPtr_(hWnd, #GWL_STYLE) & ~#WS_VISIBLE)
      If you only want to change WS_VISIBLE use SetWindowPos. Also make sure you only use SetWindowLongPtr and GetWindowLongPtr, as the API notes explain... Ted.
    1 point
  39. Hello, so I have created & protected a new UnpackMe for you. I added also some detect stuff [medium level]. Just start the exe file and press the splash. Have fun again. ENIGMA 2.33 UnpackMe.rar
    1 point
  40. Hi, so you do see that this topic is more than 10 years old already, right? The .NET Framework infos should be wrong because the file is not NFW. The problem should be the Windows OS you are running and the arch (x64), where you can get different results by using the script because the unpacking conditions are not the same as if you would try to unpack the target on an XP x86 system. What you can try is running the script under a VM with XP SP2 OS. Otherwise you need to debug the script itself and analyze the error messages, trying to fix / bypass it manually. greetz
    1 point
  41. Passwords:
    1. Remove Hide Methods, Remove Calli and Cflow
    2. Remove Math
    3. Decrypt Base64
    That's about it. For new guys, figure it out yourself first. 😁
    1 point
  42. Hello, I unpacked the file completely (including VM). Here is how I did it (simplified a bit):
    1. After a bit of analysis we can notice that Agile.NET hooks into the Just In Time compiler in order to restore the method code. This can be undone by hooking into the JIT before Agile.NET.
    2. Update de4dot to be able to remove simple protections like string encryption, control flow, and reference proxy. This just requires you to update some detections.
    3. Spend some time analyzing the Agile.NET VM; we find out that its VM is somewhat different to others as it creates "combined" handlers for multiple opcodes. In order to remove the VM we can utilize the de4dot devirtualizer. In order to add support we have to track down the original runtime dll that's shipped with the protector to extract the non-merged handler information.
    After some manual cleanup the result is the following, unpacked file attached. UnpackMe-unpacked.exe
    1 point
  43. I was referring to lignesrecords[.]fr. There are no more malicious pages, so no new victims (until actors hack another web server, upload their tools and send another wave of spam...) 144.217.17[.]185 is still alive and apparently hoster is ignoring abuse reports. There's not much anyone can do about that.
    1 point
  44. This was the time I was active, did dongles and stuff; compared with now, that was easy. I did now the Rocky4 and set on all the switches of the program flow. It is quite fun; attacking the dongle does not work well, emulating is fun. I had the first computer in 1989, a DOS, 20 MB hard disk, yes these cost money that time, and much more; the cd C:\ was not possible, a real text machine, not more. The hard disk was in that time 2160 gulden, for 20 MB.
    1 point
  45. 32 downloads

    Until recently, the x86 architecture has not permitted classical trap-and-emulate virtualization. Virtual Machine Monitors for x86, such as VMware Workstation and Virtual PC, have instead used binary translation of the guest kernel code. However, both Intel and AMD have now introduced architectural extensions to support classical virtualization. We compare an existing software VMM with a new VMM designed for the emerging hardware support. Surprisingly, the hardware VMM often suffers lower performance than the pure software VMM. To determine why, we study architecture-level events such as page table updates, context switches and I/O, and find their costs vastly different among native, software VMM and hardware VMM execution. We find that the hardware support fails to provide an unambiguous performance advantage for two primary reasons: first, it offers no support for MMU virtualization; second, it fails to co-exist with existing software techniques for MMU virtualization. We look ahead to emerging techniques for addressing this MMU virtualization problem in the context of hardware-assisted virtualization.
    1 point
  46. 41 downloads

    The perfect way to play XM music is by using MiniFmod. Since it is free to use, we can produce really cool keygens. I've chosen keygens as the perfect target to play music on, as we all know it's cool in the end. The best way to find our XM music is the mod archive located at: http://www.modarchive.com/. It is a huge archive, and a lot of cool music can be found there, so just before coding, select your file (recommended size: 2k-30k). I especially like "Hybrid Song.XM" (I first heard it in an installer of Worms) or "trainer.XM", but I am sure there are millions of them out there. Once we choose our music, we need to dump its content!! Now, since this article is for Visual C++ coders, our dump is apparently C++ style hex. For the dumping routine we will use Thigo's excellent Table Extractor, located at protools/anticrack... or just google for it.
    1 point
  47. Your topic has not been approved. You did not follow the correct posting format and/or provided enough information regarding the challenge. You have 48 hours to correct your topic before it will be moved to the Trashcan. For further details regarding the formatting of the topic please refer to the topic in the below link... [This is an automated reply]
    1 point
  48. Version 1.6

    768 downloads

    This is a complete collection of public and private builds of Imports Fixer (mainly a collection of private builds). I am uploading all of these for posterity reasons before they are deleted and for those people who like to look over this stuff. Most of these old builds will not work on modern Windows OSes and IF is no longer being developed, so do not expect them to function correctly. If you need to use an imports fixer I suggest turning to a publicly accessible imports builder such as Scylla. It is more feature complete, supports modern OS builds and is open source - so you can fix any bugs. In advance of questions regarding IFv1.7, this version was never completed and no private builds were released. Version 1.6 is where all the fun ended... Ted.
    1 point