Jump to content
Tuts 4 You

Leaderboard

  1. kao

    kao

    Full Member+


    • Points

      28

    • Content Count

      2,322


  2. TobitoFatito

    TobitoFatito

    Full Member


    • Points

      20

    • Content Count

      34


  3. CodeExplorer

    CodeExplorer

    Moderator


    • Points

      17

    • Content Count

      3,106


  4. whoknows

    whoknows

    Full Member


    • Points

      14

    • Content Count

      519



Popular Content

Showing content with the highest reputation since 06/08/2020 in all areas

  1. 13 points
    awesome_msil_Out.exe Approach: 1. Necrobit is a jit protection, so we use Simple MSIL Decryptor by CodeCracker , and it shall be ran on NetBox 2. Code virtualization is a relatively new feature of .net reactor, added in version 6.2.0.0. Here is the approach i took (i did this about 6 months ago so my memory is kinda rusty ) : (Click spoiler to see hidden contents)
  2. 6 points
    I am referring to threads and posts like these: If a solution is selectively provided only to the OP by PM then it defeats the whole purpose of the Crackme/Unpackme section. In such cases, the solution provider should not even be acknowledged unless they provide working steps for everyone to learn from. This forum is a learning platform and if solution providers are expected to share the methodologies that they used for the solution. Here is yet another thread where the posts from the solution providers who gave vague steps was approved: Basically another thread containing "show-off" posts by the solution poster. Nothing practical provided and no proper steps were shown. I mean, take this for example (from this post): EXAMPLE 2 Basically useless. It's like saying that to climb the Himalayas one needs will-power, good training, a lof of good mountaineering tools, food packs etc and that one has to read up a lot of good manuals and practice on smaller mountains first... Only posts in the Challenges section which detail proper steps which are actually reproducible should be approved by the mods. OR... ALL POSTS there should be approved from anyone. Why just approve the "show-off" posts? Are we expected to "beg" the solution poster via PM for the steps? I am quite sure that my post may get deleted, since any posts which speak the truth seem to get selective get deleted these days, but nevertheless I wanted to bring up this point! Another example of an approved post where NO STEPS were provided:
  3. 4 points
    In my opinion that solution will be acceptable only if the tool used is public.
  4. 4 points
    This is really the key point that probably should be the requirement for a post to be accepted. A solution should be reproducible, not a list of private tools that are used. Private tools are, as their name implies, private, and by definition that means it is everything but reproducible (unless this tool is shared with the reader of the solution). The only person benefiting from such a reply is the respondent themselves in the form of an ego boost. Not very productive if you'd ask me.
  5. 4 points
    It's a really good question. The answer really depends. Let me give you few recent examples. Example #1: Extreme Coders names the tools and explains HOW to solve the crackme. A lot of effort is required but all the tools can be found via Google. So I have zero issues with the solution. Example #2: Prab names the tools but no explanation is given. "x86 retranslater" definitely cannot be found not on Google. "Clean control flow" tells the obvious thing but it doesn't explain HOW to do that. What's the point of such solution? The only thing reader will learn from this is that he needs a magic wand that he can't have.
  6. 4 points
    View File Reactor v6.3 Try to unpack or alternatively provide a serial. Protections used: Necrobit Antitampering Antidebug Obfuscation Code Virtualization + Shield with SNK Submitter whoknows Submitted 06/10/2020 Category UnPackMe (.NET)  
  7. 2 points
    https://www.bleepingcomputer.com/news/security/net-core-vulnerability-lets-attackers-evade-malware-detection/ bonus medium.com/pcmag-access/former-intel-engineer-explains-why-apple-switched-to-arm-deba86e560b1 Hard Disk Hacking (2013) - spritesmods.com/?art=hddhack&page=1
  8. 2 points
    you shouldn't be using WD in first place.
  9. 2 points
    Pawning 40 CTFs simultaneously
  10. 2 points
    My work machine has normally running MS Teams (2GB right there..), Outlook (250MB), Chrome with 40+ tabs (6+GB), Visual Studio, 1-2 VMware Guests and IDA. Would I expect it to magically work with 8GB of RAM? F*ck no! Sure, you can find a tool that hacks around and maybe reduces the symptoms. But it doesn't fix the problem. The actual problem is that your machine is severely under-powered for that sort of a workload. Another 8GB of RAM would be a proper way to solve those issues. And it costs ~40EUR - which is less than 1-2 hours of your time you probably spent googling for such "tool".
  11. 2 points
    https://docs.microsoft.com/en-us/dotnet/api/system.string.concat Get the next 50 elements and concat them, then repeat. If you want to add a delimiter for every text use Join instead. https://docs.microsoft.com/en-us/dotnet/api/system.string.join?view=netcore-3.1#System_String_Join_System_String_System_String___ You should consider taking a programming course.
  12. 2 points
    I was facing the Same thing from long time. Here I've raised my Voice - that It makes no sense to upload Cleaned file or saying that I used de4dot modded Private bla bla bla. Some People are like, Read the Assembly language or see de4dot or VM and you will know. Oh Ghosh does it make any sense? No there's a no sense of saying this. Consider, Someone ask me How to Decrypt the encrypted Password? So Should I answer him Remember the Table of 2 to 30 or learn Counting and Alphabet. It's make no sense. Mostly Comments are like "I use My Private Tools" "I used modded de4dot" I used "Lamp of Aladdin" I used "Poseidon Trident 🔱" OH God, If You can't share or can't atleast explain little bit manual stuff, Then the Solution is utter nonsense and useless. I also think, We should allow solutions which actually are descriptive.
  13. 2 points
    Thanks to "Extreme Coders", I've never programmed in python before, but after reading all your public material and following the recommended steps in this thread I've been able to desofuscate the code. If they tell you how to do it you will understand it, but if they guide you and you have to discover how to do it you will learn martisor_unpacked.py
  14. 2 points
    Not necessary to unpack to get the key. Key: Steps :
  15. 1 point
    Also Windows Defender might have options to do live cloud verification or other levels of threat verification like generic heuristics. Is the web connection enabled in the VM and all Windows Defender settings the same? Virustotal style hash checking and stuff are becoming more common in antivirus apps lately for having access to a more up to date and broader database that allows vendors to find viruses earlier as well. Could even be some random spyware setting in your Windows account profile usually under the title of "help Microsoft improve our products and user experience" type of option. Or Windows Defender is so smart that it knows when you are in a VM or sandbox probably you are studying the viruses and do not want to block them. But doubt it
  16. 1 point
    Updates between Windows 10 machines are not always equal regardless of what date/version things say. They roll things out in batches and based on each devices hardware and other qualifying identifiers. Windows Defender symbols and definitions work in a similar manner. So both of your setups may show the same version of WD, but the definitions could be different as one of the machines probably hasn't gotten "permission" to obtain the latest stuff yet. That said, the detection difference could just be an updated difference in the definitions they pushed or that the way WD detected things was done in a different order. (Pretty sure their scanner does multi-threaded scans for performance purposes so one of the threads may have hit the other detection before another thread completed etc. and it just shows what was found first.)
  17. 1 point
    the fourth parameter is holding your results that you see in protocol family etc the third parameter is the type of connection you want to send MSDN: ZeroMemory( &hints, sizeof(hints) ); hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; clears the memory holding ADDRINFO of sending type... then fills it with the type of connection of TCP socket unspecified family (auto detect IPv4 IPv6) in this case once that gets sent out we want our servers reply: that’s the info stored in parameter 4 results You then read the “results” starting at 01C99670 Before you call getaddrinfo breakpoint it on curl and see what the params’ point to
  18. 1 point
    Hi guys, thanks for the feedback again.So this really sounds like hell to build any own client code without to build a browser engine to find out what kind of validation any xy site does request.So why is this validation so dynamic?Sound like that any server could also use any own request method XY instread GET / POST etc like GET_IT or whatever you know.All in all its just bad for me now so there are too much diffrent variables to handle and to know before.This just sucks. greetz
  19. 1 point
    Apologies, I deviated the topic on the thought of an affordable 400TB SSD in my lifetime. We may need these capacities if heading to 8K and 16K video sources at some point in the future... Ted.
  20. 1 point
    Worlds largest SSD recorded so far is sitting at 100TB currently. From Nimbus Data, was a 3.5" bay drive running under SATA or SAS. Granted they reveled it back in 2018, and SSD tech has GREATLY improved since then, so I'm sure the other companies have larger stuff behind the scenes now and just haven't shown it yet. Most of the work being done on the drive market that we are seeing publicly right now is optimizations to the caching and storing of data on the chips and not so much in regards to chasing the larger sizes for the consumer market.
  21. 1 point
    Every site especially nowadays can be quite different. Not only the form fields which can change need to be identified but persistent login options, one or more redirects can occur, cookies are dropped and must be forwarded, browser headers are checked and per browser details involved. Sometimes custom headers are added, there is CSRF, sometimes client side Javascript is doing some key changes to headers or the request maybe encrypting or encoding, sometimes a captcha will come about some just monitoring mouse movements others requiring specific valid input, sometimes the site loads important cookies from other sites, SSL considerations with client or server side certificates, the original HTML spec even had authentication options like basic and digest, even NTLM Windows auth is possible through digest as I recall. So best to create your generic template which deals with all of these things and have per site settings which guide the template. It's a real project for sure but not impossible. But yea a pain indeed.
  22. 1 point
    CSRF tokens https://stackoverflow.com/a/33829607 https://www.hhutzler.de/blog/using-curl/ https://www.google.com/search?q=curl+login+with+CSRF -- On all modern login system there are 'validation' like this... What I have done in the past, is to use CefSharp library (or even the plain WebBrowser of .NET frm), load the page @ browser set the values to inputboxes and submit the form to the server by clicking the submit button by JS code. ex document.querySelector('.ovm-ClassificationBarButton-18'); restoreTAB.click();
  23. 1 point
    _PyEval_EvalFrameDefault executes a code object on the Python frame. To dump the code object to a file you need to use PyMarshal_WriteObjectToFile / PyMarshal_WriteObjectToString at an appropriate place within the function. DnSpy has nothing to do with Python. It's just a piece of string inserted there on purpose.
  24. 1 point
    This site (in Chinese) explains a bit about that last parameter structure “The fourth parameter ppResult is a pointer of type PADDRINFOA, that is, a double pointer of type addrinfo” https://www.cnblogs.com/Ishore/p/4009205.html
  25. 1 point
    Bed_ControlFlow_Remover.rar x86_Retranslater.rar I can't give you the rest of em ( i don't have permission to share them, hope you understand me).
  26. 1 point
    This is just a follow up as all too often someone makes a post about something then that is it nothing else. I was fortunate enough to chat with someone on another forum and i was able to make a dump of the bios, and he was able to give me the original password in a couple of minutes, and this has got me interested in the bios dump itself and what it contains. Yes i could have attempted to use CmosPwd 5 or try to reset it with pulling Cmos out for 20 mins, but I'm not sure that would work anymore. The old trick of mistyping the password 3 times to get the code followed by using bios-pw does not work on these newer bios, you still have 3 attempts but no longer do you get a code just a freeze/lock which then means you have to restart the device and start over
  27. 1 point
    Used it quite a lot - the speed will depend largely on your GPU though I suggest you take the time to read through the different attack types. Some of the custom permutations and things are super powerful - I usually have more success with those on a small, well thought out dict (<5MB) than just using a massive dictionary file.
  28. 1 point
    etc etc https://torrentfreak.com/removing-annoying-windows-10-features-is-a-dmca-violation-microsoft-says-200611/ cheers B
  29. 1 point
    Bro i agree with your each word my full vote for you and also @BlackHat words also... I need to tell one thing for all if past reverse they don't let some revering learning sufft then new reverse will never born..
  30. 1 point
    https://www.bleepingcomputer.com/news/security/expiring-ssl-certs-expected-to-break-smart-tvs-fridges-and-iots/ bonus On Systemic Debt - hxxps://thedailywtf.com/articles/on-systemic-debt linux xrdp – an open source RDP server - hxxps://github.com/neutrinolabs/xrdp
  31. 1 point
    As I mentioned in the same topic the solution that was posted was light in detail and never approved. Had it been approved it would have been considered a show off post. I can't force people to post acceptable solutions and I can't stop them sharing them via PM. Your other points are valid and I agree. I would like to get your opinion, if someone posted a solution that they used tool a then tool b is that solution still acceptable? Ted.
  32. 1 point
  33. 1 point
    By seeing the number of imports on your screenshot and the ollydbg.exe in upper case i would guess you tried this on ollydbg v1.10, not on ollyv2 The description don't mention it here but that thing is for v2, if you look inside the readme of the archive, it says (in french) that the code has been rewrote for olly 2. So try with v2, or recompile the dll for v1. Also i'm checking the src and this can really be improved more. Especially for the v2 as if you rename ollydbg.exe to blabla.exe, then it will look for blabla.ini, but OllyPath2 will create only 'ollydbg.ini' as this string is in hard inside.
  34. 1 point
    without debugger detection awesome.vmp_nodbg.rar
  35. 1 point
    How these Unpacking Posts are getting approved ? It is clearly written in the Rules that the solution of challenge will not be accepted if you don't describe the steps. Here everyone showing that they have cleaned it but no one is telling how ? so literally this is not a valid contribution to the forum if you don't descibe how it has been done. Just uploading files of cleaned is not all about unpacking. I think everyone must need to describe the steps or approach he has done to clean it. If I sound rude, I am sorry but this is what i feel.
  36. 1 point
    This is a notification of intent to cease and close the Blogs section of the site in a months time. The reasons for the change are; lack of use, activity and popularity, and for the most part the forum categories have been and are more than capable to host similar blog like content in the future. This notification gives you the opportunity to copy any information from Blogs that you wish to retain and/ or repost in the appropriate forum... Ted. Backups - Blogs.rar
  37. 1 point
    I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator I try my best to introduce it using English 1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5) 2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run 3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod" 4.fix pe header and maybe you shoud also fix .net header This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies. If you can not understand it, you can reply me. Best wish.
  38. 1 point

    65 downloads

    Today I release - finally - the series of unpacking tutorials about manually unpacking The Enigma Protector. I will discuss all protections of Enigma which are fully detailed as possible. I have to say thanks to LCF-AT, she helped me a lot with this. Introduction ~ 9:28 Unpacking with patterns ~ 33:03 Finding patch-places without patterns ~ 19:56 Dealing with SDK API's & Custom Emulated API's ~ 28:23 Internal & External VM's (Using Plugin) ~ 5:40 Enigma's Registration Scheme ~ 15:37 EN-DE-Cryption ~ 33:21 Inline patching + Final Words ~ 11:56
  39. 1 point
    You're writing to the wrong address. It should be something like: WriteProcessMemory(debugee,pointer(dword(ProcessBasicInfo.PebBaseAddress) + 2),@buffer,sizeof(buffer),length); Since Delphi doesn't have a pretty way to get field offset, I had to hardcode the "2" instead of writing something prettier like "offsetof(PEB, BeingDebugged)". You could do some of the ugly tricks mentioned here: https://stackoverflow.com/questions/14462103/delphi-offset-of-record-field but to me it's not worth the effort.
  40. 1 point
    What makes you question either of these? Private: There are occasionally some techniques, practices (and tools) kept private to stay ahead of the game. Nothing has changed much over the years in this regard as far as I can tell. Knowledge: As @kao already mentioned most of the core techniques and information is out there to be discovered (in these forums for example). It only needs a willing and proactive individual to expand and develop on this information. As everyone seems to have their own blog (or YouTube channel) these days these generally seem to be the new format for tutorials. One day... when all my children have grown up and left home I can get my life back and get back to RCE and making traditional tutorials. Hopefully the RCE world will be an entirely new and interesting place to explore... 👍 Ted.
  41. 1 point
    This forum is overrun by lazy-ass noobs who don't really want to learn. They want to have a youtube video and automagic tool for everything. Ready-made tools are private for this exact reason. People who want to learn will find the necessary information to learn the basics. And once you show you've done your homework, knowledge and techniques are being shared freely. Maybe not 100% public but via PMs and chat.
  42. 1 point
    hello, I apologize if it has nothing to do with this post, I'm decompressing with ManagedJiterFr4.exe but I get the following errors why? how can i solve? this if i try with unpackme
  43. 1 point
    You don't need to know correct key to get the flag: Is that what you're looking for? How-to: 1) Run and dump from memory; 2) (optional) Fix imports with Scylla; 3) Load dump in IDA; 4) Find WndProc and see how WM_COMMAND is handled; 5) The key check is very convoluted but it all ends up here: ... lots of horrible operations with entered key .. strncpy(buffer, encryptedFlag, 25); for ( n = 0; n < 25; ++n ) { v3 = buffer[n]; v4 = HIDWORD(v3) ^ HIDWORD(v20) ^ HIDWORD(v21) ^ HIDWORD(v22) ^ HIDWORD(v23) ^ HIDWORD(v11); v8[2 * n] = v3 ^ v20 ^ v21 ^ v22 ^ v23 ^ v11; v8[2 * n + 1] = v4; decryptedFlag[n] = v8[2 * n]; } // check last 2 bytes of decrypted flag result = 24; if ( decryptedFlag[24] == 'Z' ) { result = 23; if ( decryptedFlag[23] == 'C' ) ... Xor key for all bytes is the same. You know encrypted flag. You know last 2 bytes of decrypted flag. So, you can deduce XOR key and decrypt the flag.
  44. 1 point
    I Released a way of patching these vm's, here https://github.com/TobitoFatitoNulled/Venturi77CallHijacker but you'll need to manually inject agile for now (will try to fix the issue asap tho.
  45. 1 point
    Small modification of ragdog's idea: 1) breakpoint on LoadBitmapA; 2) look at parameters to the call: 0012F740 00AC119D /CALL to LoadBitmapA from 00AC1198 0012F744 00AC0000 |hInst = 00AC0000 0012F748 00AC3000 \RsrcName = "MyBitmap" So, the DLL is loaded at address AC0000. 3) Dump memory at address AC0000. I used PETools, so it calculated size of dump automatically (EC000 bytes). But you can always use other tool and dump more memory, it won't hurt. 4) Open dump with CFF and use its resource editor function to extract BMP.
  46. 1 point
    return from LoadBitmapA have you the pointer of this picture ;-) Now must you dump it and write the Bitamp header Here is a example for safe the bitmap (dumper) from rohitab //if you want to save the bitmap to a file now that you have it on your computer,here (i dont take credit for this function) void SaveBitmap(char *szFilename,HBITMAP hBitmap) { HDC hdc=NULL; FILE* fp=NULL; LPVOID pBuf=NULL; BITMAPINFO bmpInfo; BITMAPFILEHEADER bmpFileHeader; do{ hdc=GetDC(NULL); ZeroMemory(&bmpInfo,sizeof(BITMAPINFO)); bmpInfo.bmiHeader.biSize=sizeof(BITMAPINFOHEADER); GetDIBits(hdc,hBitmap,0,0,NULL,&bmpInfo,DIB_RGB_COLORS); if(bmpInfo.bmiHeader.biSizeImage<=0) bmpInfo.bmiHeader.biSizeImage=bmpInfo.bmiHeader.biWidth*abs(bmpInfo.bmiHeader.biHeight)*(bmpInfo.bmiHeader.biBitCount+7)/8; if((pBuf = malloc(bmpInfo.bmiHeader.biSizeImage))==NULL) { MessageBox( NULL, "Unable to Allocate Bitmap Memory", "Error", MB_OK|MB_IConerror); break; } bmpInfo.bmiHeader.biCompression=BI_RGB; GetDIBits(hdc,hBitmap,0,bmpInfo.bmiHeader.biHeight,pBuf, &bmpInfo, DIB_RGB_COLORS); if((fp = fopen(szFilename,"wb"))==NULL) { MessageBox( NULL, "Unable to Create Bitmap File", "Error", MB_OK|MB_IConerror); break; } bmpFileHeader.bfReserved1=0; bmpFileHeader.bfReserved2=0; bmpFileHeader.bfSize=sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+bmpInfo.bmiHeader.biSizeImage; bmpFileHeader.bfType='MB'; bmpFileHeader.bfOffBits=sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER); fwrite(&bmpFileHeader,sizeof(BITMAPFILEHEADER),1,fp); fwrite(&bmpInfo.bmiHeader,sizeof(BITMAPINFOHEADER),1,fp); fwrite(pBuf,bmpInfo.bmiHeader.biSizeImage,1,fp); }while(false); if(hdc) ReleaseDC(NULL,hdc); if(pBuf) free(pBuf); if(fp) fclose(fp); }
  47. 1 point
    Hi They Mostly focus on their VM engine, and they upgraded a lot. Unpacking method is same as old version.
  48. 1 point
    Hi Here is the Unpacked File:) KinD Regards Unpacked.rar
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
×
×
  • Create New...