Tuts 4 You


Popular Content

Showing content with the highest reputation since 10/15/2019 in all areas

  1. 4 points
    There is definitely room for a good modification of ConfuserEx to eventually happen and be posted here. ConfuserEx itself was the successor/fork of Confuser itself, which has greatly improved the original. ConfuserEx has completely changed how the .NET protection field has worked as well, with it completely influencing every other obfuscator on the market. Especially the ones made from people in the RE scene all using ConfuserEx as a base to work from. (Whether they want to admit to it or not.)

    Since ConfuserEx and now KoiVM are open source, they tend to be the most used and modified. No other real protection system for .NET is open source let alone offers the kind of features that they do. While it does mean a lot of terrible rebrands and mods will happen, it doesn't mean every single one is going to be trash in the future. Given that KoiVM is open source, it leaves a lot of room for others to take that concept and run with it to make their own VMs with much more in depth features, better C# language support for newer features, and so on.

    I don't think outright banning it from existing on the site is a good idea either. There shouldn't be a reason to further divide what little of the RE scene is left.

    Some thoughts of mine on how to approach this going forward:

    1. Make a new section/sub-forum specifically for ConfuserEx mods. This way the general .NET unpack section can focus on other non-ConfuserEx related challenges and not be drowned out with the various customizations/mods people want to post.
    2. In the new section, have some type of guidelines/rules on what is considered a valid challenge. Mods to ConfuserEx that do nothing to the actual core and just add 1-2 new things should be rejected because the base/core has not been touched, therefore all the existing tools will work against said mod. Simply renaming the ConfuserEx attribute is not a valid means to try and deter tools from working etc. Focus on making sure people have actually put time/effort into their mods vs. just renaming the project and adding 1 thing to it.
    3. Avoid belittling people that are coming here to learn and making an effort to work on modifications. Rather than people just shitting on someone or leaving a few word replies telling the person they suck, their mod is shit, etc. encourage people responding to the threads to actually give feedback in a friendly manner. Everyone started somewhere, knowing nothing, so putting egos aside and encouraging newcomers to go back and learn certain things, showing them why a certain protection/mod doesn't work/help, etc. goes a long way. (Simply put, if your objective is just to be a dick when responding, just don't respond.)
    4. If moderators are added, would really suggest making sure that there are some rules/guidelines on how they should moderate the new section/topics. Basically to avoid power-tripping, egos, and other nonsense that doesn't need to exist here.

    Another thing is to understand everyone has different skill levels when it comes to unpacking/cracking things, and while person A may think a given mod is weak/easy/crap, person B who is just learning may see the given challenge as a great learning experience and a way to enhance their skills. So avoiding skill sets being the end-all judgement of how something is moderated.

    Of course there are situations where things like this will have trolls or people posting challenges that have their own issues with pride/ego as well. Which is something seen already with a few people posting ConfuserEx mods that do not really understand the base project, how .NET operates, etc. For example, there is someone on a specific Discord community that keeps making 1-2 line edits to ConfuserEx and deeming it uncrackable. Every time, someone will use the existing tools, unpack his app and prove him wrong, but he refuses to be wrong and keeps spamming the Discord with modifications constantly. In a case like this I would say preventing them from posting new challenges for a given period of time may be warranted to avoid them from posting 100 different mods in a day.

    All in all though, I wouldn't recommend banning it altogether. The RE scene is so small anymore as it is, banning discussions on given topics at all is just going to further divide things than they already are. As it is, there are people on this site that land up driving newcomers away already which most land up joining one of the various Discord communities instead that are focused on RE/.NET RE etc.
  2. 3 points
    Regardless of the borderline-spam that we have been observing in the challenges sections, I think .NET is still a valid platform to write reverse engineering challenges for. Look how obfuscators like DNGuard still seem to be a challenge for a lot of people. Also, even though KoiVM is more or less defeated nowadays, it used to be a very difficult task as well for the majority of people around here. There are many tricks one could pull off to make a challenge interesting, and this includes the ones written in .NET. I think the difficulty of a challenge does not always rely on the platform it is running on. For example, some rely on interesting or flawed cryptographic algorithm implementations that the reverse engineer needs to exploit in some way or another. Others might use an uncommon model of a virtualization that people haven't seen before all too often. Furthermore, writing these kinds of challenges in .NET could make the challenge actually more fun, as the reverser doesn't have to worry too much about the imperfect decompiled code of IDA or Ghidra or whatever tool people use. Rather, they can focus more on the actual problem that the challenge is about. Granted, I might be talking a bit more about KeygenMes now rather than "simple" unpackme's, but I think you get my point. Creativity is the key to success in my opinion, but you are right this is hard to benchmark. Banning challenges that are protected by a specific (potentially modded) obfuscator sounds like a bad idea as well in my opinion, and could hurt the forum more than it would do good. It might be a good idea however to limit the number of challenges per obfuscator, although I am not entirely sure how to limit this or when to decide when this limit is reached. Perhaps one or two per version/update or maybe per feature that an obfuscator might offer?
  3. 2 points
    Simple Polymorphic Engine (SPE32) is a simple polymorphic engine for encrypting code and data. It is an amateur project that can be used to demonstrate what polymorphic engines are. SPE32 allows you to encrypt any data and generate a unique decryption code for this data. The encryption algorithm uses randomly selected instructions and encryption keys. https://github.com/PELock/Simple-Polymorphic-Engine-SPE32 Sample polymorphic code in x86dbg window: Another polymorphic code mutation, this time with code junks
  4. 2 points
    Hey guys, After a long time I started writing on my blog again. https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-1 Best regards
  5. 2 points
    I used this in my MyAppSecured exe protector project. This code emulates the winAPI CreateThread using ZwCreateThread, in pure MASM, compiled in WinASM studio. Feel free to use it for your own projects. ZwCreateThread example.rar
  6. 2 points
    Many years ago I wrote a software protector called MyAppSecured. Somewhere in the middle of porting it from Delphi to C++ I lost my interest in this project. Just found it on my HDD so I thought it might be helpful for someone. In short, the GUI of this protector is written in C++ and the protection stub is written in MASM. The C++ code loads a target in memory and adds 2 PE sections to it. One for the TLS callback code and one for the main code. The MASM stub will be written to those 2 sections. This protector has just 2 protection features: Analyze Immunity (anti-debug) and Memory Shield (anti debug-tools, OEP relocation). Note this is not a download-and-use-right-away protector. The code was written years ago so it's not very well written and also for some unknown reason the MASM stub could not be written into the 2 created sections. It did work very well years ago but I don't have the time to investigate why it doesn't work now. To be clear, the compiled exe file you will find in the package should run nicely but once you try to secure an exe file, that exe file is gonna be corrupted. This project is free for personal and commercial purposes. If you have any questions please ask, but keep in mind I abandoned this project and removed it from my HDD right after posting it here. Even if you are not gonna use this project it might be interesting to check the code. Some interesting stuff you might find there for your own project, such as emulating the CreateThreadW function in pure MASM, adding PE sections & relocation of OEP. MyAppSecured v1.00 Beta source.zip
  7. 1 point
    +1 to what @Washi and @atom0s said. To keep the .NET unpackme section in a decent shape we would need a moderator who, well, moderates.. Posting a crackme is not a basic human right - it must be earned. I believe it's a moderator's right and duty to say "Sorry, but this thing you made is not a good crackme. May I suggest you to learn a bit more and come back later?" That moderator action would stop floods of ConfuserEx shit-mods once and for all. Another duty of a moderator is to intervene and to keep discussion civilized and to the point. Mamo's responses in his topics fell short of that (for example, the part where users reported broken/nonworking crackme). While I understand that some of the members don't speak good English or even use a machine translator, it doesn't give them rights to behave like a dick. As for newcomers going away from the forum and joining some Discord channel - there's nothing we can or should do about that. Those Discord channels are full with blinds leading the blind. But that's what modern skids want - feeling important, feeling smart and being able to shout "omg lol i brokz t3h unpacker!!!111", "how i can make this rat fud??", "duuude, I compiled confuserex!" or, better yet, posting an excruciating 30-minute video showing that process.. We don't need that here.
  8. 1 point
    https://github.com/lurumdare/Lycosidae Bypass ScyllaHide Features - Import no leak - Strings no leak
  9. 1 point
    FILES ARE IN VIDEO DESCRIPTION Regards Anees Khan
  10. 1 point
  11. 1 point
    I would take this job but! Mental and Dental included? Kidding
  12. 1 point
    Alan Wake American Nightmare Observer Crusader Kings II Ted.
  13. 1 point
    I'm afraid we need to reopen this topic again. In the last 2 months moderators have approved 8 (yes, eight!) unpackmes from the user mamo434376. They are all simple modifications of ConfuserEx and KoiVM with very little original work. What exactly is the point of having them here?
  14. 1 point
    Analyzing Keyboard Firmware Part 2 Ted.