Tuts 4 You


Popular Content

Showing content with the highest reputation since 06/12/2019 in all areas

  1. 2 points
    - version 4.0:
      1- add RegexSearch form.
      2- New GUI after replace DataGridView with RichTextBox to easy deal and fast coding.
      3- edit CustomBuildStep to auto copy files (AdvSconfig.txt, HelpAdvancedScript.txt).
      4- add AutocompleteMenu.dll.
      5- add copy AutocompleteMenu.dll to x64dbg root.
      6- add AdvSconfig.txt for AutoComplete list to define commands and variables.
      7- update AutocompleteMenu.dll.
      8- add comments_ to Variables class to add it next to the description of the variables when calling them by Ctrl+j.
      9- call list of vars by Ctrl+j.
      10- add ReFill_FunctionsAutoComplete_AtLoad.
      11- highlight_system done for good look and analysis.
      12- add autoCompleteFlexibleList to handle commands defined in AdvSconfig.txt.
      13- add open script from outside.
      14- refresh by menu and F5 to refresh highlight_system.
      15- add var of x64dbg system.
      Note: by AdvSconfig.txt you can define the commands in AdvancedScript.
      AdvancedScript_4.0.zip
  2. 1 point
    Scan search result: https://www.virustotal.com/gui/file/7458820875f3511395ccc6f0f342c0efc276717ae25187ded0852bbda772b338/detection It is native 64 bits executable.
  3. 1 point
    Jose Roca's site is the place to go for all GDIPlus stuff, or the MSDN/Microsoft Docs pages. And the forums on that site for examples:
    - GDI: http://www.jose.it-berater.org/smfforum/index.php?board=416.0
    - GDI+: http://www.jose.it-berater.org/smfforum/index.php?board=417.0
    Also I would suggest doing the GdiplusStartup at the beginning of the program and the GdiplusShutdown as the program is exiting rather than every time inside the function. Looks pretty good. Glad you got it all working.
  4. 1 point
    Hi again, after a longer time of working on that ico stuff I did it today and found a method to change an icon handle into a bitmap handle, use it with the SetMenuItemBitmaps function and draw it perfectly transparent without any issues. 😀 The solution was to use GDI+ functions (never really used before), which do the work already. After a while of checking how to use GDI+ functions I did manage it and created my own function code to do the work, and it works with all the different ico files I have and also posted above in an earlier post. Just great, Baby! Special self congrats to me this time, hehe. Anyway, I am just really really happy that I got it working now after a long time of trying etc. Below is my code function so far....

    Create HBITMAP Handles from Icon resources

        invoke CreateHBITMAPfromResICON,hInstance,400,16
        .if eax != FALSE
            mov _IconBitmapObject,eax ; invoke DeleteObject,_IconBitmapObject if no more needed
        .endif
        invoke CreateHBITMAPfromResICON,hInstance,401,16
        .if eax != FALSE
            mov _IconBitmapObject2,eax ; invoke DeleteObject,_IconBitmapObject2 if no more needed
        .endif
        invoke CreateHBITMAPfromResICON,hInstance,402,16
        .if eax != FALSE
            mov _IconBitmapObject3,eax ; invoke DeleteObject,_IconBitmapObject3 if no more needed
        .endif
        invoke CreateHBITMAPfromResICON,hInstance,200,16
        .if eax != FALSE
            mov _IconBitmapObject4,eax ; invoke DeleteObject,_IconBitmapObject4 if no more needed
        .endif

        invoke SetMenuItemBitmaps,popupmenuhandle,MEN_1, MF_BYCOMMAND, _IconBitmapObject, _IconBitmapObject
        invoke SetMenuItemBitmaps,popupmenuhandle,MEN_2, MF_BYCOMMAND, _IconBitmapObject2, _IconBitmapObject2
        invoke SetMenuItemBitmaps,popupmenuhandle,MEN_3, MF_BYCOMMAND, _IconBitmapObject3, _IconBitmapObject3
        invoke SetMenuItemBitmaps,popupmenuhandle,MEN_4, MF_BYCOMMAND, _IconBitmapObject4, _IconBitmapObject4

        CreateHBITMAPfromResICON proc uses edi esi _hInstance:DWORD,_ResID:DWORD,_size:DWORD
            local _hicon:DWORD
            local _bitmap:DWORD
            local _Hbitmap:DWORD
            local _graphics:PVOID
            local _gsi:GdiplusStartupInput
            local _gtkn:PULONG

            ; load the icon resource at the requested size
            invoke LoadImage,_hInstance,_ResID,IMAGE_ICON,_size, _size,LR_DEFAULTSIZE
            .if eax != FALSE
                mov _hicon, eax
                mov _gsi.GdiplusVersion,TRUE
                mov _gsi.DebugEventCallback,NULL
                mov _gsi.SuppressBackgroundThread,NULL
                mov _gsi.SuppressExternalCodecs,NULL
                invoke GdiplusStartup,ADDR _gtkn,ADDR _gsi,NULL
                .if eax == NULL ; OK
                    ; wrap the HICON in a GDI+ bitmap
                    invoke GdipCreateBitmapFromHICON,_hicon,addr _bitmap
                    .if eax == NULL
                        ; convert the GDI+ bitmap into a GDI HBITMAP
                        invoke GdipCreateHBITMAPFromBitmap,_bitmap,addr _Hbitmap,NULL
                        .if eax == FALSE
                            ; success: clean up and return the HBITMAP in eax
                            invoke GdipDisposeImage,_bitmap
                            invoke GdiplusShutdown,_gtkn
                            invoke DestroyIcon,_hicon
                            mov eax, _Hbitmap
                        .else
                            invoke GdipDisposeImage,_bitmap
                            invoke GdiplusShutdown,_gtkn
                            invoke DestroyIcon,_hicon
                            mov eax, FALSE
                        .endif
                    .else
                        invoke GdiplusShutdown,_gtkn
                        invoke DestroyIcon,_hicon
                        mov eax, FALSE
                    .endif
                .else
                    invoke DestroyIcon,_hicon
                    mov eax, FALSE
                .endif
            .else
                mov eax, FALSE
            .endif
            Ret
        CreateHBITMAPfromResICON endp

    ....and this I got to see now when I select all menu items with the mouse....

    .....do you see it now? Only the icon itself is visible without any other menu color around (like using with DrawIconEx / see pic from older posts above). All 4 different ico icons / sizes get handled perfectly like real bitmap icons. That's it and all that I wanted. Just using normal ico icons without creating and using extra bitmap icons. Doing all directly on the fly. So what do you think? Is it good so, or could my function using GDI make some problems later etc? Just asking, so I didn't use GDI+ before. I found some references about GDI+ functions here... http://www.jose.it-berater.org/gdiplus/iframe/index.htm ....does anyone know whether there is also some GDI / + function help file to download? I mean similar to the Win32 Programmers Reference or Windows Sockets 2 Application Program Interface with function descriptions, you know. Just would like to know which references there are to get and to download for any xy modules. greetz
  5. 1 point
    Hey there, I've been playing with VirusTotal graph for some weeks. Originally I did a graph just for building a landscape of files for ATM Wall, the graph can be seen here: https://www.virustotal.com/graph/embed/g9521270d163a4778aa5bc376c0d80375b11f2d95beee484498dbdaafc989ee5f
    I got the idea of doing this after having seen the work of @vanjasvajcer about ATM malware classification. But I started to get vicious with VT graph, so here are some interesting graphs I did based on VT and kernelmode.info:

    Zeus World (v2.1.0.1 and inferior): https://www.virustotal.com/graph/embed/gf17a46025f554bc4a4d0edaff78d4aabee6388c959584ac8981961ae32af6994
    Big nebula of zeus builders since the code leak of v2.0.8.9, contains also a few very old builders and some have funny messages inside destined for AV vendors.

    IceIX World (v1.2.5 and v1.2.6): https://www.virustotal.com/graph/embed/g3e3dfb66d191404593284509fbf9028c5253ee1651ee4da9b24225bf262634bf

    Citadel World (v1.3.4.5 and v1.3.5.1): https://www.virustotal.com/graph/embed/g1d0637aa096e45b2b1336844fe81e1e286a588fa049a4d529357c0a1d2f1646d

    Atmos World (v1.01): https://www.virustotal.com/graph/embed/ga7f70bed1f6f4394b4b503b5dcee997c66251a48418b4b3fba03119d3196389e
    Builders, releases, few files.

    SpyEye World: https://www.virustotal.com/graph/embed/g98d5440408854a90b8e5fce2bd4003b40a7295519d5c4e0abe39a470a9fcadb5
    Research about plugins is based on the spyeye thread on kernelmode.info, contains a nice timeline of the versioning and most of the interesting files I guess.

    Carberp 'krabs.7z': https://www.virustotal.com/graph/embed/gd6210da59ece445f8e0469a7408a4905126fa5722cdb4b759330e073a29e7429
    Files annotation based on kernelmode.info thread again (https://www.kernelmode.info/forum/viewtopic.php?f=16&t=2793), chaos mosaic at the image of the archive.

    BestAV affiliate: https://www.virustotal.com/graph/embed/g0741bdd40e4b4bc7a4c77e8240de0667f2ea89df4124484b87717ad081f741aa
    Lot of FakeAV files found with communicating IPs, graph based also on a few posts on kernelmode and also from my personal archive about those guys.

    And not related to malware, but you can also do funny things:

    Looking for an ollydbg modification? https://www.virustotal.com/graph/embed/gd11e600f461c476082159553dadde7ac102288cd74df42d38f84291e97f2263a

    You have lost your SoftIce CD? https://www.virustotal.com/graph/embed/g7534bcb28a2a439a8d466f69542374127b54265b605c4589adbf97191a1b0467

    A small landscape about dongle piracy: https://www.virustotal.com/graph/embed/g035609ac24c94751ae94aef309b6599010d8ccd1549f49f3b8ef7e20febd3f9f
  6. 1 point
    Fallout 76 free week to trial - June 11th-18th Kingdom: New Lands Borderlands 2: Commander Lilith & The Fight for Sanctuary DLC Free Ted.
  7. 1 point
    Hello, so I keep getting asked what’s the best obfuscators around, so I am posting this so I don’t keep repeating it. I have decided to give my opinion on all obfuscators; if I am missing any let me know. If you are a developer of any of these obfuscators don’t take what I say as an insult, use it to improve.

    DNGuard - an obfuscator I used to say was Chinese crap, however I’ve recently spent some time analysing this and can say that the HVM technology is very strong and makes unpacking a lot harder. However when not using the HVM setting it makes unpacking extremely simple with jit dumping and you can use codecracker’s unpacker for this. Compatibility on this obfuscator is its biggest flaw (along with price), which can be a big NO for a lot of people as this protector can cause files to not run on certain .NET frameworks. If they fixed this issue and improved compatibility across systems it would make this obfuscator much better. Price is extremely high but I suppose has worked in its favour with not many files around and extremely hard to get test files to test features.

    Eazfuscator - a .NET VM that has been around for a while now, with the last unpacker for version 4.8 I think from saneki on GitHub. Since then Eazfuscator has improved a lot, however the concept stays the same and saneki’s unpacker is still a brilliant base to start from. Meaning that an unpacker for this isn’t extremely difficult. The compatibility and performance of this obfuscator is actually fairly good for a VM and it tells the user not to overuse the VM and only apply it on secret methods so as to save performance. The problem with Eazfuscator is that any protection method apart from the VM isn’t good, de4dot handles the control flow perfectly and the strings can be easily decrypted by either updating de4dot code, which isn’t too hard, or simply invoke. So if your app is sensitive on performance then maybe avoid this one, as for all VMs performance is hurt no matter how efficient it is. In conclusion I do think this obfuscator is one of the top of its game, as even with the old unpackers it’s still a lot of work to update.

    ILProtector - An obfuscator I really do like the concept of, keeping performance and security balanced, however in recent times with the release of dynamic unpackers it has kind of died, as it seems the developer is applying small patches instead of fixing this properly so each unpacker only requires a few changes. In terms of static unpacking they have this down well, it’s actually a very hard job to statically unpack this protector, so if they were to patch the dynamic flaws it would quickly appear back at the top, but its credibility has been stumped due to the release of unpackers that I think may still work on the latest version (something I haven’t checked). Compatibility and performance on this obfuscator are good, but one flaw of this obfuscator is that if the dynamic method is decrypted the original ilcode is there, they apply no MSIL mangling, which in my eyes they should do both.

    Agile.Net - another .NET VM, however I haven’t analysed this myself that much, but a few things I have noticed is that updating de4dot to support the latest version is not all that challenging, however it is time consuming; a few modifications to de4dot can make it supply all the data you need to update it for the VM. The method encryption can be removed by jit dumpers from codecracker. From what I’ve seen in de4dot the obfuscator isn’t too hard to completely unpack, but we have to thank 0xd4d for all he has done on this obfuscator, he has done all the hard work for us so it’s just a matter of taking his code and updating, yes this takes a very long time to do.

    Netguard - Now this is one I’m very familiar with, as most people know netguard is a modified confuserex, however a fairly heavy modification. Now the actual protection isn’t that strong, however for its price it’s very good. The base of netguard is still the same concept as confuserex and many of its protections can be defeated in the exact same way, the only real changes are the native stub and mutations. However once you remove these, protections like control flow and constants can be removed in the same theory as I use in my confuserex unpacker2. This obfuscator like I said is the best for its price, however if you’re looking for something better there are other options if you’re willing to pay. Now compatibility and performance on netguard are something that it’s known for and not in a good way, it has improved a lot recently, however they still add lots of junk that adds no real benefit and just slows down code.

    Appfuscator - now I don’t know why people don’t use this obfuscator anymore. In my eyes it’s still extremely powerful, codecracker’s tools are not stable and if your tool is larger than a crackme then it will fail. Appfuscator uses opaque predicates and CFG to generate its control flow, both of which have no public solvers, so it is an extremely powerful obfuscator especially if you mix it with something custom. Performance wise this is actually negligible effect, so still to this day one of the higher rated obfuscators.

    Babel.Net - this is similar to ilprotector in the way it makes dynamic methods, however in a different approach. The good thing about this obfuscator is that it provides you with more options than just encrypt msil, where you have cflow, constants and other expected protections, making it not as simple as dumping the dynamic method. The dynamic methods themselves are not tricky to solve dynamically, similar to ilprotector: invoke the correct method and you have the dynamic method ready to read with dnlib. Statically it gets slightly more complex, however a few hours debugging with dnspy and some static analysis will reveal its secrets of how it decrypts the encrypted bodies. Performance and compatibility wise I don’t really know enough about it but I’ve not really seen many complaints about it.

    ArmDot - a relatively new .NET VM which I’m fairly interested in. At its current stage it needs polishing, they currently put the whole vm into each method it’s encrypted, making it extremely slow. I explained to the developer that it holds no real benefit, as to devirtualize it follows the same concept as all vms, which is find the instruction handlers and convert back; as most are 1:1 with CIL it makes this step relatively easy once you have detected all handlers. However if this obfuscator works on your file and performs well I do recommend it, especially as it’s new and being actively worked on and the developer is always interested in seeing ways to improve, which is a good thing.

    KoiVM - another magical creation from yck, so do we expect anything other than greatness. Now this was something he sold to customers until he left the scene and trusted XenoCodeRCE with and gave it to him to improve and use. Xeno decided that he would sell this to others and ended up causing it to be leaked on GitHub, however let’s ignore that. KoiVM is absolutely insane and different to all other VMs we talked about so far. This doesn’t relate 1:1 with CIL and actually converts it to a form of ASM, meaning if you manage to get all the code back you then need to translate ASM to CIL, which again is no easy task. People think because it’s opensource it makes it not worth it. Remember confuser/ex was open source and undefeated for a long time. KoiVM is on another level compared to those. Compatibility and performance does take a hit and has limitations which you can read on the koivm website. Now if your app works fine and you’re happy with performance then I would strongly suggest sticking with it. You can even make modifications to confuserex and use it with that, as after all it’s a confuserex plugin.

    These are just my thoughts and personal opinions on these obfuscators. I do not mean any disrespect to the developers apart from what I think is good and bad. If you would like further explanation on anything let me know, or any specific obfuscator that I haven’t covered, as I most likely have some sort of opinion on it, feel free to ask.

    Regards
    Cawk
  8. 1 point
    Easy method to unpack .NET Reactor last version:
    Step 1. Check the file. If not native, go to step 3.
    Step 2. Dump with Megadumper. After dump, if the file crashes, just add a resource of type RC_DATA named "__" with CFF Explorer.
    Step 3. Check <Module>.cctor. If it does not exist, go to step 6.
    Step 4. Dump methods with ManagedJitter.
    Step 5. Go to <Module>.cctor. Double click on the method call (there's only one). Point your mouse cursor at the method list to get the method token. Convert it to decimal. In this case 06000033 --> 33 in decimal is 51. Open CFF Explorer, go to the methods table and find the method with your number. In this case, it is 51. Copy the RVA address of this method and go to Address Converter. Type in your RVA and click Enter. Edit bytes 1B 30 to 06 2A (return). Save file.
    Step 6. Clean file with Simple Assembly Explorer Deobfuscator (All Options).