Tuts 4 You

Leaderboard

Popular Content

Showing content with the highest reputation since 10/15/2021 in all areas

  1. Adobe Uses DMCA to Nuke Project That Keeps Flash Alive
     torrentfreak.com/adobe-uses-dmca-to-nuke-project-that-keeps-flash-alive-secure-adware-free-211012/
     Facebook Secret Blacklist of 'Dangerous Individuals and Organizations'
     theintercept.com/2021/10/12/facebook-secret-blacklist-dangerous/
     MS - Russian cyberattacks pose greater risk to governments (annual report)
     blogs.microsoft.com/on-the-issues/2021/10/07/digital-defense-report-2021/
     Google's VirusTotal analysed 80 million ransomware samples
     www.zdnet.com/article/google-analysed-80-million-ransomware-samples-heres-what-it-found/
     www.theregister.com/2021/10/14/googles_virustotal_malware/
     YJIT: Building a New JIT Compiler for CRuby
     shopify.engineering/yjit-just-in-time-compiler-cruby
     .NET updates include C and C++ code in Blazor WebAssembly
     www.theregister.com/2021/10/13/microsoft_dotnet_updates/
     Bypass Paywall by Magnolia 1234x - Installation Tutorial by author
     gitlab.com/magnolia1234/bypass-paywalls-chrome-clean/-/issues/45
     www.youtube.com/channel/UCeDuSy0mmE-3bEDJVINA3-g/videos
     They're putting guns on robot dogs now
     www.theverge.com/2021/10/14/22726111/robot-dogs-with-guns-sword-international-ghost-robotics
     WhatsApp Encryption – Technical White Paper
     scontent.whatsapp.net/v/t39.8562-34/122249142_469857720642275_2152527586907531259_n.pdf/WA_Security_WhitePaper.pdf?ccb=1-5&_nc_sid=2fbf2a&_nc_ohc=IcdmaficR1AAX-BVcJ_&_nc_ht=scontent.whatsapp.net&oh=03d0d01b7db34335ed0f9670ce38db0a&oe=616D3559
     blog.whatsapp.com/end-to-end-encrypted-backups-on-whatsapp/
     ODTTF (Obfuscated OpenType)
     en.wikipedia.org/wiki/ODTTF
     Xkcd: Steal This Comic (DRM and DMCA)
     xkcd.com/488/
     Brick Block (sample of Unity Web)
     http://oskarstalberg.com/game/house/index.html
     Steve Jobs G4 Cube Introduction (2000)
     www.youtube.com/watch?v=AwDOJ7HztXM
     Psst! Now you can securely share 1Password items with anyone
     blog.1password.com/psst-item-sharing/
     Poland is a problem for the EU precisely because it will not leave
     www.economist.com/europe/2021/10/14/poland-is-a-problem-for-the-eu-precisely-because-it-will-not-leave
     Win32k Elevation of Privilege Vulnerability CVE-2021-40449
     msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40449
     Multihash
     multiformats.io/multihash/
     Debugging assembly in Visual Studio Code
     github.com/newtonsart/vscode-assembly
     How PHP Opcache Works
     www.npopov.com/2021/10/13/How-opcache-works.html
     Polish Doctor Claims He Found a LIFE FORM in the Pfizer Comirnaty Shot
     humansarefree.com/2021/10/polish-doctor-claims-he-found-a-life-form-in-the-pfizer-comirnaty-shot.html
     Brave browser cuts off another avenue for tracking your web activity
     www.techradar.com/news/brave-browser-cuts-off-another-avenue-for-tracking-your-web-activity
     PinePhone Pro Announced
     www.pine64.org/pinephonepro/
     Reversing Golang used in SolarWinds
     youtu.be/_cL-OwU9pFQ
     add to hosts :
     #Google 127.0.0.1 www.google-analytics.com 127.0.0.1 google-analytics.com 127.0.0.1 ssl.google-analytics.com yt3.ggpht.com 127.0.0.1 gvt1.com redirector.gvt1.com gvt2.com redirector.gvt2.com safebrowsing.googleapis.com
    2 points
  2. DuckDuckGo as a TTY
     duckduckgo.com/tty/
     Bioelektryczność – Polish Robotics (1968)
     www.youtube.com/watch?v=NjrYk546uBA
     Playstation 3 Architecture
     www.copetti.org/writings/consoles/playstation-3/
     We analyzed 425k favicons
     iconmap.io/blog
     Moderna won't share vaccine recipe. WHO has hired African startup to crack it
     www.npr.org/sections/goatsandsoda/2021/10/19/1047411856/the-great-vaccine-bake-off-has-begun
     Bringing VS Code to the browser
     vscode.dev/
     Review - All Atari Games
     voxodyssey.com/atari-2600
     Facebook fined £50.5m for breaching order in Giphy investigation
     www.theguardian.com/technology/2021/oct/20/facebook-fined-for-breaching-order-in-giphy-takeover-investigation
     Implementing Hash Tables in C
     www.andreinc.net/2021/10/02/implementing-hash-tables-in-c-part-1
     Gotify/server: A simple server for sending and receiving messages in real-time
     github.com/gotify/server
     AT&T is white-labeling Google Stadia to give you free Batman game streaming
     www.theverge.com/2021/10/21/22738550/arkham-knight-google-stadia-att
     9to5google.com/2021/10/21/att-confirms-stadia-arkham-knight-teases-cloud-gaming-ambitions/
     YouTube will be removed from Roku
     9to5google.com/2021/10/21/youtube-will-be-removed-from-roku-as-of-december-9-existing-users-unaffected/
     Ask HN: Can Firefox Be Revived?
     news.ycombinator.com/item?id=28954390
    1 point
  3. Brave Search replaces Google as default search engine in the Brave browser
     brave.com/search-and-web-discovery/
     search.brave.com/
     Outdated, vulnerable open source component(s) shipped with Windows 10 & 11
     seclists.org/fulldisclosure/2021/Oct/17
     Android 12 Released
     www.android.com/android-12/
     Obsidian – A knowledge base from a local folder of plain text Markdown files
     obsidian.md/
     help.obsidian.md/How+to/Internal+link
     Firecracker MicroVMs
     firecracker-microvm.github.io/
     Canon sued for disabling scanner when printers run out of ink
     www.bleepingcomputer.com/news/legal/canon-sued-for-disabling-scanner-when-printers-run-out-of-ink/
     Minias – A mini x86-64 assembler for fun and learning
     github.com/andrewchambers/minias
     N64 in WebAssembly
     www.neilb.net/n64wasm/
    1 point
  4. Hi, do something like this:

         call next            ; E8 00000000 (call the next instruction)
     next:
         pop eax              ; getting current address
         add eax, 0x12345678  ; distance from here to destination address

     BR, h4sh3m
    1 point
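The stub h4sh3m describes is the classic position-independent "get PC" trick: `call` pushes the address of the instruction after it, `pop eax` recovers it, and a constant displacement turns it into the address of whatever you need. The point a practitioner has to get right is where "here" is: `pop eax` yields the address of the pop itself, which sits 5 bytes into the stub, so the immediate is `destination_offset - 5`. The following Python encoder and three-opcode simulator are an added example, not code from the post or its author; the load address 0x00401000, the blob layout (stub immediately followed by the data) and the sample string are assumptions made for the demo.

```python
"""
Added example (not from the original post): build the
"call $+5 / pop eax / add eax, imm32" delta-offset stub and check the
arithmetic with a tiny simulator. Base address, layout and payload are
made up for the demonstration.
"""
import struct

CALL_NEXT = b"\xE8\x00\x00\x00\x00"  # call $+5: pushes the address of the next instruction
POP_EAX = b"\x58"                    # pop eax: eax = address of this pop (= stub + 5)
ADD_EAX_IMM32 = b"\x05"              # add eax, imm32

STUB_LEN = 11  # 5 (call) + 1 (pop) + 5 (add) bytes


def build_stub(dest_offset: int) -> bytes:
    """Return the 11-byte stub; after it runs, eax == blob_base + dest_offset.

    The pop lands at offset 5, so the displacement to add is dest_offset - 5,
    not dest_offset. Getting this off by 5 is the usual mistake.
    """
    delta = dest_offset - 5
    return CALL_NEXT + POP_EAX + ADD_EAX_IMM32 + struct.pack("<i", delta)


def build_blob(data: bytes) -> bytes:
    """Hypothetical layout: the stub followed directly by the data it points at."""
    return build_stub(STUB_LEN) + data


def simulate(blob: bytes, base: int) -> int:
    """Execute only the three opcodes the stub uses and return the final eax.

    Any other opcode raises, so the simulator cannot silently run past the stub.
    """
    eip = base
    stack = []
    eax = 0
    off = 0
    while off < STUB_LEN:
        op = blob[off]
        if op == 0xE8:  # call rel32: push return address, then jump
            rel = struct.unpack("<i", blob[off + 1:off + 5])[0]
            next_ip = eip + 5
            stack.append(next_ip)
            eip = next_ip + rel
            off = eip - base
        elif op == 0x58:  # pop eax
            eax = stack.pop()
            eip += 1
            off += 1
        elif op == 0x05:  # add eax, imm32 (32-bit wraparound)
            imm = struct.unpack("<i", blob[off + 1:off + 5])[0]
            eax = (eax + imm) & 0xFFFFFFFF
            eip += 5
            off += 5
        else:
            raise ValueError(f"unexpected opcode {op:#x} at offset {off}")
    return eax


def demo():
    """Return (eax after the stub, the bytes eax points at) for an assumed base."""
    base = 0x00401000  # assumed load address
    data = b"hello\x00"  # constructed payload data
    blob = build_blob(data)
    eax = simulate(blob, base)
    start = eax - base
    return eax, blob[start:start + len(data)]


if __name__ == "__main__":
    eax, pointed = demo()
    print(f"eax = {eax:#010x}, points at {pointed!r}")
    print("stub bytes:", build_stub(STUB_LEN).hex(" "))
```

Swap the `0x12345678` from the post into `build_stub(0x12345678 + 5)` and the encoder emits exactly `05 78 56 34 12`, which makes the "+5" bookkeeping visible.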
  5. Base64? Are you sure that's #2?
    1 point
  6. So you want to download some releases from SND? Alright, let's look at snd.webscene.ir. The distribution section menu contains a link pointing at hxtps://keygens.pro/

     Super, looks like there are a lot of cracks over here! And the site is virus free, right? So let's pick something, I don't know, maybe 7-Data.Card.Recovery.1.1.keygen-SND hxtps://keygens.pro/crack/729775/

     lol @ the description on the page, didn't know Reagan was from SND and born in Russia.

     Anyway, we get redirected to a download page after clicking the 'Download only Keygen' button; we have to fill in a captcha and agree to the conditions. The archive is password protected and contains only one file, "setup_pass-123.exe".

     If we try to download some other random files from the keygens.pro collection, sometimes we get variations, e.g. Any.video.converter.Ultimate.keygen-URET hxtps://keygens.pro/crack/733508/ which contains a 'readme.txt', but we still have our suspicious setup_pass-123.exe inside.

     Antiviruses aren't really happy about the file when it is sent to VirusTotal, but hey, that's kind of normal, it's a crack after all. The file in question is massively identified as 'remcos' (Avira, Kaspersky, F-Secure, ...). Remcos is a known trojan, and this time they are right. I've sent the file to my CAPEv2 (like Cuckoo sandbox but with Python 3), which also identified it as Remcos, and even exactly version 2.7.0 Pro.

     The process tree:
       path-pass-123.exe 1204
       powershell.exe 764    powershell -w 1 -e cwB0AGEAcgB0AC0A [REDACTED]
       mc.exe 588
       mc.exe 2816
       trading_bot.exe 2776
       services.exe 484      C:\Windows\system32\services.exe
       lsass.exe 2992        C:\Windows\system32\lsass.exe

     mc.exe does a NtOpenMutant with mutex name 'Remcos_Mutex_Inj'

     A few DeleteFile() calls:
       DeletedFile: C:\Users\PC\AppData\Local\Temp\g23cbt11.tv1.ps1
       DeletedFile: C:\Users\PC\AppData\Local\Temp\rgmxlij1.zlj.psm1
       DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a5a4f0c9-7658-465a-89b7-50210e17552a
       DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aa1cabc1-b688-4c89-bf51-d9e59fc195d8
       DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_33715418-423c-4ee6-9bfb-e19632c208c1
       DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d9fccf31-e642-45c3-b729-86cbf5ec234c
       DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_99c3bc19-136a-483f-a231-8276ab84ee13
       DeletedFile: C:\Users\PC\AppData\Roaming\Microsoft\mc.exe
       DeletedFile: C:\Users\PC\AppData\Local\Temp\webcam.png
       DeletedFile: C:\Users\PC\AppData\Local\Temp\screenshot.jpg
       DeletedFile: C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\fuv0sisu.default-release\cookies.sqlite24628718
       DeletedFile: C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\fuv0sisu.default-release\formhistory.sqlite24628875

     About the dropped files, it writes a file 'logs.dat' into \AppData\Roaming\temp\, in my case:
       [2020/10/15 05:31:33 Offline Keylogger Started]
       [ Program Manager ]
       [Following text has been copied to clipboard:]
       h
       [End of clipboard text]
       { User has been idle for 400 minutes }

     And what was the 'screenshot.png' it created and then deleted? This: one of my CAPEv2 VMs (the malware has oversized the screenshot a bit, though).

     The file sniffs keystrokes, harvests/steals private information from browsers and messenger clients, takes screenshots from the PC and webcam if connected, and installs itself for autorun at startup. Yep, that's not really what we were looking for.

     Alright... let's search for another site then. We type "download crack" on Google and we are now on keygenninja.com (former KeygenGuru, according to them). The site is the second result on Google's main page; the authors of the site play on search engine rankings and are extremely well positioned (they pay Google for that).

     Let's try to download something, idk, maybe 'Panopticum IcePattern v1.2 for Adobe Photoshop' hxtps://keygenninja.com/serial/panopticum_icepattern_v1_2_for_adobe_photoshop.html

     We click the 'Download Keygen' button and get redirected to another site: hxtps://cracknet.net/d/a95b2bff8a272ss9p.html

     Now we are on a page with 2 big 'download' buttons; the text also indicates that the archive password is 12345. When you click on the button the download is launched, but from another external site: hxtps://get.ziplink.xyz/

     I've also found another site: serialms.com, this is just another 'showcase site'. All the cracks point to the same address (cracknet.net); they also have the same db as keygenninja.com.

     Well, we have 3 files in the archive: one executable, and unlike keygens.pro, this time we have the info files (nfo and diz file), apparently a release from team Inferno (a cracking group who disbanded in 2006). The nfo says it was released in May 2020 and the file timestamps seem to be from 2020. Is Inferno back?

     When extracting the executable from the archive, we get a suspicious 'rar sfx archive' icon; if we look at the executable properties, Windows will confirm it's a self-extracting archive. Meaning we can also rename the file to .rar and open it with WinRAR to see what's going on.

     btw, that archive inside the archive [insert xzibit yo dawg meme here] is also password protected with '12345'. According to VirusTotal only 10 of 70 engines detect it as hostile. Suspicious again, huh? Let's send this file to CAPEv2 too. When sending a password protected SFX archive, you need to fill the option field with 'arguments=-p 12345' in CAPEv2, so it will be able to run it with the password.

     And... here is the process tree. Yep, a big one too: the SFX archive contains an SFX archive, which contains several other SFX archives [insert again xzibit meme here] and executes everything, resulting in a lot of new processes.
       Panopticum.IcePatter.exe 172    -p12345
       cmd.exe 2696                    C:\Windows\system32\cmd.exe /c ""C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen.bat" "
       intro.exe 816                   intro.exe 1O5ZF
       keygen-step-1.exe 3916          keygen-step-1.exe
       keygen-pr.exe 3892              keygen-pr.exe -p83fsase3Ge
       key.exe 1280
       keygen-step-3.exe 3524          keygen-step-3.exe
       cmd.exe 3804                    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
       PING.EXE 2572                   ping 1.1.1.1 -n 1 -w 3000
       keygen-step-4.exe 2624          keygen-step-4.exe
       file.exe 3896
       002.exe 4548
       Setup.exe 4152
       slic.exe 4148                   1
       984D0A19445AA8C5.exe 1552       0011 installp1
       984D0A19445AA8C5.exe 1144       200 installp1
       cmd.exe 3280                    cmd.exe /c taskkill /f /im chrome.exe
       msiexec.exe 2880                msiexec.exe /i "C:\Users\PC\AppData\Local\Temp\gdiview.msi"
       services.exe 472                C:\Windows\system32\services.exe
       svchost.exe 592                 C:\Windows\system32\svchost.exe -k DcomLaunch
       dllhost.exe 3832                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
       dllhost.exe 2064                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
       svchost.exe 3224                C:\Windows\system32\svchost.exe -k netsvcs
       VSSVC.exe 3648                  C:\Windows\system32\vssvc.exe

     One file leads to many files. So what's going on? Well, a lot of things.

     This isn't the Remcos RAT like on keygens.pro. I don't know exactly what all of this is; my CAPEv2 seems to detect it as Azorult (a known password stealer). I think it's a false positive for the 'Azorult' malware family, but this one is also harvesting credentials from browsers, bitcoin wallet clients, FTP clients, email clients...

     BTRSetp.exe seems packed with 'Eshelon revolution protector'; it also has a mention of Lenin.
       // Module
       [module: SuppressIldasm]
       [module: Glory_to_the_Great_Lenin_and_the_October_Revolution!!!("Eshelon Revolution Protector ")]
       [module: EF58C16E8C("Discord Link : v1.0.0-custom")]

     The batch file keygen.bat unpacks keygen-step-4.exe with password 83fsase3Ge. This archive contains key.exe and JOzWR.dat; when key.exe is executed it will look in the same folder for the file JOzWR.dat, which is later decoded by key.exe and loaded in memory (an 'lzma decoder', screenshot here: in memory, 1060×847 png, 60,4 kB).

     The dumped JOzWR.dat is detected by 13 engines.
       ASCII "-txt -scanlocal -file:potato.dat"

     potato.dat is a file that will later be created in %TEMP% and which contains harvested serial numbers from your applications, including the Windows license key. Example of what the file contains in my CAPEv2:
       Computer: PC-PC - Main scan
       Microsoft Office Professional Plus 2010 - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
       Microsoft Office Professional Plus 2010 - Product ID - REDACTED-REDACTED-REDACTED-REDACTED
       Microsoft Office Professional Plus 2010 - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
       Windows 7 Ultimate - Extra info - Full product name: Windows 7 Ultimate Service Pack 1
       Product ID match to CD Key data
       Product Part No.: REDACTED
       Installed from 'Full Packaged Product' media.
       Is OEM: No
       Windows 7 Ultimate - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
       Windows 7 Ultimate - Product ID - REDACTED-REDACTED-REDACTED-REDACTED
       Windows 7 Ultimate - User - PC
       Computer: PC-PC - Deep scan

     The guy who wants free serials gets his serials harvested, isn't that a paradox?

     In conclusion: never open or visit crack sites if you don't have the knowledge to avoid infections; use common sense, as some will even try to trick you with fake nfo / fake releases. Maybe buy your software (or crack it yourself) to avoid that, and don't trust crack sites at all: even if they were 'legitimate' like keygens.pro, they can go rogue any time.
    1 point
  7. Used protector (I forgot to specify):
     https://www.52pojie.cn/thread-652274-1-1.html
     http://distro.crack.vc/index.php?dir=RceTools/Packers/
     Finally made scripts and a tutorial on how to restore stolen bytes:
     https://forum.tuts4you.com/topic/41211-obsidium-olly-scripts/
     BR.
    1 point
  8. With the growing popularity of CTF (capture the flag) competitions, and the excellent performance of Polish teams like Dragon Sector in this area, I thought it would be interesting to demonstrate the construction of a simple CrackMe, using some creative techniques which make it difficult to crack and analyse. If you have ever been curious about reverse engineering, entered a CTF competition, or wanted to create your own CrackMe and drive other contestants crazy, this article is for you.
     https://www.pelock.com/articles/how-to-write-a-crackme-for-a-ctf-competition
     Sources on GitHub with English comments:
     https://github.com/PELock/CrackMeZ3S-CTF-CrackMe-Tutorial
    1 point