Tuts 4 You

Leaderboard

  1. TobitoFatito (Full Member): 12 points, 31 content count
  2. kao (Full Member+): 8 points, 2,294 content count
  3. CodeExplorer (Moderator): 7 points, 3,083 content count
  4. Abigor (Junior+): 3 points, 14 content count


Popular Content

Showing content with the highest reputation since 05/18/2020 in all areas

  1. 5 points
    What's the point of this? You ran my file under de4dot and reposted it? I can recognise my file, ya know. I intentionally left this out (I haven't finished local types yet, but I manually set the third local to int32) + I added 9 locals when only 3 get used.
  2. 5 points
    It might have a few weird instructions since I'm new to this. Crackme-cleaned-Devirtualized2.zip

    Info: This is the first version of eaz that I analyze, so I can't say how 2019.x is different from 2020.1, but it's definitely not uncrackable.

    Steps I took (as I should have included since the beginning):
    1. Learn how CIL works / CIL fundamentals (there are some nice ebooks that I can't link here).
    2. Learn how the assembly reader/writer of your choice works (dnlib, for example).
    3. Learn how a simple VM works (https://github.com/TobitoFatitoNulled/MemeVM ; the original creator of this VM left, so this is a fork to keep the project alive).
    4. See how the previous devirt was made: https://github.com/saneki/eazdevirt (and you could also check previous EazVM-protected executables).
    5. Practice your skills trying to make a MemeVM devirt; you can message me if you have any issues with this step (you can always disable renaming on MemeVM to make the process easier to understand).
    6. Start renaming an EazVM test assembly (you can make your own with the trial) with all the knowledge you got from the previous steps (and find how crypto streams are initialized, where opcodes are located and how they are connected to the handlers, etc., the things that you would find in a VM).

    Editing saneki's eazdevirt might be a good idea, though I was more comfortable making my own base.
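As an added illustration of step 3 (how a simple VM connects opcodes to handlers) and of what a devirtualizer has to recover, here is a toy stack VM in Python. It is not part of the post above and not code from MemeVM or eazdevirt: the opcode numbers are shuffled per build, the bytecode carries only those numbers, and the devirtualizer names each handler by what it does to a probe stack rather than by any identifier, which is the same idea as the handler pattern matching a real devirt performs. The instruction encoding, the five operations and the seed are assumptions made for the example.

```python
import random
import struct

INSN = "<Bi"   # assumed encoding: 1-byte opcode + 4-byte little-endian operand


class VmHalt(Exception):
    """Raised by the ret handler to stop the dispatch loop."""


# Handlers implement the VM's semantics. In a real virtualizer these are
# methods of the VM class and the analyst has to work out what each does.
def h_ldc(stack, operand):
    stack.append(operand)

def h_add(stack, operand):
    b, a = stack.pop(), stack.pop()
    stack.append(a + b)

def h_sub(stack, operand):
    b, a = stack.pop(), stack.pop()
    stack.append(a - b)

def h_mul(stack, operand):
    b, a = stack.pop(), stack.pop()
    stack.append(a * b)

def h_ret(stack, operand):
    raise VmHalt

SEMANTICS = {"ldc": h_ldc, "add": h_add, "sub": h_sub, "mul": h_mul, "ret": h_ret}


class ToyVM:
    """Opcode numbers are drawn fresh per build, so two protected binaries
    never share an opcode table; the bytecode stores only the numbers."""

    def __init__(self, seed):
        codes = random.Random(seed).sample(range(256), len(SEMANTICS))
        self.handlers = dict(zip(codes, SEMANTICS.values()))   # visible in the binary
        self._encode = dict(zip(SEMANTICS.keys(), codes))       # known only to the protector

    def virtualize(self, program):
        """program: list of (mnemonic, operand) -> VM bytecode."""
        return b"".join(struct.pack(INSN, self._encode[m], arg) for m, arg in program)

    def run(self, code):
        stack = []
        for op, arg in struct.iter_unpack(INSN, code):
            try:
                self.handlers[op](stack, arg)
            except VmHalt:
                return stack[-1] if stack else None
        raise RuntimeError("bytecode fell off the end without ret")


def fingerprint(handler):
    """Name a handler by what it does to a probe stack, not by any
    identifier: the devirtualizer's view of a renamed handler."""
    stack = [3, 5]
    try:
        handler(stack, 42)
    except VmHalt:
        return "ret"
    if stack == [3, 5, 42]:
        return "ldc"
    if len(stack) == 1:
        return {8: "add", -2: "sub", 15: "mul"}.get(stack[0], "unknown")
    return "unknown"


def devirtualize(vm, code):
    """Lift bytecode back to (mnemonic, operand) pairs using only vm.handlers."""
    names = {op: fingerprint(h) for op, h in vm.handlers.items()}
    return [(names[op], arg) for op, arg in struct.iter_unpack(INSN, code)]


if __name__ == "__main__":
    vm = ToyVM(seed=1337)
    prog = [("ldc", 6), ("ldc", 7), ("mul", 0), ("ldc", 2), ("sub", 0), ("ret", 0)]
    code = vm.virtualize(prog)
    print(code.hex())
    print(vm.run(code))              # 40
    print(devirtualize(vm, code))    # same list as prog
```

The point of `fingerprint` is that renaming handlers buys the protector nothing: the opcode table is recovered from behaviour, and once it is known the bytecode lifts back to readable instructions. Real VMs add operand encryption and per-instruction key state on top of this, which is what the "crypto streams" in step 6 refer to.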
  3. 3 points
    New features, interesting. File correct? ggggg_cleaned.zip
  4. 2 points
    Here's the old content of Ubbelol.
  5. 2 points
    Who are you to say that it's shit? Have you made an unpacker for it? If you do, you are free to correct me, but if you don't, you shouldn't make these silly comments, in my opinion.
  6. 1 point

    Version 11.10.2017

    23 downloads

    When using OllyDbg as a portable version (e.g. on a USB stick) there are always problems with the UDD/plugin path not being set correctly.

    The features:
    • DLL which sets the Plugins, UDD and win32.hlp paths automatically
    • Dummy export so it's easy to add the DLL to your Olly mod
    • Open source

    Attached is DLL + source, I hope it's useful for somebody. Feel free to modify it to your needs, just credit where you think it's needed.

    P.S. To add the DLL to your mod: use CFF Explorer to add the import "dummy" (which does nothing) to ollydbg.exe; this will execute the DllMain function (which can be considered illegal) and set the paths in the INI file. OllyPath2.dll must be in the same directory as ollydbg.exe.
  7. 1 point
    View File KoiVM Modified (ConfuserEx-Mod-By-Bed 1.4.1)

    KoiVM is a virtualizing protector for .NET applications, as a plugin of ConfuserEx. ConfuserEx is an open-source protector for .NET applications. It is the successor of the Confuser project.

    This file is protected with KoiVM using:
    • MD5 Hash Check
    • Constants
    • Renamer
    • Anti-Tamper

    I took KoiVM from https://github.com/BedTheGod/ConfuserEx-Mod-By-Bed (1.4.1) and modified it to make OldRod fail devirt.

    Submitter 0x72 Submitted 05/20/2020 Category UnPackMe (.NET)
  8. 1 point
    Civ VI Free on Epic Store https://www.epicgames.com/store/en-US/product/sid-meiers-civilization-vi/home
  9. 1 point
    View File VMProtect v3.4.0.1155

    Try to unpack or alternatively provide a serial. If there is no solution provided by Saturday 11am (GMT+0) I will attach the same without debugger detection.

    Protections used:
    • Debugger detection (User-mode + Kernel-mode)
    • Ultra (Mutation + Virtualization)

    Disabled protections:
    • Virtual Machine
    • Packer

    Submitter whoknows Submitted 05/20/2020 Category UnPackMe (.NET)
  10. 1 point
  11. 1 point
    Have to agree with this here. As far as I know, tuts4you is a place for educational content, not a place for showing off. What's the point of sharing just the unpacked binary, other than for bragging rights?
  12. 1 point
    Still around, but not really doing any RE nowadays. :) It truly is weird hearing yourself on video 8 years later..
  13. 1 point
    Okay asked ubbe to make videos public again it should be fine now https://www.youtube.com/user/UbbeLoLHF/videos
  14. 1 point
    How are these Unpacking posts getting approved? It is clearly written in the Rules that the solution of a challenge will not be accepted if you don't describe the steps. Here everyone is showing that they have cleaned it, but no one is telling how? So literally this is not a valid contribution to the forum if you don't describe how it has been done. Just uploading cleaned files is not what unpacking is all about. I think everyone must describe the steps or approach he has used to clean it. If I sound rude, I am sorry, but this is what I feel.
  15. 1 point
    View File Example CrackMe - Debug Blocker x64

    This is an example for submitting a CrackMe in the Downloads section of the site. You can download the file and run Debug Blocker x64. Nothing too exciting will happen! The challenge here would be to patch the debug-blocker function so that it does not spawn a second process.

    Submitter Teddy Rogers Submitted 02/23/2020 Category CrackMe
  16. 1 point
    Hi, a disassembler is software that converts machine code (hex) into assembly language mnemonics, e.g. (mov al,1). A debugger is a program that allows you to detect and correct errors in other computer programs. A decompiler is software which tries to reverse the process of compilation to attempt to get the source code from a compiled executable. PS: try to use Google and the search button. Regards
  17. 1 point
  18. 1 point
    There are jobs like security analyst out there too, but they are generally protocol oriented with a background in cryptography and mathematics. Government agencies in all countries also recruit top talent. Otherwise, as a career choice, unless as a malware analyst or software protection analyst or something, it's too much of a niche to talk about. I got into RE because I enjoyed the challenge, and liked learning at lower levels or under the hood of how things work. Having a deeper understanding is my style for everything. That shadowy world lurks out there too, but it's as organized and controlled as anything. It is a whole package deal to take that route, a lifestyle even. And even then you can't lose sight of what is right and what is wrong and where the laws draw the boundary. Fortunately merely toying around with some RE stuff is not really an issue. Software businesses and the RE community have an interesting relationship, but it's mostly been win-win despite occasional spats. Best hobby you can have though, IMO.
  19. 1 point
    If the only reason you want to learn RE is to have a unique skill for your resume/job application, you're very mistaken. Don't even try that. Anyone can learn to write (crappy) JavaScript/PHP/CSS in a few weeks and call himself/herself a "freelance web developer". Not everyone can become a reverse engineer - it requires a specific mindset and dedication. As for job positions, it really depends where you live and what your area of expertise would be. Analyzing malware requires a totally different skillset than finding bugs in hardware chips. Entry level positions usually are paid similarly to entry level developer positions. However, as a developer, you will have a pretty well-defined career path. As a reverse engineer, the path is less defined and really depends on your talent and dedication. It is possible to freelance and make a good living out of it - but again, it depends on your area of expertise. One of the best recent examples that come to mind is Azeria (https://twitter.com/Fox0x01) - her ARM reverse engineering skills are superb. And there are freelancers who make $100k/year on HackerOne - but that's quite an extreme example. And then there is the "dark side" - reverse engineers that work on not-exactly-legit tasks. For example, the entire game hacking industry is based on those. If you're a superstar, the customers will wait in line and the money is great. If you're just starting, you won't be able to make more than a few hundred bucks a month - as you'll be competing with hundreds of Indians, Filipinos and Vietnamese in a very crowded market. The first step would be to define the area you want to explore. As I mentioned above, reverse engineering hardware chips is totally different from reversing Windows malware. Once you know exactly what you want to learn, it will be much easier to suggest a specific book or course. Hope this helps. kao.
  20. 1 point
    Personally I find picking locks very interesting ! This channel has many great videos : https://www.youtube.com/channel/UCm9K6rby98W8JigLoZOh6FQ/videos
  21. 1 point
    It's been a while, here are some new graphs related to zbot (warning, they are heavy).

    Zbot graph (4k nodes): https://www.virustotal.com/graph/embed/gf288663e9d4245c7b8384b9ab36b64f41b58a7df62a145e3ad643bfe140ffb02
    With some additional details related to the Microsoft Citadel sinkhole operation.

    CCAM (Atmos monitoring): https://www.virustotal.com/graph/embed/g5edbfcddab834a59a105964ffdc24492b03a6a5ab4824cca96949cd0d9a3395b
    With some details about in-the-wild locations.
  22. 1 point
    Hey there, I've been playing with VirusTotal Graph for some weeks. Originally I did a graph just for building a landscape of files for ATM Wall; the graph can be seen here: https://www.virustotal.com/graph/embed/g9521270d163a4778aa5bc376c0d80375b11f2d95beee484498dbdaafc989ee5f

    I got the idea of doing this after having seen the work of @vanjasvajcer about ATM malware classification. But I started to get vicious with VT Graph, so here are some interesting graphs I did based on VT and kernelmode.info:

    Zeus World (v2.1.0.1 and inferior): https://www.virustotal.com/graph/embed/gf17a46025f554bc4a4d0edaff78d4aabee6388c959584ac8981961ae32af6994
    Big nebula of Zeus builders since the code leak of v2.0.8.9; it also contains a few very old builders, and some have funny messages inside destined for AV vendors.

    IceIX World (v1.2.5 and v1.2.6): https://www.virustotal.com/graph/embed/g3e3dfb66d191404593284509fbf9028c5253ee1651ee4da9b24225bf262634bf

    Citadel World (v1.3.4.5 and v1.3.5.1): https://www.virustotal.com/graph/embed/g1d0637aa096e45b2b1336844fe81e1e286a588fa049a4d529357c0a1d2f1646d

    Atmos World (v1.01): https://www.virustotal.com/graph/embed/ga7f70bed1f6f4394b4b503b5dcee997c66251a48418b4b3fba03119d3196389e
    Builders, releases, a few files.

    SpyEye World: https://www.virustotal.com/graph/embed/g98d5440408854a90b8e5fce2bd4003b40a7295519d5c4e0abe39a470a9fcadb5
    Research about plugins is based on the SpyEye thread on kernelmode.info; it contains a nice timeline of the versioning and most of the interesting files, I guess.

    Carberp 'krabs.7z': https://www.virustotal.com/graph/embed/gd6210da59ece445f8e0469a7408a4905126fa5722cdb4b759330e073a29e7429
    File annotations based on the kernelmode.info thread again (https://www.kernelmode.info/forum/viewtopic.php?f=16&t=2793), a chaos mosaic in the image of the archive.

    BestAV affiliate: https://www.virustotal.com/graph/embed/g0741bdd40e4b4bc7a4c77e8240de0667f2ea89df4124484b87717ad081f741aa
    Lots of FakeAV files found with communicating IPs; the graph is based also on a few posts on kernelmode and on my personal archive about those guys.

    And not related to malware, but you can also do funny things:
    Looking for an OllyDbg modification? https://www.virustotal.com/graph/embed/gd11e600f461c476082159553dadde7ac102288cd74df42d38f84291e97f2263a
    You have lost your SoftICE CD? https://www.virustotal.com/graph/embed/g7534bcb28a2a439a8d466f69542374127b54265b605c4589adbf97191a1b0467
    A small landscape about dongle piracy: https://www.virustotal.com/graph/embed/g035609ac24c94751ae94aef309b6599010d8ccd1549f49f3b8ef7e20febd3f9f
  23. 1 point
    Nice... Tutorial video is here.
  24. 1 point

    Version 1.0.0

    46 downloads

    Hello friends. I tried to prepare a classic logo for the forum. Feel free to use it in your projects or documents. I hope you will like it. Note: the source file is only in XCF format, for GIMP. Sorry for Photoshop users. Detailed preview (click the support button on the forum page).
  25. 1 point
    The resource obfuscation is not that amazing. With time, someone can sit down and figure out all the strings. The resource reader uses the function:

        using System;
        using System.IO;
        using System.Reflection;
        using System.Text;

        internal static string <ascii_name>(int num, int num2, int num3)
        {
            num += 593;
            Assembly executingAssembly = Assembly.GetExecutingAssembly();
            num2 -= 331;
            Stream manifestResourceStream = executingAssembly.GetManifestResourceStream("resource");
            // position of the (offset, length) entry for this call site
            int num4 = num ^ num2;
            num4 = num4 * 17 / 27;
            manifestResourceStream.Seek((long)(7 + num4), SeekOrigin.Begin);
            byte[] array = new byte[8];
            // obfuscated offset of the string bytes
            manifestResourceStream.Read(array, 0, 4);
            int num5 = (BitConverter.ToInt32(array, 0) ^ 2100157544) - 100;
            // obfuscated length of the string bytes ('-' binds tighter than '^')
            manifestResourceStream.Read(array, 0, 4);
            int num6 = BitConverter.ToInt32(array, 0) - 5 ^ 485648943;
            manifestResourceStream.Seek((long)num5, SeekOrigin.Begin);
            array = new byte[num6];
            manifestResourceStream.Read(array, 0, num6);
            // num3 is the per-string XOR key
            for (int i = 0; i < array.Length; i++)
            {
                array[i] = (byte)((int)array[i] ^ num3);
            }
            return Encoding.UTF8.GetString(array);
        }

    This points to the resource file 'resource' for the strings. Then it is a matter of finding where the strings are created and mimicking the creation. For example, one of the text boxes is created like this:

        private TextBox <bell_char>;

        this.<bell_char> = new TextBox();
        this.<bell_char>.Location = new Point(77, 46);
        Control arg_604_0 = this.<bell_char>;
        int arg_5FF_0 = (int)27079.0;
        int arg_5FF_1 = checked((int)28538L);
        arg_604_0.Name = <Module>.<decode_string_from_resource>(arg_5FF_0, arg_5FF_1,
            (((uint)num6 >> 7) - 3892314112u == (uint)(128 * (num6 & 6475)))
                ? checked(326302297 + 895344590)
                : (sizeof(ushort) + 60));
        this.<bell_char>.Size = new Size(278, 20);
        this.<bell_char>.TabIndex = 2;
        base.Controls.Add(this.<bell_char>);

    So we know that the Name of this text box is made from the above; we can mimic it like this:

        using (var fStream = new FileStream("C:\\Users\\atom0s\\Desktop\\resource", FileMode.Open, FileAccess.Read))
        {
            int arg_5FF_0 = (int)27079.0;
            int arg_5FF_1 = checked((int)28538L);
            var test1 = checked(326302297 + 895344590);
            var test2 = (sizeof(ushort) + 60);
            // decomp is the reader above, taking the opened stream instead of GetManifestResourceStream
            Debug.WriteLine(decomp(fStream, arg_5FF_0, arg_5FF_1, test1));
            Debug.WriteLine(decomp(fStream, arg_5FF_0, arg_5FF_1, test2));
        }

    The second print gives us the valid name: textBox1

    So then we look at the function that handles the button click for testing our info. We see the following at the top:

        bool flag = this.<bell>.Text == this.<soh> && this.<bs>.Text == this.<stx>;

    So we dig for the info that sets <soh> and <stx>, which we find:

        int num = checked(-269761182 + 269768102);
        int arg_A1_0 = num;
        int arg_A1_1 = (int)checked((long)(612651665 - 612644079));
        int arg_A1_2;
        if (num * 4 + -63008 == 32 * (num / 8 + -9144))
        {
            int <si> = <Module>.<si>;
            arg_A1_2 = ((<si> - 3386368 == (<si> & 3317))
                ? (Type.EmptyTypes.Length + -1258285692)
                : (Type.EmptyTypes.Length + 1963304847));
        }
        else
        {
            arg_A1_2 = Type.EmptyTypes.Length + 241;
        }
        this.<stx> = <Module>.<decode_string>(arg_A1_0, arg_A1_1, arg_A1_2);

        private string <soh> = <Module>.<decode_string>(sizeof(float) + 25083, checked(1822738687 + -1822712593), sizeof(Guid) + -11);

        // then we had to dig for the <Module>.<si> value, which is:
        <Module>.<si> = -942491469;

    Decoded we get:
    Username <soh> = Tuts4You
    Password <stx> = IvancitoOzTutoAppFuscator
    Working key:
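The reader shown above can be re-implemented outside the protected binary so that every (num, num2, num3) call-site triple maps straight to its string, without running the target. The following Python is an added example, not atom0s's code: it mirrors the decompiled arithmetic step by step and, because the real 'resource' file is not on this page, also includes an encoder that builds a constructed blob in the same layout so the decoder can be exercised offline. The call-site values 27079 and 28538, the key 62 (sizeof(ushort) + 60) and the recovered name textBox1 come from the post; the data offset 400 and the blob size are assumptions.

```python
import struct

# Constants copied from the decompiled reader quoted in the post above.
NUM_ADD, NUM2_SUB = 593, 331
HEADER = 7
OFFSET_XOR, OFFSET_SUB = 2100157544, 100
LEN_SUB, LEN_XOR = 5, 485648943


def entry_position(num: int, num2: int) -> int:
    """Where in the blob the (offset, length) pair for a call site lives.
    C# int division truncates toward zero; the inputs are positive here,
    so Python's // yields the same value."""
    num += NUM_ADD
    num2 -= NUM2_SUB
    return HEADER + ((num ^ num2) * 17) // 27


def decode_string(blob: bytes, num: int, num2: int, num3: int) -> str:
    """Python mirror of <ascii_name>(num, num2, num3) over an in-memory blob."""
    raw_off, raw_len = struct.unpack_from("<ii", blob, entry_position(num, num2))
    data_off = (raw_off ^ OFFSET_XOR) - OFFSET_SUB     # num5
    length = (raw_len - LEN_SUB) ^ LEN_XOR              # num6 ('-' binds tighter than '^' in C#)
    data = blob[data_off:data_off + length]
    # (byte)(array[i] ^ num3) keeps only the low eight bits of the XOR
    return bytes((b ^ num3) & 0xFF for b in data).decode("utf-8")


def build_resource(entries, size=1024) -> bytes:
    """Inverse of decode_string, used only to construct a sample blob.
    entries: iterable of (num, num2, num3, plaintext, data_offset). The
    placement of the data region is an assumption; only the entry
    arithmetic is taken from the reader."""
    buf = bytearray(size)
    for num, num2, num3, text, data_off in entries:
        enc = bytes((b ^ num3) & 0xFF for b in text.encode("utf-8"))
        raw_off = (data_off + OFFSET_SUB) ^ OFFSET_XOR
        raw_len = (len(enc) ^ LEN_XOR) + LEN_SUB
        struct.pack_into("<ii", buf, entry_position(num, num2), raw_off, raw_len)
        buf[data_off:data_off + len(enc)] = enc
    return bytes(buf)


if __name__ == "__main__":
    # Constructed blob holding the one string the post decodes, at an assumed data offset.
    blob = build_resource([(27079, 28538, 2 + 60, "textBox1", 400)])
    print(entry_position(27079, 28538))           # 364
    print(decode_string(blob, 27079, 28538, 62))  # textBox1
```

With the real resource dumped from the assembly, the same `decode_string` can be driven by the constants collected from each call site; the opaque predicates around the third argument (the `num6` comparison above) only decide which of two candidate keys is passed, so trying both, as the post does, is enough.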
  26. 0 points
    Almost everyone here has opened this protection. The same protection exists in Bed's private protector (over) and was easy to remove. And empty talk.