Tuts 4 You


Popular Content

Showing content with the highest reputation since 07/20/2009 in all areas

  1. 60 points
    Unpackers tools - source code C#
    My source code:
    https://gitlab.com/CodeCracker
    https://github.com/CodeCrackerSND
    https://bitbucket.org/CodeCrackerSND/
    I will NOT share (anymore) the rest of my tools!
  2. 34 points
    Hi everyone,
    Maybe some of you heard it already, but Sigma and I have been working on an x32/x64 debugger for Windows for a few months now...
    The debugger currently has the following features:
    - variables, currently command-based only
    - basic calculations, can be used in the goto window and in the register edit window. Example: var*@401000+(.45^4A)
    - software breakpoints (INT3, LONG INT3, UD2), currently command-only (just type 'bp addr')
    - hardware breakpoints (access, write, execute), also command-only
    - stepping (over, into, out, n instructions), can be done with buttons/shortcuts
    - memory allocation/deallocation inside the debuggee
    - quickly access API addresses (bp GetProcAddress)
    - syntax highlighting, currently not customizable
    - simple memory map (just addr+size+module+protection basically)
    The debugger has an easy GUI, for which we looked a lot at Olly. Debug engine is TitanEngine, disassembler BeaEngine, icons are from various sources (see About dialog). We use Qt for the GUI part.
    If you have a suggestion, a bug report, need more info, want to contribute, just post here or send me a private message.
    The latest public build + source can always be found on http://x64dbg.com (click 'Source'->'bin_public' to download the latest build). For now, you can also download the first 'alpha' here.
    We would love to hear from you!
    Greetings,
    Mr. eXoDia & Sigma
  3. 29 points
    hi,
    this mainly is a bug fix release, as I currently don't have enough time to push stuff...
    v0.8
    -new: 'pack and execute' button in after-patch-created dialog
    -fix: exceptions while creating patch into 'visible' folder (desktop or any other folder opened in explorer.exe)
    -fix: crashes after applying file drop
    -fix: offset patch dialog file comparison with huge amount of diffs slow/deadlocks
    -fix: slow comparison of original and patched files in 'offset patch' dialog
    -fix: packer console output not shown
    Here we go => uPPP.v0.8.7z
    ps: keep on posting suggestions and bug reports!
    greets
  4. 23 points
    Hello everyone,
    Lately I thought it would be good to share some of the stuff I did with Armadillo with the general public; this time it will be about Armadillo's Stolen Keys feature. When I have some time available, I will update this blog, but in general I don't like typing long essays so don't expect too much from that promise.
    What are stolen keys?
    Quite obviously, stolen keys are stolen (or otherwise illegally obtained) serials for an Armadillo project. The project developer can maintain a list of these stolen keys and when one of them is entered in the registration dialog it will not be accepted.
    Very briefly, in Armadillo you have various types of keys and also various key levels. Except for unsigned keys (level 0), all keys consist of two parts:
    [KEYBYTES][SIGNATURE]
    The signature is the digital signature of the keybytes; this is just to verify the integrity of a key. For this post, only its size is of importance. The keybytes also have a variable length. Every serial in Armadillo can store 5 so-called 'otherinfo' WORDs, 1 date WORD, 1 DWORD (symmetric key) and optionally a keystring. The symmetric key is the key we are looking for when dealing with Armadillo. It is (together with some other constant values) used to decrypt certificate descriptors. These are used to decrypt the program code and optionally the secured sections. Here is the outline of a key:
    [ [OTHERINFO][DATE][SYM][KEYSTRING] ][SIGNATURE]
    As you can see, our target is somewhere near the middle of a key that is fully filled. Luckily, with the correct info, we can strip out the signature, leaving us 1-6 WORDs (otherinfo + encoded date value) and possibly a keystring.
    Before I continue I would like to point out that the stolen keys are not stored unencrypted in the target file. Every key is encrypted using a simple XOR-encryption with the name bound to the key as seed.
    Encryption/Decryption goes as follows:
        char tmp[2048] = "";
        CookText(tmp, name);                                   // UPPERCASE and strip bad characters
        unsigned int seed = crc32(tmp, strlen(tmp), NewCRC32); // CRC32 of name
        InitRandomGenerator(seed);                             // Initialize random number generator
        for (int i = 0; i < keylength; i++)
            keybytes[i] ^= NextRandomRange(256);
    NextRandomRange gets a pseudo-random number in the provided range, in this case a byte. Here is the source code of the random number generator:
        /* source start */
        #define m  100000000L
        #define m1 10000L
        #define b  31415821L

        unsigned long a;

        unsigned long mult(long p, long q)
        {
            unsigned long p1 = p / m1, p0 = p % m1, q1 = q / m1, q0 = q % m1;
            return (((p0 * q1 + p1 * q0) % m1) * m1 + p0 * q0) % m;
        }

        void InitRandomGenerator(unsigned long seed)
        {
            a = seed;
        }

        void NextRandomSeed()
        {
            a = (mult(a, b) + 1) % m;
        }

        unsigned long NextRandomRange(long range)
        {
            NextRandomSeed();
            return (((a / m1) * range) / m1);
        }
        /* source end */
    Attacking
    Our goal is to find the decryption key of the stolen key. Let's take a close look at the random number generator. Actually, when we look at NextRandomSeed, we can see one very easily: the final seed is divided by m (100000000) and the remainder becomes the actual new seed. This means that every seed is limited to 99999999 and that is a fairly small amount of brute force attempts!
    Our goal for today is to write a function that returns a possible symmetric key from a seed and a piece of data collected from any stolen key (specifically the encrypted symmetric key). Before I start with that I would like to point out that the first two bytes of a stolen key can always be considered junk. This is because either the date, or various otherinfo parameters are always before the symmetric key. In reality, only a maximum of 4 otherinfo parameters is possible (the SoftwarePassport GUI does not have a use for the 5th otherinfo parameter). This means that we would only have to try a maximum of 5 times before we actually find the symmetric key.
        /* source start */
        /* Uses m, m1, b and mult() from the generator source above. */
        #include <stdio.h>

        int VerifySym(unsigned int sym); // imaginary function that checks the sym

        unsigned long NextRandomRangeMod(unsigned int seed)
        {
            return (((seed / m1) * 256) / m1); // fixed: the original read the global 'a' instead of 'seed'
        }

        unsigned int NextRandomSeed(unsigned int seed)
        {
            return (mult(seed, b) + 1) % m;
        }

        unsigned int decrypt_data(unsigned int seed, unsigned int data)
        {
            unsigned int next = seed;
            unsigned int res = NextRandomRangeMod(next) << 24; // no little endian
            next = NextRandomSeed(next);
            res |= NextRandomRangeMod(next) << 16;
            next = NextRandomSeed(next);
            res |= NextRandomRangeMod(next) << 8;
            next = NextRandomSeed(next);
            res |= NextRandomRangeMod(next);
            return res ^ data;
        }

        int main()
        {
            unsigned int stolen_data = 0x????????; // placeholder: the encrypted symmetric key taken from the stolen key
            for (unsigned int i = 0; i < m; i++)
            {
                unsigned int sym = decrypt_data(i, stolen_data);
                if (VerifySym(sym)) // imaginary function that checks the sym
                {
                    printf("found: %.8X", sym);
                    break;
                }
            }
            return 0;
        }
        /* end of code */
    Conclusion
    When implemented in CUDA, brute forcing Armadillo v3-v7.2 goes from ~20 to less than a second. Armadillo v7.4 and higher goes from 2.5-3 hours to 4 minutes!
    Little tool I created for testing my theories, it actually works!
    In the attachment I included a DLL that implements the algorithm (and various other Armadillo-related algorithms) with multi-threaded support. I decided not to include the tool because this post is about how it works, not all the tools I created in my life.
    Last but not least, a hint to the guys at SiliconRealms: do not store (encrypted) keys in a protected file, just store a list of hashes.
    I hope you learned something from this!
    Greetings,
    Mr. eXoDia
    PS If you have any remarks or found a mistake (not related to grammar please), feel free to PM me.
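    An added example (not Mr. eXoDia's code) that implements the generator listed in the post without the global state and checks the two facts the analysis rests on: the state is reduced mod m on every step, so a seed and seed + m produce identical keystreams (at most 10^8 distinct keystreams, whatever the 32-bit CRC seed was), and the XOR pass is its own inverse. Function names are my own and the sample key bytes are constructed.

```c
/* Added example, not code from the post: the Armadillo stolen-key keystream
 * generator as listed above, rewritten without the global 'a' so that the
 * properties the post relies on can be checked directly. */
#include <stdio.h>
#include <string.h>

#define M  100000000UL  /* seed modulus, "m" in the post  */
#define M1 10000UL      /* split point,  "m1" in the post */
#define B  31415821UL   /* multiplier,   "b" in the post  */

/* p*q mod M computed in halves (the post's mult()). p may be a full 32-bit
 * CRC32 value: p1*q0 stays below 2^32 for q = B. */
unsigned long mult_mod(unsigned long p, unsigned long q)
{
    unsigned long p1 = p / M1, p0 = p % M1, q1 = q / M1, q0 = q % M1;
    return (((p0 * q1 + p1 * q0) % M1) * M1 + p0 * q0) % M;
}

/* One step of NextRandomSeed: a' = (a*b + 1) mod m, always below M. */
unsigned long next_state(unsigned long a)
{
    return (mult_mod(a, B) + 1) % M;
}

/* NextRandomRange(256): advance the state, then scale it into 0..255. */
unsigned char keystream_byte(unsigned long *state)
{
    *state = next_state(*state);
    return (unsigned char)(((*state / M1) * 256) / M1);
}

/* The first keystream byte produced from a given seed. */
unsigned char first_keystream_byte(unsigned long seed)
{
    unsigned long state = seed;
    return keystream_byte(&state);
}

/* The whole keystream is a function of next_state(seed) alone, so two seeds
 * that agree here produce identical keystreams; there are at most M classes. */
unsigned long seed_class(unsigned long seed)
{
    return next_state(seed);
}

/* Encryption and decryption are the same XOR pass (the post's loop). */
void xor_keystream(unsigned long seed, unsigned char *buf, size_t len)
{
    unsigned long state = seed;
    size_t i;
    for (i = 0; i < len; i++)
        buf[i] ^= keystream_byte(&state);
}

/* Do two seeds yield the same first n keystream bytes? */
int same_keystream(unsigned long s1, unsigned long s2, size_t n)
{
    unsigned long a1 = s1, a2 = s2;
    size_t i;
    for (i = 0; i < n; i++)
        if (keystream_byte(&a1) != keystream_byte(&a2))
            return 0;
    return 1;
}

/* Encrypt a constructed 8-byte key body and decrypt it again with the same
 * seed; returns 1 if the ciphertext differed and the plaintext came back. */
int roundtrip_ok(unsigned long seed)
{
    const unsigned char key[8] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0 }; /* constructed */
    unsigned char buf[8];
    int changed;
    memcpy(buf, key, sizeof buf);
    xor_keystream(seed, buf, sizeof buf);            /* encrypt */
    changed = memcmp(buf, key, sizeof buf) != 0;
    xor_keystream(seed, buf, sizeof buf);            /* decrypt */
    return changed && memcmp(buf, key, sizeof buf) == 0;
}

int main(void)
{
    unsigned long seed = 12345UL;                   /* stands in for crc32(CookText(name)) */
    printf("first keystream byte for seed %lu: %u\n", seed, first_keystream_byte(seed));
    printf("seed %lu and seed %lu share a keystream: %s\n", seed, seed + M,
           same_keystream(seed, seed + M, 16) ? "yes" : "no");
    printf("round trip ok: %s\n", roundtrip_ok(seed) ? "yes" : "no");
    return 0;
}
```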
  5. 22 points
    Not going to create a new thread for this, here's a present for everyone: Modded de4dot, which supports the latest .NET Reactor.
    de4dot-mod-reactor_4.9.zip
  6. 17 points
    Overview:
    TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using inline hooks at the moment) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.
    Features:
    - ProcessDebugFlags (NtQueryInformationProcess)
    - ProcessDebugPort (NtQueryInformationProcess)
    - ProcessDebugObjectHandle (NtQueryInformationProcess)
    - DebugObject (NtQueryObject)
    - SystemKernelDebuggerInformation (NtQuerySystemInformation)
    - NtClose (STATUS_INVALID_HANDLE exception)
    - ThreadHideFromDebugger (NtSetInformationThread)
    Test environments:
    - Windows 7 x64 (SP1)
    - Windows XP x86 (SP3)
    - Windows XP x64 (SP1)
    Installation:
    1) Copy TitanHide.sys to %systemroot%\system32\drivers
    2) Start 'loader.exe' (available on the download page)
    3) Delete the old service (when present)
    4) Install a new service
    5) Start driver
    6) Use 'TitanHideGUI.exe' to set hide options
    NOTE: When on x64, you have to disable PatchGuard and driver signature enforcement yourself. Google is your friend
    Repository: https://bitbucket.org/mrexodia/titanhide/
    Downloads: https://bitbucket.org/mrexodia/titanhide/downloads
    Feel free to report bugs and/or request features.
    Greetings,
    Mr. eXoDia
    TitanHide_0001.rar loader.rar
  7. 15 points
    ILSpy mod by Medsft: .NET assembly browser and decompiler, debugger, High and Low level Editor
    Project renamed: ILSpy NEXT. .NET assembly browser and decompiler, debugger, High and Low level Editor
    Description:
    ILSpy (latest ILSpy public version)
    -add debugger from the SharpDevelop studio
    -add CopyFullyQualifiedTypeName.Plugin
    -add OpCodeTableForm
    -add to treeview contextmenu:
      - strong name utility
      - rename class utility
      - Jump to EntryPoint
      - string viewer utility (search enable)
      - extension execute utility (reservation work enable)
      - hexeditor methodbody utility (runtime compilation enable)
      - search any text in decompileTextView
      - find method call
      - Analyze. Reference calls positioning and highlight ("IL Code" view)
      two technologies save the result (High Level: recompile assembly and Low Level: Binary Patch (see results and work in Patch_table))
    -add to decompiletextview contextmenu:
      - replace instruction (High Level, need recompile to save assembly)
      - nop instruction (High Level, need recompile to save assembly)
      - reverse branch (High Level, need recompile to save assembly)
      - nop instruction (Low Level, no need to recompile, binary patch, see Patch Table)
      - reverse branch (Low Level, no need to recompile, binary patch, see Patch Table)
      - class or method injector (High level)
      - "Undo" operation
    Mono.Cecil
    -ignore null type (Read TypeDefinition)
    -ignore invalid parameter (Read MethodDefinition)
    -ignore invalid generic argument
    -ignore invalid attribute (if (attribute.Constructor == null) continue;)
    -ignore invalid signature (GetSecurityDeclarationSignature)
    -fix handle null value in obfuscated assembly
    -add ToString for CustomAttributeArgument
    -add ToString for CustomAttributeNamedArgument
    -ignore null element (MemberDefinition)
    -avoid recursive declaringtype of some obfuscated assemblies, currently only one level checking
    -add AllMemberReferences (IEnumerable<MemberReference> GetMemberReferences)
    -add ElementTypeIntValue (ElementTypeIntValue)
    -add support to read/write directly from bytes (FromBytes)
    -Read reloc section, contributed by Khiem Nguyen
    -add alternative "Save" technology for modified assembly (support obfuscated assembly)
    Pack "ALL in One"
    The latest releases of ILSpy.NEXT on http://il4re.ml//
    We are open! Welcome, guys.
    Last build: 12_08_2016
    Sorry for my bad English and WPF
  8. 14 points
    Hello community,
    I know you all expect the paper that I announced about Enigma 2.x unpacking, but I don't know when or if I will ever finish it. Because I don't want this project I spent so much time on to die, I decided to publish the source code of it now, separately from the paper, so that everyone can prepare it for future Enigma versions. Also LCF-AT found a bug that I couldn't fix so quickly, so I hope someone who is more advanced in C++ than me can fix it. See http://forum.tuts4you.com/topic/26896-the-enigma-protector-2xx-unpacking-devirtualizer-by-dizzy-d/page__st__20#entry135147 for details.
    Just compile the source with MSVC++2010 and everything should work.
    Enigma DeVirtualizer.rar
  9. 14 points
    First of all, there's no easy way to devirtualize Eazfuscator VMed methods. So keygenning this is a pretty hard task. But you can guess the methods that are executing by breaking on System.Reflection.RuntimeMethodInfo.Invoke. Another way is to decrypt the resource in which Eazfuscator stores all VM logic. There the names of the executing methods will be visible. But in this way we will not know the order of execution. So the best way is just to use WinDbg and break on Invoke.
    We need to dump the main assembly. Just use MegaDumper to do that. The assembly will not start if there are no giv.txt and Ionic.Zip.dll in the same folder as the keygenme. But you can launch the original keygenme without those files because they are virtualized using the Enigma Protector container. So let's create those two files.
    In the dumped assembly you can also find a timer which checks if some forbidden processes are running, such as IDA, LordPE etc. The token of the method is 0x0600001a. It is recommended to "nop" it using CFF Explorer or WinHex. Then we place a breakpoint on method token 0x0600001b. This method is button1.Click. We also place a breakpoint on System.Reflection.RuntimeMethodInfo.Invoke.
    We are not going to devirtualize the Eazfuscator VM, so let's think what method executes first after you click the OK button. The first thought that comes to mind - it must be reading text from that Edit1. But first it again checks those two files (giv.txt and Ionic.Zip.dll). But if on Form.Load it checked just the presence of those files, now it also checks the contents of giv.txt. It must be the base64 string of "reversing.ro" (without the quotes). Ionic.Zip.dll can be anything. It can even not be an assembly.
    So just breaking on the Invoke call can reveal methods that are executing. And the most important part - we can see all values in the stack and registers! So finally after long "F5-button-clicking-and-checking-method-info" we break on the string compare method. And now we can see the correct key for our username.
    My valid pair of name and key: SHADOW 98999697102103
    Also I'm attaching the dumped assembly and the two needed files.
    Dump_.rar
  10. 14 points
    Something interesting is going on with this exe, seems to be a bug in Themida. But before I talk about that, I will talk about the new dolphin VM. After this post I finally finished adding support for this VM.
    So dolphin is basically (not surprisingly) more of the same, with a little new concept that is different from fish and tiger (splitting basic operation handlers into more handlers). Eagle is just fish virtualized by dolphin (in the same way that puma is tiger virtualized by fish, and shark is fish virtualized by tiger).
    Now about the weird bug. In nested VMs, usually all the handlers are virtualized by the same VM engine. But this time things were different. Eagle used two engines to virtualize the fish handlers - one of them is a dolphin that was generated for that, and the other one was the regular dolphin that was generated for the dolphin only (with the corresponding color). Puma used three engines - the fish engine generated for puma, the regular fish handler, and a fish engine virtualized by dolphin (= eagle, it used the same eagle engine instance). So puma in your exe was tiger virtualized by fish/eagle. Shark was even weirder. Shark should be fish virtualized by the tiger engine, but again, in addition to the tiger engine, it used the puma engine too (tiger virtualized by fish). And it was the same broken puma engine! Which means that some of the handlers were fish virtualized by tiger virtualized by fish virtualized by dolphin!
    This is why the eagle VMs in your exe are fast (as expected from about ~20 virtualized opcodes), but puma is slower (3 levels of VMs instead of 2), and shark is extremely slow - about a few minutes for shark black (~20 opcodes virtualized by 4 levels of VMs!). I don't know why it happened. Themida generated the right number of engines, but it seems that it got confused when choosing the engines for the nested VMs.
    Anyway, the fixed exe is attached with all the unneeded sections removed (took my script half an hour to devirtualize all those 18 engines ><) (EDIT: After running it with PyPy instead of Python it took less than 8 minutes)
    unpackme.unpacked.fixed.exe.zip
  11. 13 points
    This document is a small write-up demonstrating tools and techniques that can be used while reversing Java code. The malware used for this purpose is the AlienSpy RAT (Remote Access Trojan), which has also been attached to this post. The password of the file malware sample.rar is infected. This is live malware. Secure your system before tinkering with it. Additionally, the decompiled source code of the malware has also been provided for study.
    Reversing an obfuscated java malware.pdf
    malware sample.rar
    decompiled malware source.rar
  12. 13 points
    Easy method to unpack .NET Reactor last version:
    Step 1. Check the file. If not native, go to step 3.
    Step 2. Dump with MegaDumper. If the file crashes after the dump, just add a resource of type RC_DATA named "__" with CFF Explorer.
    Step 3. Check <Module>.cctor. If it does not exist, go to step 6.
    Step 4. Dump methods with ManagedJitter.
    Step 5. Go to <Module>.cctor. Double click on the method call (there's only one). Point your mouse cursor at the method list to get the method token. Convert it to decimal. In this case 06000033 --> 33 in decimal is 51. Open CFF Explorer, go to the methods table and find the method with your number. In this case, it is 51. Copy the RVA address of this method and go to Address Converter. Type in your RVA and press Enter. Edit bytes 1B 30 to 06 2A (return). Save file.
    Step 6. Clean file with Simple Assembly Explorer Deobfuscator (All Options).
  13. 13 points
    Some steps to get the real file, deobfuscating it will be up to you though:
    Finding The Embedded Resource Name
    Open the crackme in your favorite PE browser.
    View the file resources.
    Locate RCDATA and find the main resource. In this case it is "__".
    Dumping The "Real" Executable
    Open the crackme in OllyDbg.
    Find all string references and look for the resource name we just found. In this case: Cra'ckMe.0041B280 ; UNICODE "___"
    Follow the reference into the code.
    Scroll down and locate the calls to 'SafeArrayCreate' and 'SafeArrayAccessData'. These are the important calls we want to find.
    We want to set a breakpoint on the call after SafeArrayAccessData. (See code below)
    Once the break is hit, step over the call.
    Follow EAX in the dump window. This is the executable decrypted from the "__" resource.
    Save the memory region, do any fixes needed based on how you save the region etc.
    You should now have the real executable.
        004022D9 |. 8D8C24 8800000> LEA ECX,DWORD PTR SS:[ESP+0x88]
        004022E0 |. 51              PUSH ECX
        004022E1 |. 6A 01           PUSH 0x1
        004022E3 |. 83C5 F2         ADD EBP,-0xE
        004022E6 |. 6A 11           PUSH 0x11
        004022E8 |. 89AC24 9400000> MOV DWORD PTR SS:[ESP+0x94],EBP
        004022EF |. 899C24 9800000> MOV DWORD PTR SS:[ESP+0x98],EBX
        004022F6 |. FF15 54B14100   CALL DWORD PTR DS:[<&OLEAUT32.#15>] ; OLEAUT32.SafeArrayCreate
        004022FC |. 8D5424 48       LEA EDX,DWORD PTR SS:[ESP+0x48]
        00402300 |. 8BF0            MOV ESI,EAX
        00402302 |. 52              PUSH EDX
        00402303 |. 56              PUSH ESI
        00402304 |. 895C24 50       MOV DWORD PTR SS:[ESP+0x50],EBX
        00402308 |. FF15 58B14100   CALL DWORD PTR DS:[<&OLEAUT32.#23>] ; OLEAUT32.SafeArrayAccessData
        0040230E |. 8B4424 48       MOV EAX,DWORD PTR SS:[ESP+0x48]
        00402312 |. 55              PUSH EBP
        00402313 |. 57              PUSH EDI
        00402314 |. 50              PUSH EAX
        00402315 |. E8 36900000     CALL Cra'ckMe.0040B350 <=========== SET BREAKPOINT HERE
        0040231A |. 83C4 0C         ADD ESP,0xC
        0040231D |. 56              PUSH ESI
        0040231E |. FF15 5CB14100   CALL DWORD PTR DS:[<&OLEAUT32.#24>] ; OLEAUT32.SafeArrayUnaccessData
    Dumping The "Real" Real Executable
    Open the new file you dumped in a .NET disassembler such as ILSpy.
    View the file's managed resources and save the resource '_' in this case, to disk as a new executable.
    This new file is the real obfuscated crackme file fully removed from the loaders.
    After this point I stopped, the file does a lot of suspicious things so I didn't bother continuing.
  14. 13 points
    I'm not really used to the whole 'blog' thing so bear with me while I simply spill some thoughts.
    Anybody who has seen the Keymaker.c source code for Armadillo keygenerating can see how the keys are built and put together; I'm not going to be explaining how I came to any conclusions aside from referring back to that document.
    The single most important thing to make genuine Level 10 Short V3 keys is the Encryption Template; from it the symmetric key is made as well as the private key being generated from it for ECDSA signing. People have already successfully attacked the signature verification as well as symmetric key verification, so this post isn't revealing anything new.
    The string is uppercased in a function called 'CookText' before it is hashed with the MD5 algorithm. Looking at the source code, we can see that the BasePointInit value for the elliptic curve used is also taken from the Encryption Template, the first unsigned long of the MD5 hash to be precise. So, what do we have at the moment?
        // Hypothetical variables
        unsigned long MD5Hash[4];
        char temp[256];
        unsigned long BasePointInit;
        unsigned long Symmetric;

        // Get the hash of the uppercased string
        CookText(temp, EncryptionTemplate);
        md5(MD5Hash, temp, strlen(temp));

        // Set BasePointInit and Symmetric values
        BasePointInit = MD5Hash[0];
        Symmetric = MD5Hash[0] ^ MD5Hash[1];

        // Remembering the ECDSAPrivateKey is derived from EncryptionTemplate.
    Okay, not a lot to look at to begin with, but with the BasePointInit we have the first dword of the MD5 hash and we can perform a bruteforce lookup for any hashes that begin with that value. On its own, this would be totally useless because it returns a lot of false positives, so incorporating a check to see whether or not the generated symmetric key will yield a matching checksum when passed through the symmetric checksum function was necessary. Now, using CUDA and the symmetric check plus a large charset, it finds a 6 character encryption template in 80 seconds.
    Nothing to jump up and down about but the main thing is it works at all! There would most likely be a way to speed it up more but I'm not sure where to start; it is only a PoC and I'm sharing the theory only so please don't ask me for a copy. I also had the brainwave idea of bruteforcing the 128 bit value which is the private key for ECDSA signing but couldn't find a way that was fast enough using my limited math experience, hehe.
    My conclusion from this little experiment is that although it is possible to recover the encryption template, the character set and probable length of the strings used by Armadillo's users will prevent it from becoming an attack vector for keygenning, especially when the ECDSA_Verify and symmetric key can both be defeated with faster means.
    HR, Ghandi
  15. 12 points
    After 27 hours of reversing, I've done it again! https://twitter.com/nickharbour/status/626765867519508480 Now I need to get some sleep.
  16. 12 points
    Tutorial:
    1. MegaDumper, get ResourceAssembly.dll (assembly that contains resources)
    2. Use ConfuserDelegateKiller to remove delegates from UnpackMe.exe (google it)
    3. de4dot with parameters (-p un --strtyp delegate --strtok 06000043)
    4. CryptoObfuscator constant fixer by me (pm if you need)
    5. Remove all instructions from <Module>.cctor
    6. Attach resources with ResourceManager (use file from step 1)
    7. Clean from junk classes and delegates
  17. 12 points
    lo folks,
    here's a new version. I've added and changed too much these days, so that there might be new bugs. I'm too lazy to sort out what has changed since the last beta version.. please check out the whole changelog again:
    v0.6
    -new: 'Win64' option for all patch types (disables Wow64 redirections on 64 bit systems) to allow proper patching of x64 targets
    -new: grouping of patch entries via try-next-on-failure functionality.. some examples:
      a) multiple (future) versions of a target: add multiple search and replace patterns. as soon as 1 pattern hits, the rest of the group gets skipped.
      b) multiple bit versions of a target: one registry patch for the x64 version of a target, and one for the x86 version. the correct one gets automatically applied
    -new: randomized encryption of patch data (in resources)
    -new: support reg file version 5.00
    -new: 'vista-awareness' via manifest (requestedExecutionLevel: level="requireAdministrator")
    -new: chiptune players bassmod, titchysid, V2M (v1.5!): .xm, .mod, .it, .s3m, .mtm, .umx, .sid, .v2m, .fc
      NOTE: as the v2m player comes as v1.5, use "conv2m.exe" from farbrausch to convert old tunes into the new format
    -new: change scroller behavior at runtime via control chars (speedup, pause, resume,...)
    -new: additional scroller text editor (load/save text, open in SkinHelper)
    -new: variables %APP% and %DATE% in scroller text get replaced with application name and release date
    -new: 3 custom skins for uPPP GUI (choose in options dialog)
    -new: SkinHelper updated with new chiptune players and from now on shipped together with main package
    -new: included some out-of-the-box-****: 1 neutral patcher skin (Blue Skull) and 1 packer (Upack)
    -new: open current template in SkinHelper via double click with right mouse button on preview window
    -new: whole package is more portable now (sub paths of settings are kept relative in INI file)
    -new: Messagebox "The target is running ! Close it, then hit OK."
    -new: button for faster checking of s+r pattern occurrences
    -new: Cut/Copy/Paste/Delete contextmenu in pattern boxes
    -new: Context>Paste in pattern boxes allows multiline patterns (like given from Olly)
    -fix: filedrop only changed fileattributes of existing files when using confirmation dialog
    -fix: dropped and executed files returning bad exit code means patch failure
    -fix: after creating patch.exe and pressing "Execute", execute it with directory of last used target as working directory
    -fix: don't overwrite already existing backup files (when patching)
    -fix: reloading project with reg patch followed by other patches caused exceptions
    -fix: losing custom drop path when reopening file drop entry
    -fix: patching failed, when s+r/userinput patch was followed by other s+r patches
    -fix: exceptions when changing template
    -fix: keep space chars in front of scroll text on shutdown/restart (for delayed scrollers)
    Here we go => uPPP.v0.6.Retail.7z
    And just for completeness a package with example patches again. Mostly the top-of-the-art ones by Ecliptic: Skin_Examples.7z
    greets
  18. 11 points
    Scylla Imports Reconstruction Source
    Scylla - x64/x86 Imports Reconstruction
    ImpREC, CHimpREC, Imports Fixer... these are all great tools to rebuild an import table, but they all have some major disadvantages, so I decided to create my own tool for this job.
    Scylla's key benefits are:
    - x64 and x86 support
    - full unicode support
    - written in C/C++
    - plugin support
    - works great with Windows 7
    This tool was designed to be used with Windows 7 x64, so it is recommended to use this operating system. But it may work with XP and Vista, too.
    Source code is licensed under GNU GENERAL PUBLIC LICENSE v3.0
    https://github.com/NtQuery/Scylla
    https://github.com/x64dbg/Scylla
    Submitter: Aguila
    Submitted: 09/05/2011
    Category: Tools & Utilities
  19. 11 points
    Getting Started with MASM and Visual Studio 2010
    Link: http://www.kipirvine.com/asm/gettingStartedVS2010/index.htm
    May be useful for somebody.
    How to write x64 assembly functions in Visual C++: http://www.sciencezero.org/index.php?title=How_to_write_x64_assembly_functions_in_Visual_C%2B%2B
  20. 11 points
    I just published a definitive tutorial for x64_dbg. It documents its settings and features and shows you how to use the tool to effectively debug a 64-bit application. This tutorial is aimed at beginners, but has some information that may be useful to more advanced reverse engineers. I hope you enjoy and feel free to ask any questions you may have. http://reverseengineeringtips.blogspot.com/2015/01/an-introduction-to-x64dbg.html
  21. 11 points
    flag{Y0u_s0lved_that_r1ght!!!}
    EDIT: I enjoyed it so much that I think it deserves a small writeup. Coming up in a few hours..
  22. 11 points
    Hello my friends
    Here is my new version of our malware detector. You can make your own signatures! Only 2 Clicks
    +Fast Scan engine
    +Include Heuristic Detection
    Signature Generator
    Scanner Engine
    Download: http://rdgsoft.net/Malware.Detector.php
    Thanks
  23. 11 points
  24. 10 points
    Hi, I'm new to de4dot modding, so when I finally made this work I wanted to share it with everyone.
    Open the De4Dot source (be sure that you can compile it; Video //Credit to @li0nsar3c00l). Then go to de4dot.code/deobfuscators and create a new folder (Phoneix_Protector) and create 2 classes, Deobfuscator.cs and StringDecrypter.cs, and paste this code:
    Deobfuscator.cs
        using System.Collections.Generic;
        using dnlib.DotNet;
        using de4dot.blocks;

        namespace de4dot.code.deobfuscators.Phoneix_Protector
        {
            public class DeobfuscatorInfo : DeobfuscatorInfoBase
            {
                public const string THE_NAME = "Phoneix Protector";
                public const string THE_TYPE = "pp";
                const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;

                public DeobfuscatorInfo()
                    : base(DEFAULT_REGEX)
                {
                }

                public override string Name { get { return THE_NAME; } }
                public override string Type { get { return THE_TYPE; } }

                public override IDeobfuscator CreateDeobfuscator()
                {
                    return new Deobfuscator(new Deobfuscator.Options
                    {
                        RenameResourcesInCode = false,
                        ValidNameRegex = validNameRegex.Get(),
                    });
                }
            }

            class Deobfuscator : DeobfuscatorBase
            {
                Options options;
                string obfuscatorName = "Phoneix Protector";
                StringDecrypter stringDecrypter;
                bool foundPhoneixAttribute = false;

                internal class Options : OptionsBase
                {
                }

                public override string Type { get { return DeobfuscatorInfo.THE_TYPE; } }
                public override string TypeLong { get { return DeobfuscatorInfo.THE_NAME; } }
                public override string Name { get { return obfuscatorName; } }

                public Deobfuscator(Options options)
                    : base(options)
                {
                    this.options = options;
                }

                protected override int DetectInternal() // Main detect function
                {
                    int val = 0;
                    if (stringDecrypter.Detected)
                        val += 100;
                    if (foundPhoneixAttribute)
                        val += 10;
                    return val;
                }

                protected override void ScanForObfuscator() // Main scan function
                {
                    stringDecrypter = new StringDecrypter(module);
                    stringDecrypter.Find(DeobfuscatedFile);
                    FindPhoneixAttribute();
                }

                void FindPhoneixAttribute()
                {
                    foreach (var type in module.Types)
                    {
                        if (type.Namespace.StartsWith("?") && type.Namespace.EndsWith("?"))
                        {
                            foundPhoneixAttribute = true;
                            return;
                        }
                    }
                }

                public override void DeobfuscateBegin()
                {
                    base.DeobfuscateBegin();
                    foreach (var info in stringDecrypter.StringDecrypterInfos)
                        staticStringInliner.Add(info.method, (method, gim, args) => stringDecrypter.Decrypt((string)args[0])); // Decrypting all strings
                    DeobfuscatedFile.StringDecryptersAdded();
                }

                public override void DeobfuscateEnd()
                {
                    if (CanRemoveStringDecrypterType)
                    {
                        AddMethodsToBeRemoved(stringDecrypter.StringDecrypters, "String Decrypter Method"); // Removing all calls for string decrypt, example: class1.decriptstring()
                        AddTypeToBeRemoved(stringDecrypter.Type, "String Decrypter Type"); // Removing Phoneix class
                    }
                    base.DeobfuscateEnd();
                }

                public override IEnumerable<int> GetStringDecrypterMethods()
                {
                    var list = new List<int>();
                    foreach (var method in stringDecrypter.StringDecrypters)
                        list.Add(method.MDToken.ToInt32());
                    return list;
                }
            }
        }
    StringDecrypter.cs
        using System.Collections.Generic;
        using dnlib.DotNet;
        using dnlib.DotNet.Emit;
        using de4dot.blocks;

        namespace de4dot.code.deobfuscators.Phoneix_Protector
        {
            class StringDecrypter
            {
                ModuleDefMD module;
                MethodDefAndDeclaringTypeDict<StringDecrypterInfo> stringDecrypterMethods = new MethodDefAndDeclaringTypeDict<StringDecrypterInfo>();
                TypeDef stringDecrypterType;

                public TypeDef Type // Returning class of the string decryptor function
                {
                    get { return stringDecrypterType; }
                }

                public class StringDecrypterInfo
                {
                    public MethodDef method;

                    public StringDecrypterInfo(MethodDef method)
                    {
                        this.method = method;
                    }
                }

                public bool Detected
                {
                    get { return stringDecrypterMethods.Count > 0; }
                }

                public IEnumerable<MethodDef> StringDecrypters
                {
                    get
                    {
                        var list = new List<MethodDef>(stringDecrypterMethods.Count);
                        foreach (var info in stringDecrypterMethods.GetValues())
                            list.Add(info.method); // Adding all calls for string decryptor
                        return list;
                    }
                }

                public IEnumerable<StringDecrypterInfo> StringDecrypterInfos
                {
                    get { return stringDecrypterMethods.GetValues(); }
                }

                public StringDecrypter(ModuleDefMD module)
                {
                    this.module = module;
                }

                public void Find(ISimpleDeobfuscator simpleDeobfuscator)
                {
                    foreach (var type in module.GetTypes())
                        FindStringDecrypterMethods(type, simpleDeobfuscator);
                }

                void FindStringDecrypterMethods(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator) // Searching for the decrypt function
                {
                    foreach (var method in DotNetUtils.FindMethods(type.Methods, "System.String", new string[] { "System.String" }))
                    {
                        if (method.Body.HasExceptionHandlers)
                            continue;
                        if (DotNetUtils.GetMethodCalls(method, "System.String System.String::Intern(System.String)") != 1)
                            continue;
                        simpleDeobfuscator.Deobfuscate(method);
                        var instrs = method.Body.Instructions;
                        // Searching for the string decrypt function (this is the MSIL code of the function, not all of it).
                        // The pattern reads up to instrs[i + 11], so the loop bound must leave room for 12 instructions
                        // (the original bound of Count - 3 could index past the end of the list).
                        for (int i = 0; i < instrs.Count - 11; i++)
                        {
                            if (!instrs[i].IsLdarg() || instrs[i].GetParameterIndex() != 0) continue;
                            if (instrs[i + 1].OpCode.Code != Code.Callvirt) continue;
                            if (!instrs[i + 2].IsStloc()) continue;
                            if (!instrs[i + 3].IsLdloc()) continue;
                            if (instrs[i + 4].OpCode.Code != Code.Newarr) continue;
                            if (!instrs[i + 5].IsStloc()) continue;
                            if (!instrs[i + 6].IsLdcI4()) continue;
                            if (!instrs[i + 7].IsStloc()) continue;
                            if (instrs[i + 8].OpCode.Code != Code.Br_S) continue;
                            if (!instrs[i + 9].IsLdarg()) continue;
                            if (!instrs[i + 10].IsLdloc()) continue;
                            if (instrs[i + 11].OpCode.Code != Code.Callvirt) continue;
                            // If you want you can continue with the IL code, but I think it's enough
                            var info = new StringDecrypterInfo(method);
                            stringDecrypterMethods.Add(info.method, info);
                            stringDecrypterType = method.DeclaringType; // Class of the string decrypt function
                            Logger.v("Found string decrypter method", Utils.RemoveNewlines(info.method));
                            break;
                        }
                    }
                }

                public string Decrypt(string str)
                {
                    var chrArr = new char[str.Length];
                    var i = 0;
                    foreach (char c in str)
                        chrArr[i] = char.ConvertFromUtf32((((byte)((c >> 8) ^ i) << 8) | (byte)(c ^ (chrArr.Length - i++))))[0];
                    return string.Intern(new string(chrArr));
                }
            }
        }
    And in the end don't forget to add new de4dot.code.deobfuscators.Phoneix_Protector.DeobfuscatorInfo() in de4dot.cui/program.cs.
    I also added comments for better understanding. Hope it was useful.
    Credit goes to 0xd4d // His XenoCode decrypt, because it's mostly a copy of it
    Happy De4Dot Modding
    TheProxy
  25. 10 points
    Identifying Malicious Code Through Reverse Engineering Link: http://download.adamas.ai/dlbase/ebooks/VX_related/Identifying%20Malicious%20Code%20Through%20Reverse%20Engineering.pdf