Tuts 4 You


Popular Content

Showing content with the highest reputation since 10/10/2019 in Posts

  1. 2 points
    Hey guys, after a long time I started writing on my blog again. https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-1 Best regards
  2. 1 point
    Analyzing Keyboard Firmware Part 2 Ted.
  3. 1 point
    Unpacked! Steps to unpack:
    1. Renamed file and the assembly due to loading errors
    2. Removed antitamper with dnSpy.
    3. Removed all junk calls in cctor with my tool (Too lazy to nop it 1 by 1 in dnSpy).
    4. Removed remaining calls such as antidump, antitamper call, etc.
    5. Resolved values for sizeOfs and parsed strings that are integers.
    6. Converted x86 methods to IL
    7. Decrypted strings with my tool
    8. Cleaned cflow
    Credits: NotAccursed for cflow remover
    Key: Nword2-callsremoved-SizeOfRemoved-StrToIntResolved_noProxy-NoX86-StringDec_cleaned.exe
  4. 1 point
    Not all of this is correct. However, I am not going to tell you which information is incorrect.
  5. 1 point
    Hi, you just need to look at GetLastError with a debugger.
  6. 1 point
    DNS resolvers and queries (over HTTPS) seem to be a bit of a popular topic in the news of late. There are a number of reasons why people should be using DoH (or DoT): privacy, security, prevention against eavesdropping and man-in-the-middle attacks. For those not familiar, and for those of you interested, there are ad-blocking DoH resolvers. Below is a list of ad-blocking resolvers that I am currently aware of. Obviously these will perform better or worse depending on where you are located geographically in the world. My top three for performance are the first three in the list; the others are ranked in no preferential order.
    https://adblock.mydns.network/dns-query - Anycast (Cloudflare) / DNSSEC / DDoS
    https://dns.adguard.com/dns-query
    https://doh.tiarap.org/dns-query - Malware / DNSSEC
    https://ads-doh.securedns.eu/dns-query - DNSSEC
    https://doh.dnswarden.com/adblock - DNSSEC
    https://dns-nyc.aaflalo.me/dns-query
    https://dns.aaflalo.me/dns-query - DNSSEC
    https://doh.tiar.app/dns-query - Malware / DNSSEC
    https://dns.oszx.co/dns-query - DNSSEC
    If you know of some others out there please share them... Ted.
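    The post above lists DoH endpoints but does not show what a DoH query actually looks like on the wire. The following is an added example, not code from the post or from any of the listed resolver operators: it builds a standard DNS wire-format query (RFC 1035), wraps it the way RFC 8484 specifies for a GET request (base64url, unpadded, in the `dns` parameter), and parses a constructed sample response while checking the transaction ID and QR bit. The resolver URL is the AdGuard one from the post; the queried name, the sample response bytes and the 192.0.2.1 answer are constructed documentation values. The one network call, `doh_fetch`, is only reached when the script is run directly.

```python
import base64
import struct
import urllib.request
from urllib.parse import urlencode

# Resolver URL taken from the post above; everything else is constructed sample data.
RESOLVER = "https://dns.adguard.com/dns-query"


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels: length byte + label, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: ID 0 (RFC 8484 recommends it so caches can dedupe),
    flags 0x0100 (RD set), one question of type qtype (1 = A), class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without padding in the `dns` query parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return resolver + "?" + urlencode({"dns": b64})


def skip_name(msg: bytes, pos: int) -> int:
    """Advance past a name, treating a 0xC0-prefixed compression pointer as terminal."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def parse_response(msg: bytes, expected_id: int = 0):
    """Return (rcode, [IPv4 strings]) from the answer section.
    Rejects messages whose ID does not match the query or whose QR bit is clear,
    which is the minimum sanity check a client should do even over HTTPS."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if ident != expected_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is not a response")
    rcode = flags & 0x000F
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4          # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:          # A record
            ips.append(".".join(str(b) for b in rdata))
    return rcode, ips


def doh_fetch(url: str) -> bytes:
    """Perform the GET; RFC 8484 requires the application/dns-message Accept header."""
    req = urllib.request.Request(url, headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


# Constructed sample response: ID 0, flags 0x8180 (QR, RD, RA, NOERROR), one question,
# one A answer using a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    url = doh_get_url(RESOLVER, build_query("www.example.com"))
    print("GET", url)
    print("offline sample parses to", parse_response(SAMPLE_RESPONSE))
    print("live answer:", parse_response(doh_fetch(url)))
```

    The `dns` value produced for `www.example.com` is byte-for-byte the one RFC 8484 uses in its own GET example, which is a convenient cross-check that the encoding is right. The ID and QR checks are cheap; DoH protects the transport, but a client should still refuse to treat a malformed or mismatched body as an answer.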
  7. 1 point
  8. 1 point
    I used this in my MyAppSecured exe protector project. This code emulates the winAPI CreateThread using ZwCreateThread, in pure MASM, compiled in WinASM studio. Feel free to use it for your own projects. ZwCreateThread example.rar
  9. 1 point
    Many years ago I wrote a software protector called MyAppSecured. Somewhere in the middle of porting it from Delphi to C++ I lost my interest in this project. Just found it on my HDD so I thought it might be helpful for someone. In short, the GUI of this protector is written in C++ and the protection stub is written in MASM. The C++ code loads a target in memory and adds 2 PE sections to it. One for the TLS callback code and one for the main code. The MASM stub will be written to those 2 sections. This protector has just 2 protection features: Analyze Immunity (anti-debug) and Memory Shield (anti debug-tools, OEP relocation). Note this is not a download-and-use-right-away protector. The code was written years ago so it's not very well written and also for some unknown reason the MASM stub could not be written into the 2 created sections. It did work very well years ago but I don't have the time to investigate why it doesn't work now. To be clear, the compiled exe file you will find in the package should run nicely but once you try to secure an exe file, that exe file is gonna be corrupted. This project is free for personal and commercial purposes. If you have any questions please ask, but keep in mind I abandoned this project and removed it from my HDD right after posting it here. Even if you are not gonna use this project it might be interesting to check the code. Some interesting stuff you might find there for your own project, such as emulating the CreateThreadW function in pure MASM, adding PE sections & relocation of OEP. MyAppSecured v1.00 Beta source.zip
  10. 1 point
    You make me cry a little every time I see your replies. I will beforehand declare that this is my last response to your impeccable rant of stupidity, but I feel the need to put out these points. Yes, you did just say a few posts back, that "OP asked for protection, not virtualization", thus claiming that virtualization is not protection. Yes, OP asked for a native packer, as he asked for a packer for his Win32 file. Win32 is a native format, unlike .NET which is a non-native format. If you claim otherwise, I'll die of laughter. Nope, Themida is not useless. It might be easily unpacked (since LCF-AT made a superior script), but there's a big difference between unpacking and devirtualizing. If you have successfully unpacked a file, no matter how you did it, the file is still protected (as an unpacked software) as long as the virtualization is not broken (which is a whole different league to unpacking). The virtualized code sections will not be made readable by any public tools, and there are very few people world-wide who have even got the capability of making such tools. So nope, I'm not unknowledgeable. Actually, I'd go as far as to claim that on the contrary, I am moderately knowledgeable and you are simply extremely uninformed. Yes, OP was looking for constructive feedback, which is why I struck down on you, as you were supplying false information. Oh my god... I don't even know what to say to this... Themida not an obfuscator? If you had the time to properly read that image, you'd immediately notice the big fat .NET in front of the obfuscator. They're saying it's not a .NET Obfuscator, which means it doesn't obfuscate the IR for .NET. It is, however, a compressor, an obfuscator and a virtual machine software for native formats.
  11. 1 point
    Once again, you bless us with your unfathomable stupidity. First you claim virtualization is not "protection"..? If the OP wants protection, and asks which protection software to go with, it includes all features of the protection software, such as virtualization. Themida offers exceptional protection in real situations, when you don't want people to understand certain functions. Next you pick a .NET virtualizer and tell us that, if we're to deduce the best virtualization protection software (while the choice stands between VMProtect and Themida) we should pick Agile.NET??? In case that point flew over your head, here's another stupid point to this: He's asking for a packer for a native Win32 file. You suggest using a non-native .NET packer.
  12. 1 point
    I created this thread because of this thread: http://forum.tuts4yo...ction-question/ Some beginners still think that ImpREC works on Windows 7; this is simply not true. Here is a proof screenshot. The test application is a simple C++ application, not packed/protected. Scylla is the only tool which can rebuild the IAT correctly. I guess this doesn't need any explanation, just see for yourself. (Download the .zip for better resolution) compare_ir_.zip