Jump to content
Tuts 4 You


Popular Content

Showing content with the highest reputation since 07/11/2019 in Posts

  1. 4 points
    Answer The password is "gamer vision". All of the following addresses are based on the modulebase 0x00007FF644840000. The possible OEP at: 00007FF644841DF8 | 48:895C24 20 | mov qword ptr [rsp+20],rbx 00007FF644841DFD | 55 | push rbp 00007FF644841DFE | 48:8BEC | mov rbp,rsp 00007FF644841E01 | 48:83EC 20 | sub rsp,20 ... Then the second hit in code section at: 00007FF6448416FC | 48:895C24 08 | mov qword ptr [rsp+8],rbx 00007FF644841701 | 48:897424 10 | mov qword ptr [rsp+10],rsi 00007FF644841706 | 57 | push rdi 00007FF644841707 | 48:83EC 30 | sub rsp,30 ... After prompted "enter password.", the input routine at: 00007FF644841400 | 48:8BC4 | mov rax,rsp 00007FF644841403 | 57 | push rdi 00007FF644841404 | 41:54 | push r12 00007FF644841406 | 41:55 | push r13 00007FF644841408 | 41:56 | push r14 00007FF64484140A | 41:57 | push r15 00007FF64484140C | 48:83EC 50 | sub rsp,50 ... the pointer of local buffer for receiving input text is in rdx(for example, 000000359CC9FA58). When entered some test characters, stack looks like: 000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00 "123456789012" 000000359CC9FA68: 000000000000000C input size 000000359CC9FA70: 000000000000000F buffer size Whereafter, the process logic virtualized. First of all, the length of input text got checked in a vCmpqr handler: 00007FF644898E0B | 49:39F0 | cmp r8,rsi ; r8=000000000000000C(actual), rsi=000000000000000C(const) The length MUST be 12!, else got "no!". NOTE: the encrypt password has no chance to get decrypted if input length is wrong! The answer String is encrypted(0xC length): 00007FF64484BCB0 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00 decrypt algo: 00007FF6448BF3A6 | 40:8A36 | mov sil,byte ptr [rsi] rsi=00007FF64484BCB0, sil=8B 00007FF6448D4125 | 44:30DB | xor bl,r11b bl=8B, r11b=08; ^=08 = 83 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 83 00007FF64485748F | 8A09 | mov cl,byte ptr [rcx] [00007FF64484BCB0] -> 83 00007FF64485E6FA | 44:00D7 | add dil,r10b dil=83, r10b=E4; +=E4 = 67 'g' 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 67 00007FF64488DA96 | 49:FFC4 | inc r12 ptr++ 00007FF644859691 | 41:FFC9 | dec r9d length-- 00007FF64488743C | 85C8 | test eax,ecx end loop if length zero At the end of loop, the plaintext: 00007FF64484BCB0 67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00 gamer vision.... The comparison: 00007FF6448424E7 | FF25 330C0000 | jmp qword ptr [<&memcmp>] ret rax=00000000FFFFFFFF/0000000000000000(if matches) rcx=000000359CC9FA58 "123456789012" rdx=00007FF64484BCB0 "gamer vision" r8=000000000000000C Strings Encrypted Structure BYTE bEncrypt // 1 - encrypt, 0 - decrypt DWORD dwLength BYTE UnDefined[0xC] BYTE CipherText[dwLength+1] The related messages as followings, you can find them in the VM Section ".themida" after it got unpacked at the very beginning of the application. 00007FF6448AC79F 01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00 decrypt algo: ^A0+4F 00007FF6448AC7AF 00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F "enter password.\n" 00007FF6448AC7BF 1B 00 00007FF64484BC9F 01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00 decrypt algo: ^08+E4 00007FF64484BCAF 00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 "gamer vision" 00007FF644886C7F 01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00 decrypt algo: ^85+10 00007FF644886C8F 00 EC D0 E6 94 7F 00 "yes!\n" 00007FF64489252F 01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00 decrypt algo: ^65+C9 00007FF64489253F 00 C0 C3 3D 24 00 "no!\n" 00007FF64484C40F 01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00 decrypt algo: ^12+C6 00007FF64484C41F 00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48 "press enter to continue.\n" 00007FF64484C42F 8F BB BA BC B1 BA BD 8D 7A 56 00
  2. 2 points
    I am mostly wondering why an unpackme needs an anti VM mechanism in place. I am not running any foreign binaries on my host machine. Yes I can patch it myself, but what is the point? Given the fact that it also takes a huge amount of time to even start up, I find it a little unsettling if I have to be honest.
  3. 2 points
    Got a chance to check out Ghidra 9.0.4 (released in May) to compare again and will say they have really optimized the disassembler compared to before. A file I work with often in IDA for a specific game now takes around the same time to disassemble in Ghidra which is a lot better than before. (The previous 9hr post was not for this file, will test that one again in the future.) The decompiler has seen some improvements as well which for this file results in some nice output, a bit cleaner than HexRays even at times. Would say in the short time of it being open source, things have shaped up pretty well for this tool.
  4. 1 point
    https://visualstudio.microsoft.com/es/vs/support/community-edition-expired-buy-license/ really need login for unlock the ide, only that Community Edition is free. You just need to sign-in with your Microsoft account and everything will be fine again. im was using from 2017 to today..never i was need a licence .. only login BR, Apuromafo
  5. 1 point
    Just be mindful of UIPI and process elevation levels if you plan on using SendMessage. Otherwise you will need to look at changing window message filters (ChangeWindowMessageFilterEx) of lower privileged windows. You can check if your messages are being blocked by calling GetLastError and checking for access denied (5)... Ted.
  6. 1 point
    Another option is to use WM_COPYDATA https://docs.microsoft.com/en-us/windows/win32/dataxchg/wm-copydata The following example demonstrates how to send information between two applications using the WM_COPYDATA message: https://docs.microsoft.com/en-us/windows/win32/dataxchg/using-data-copy
  7. 1 point
    Depends on how much data you intend on exchanging as there are a number of different options. This link explains some of them... https://docs.microsoft.com/en-au/windows/win32/ipc/interprocess-communications Ted.
  8. 1 point
    pleas explain how u unpack it?
  9. 1 point
    I'd be sure that they made a devirt only if i saw the koivmhelper.dll without dnguard, for some reason i think that they check the parameters and the calls with the handle invoker Why would i think of that? well i've searched the 'devirted' file and i've only seen this change (on vcall opcodes) which basically changes the methodinfo.invoke to be invoked from the .dll? (which makes it easy to change the result and also check the parameters and the call) Another thing i found is that they load all the stuff from the resources instead of the metadata stream (the stuff that cant be preserved with dnspy saving) which makes me think the same thing. Final thing, i had the original vpnhunter exe with koivm and the types and methods were not differently named... which means that it hadn't been koivm'ed on top of the devirt
  10. 1 point
    Which is a bloody stupid idea in the first place. Just don't do it. To answer the question - the cause of your problem is MUI files that were introduced in Windows Vista. They enable you to have Windows UI in your own (non-English) language. If you copy some of the Windows built-in executables, you also need to copy the corresponding MUI file to correct subfolder, otherwise it won't be able to load correct resources and you'll see the error you mentioned. Example: Further reading: https://docs.microsoft.com/en-us/windows/win32/intl/mui-fundamental-concepts-explained https://afana.me/archive/2016/06/27/restoring-classic-calculator-in-windows-10.aspx/ https://ntcore.com/?p=266
  11. 1 point
    Overcooked is free this week on Epic. Good fun for local multiplayer
  12. 1 point
    I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator I try my best to introduce it using English 1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5) 2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run 3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod" 4.fix pe header and maybe you shoud also fix .net header This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies. If you can not understand it, you can reply me. Best wish.
  13. 1 point
    [.NET]实战UnpackMe.mp4 -> https://mega.nz/#!YxwQSAxA!Lwd9XStVyue8fdYKZXmYkoDxE0Y7ftsyNYtBKLTRrGM
  14. 1 point
    @mdj: 使用x64dbg暴打非托管强壳.mp4 -> https://mega.nz/#!Y5JBTaCS!hJXzN5ssvUyRHW8VgpGxINEVrW1zJ2Up96vqqJVG5co I can upload the second video tomorrow, if you need that too. @all: Please be nice and don't abuse the link, it is a free Mega account and has traffic limitations.
  15. 1 point
    Yes, i wrote some of that information on v3. Well, if it's entirely online-based that of course takes away much of the fun...
  16. 1 point
    https://github.com/x64dbg/x64dbg/releases https://github.com/wwh1004/ExtremeDumper/releases
  17. 1 point
    Yep, looks like Dotwall. But the main executable is totally boring - the interesting stuff is in .NET resources. So, don't waste much time trying to deobfuscate main executable. There are 2 malicious PE files in .NET resources - XOR-encrypted with key 76 00 6F 00 52 00 4E 00 66 00 48 00 73 00 44 00 One is Aspire.dll, protected with .NET Reactor - that's some sort of malware launcher. Other one is password stealer written in Delphi.
  18. 1 point
    I do not release the decoder but the code optimizer (not immediately), this is not specific to the oream vm, it is only far more effective than others. What do you say about angr or miasm or optimice or codedoctor ?? do we eliminate them all the tools for binary code analysis ?? I do not issue the decoder code because my hobby is a hobby and I do not want to give anybody a damn but reversing is sharing (I unfortunately belong to the old old reverser school). If I spoke good English I would probably share a lot more info and would not like others who just write for self-celebration. Do you know Scherzo or Softworm ?? I'm an old man who now deals with reversing and my only good luck is that the day they will all program in python or javascript I will not be there anymore..hahahahaha
  19. 1 point
    ILSpy mod by Medsft: NET assembly browser and decompiler, debugger, High and Low level Editor Project renamed. ILSpy NEXT. NET assembly browser and decompiler, debugger, High and Low level Editor Description: ILSpy (latest ILSpy public version -add debugger from the SharpDeveloper studio -add CopyFullyQualifiedTypeName.Plugin -add OpCodeTableForm -add to treeview contextmenu: - strong name utility - rename class utility - Jump to EntryPoint - string viewer utility (search enable) - extension exeecute utility (reservation work enable) - hexeditor methodbody utility (runtime compilation enable, - search any text in decompileTextView - find method call - Analyze. Reference calls positioning and highlight ("IL Code" view) two technologies save the result(High Level:recompile assembly and Low Level:Binary Patch(See results and work in Patch_table))) add to decompiletextview contextmenu: - replace instruction (High Level,need recompile to save assembly) - nop instruction (High Level,need recompile to save assembly) - reverse branch (High Level,need recompile to save assembly) - nop instruction (Low Level, no need recompile binary patch see Patch Table) - reverse branch (Low Level, no need recompile binary patch see Patch Table) - class or method injector (High level) - "Undo" operation Mono.Cecil -ignore null type (Read TypeDefinition) -ignore invalid parameter(Read MethodDefinition) -ignore invalid generic argument() -ignore invalid attribute (if (attribute.Constructor == null) continue;) -ignore invalid signature(GetSecurityDeclarationSignature) -fix handle null value in obfuscated assembly -add ToString for CustomAttributeArgument -add ToString for CustomAttributeNamedArgument -ignore null element(MemberDefinition) -avoid recursive declaringtype of some obfuscated assemblies,currently only one level checking -add AllMemberReferences(IEnumerable<MemberReference> GetMemberReferences) -add ElementTypeIntValue(ElementTypeIntValue) -add support to read/write directly from bytes(FromBytes) -Read reloc section, Contributed by Khiem Nguyen -add alternative "Save" technology modified assembly (support obfuscated assembly) Pack "ALL in One" The latest releases of ILSpy.NEXT on http://il4re.ml// [t]We are opened! Welcome, guys.[/t] Last build: 12_08_2016 Sorry for my bad English and WPF
  20. 1 point
    Hi required start pass? we should bypass this manually? Best Regards, h4sh3m
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
  • Create New...