Jump to content
Tuts 4 You


Popular Content

Showing content with the highest reputation since 08/19/2019 in all areas

  1. 2 points
  2. 1 point
    Exactly what i do now a days. Open your target app. find the xaml code in resource and save it... then create a wpf application into the visual studio and create a new test or dummy project. insert the saved xaml code into your project that you created. modify all the changes into the xaml that you edit into the wpf app. then compile the project. now open your project in the dnspy and go to resource and you will see xaml resources as baml. dont save it directly. save it with raw save baml resources. now again go to your target app and then delete your resoueces which you wanna change and create a new system.io resource and select tghe raw baml file which you saved using dnspy from the test or demo wpf project. now give the same name into the target and boom /// it will work good. i tested it.
  3. 1 point
    the scenario is @ A-target app B-a test app by you 1-get the XAML by DNSPY or Reflector 2-@B use the XAML make any modification and compile the project 3-extract the BAML from @B 4-replace the namspace then add it @A tested&working a demonstration https://workupload.com/file/RHt7JeCJ pass : b-at-s.info format:RAR5
  4. 1 point
    A better way to do this is - do all the change in Hex Format. Yes when you see in resources, you find xaml and you cant edit it. so just open file with hex editor and do changes !
  5. 1 point
    What features do you miss in my old tool ? creating a tracer for .NET requires knowledge in C++/COM technologies so it's not fun at all you can find several base projects on the web to build on but be ready for some fun with COM and interfaces
  6. 1 point
    https://github.com/Washi1337/Rivers I made one using this and read .net metadata and code using https://github.com/0xd4d/dnlib/ you should definitly look into this, the graph will will need work tho, mine looked very spiderweb-ish
  7. 1 point
    You can try modofied RegEx (compatible with javascript) ^"\/Date\((-?[0-9]+)(?:[a-zA-Z]|(?:\+|-)[0-9]{4})?\)\/" Matching: "/Date(-01234567890A)/" ^"\/Date\((-?[0-9]+)(?:[a-zA-Z] | (?:\+|-)[0-9]{4})?\)\/" or "|" Matching alternative: "/Date(-0123456789-1234)/ "/Date(-0123456789+1234)/
  8. 1 point
    Hi, uhhmm! Great!I was again not smart enough to see this.Sorry.But thank you for the link Progman. greetz
  9. 1 point
    They most certainly are available on the curl site: https://curl.haxx.se/download.html Which has special page for Windows builds: https://curl.haxx.se/windows/ 32-bit latest (7.65.3_1): https://curl.haxx.se/windows/dl-7.65.3_1/curl-7.65.3_1-win32-mingw.zip 32-bit latest (7.65.3_1) with OpenSSL 1.1.1c: https://curl.haxx.se/windows/dl-7.65.3_1/openssl-1.1.1c_1-win32-mingw.zip
  10. 1 point
    I Released a way of patching these vm's, here https://github.com/TobitoFatitoNulled/Venturi77CallHijacker but you'll need to manually inject agile for now (will try to fix the issue asap tho. My disc is TobitoFatito#5573
  11. 1 point
    Hi Any tutorial on how to patch HWID? I read sound's tutorial but it's in Chinese and I can't read Chinese, google translate was bad too.
  12. 1 point
    Not really a KeygenMe, but oh well.. Approach:
  13. 1 point
    Hi, I made a tool that interprets a vmp rsi-stream, it records the handlers (or vm instructions) and connects them via their data dependencies. This is how a JCC looks like The edges in this graph represent data dependencies. Sequences of nodes with one input and one output are collapsed into blocks. Green nodes are constant nodes. They do not depend on external values (such as CPU registers), unlike red nodes. The hex number left of a node is a step number, the right number is its result. Only const nodes (green) can have a result. The graph contains all nodes that directly or indirectly contribute to the lower right "loadcc" instruction. CMP/JCC in VMP works by executing an obfuscated version of the original CMP which also results in either zero or one. VMP then pushes 2 adresses to its stack (step 121f and 1209) and computes an address that points to either one, depending on zero/one result of the corresponding CMP (step 1265). It then simply loads from that computed address and uses its value for a JMP. The load that loads either address is represented by the "loadcc" node in the graph. Even though all puzzle pieces are here, it is still hard to figure out what the original CMP was, but luckily we have LLVM and luckily it isn't hard to lower the graph to LLVM IR: Godbolt Left is the graph as LLVM IR, middle is output of the optimizer, right is the optimized LLVM IR lowered to x64. The attachment contains the original x64 input, the complete vmp program as LLVM (not just the loadcc part), the optimized x64 (-O3) and an unoptimized version (-O0). The unopt version is interesting because it shows how vmp looks like after removing the junk but still leaving the handlers intact (RSI access is removed, RBP-stack is pre-baked to make it easier for the optimizer passes) I thought it was pretty impressive how LLVM's optimizer plows through the crap and produces such a beautiful result. That is all. Thanks for reading. testproc.zip
  14. 1 point
    Bullshit. I took a look on their VM (the sample that HellSpider uploaded). It is very simple VM with very simple "obfuscation" (or you can say almost no existing obfuscation). Totally out of league of Themida/VMProtect . (I worked on that a little bit more than one weekend and I think that I need one more weekend to finish devirtualizing his sample, but not so interested in it right now) The only reason that there are no tools/tutorials for it is because it is not as common as Themida/VMProtect. The same is probably true for all the other uncommon "much better" protectors. And about Themida/VMProtect, as someone who wrote a script that automatically devirtualize Themida. As I said in the past, I still think that their VM is better than VMProtect. All the reasons were already listed in this thread.
  15. 1 point
    Well guessing from the first post of the topic creator, he wants to use virtualization as protection (otherwise he wouldn't think about VMProtect or?). I didn't invest time in reversing Themida protected targets yet, neither code virtualized targets (but soon). Just from reading how Themida is using virtual machines as protections, with hybrid virtualizations like SHARK or EAGLE I would say that it's a better choice to go for Themida than VMProtect. Currently I'm working on VMProtect a lot in my free time, and what I can say that the VMs have a pretty straightforward pattern when it comes to the handlers. For me the biggest problem was actually the mutation of the assembly, but with compiler optimization techniques you can clean up the code pretty good and continue your analysis on the demutated code (which is one half the devirtualization process). The other half is pretty much identifying how the handlers work, analyzing them and translating them back but even this is dynamically possible with coding and I would think it's less effort than reversing the different themida vms. And if this isn't the case I would want to see a proof for that..
  16. 1 point
    First you say Themida is trashtier, then you pick a far inferior packer and state that it is better..? People need to start realizing, that if you have no clue what you're talking about, you should either start your sentence with "I assume" or you shouldn't say anything at all. Silence is bliss. VMProtect is actually rather bad, as the virtual machine in VMProtect is really easy to crack. If you have to choose between Themida and VMProtect, you should always pick Themida. Why? Because Themidas virtual machines are much more advanced and much harder to crack than VMProtect. Themida was initially known for their CISC VM which was (at the time) very strong. It has since been defeated (by Deathway) and is now considered weak (since it's actually rather simple once you start to understand it). VMProtect's virtual machine is almost an exact replica of the Themida CISC VM featuring stronger obfuscation, and as such it works in the exact same way, which makes it (almost) equally weak. Since then, Themida developed the RISC machine (RISC64 and RISC128), which was against defeated by Deathway. They then proceeded to develop the FISH and TIGER machines, which features very new tricks such as complex combined handlers (FISH) doing multiple operations each instead of a handler for each operation like CISC had, and also internal (yet simple) cryptography. The TIGER VM is very similar to the FISH VM (since it is built on the same engine), but doesn't utilize the cryptographic internal registers, etc. Themida also features hybrid virtual machines, such as SHARK, which is FISH virtualized by TIGER, or PUMA, which is TIGER virtualized by FISH. The newest machine(s) from Themida is the DOLPHIN machine, which is yet another layer of complexity upon the newer FISH/TIGER engine, while also supplying a hybrid VM called EAGLE, which is FISH virtualized by DOLPHIN (if memory serves right). If you want to compare the complexity of the newer Themida VMs (e.g. EAGLE) vs. VMProtect's VM, you're probably looking at a complexity scale saying 15:1 or something like that. TL;DR Don't listen to the guys above, as they are completely clueless on the topic. Pick Themida if you have to choose between the two of them.
  17. 1 point
    I think that the new VMs of Oreans are the best VMs out there. Until then all the VMs were with simple handlers, and the complexity were in other areas (in the obfuscation of the handlers or the obfuscation of the "vm code"). Oreans made vms with auto-generated complex handlers. (and now it isn't even necessary to obfuscate the handlers or the vm code) (As a side note: They protect their newer products with improved version of tiger, which does obfuscate the vm code with their regular obfuscation and using internal vm registers, but beside being annoying it doesn't add much to the protection..) I started working on VMProtect (just had one day to work on it), it looks similar to CISC, but they implement many operations with a small set of simple handlers, which make this vm more complex (than CISC, not the new vms, but I don't have the right to say that until I fully devirtaulize it) And about time consuming - it is enough to just devirtualize one of those new vms, if you do it good. I work on this project as a side project for fun (mostly on weekends), and it took me about two months to fully devirtualize fish. But after that it took me just a week to add support for tiger, and even less to add support for dolphin. I don't make money from this, but I don't share this project because then there won't be a point in this protection
  18. 1 point
    Well, there are few dedicated persons in the world who can do that. Noobs can't. And there are no up-to-date public tools (Deathway's tools are not working for most VMs already). So, after doing simple cost-benefit analysis, Themida guys will sleep really well.
  19. 1 point
    Yep. Yhis dump have the TM sections removed. Could have them on the right place but makes no difference to me. As i know Themida allocate al API's to VM'ed portions of memory outside the main exe. That is why i was so puzzled. Because i see that the redirection was into main exe virtual space and not in upper addresses. The IAT table can be restored via 4 patch points like in LCF-AT script or just bp on acces on a API and them memory bp on write on code section to see where is written. You can with a little patience to restore the IAT table or write a small Odbg script to automate. It remains to add the VM'ed antidumps and i think all is done. In you case. As you can see a dedicated person will UV the VM'ed code so i guess that Oreans cannot sleep well.
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
  • Create New...