Jump to content
Tuts 4 You

Leaderboard

  1. CodeExplorer

    CodeExplorer

    Moderator


    • Points

      3,262

    • Content Count

      3,115


  2. LCF-AT

    LCF-AT

    Full Member+


    • Points

      2,257

    • Content Count

      4,965


  3. kao

    kao

    Full Member+


    • Points

      2,029

    • Content Count

      2,359


  4. mrexodia

    mrexodia

    Full Member+


    • Points

      1,399

    • Content Count

      1,769


Popular Content

Showing content with the highest reputation since 07/20/2009 in all areas

  1. Unpackers tools - source code C# My source code: https://gitlab.com/CodeCracker https://github.com/CodeCrackerSND https://bitbucket.org/CodeCrackerSND/ I will NOT share (anymore) the rest of my tools!
    59 points
  2. Hi everyone, Maybe some of you heard it already, but Sigma and I are working on an x32/x64 debugger for Windows for a few months now... The debugger currently has the following features: variables, currently command-based only basic calculations, can be used in the goto window and in the register edit window. Example: var*@401000+(.45^4A) software breakpoints (INT3, LONG INT3, UD2), currently command-only (just type 'bp addr') hardware breakpoints (access, write, execute), also command-only stepping (over, into, out, n instructions), can be done with button
    35 points
  3. hi, this mainly is a bug fix release, as I currently don't have enough time pushing stuff... v0.8 -new: 'pack and execute' button in after-patch-created-dialog -fix: exceptions while creating patch into 'visible' folder (desktop or any other folder opended in explorer.exe) -fix: crashes after applying file drop -fix: offset patch dialog file comparison with huge amount of diffs slow/deadlocks -fix: slow comparison of original and patched files in 'offset patch' dialog -fix: packer console output not shown Here we go => uPPP.v0.8.7z ps: keep on posting suggestions and bug reports!
    29 points
  4. Hi! This is my first post on tuts4 you I hope that this is the right section, if not, please delete this post! Ok so... Few months ago I have made public my internal project called REDasm on GitHub. Basically it's a cross platform disassembler with an interactive listing (but it's still far, if compared to IDA's one) and it can be extended with its API in order to support new formats, assemblers and analyzers. Currently it supports: Portable Executable VB5/6 decompilation . It can detect Delphi executables, a decompiler is WIP. .
    26 points
  5. Not going to create a new thread for this, here's present for everyone: Modded de4dot, which supports latest .NET Reactor 4.9.7.0. de4dot-mod-reactor_4.9.zip
    23 points
  6. A small blog post I wrote. Hope it's interesting! http://x64dbg.com/blog/2017/06/08/kernel-driver-unpacking.html
    18 points
  7. Overview:TitanHide is a driver intended to hide debuggers from certain processes.The driver hooks various Nt* kernel functions (using inline hooks at themoment) and modifies the return values of the original functions.To hide a process, you must pass a simple structure with a ProcessID andthe hiding option(s) to enable to the driver. The internal API isdesigned to add hooks with little effort, which means adding featuresis really easy.Features:- ProcessDebugFlags (NtQueryInformationProcess)- ProcessDebugPort (NtQueryInformationProcess)- ProcessDebugObjectHandle (NtQueryInformationProcess)- Deb
    17 points
  8. Hi guys, I am a fan of FFmpeg CLI tool but its always hard to remember all commandline arguments if I didnt used it for a longer while and I can't find my notes about it (as always).Now I thought it would be a good idea to code a GUI tool where I can use FFmpeg with and store all commandline argument combinations I want into it to call and execute them quickly.I know there are already a few GUI tools out there for FFmpeg but they have some limitations and or are not my taste.So you know I have always a special taste and wanna combine all together in the best case.Now after few months I am
    16 points
  9. Hello, I'm new here I guess. I was originally planning on just posting a keygenme solution, but for some reason I'm not allowed/able to reply to threads in that section. Maybe if I make a few posts elsewhere it will let me post? If so, I guess I'll start by sharing a few of my projects (related to reverse engineering, of course): eazdevirt - a devirtualizer for Eazfuscator.NET. Not guaranteed to work on recent releases unfortunately (at least not yet). pyinst_tools - a toolkit for working with and modifying executables generated with PyInstaller. Pretty much ExtremeCoder's pyinstxtra
    16 points
  10. ILSpy mod by Medsft: NET assembly browser and decompiler, debugger, High and Low level Editor Project renamed. ILSpy NEXT. NET assembly browser and decompiler, debugger, High and Low level Editor Description: ILSpy (latest ILSpy public version 2.2.0.1737) -add debugger from the SharpDeveloper studio -add CopyFullyQualifiedTypeName.Plugin -add OpCodeTableForm -add to treeview contextmenu: - strong name utility - rename class utility - Jump to EntryPoint - string viewer utility (search enable) - extension exeecute utility (reservatio
    15 points
  11. awesome_msil_Out.exe Approach: 1. Necrobit is a jit protection, so we use Simple MSIL Decryptor by CodeCracker , and it shall be ran on NetBox 2. Code virtualization is a relatively new feature of .net reactor, added in version 6.2.0.0. Here is the approach i took (i did this about 6 months ago so my memory is kinda rusty ) : (Click spoiler to see hidden contents)
    15 points
  12. Hi guys, after a longer time of coding I would like to share my new app.So with this app you can grab / store / edit / play / record / watch / debug and test play your RTMP streams and much more.In the app I use latest librtmp and it works similar as the rtmpdump commandline tool and you can use also almost all original rtmpdump commands (see synopsis).My main goal was it to build a tool to handle all streams at once in a GUI with a simple and quickly handling.I also added much extra features which should be helpfully to get more needed informations about streams if they don't play (speci
    15 points
  13. Some reasons I'd say that have helped slowly kill the scene, albeit not fully dead but definitely not where it was before: Money - Given that it's much easier to obtain money online via ePayments such as Paypal, Stripe, etc. people are more inclined to stop sharing things for free and instead expect money for their time/work. Nothing wrong with this expect for when it ties into another issue, copy-pasting. Copy-Pasting - Something that has definitely become a huge issue with anything released related to hacking/reversing etc. is that things turn into a copy/paste fest these days. Bef
    15 points
  14. Hi, I made a tool that interprets a vmp rsi-stream, it records the handlers (or vm instructions) and connects them via their data dependencies. This is how a JCC looks like The edges in this graph represent data dependencies. Sequences of nodes with one input and one output are collapsed into blocks. Green nodes are constant nodes. They do not depend on external values (such as CPU registers), unlike red nodes. The hex number left of a node is a step number, the right number is its result. Only const nodes (green) can have a result. The graph contains all nodes that dire
    14 points
  15. I wish to all the community an happy Christmas. Enjoy your time with your loved ones, hope the new year will bring happiness to everybody.
    14 points
  16. Hi SnD, This is a small tool I wrote while reversing some malwares. It performs a bunch of nowadays malwares tricks and the goal is to see if you stay under the radar. That could be useful if: You are making an anti-debug plugin and you want to check its effectiveness. You want to ensure that your sandbox solution is hidden enough.. You want to write behavior rules to detect any attempt to use these tricks. Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute. List of features supported: Ant
    14 points
  17. Ok guys my new job for us, hope like it. tsrh space rip.7z
    14 points
  18. Hello community, I know you all do expect the paper that I announced about Enigma 2.x unpacking but I don't know when or if I will ever finish it. Because I don't want this project I spent so much time on to die, I decided to publish the source code of it now and seperate from the paper so that everyone can prepare it for future Enigma versions. Also LCF-AT found a bug that I couldn't fix so quickly so I hope someone who is more advanced in c++ than me can fix it. See http://forum.tuts4you.com/topic/26896-the-enigma-protector-2xx-unpacking-devirtualizer-by-dizzy-d/page__st__20#entry135147 for
    14 points
  19. Something interesting is going on with this exe, seems to be a bug in themida. But before I will talk about that, I will talk about the new dolphin vm. After this post I finally finished adding support for this vm. So dolphin is basically (not surprisingly) more of the same, with a little new concept that is different from fish and tiger (splitting basic operations handlers to more handlers) Eagle is just fish virtualized by dolphin (in the same way that puma is tiger virtualized by fish, and shark is fish virtualized by tiger). Now about the wierd bug. In nested vms, usually all the ha
    14 points
  20. Easy method to unpack .NET Reactor last version: Step 1. Check the file. If not native, go to step 3. Step 2. Dump with Megadumper. After dump if file crashes, just add a resource type of RC_DATA named "__" with CFF Explorer Step 3. Check <Module>.cctor. If it not exists go to step 6. Step 4. Dump methods with ManagedJitter Step 5. Go to <Module>.cctor. Double click on method call (there's only one) Point on your mouse cursor on method list to get method token: Convert it to decimal. In this case 06000033 --> 33 in decimal is 51
    14 points
  21. Hello, so I keep getting asked what’s the best obfuscators around so I am posting this so I don’t keep repeating it. I have decided to give my opinion on all obfuscators if I am missing any let me know If you are a developer of any of these obfuscators don’t take what I say as an insult use it to improve DNGuard - an obfuscator I used to say was Chinese crap however I’ve recently spent some time analysing this and can say that the HVM technology is very strong and makes unpacking a lot harder. However when not using the HVM setting it makes unpacking extremely simple with jit dumping a
    13 points
  22. Hi Guys and here is my solution for 32bit one. devirtualizeme32_vmp_3.0.9_v1_deVM_Raham.zip PS: my decompiler is in progress state, so tell me if you found mistake in X86 instructions. Kind Regards
    13 points
  23. Not much to say. Questions are welcome. Requests will be ignored. The software created to solve this challenge won't be released. I am posting the final file, but it's actually correct to say that @fvrmatteo did the bulk of the work and I helped with the smaller bits. Oh, and by suggesting some music to listen to while working Time taken: circa 7 days. We still don't handle the code flow, but I guess the file speaks for itself as far as "seeing some results" goes as of now. devirtualizeme64_vmp_3.0.9.DeVed.7z
    13 points
  24. Every once in a while someone is asking about working in RE-related field - what it's like, how to start, what to study, etc. I personally think this is a good summary: https://medium.com/@laparisa/so-you-want-to-work-in-security-bc6c10157d23
    13 points
  25. X86 Shellcode Obfuscation https://breakdev.org/x86-shellcode-obfuscation-part-1/ https://breakdev.org/x86-shellcode-obfuscation-part-2/ Ted.
    13 points
  26. This forum and many others got overrun by lazy n00bs who think running de4dot makes them reversers. Consequently, skilled guys moved to semi-private places (or got hired by security-related companies) and stopped sharing their knowledge with general public. Sad but true.
    13 points
  27. First of all, there's no easy way to devirtualize Eazfuscator VMed methods. So keygenning this is pretty hard task. But you can guess methods that are executing by breaking on System.Reflection.RuntimeMethodInfo.Invoke. Another way is to decrypt resource in which Eazfuscator store all VM logic. There will be visible names of methods that are executing. But in this way we will not know the order of execution. So the best way is just to use WinDbg and break on invoke. We need to dump main assembly. Just use MegaDumper to do that. Assembly will not start if there are no giv.txt and Ioni
    13 points
  28. Tutorial: 1. MegaDumper, get ResourceAssembly.dll (assembly than contains resources) 2. Use ConfuserDelegateKiller to remove delegates from UnpackMe.exe (google it) 3. de4dot with parameters (-p un --strtyp delegate --strtok 06000043) 4. CryptoObfuscator constant fixer by me (pm if you need) 4. Remove all instructions from <Module>.cctor 5. Attach resources with ResourceManager (use file from step 1) 6. Clean from junk classes and delegates
    13 points
  29. Some steps to get the real file, deobfuscating it will be up to you though: Finding The Embedded Resource Name Open the crackme in your favorite PE browser.View the file resources.Locate RCDATA and find the main resource. In this case it is "__"Dumping The "Real" ExecutableOpen the crackme in OllyDbg.Find all string references and look for the resource name we just found. In this case: Cra'ckMe.0041B280 ; UNICODE "___"Follow the reference into the code.Scroll down and locate the calls to 'SafeArrayCreate' and 'SafeArrayAccessData'. These are the important calls we want to find.We want to se
    13 points
  30. Piracy is environmental friendly:
    12 points
  31. This document is a small write up demonstrating tools and techniques that can be used while reversing java code. The malware used for this purpose is the AlienSpy RAT (Remote Access Trojan) which has also been attached to this post. The password of the file malware sample.rar is infected. This is live malware. Secure your system before tinkering with it. Additionally, the decompiled source code of the malware has also been provided for study. Reversing an obfuscated java malware.pdf malware sample.rar decompiled malware source.rar
    12 points
  32. After 27 hours of reversing, I've done it again! https://twitter.com/nickharbour/status/626765867519508480 Now I need to get some sleep.
    12 points
  33. lo folks, here's a new version. I've added and changed too much these days, so that there might be new bugs.I'm too lazy to sort it out what has changed since the last beta version.. please checkout the whole changelog again: v0.6 -new: 'Win64' option for all patch types (disables Wow64 redirections on 64 bit systems) to allow proper patching of x64 targets -new: grouping of patch entries via try-next-on-failure functionality.. some examples: a) multiple (future) versions of a target: add multiple search and repla
    12 points
  34. .NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization which is not that hard because it's more straightforward than rest of code virtualization implementations that are in the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot standard ProxyCallFixer1 to fix those delegates. Of course firstly you need to read them from initialization method but reading method is already implemented in the base version of de4dot (which is used for resources, s
    11 points
  35. Many years ago I wrote a software protector called MyAppSecured. Somewhere in the middle of porting it from Delphi to C++ I lost my interest in this project. Just found it on my HDD so I thought it might be helpful for someone. In short, the GUI of this protector is written in C++ and the protection stub in written in MASM. The C++ code loads a target in memory and adds 2 PE sections to it. One for the TLS callback code and one for the main code. The MASM stub will be written to those 2 sections. This protector has just 2 protection features: Analyze Immunity (anti-debug) and Me
    11 points
  36. View File Scylla Imports Reconstruction Source Scylla - x64/x86 Imports Reconstruction ImpREC, CHimpREC, Imports Fixer... this are all great tools to rebuild an import table, but they all have some major disadvantages, so I decided to create my own tool for this job. Scylla's key benefits are: x64 and x86 support full unicode support written in C/C++ plugin support works great with Windows 7 This tool was designed to be used with Windows 7 x64, so it is recommend to use this operating system. But it may work with
    11 points
  37. Haven't touched this project for a long time. So I worked this weekend on updating the script and catching up with all the changes that they did in the last 1-2 years. Everything works right now except for TIGER. They added a new weird "push" handler, which is very different from any other TIGER handler. (the offset for the push isn't from a parameter, but from a call to another function that return an internal state value, usually that internal state value is used with a parameter to get the wanted real value, but this time it is used just with a constant number... in your binary for exa
    11 points
  38. Ransomware is very common these days. Once it installs on a user machine it begins encrypting files. When the user comes to know about the ransomware attack it is already too late. Unless the user has a backup, he/she must must pay the ransom to recover the files. Luckily there has been cases where due to a faulty implementation of cryptography breaking such malware becomes feasible. The recently discovered petya ransomware is an example. This blog post is a short walk through on breaking the petya ransomware with a constraint solvers. Hope you like it & find useful. http:/
    11 points
  39. @ramjane I'm sharing my private script to reach OEP on all 5.xx (and maybe 4.xx). First it tries to find static OEP address in Enigma VM section. If failed, it tries to dynamically reach OEP. lc log "Enigma 5.xx OEP Finder by PC-RET v 1.1 started" bc dbh bphwc gmi eip, MODULEBASE MOV IMAGEBASE, $RESULT //gmi eip, CODEBASE //MOV CODEBASE, $RESULT //gmi eip, CODESIZE //MOV CODESIZE, $RESULT pusha mov eax, IMAGEBASE mov edi, eax add eax, 3C mov eax, edi+[eax] mov SECTIONS, [eax+06], 02 mov esi, eax+0F8 mov edi, 28 mov ebp, SECTIONS mov ecx, edi mul edi, 1 // second section add edi, esi
    11 points
  40. LoaderCSharp: Loader C# source code, It will search in memory for hex string and will replace with another hex string. Maybe somebody will find it usefull. LoaderCSharp.zip
    11 points
  41. Hello, I decided to share this code capable Deobuscation various techniques of obfuscation typical of modern systems of protection based Virtual Machine (Themida, vmProtect etc ..). This tools is intended for analyzing and readable code. I share this tool (the result of hours and hours of my free time) so that someone can improve the code and help me in the very complex that is Control Flow Optimization. https://github.com/Pigrecos/CodeDeobfuscator I am attaching a video to show its use Deobuscator.exe
    11 points
  42. Today I wrote a small class that assists with patching .NET binaries. using System; using System.IO; using dnlib.DotNet; using dnlib.DotNet.Emit; namespace MyNamespace { class Patcher { public delegate bool PatchStrategy(AssemblyDef asm); private static bool patchMethodReturnBool(AssemblyDef asm, string classPath, string methodName, bool returnValue, int numArguments = 0) { var method = findMethod(asm, classPath, methodName); if (method != null && method.Parameters.Count == numArguments) { //patch
    11 points
  43. Because they're open source? One advantage of an open source obfuscator is that you can modify the algorithms and add other stuff to prevent tools from working. Did you know that there are more deobfuscators for commercial obfuscators than for open source obfuscators? There's no obfuscator that offers any real protection, they just slow down the inevitable: your competitor will copy your code or someone will crack your app.
    11 points
  44. Getting Started with MASM and Visual Studio 2010 Link: http://www.kipirvine.com/asm/gettingStartedVS2010/index.htm May be usefull for somebody. How to write x64 assembly functions in Visual C++: http://www.sciencezero.org/index.php?title=How_to_write_x64_assembly_functions_in_Visual_C%2B%2B
    11 points
  45. Figured I drop this here. Its the packer and decompressor I use for my private build of my exe packer. Feel free to do what you want with it. lzma_decenc.rar
    11 points
  46. I just published a definitive tutorial for x64_dbg. It documents its settings and features and shows you how to use the tool to effectively debug a 64-bit application. This tutorial is aimed at beginners, but has some information that may be useful to more advanced reverse engineers. I hope you enjoy and feel free to ask any questions you may have. http://reverseengineeringtips.blogspot.com/2015/01/an-introduction-to-x64dbg.html
    11 points
  47. flag{Y0u_s0lved_that_r1ght!!!} EDIT: I enjoyed it so much that I think it deserves a small writeup. Coming up in few hours..
    11 points
  48. Hello my friends Here my new version of our malware detector you can make your owns signatures! only 2 Cliks +Fast Scan engine +Include Heuristic Detection Signature Generator Scanner Engine Donwload: http://rdgsoft.net/Malware.Detector.php Thanks
    11 points
  49. @whoknows: why would I lie? And my answer was there 1 hour before CodeCracker's answer.. Short tutorial: 1. Olly + ScyllaHide takes care of all anti-debug. So I didn't have to worry about that; 2. Load ggggg.exe in DNSpy and look around. You'll see what methods are there, their arguments and so on. Interesting parts are: internal static extern bool StrongNameSignatureVerificationEx([MarshalAs(UnmanagedType.LPWStr)] string wszFilePath, bool fForceVerification, ref bool pfWasVerified); This is obviously anti-debug measure. It's good that we have a method that's c
    10 points
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
×
×
  • Create New...