Tuts 4 You

Leaderboard

  1. BataBo (Junior+): 9 points, 17 posts
  2. whoknows (Full Member+): 9 points, 1,013 posts
  3. Kurapica (Full Member): 6 points, 947 posts
  4. Bartosz Wójcik (Full Member): 5 points, 101 posts
Popular Content

Showing content with the highest reputation since 07/23/2021 in all areas

  1. This is an update to my last post. I've decided to continue working on my unpacker and was able to figure out how to decrypt operands; when it comes to callinternal, its operand, when decrypted, tells you which method to execute. The next problem I got was homomorphic encryption, but it wasn't a hard nut to crack: all you have to do is bruteforce the key and use it to decrypt the method body. With all this I've finally made the devirtualiser and was able to unpack the assembly. Then I ran it through de4dot to clean it up a bit. And then I have manually taken care of the debug code (I haven't removed it, I've just put if(true)return; at the beginning of each debug method). Here is a video of me unpacking it: https://streamable.com/gynmi9 The file password is superfrog. For some reason I couldn't upload the raw exe so I zipped it: ggggg-unpacked-cleaned.zip
    6 points
  2. Target uses homomorphic encryption of two pieces of code, which are the crucial part of verifying the serial. Not sure if it's keygennable, maybe someone else will make it. If the string that we enter in the input box is passed to the following two methods and both of them return the expected result then we get the goodboy ("Hooollaaaaa :)") message.

     Result of this method must be 5214:

         internal static int check1(string input)
         {
             int num = 0;
             for (int i = 0; i < input.Length; i++)
             {
                 num += (int)(input[i] + 'P');
             }
             return num;
         }

     Result of this method must be 40106:

         internal static int check2(string input)
         {
             int num = 0;
             for (int i = 0; i < input.Length; i++)
             {
                 num += i * (int)input[i] % 0x7FFFFFFF;
             }
             return num;
         }
    4 points
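As an added example (my code, not the crackme's or the poster's), here are the two checks ported from C# to C, together with the one thing easy to misread in check2 (the `%` binds to `i * input[i]`, not to the running total) and the length window that check1's constant alone forces on a serial. The 'P' offset being 80 and the input being printable ASCII (0x20..0x7E) are assumptions; the target constants are the ones quoted in the post.

```c
#include <stddef.h>

#define CHECK1_TARGET 5214   /* constants quoted in the post */
#define CHECK2_TARGET 40106

/* check1 ported from the post's C#: sum of (c + 'P'), i.e. sum(c) + 80 * len.
 * C# char is UTF-16; for ASCII serials the sums are identical. */
int check1(const char *input)
{
    int num = 0;
    for (size_t i = 0; input[i] != '\0'; i++)
        num += (unsigned char)input[i] + 'P';
    return num;
}

/* check2 ported from the post: position-weighted sum. In C# as in C, '*' and
 * '%' share precedence and group left to right, so the modulo applies to
 * i * input[i], not to the running total; for realistic lengths it is a no-op. */
int check2(const char *input)
{
    int num = 0;
    for (size_t i = 0; input[i] != '\0'; i++)
        num += (int)((i * (size_t)(unsigned char)input[i]) % 0x7FFFFFFFu);
    return num;
}

/* The goodboy condition: both checks must hit their constants. */
int is_valid_serial(const char *input)
{
    return check1(input) == CHECK1_TARGET && check2(input) == CHECK2_TARGET;
}

/* What check1 alone pins down. For a serial of n printable ASCII characters
 * (0x20..0x7E, an assumption about the input) the character sum target - 80n
 * must lie in [32n, 126n]; scanning n gives the feasible length window. */
static void printable_length_bounds(int target, int *lo, int *hi)
{
    *lo = 0;
    *hi = 0;
    for (int n = 1; 80 * n < target; n++) {
        int sum = target - 80 * n;
        if (sum >= 32 * n && sum <= 126 * n) {
            if (*lo == 0) *lo = n;
            *hi = n;
        }
    }
}

/* Smallest / largest feasible printable length for a check1 target (0 if none). */
int printable_min_length(int target) { int lo, hi; printable_length_bounds(target, &lo, &hi); return lo; }
int printable_max_length(int target) { int lo, hi; printable_length_bounds(target, &lo, &hi); return hi; }
```

For the posted target 5214 the window is 26 to 46 characters, which is why a sum-only check like check1 narrows the search so little on its own; check2 is what ties the value to character positions.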
  3. x0man's version of starfield with bmp aboutbox effect - ripped from Casino PokeR Analyzer v4.17 by tPORt.zip , with IDA pro. (yep, this aboutbox wasn't really open-source - like Funny Word, Crazy Word and New year theme - back then) Also available on Xylitol's collection of masm32 graphical effects repository on github . starfield_with_bmp[tPORt].zip
    3 points
  4. I was unable to unpack this executable but have made some progress in creating a devirtualiser. The first thing I've done is debug the program to understand how the VM works. There I've realised that class \u0008\u2008 is the VM class, in which most of the VM code is located. Then I dumped \u0008\u2008.\u0006\u2002; this is a field of type Dictionary<int, \u0008\u2008.\u0002\u2000> where int is the VM opcode id and \u0008\u2008.\u0002\u2000 is the method associated with that VM opcode. After I had that dumped I ran it through my program and was able to link some of those methods to CIL opcodes. You'll be able to download the map from the file below. Then I linked those CIL opcodes to instruction ids. This allows me to devirtualise virtualized code. Now I needed method bodies. Those were pretty easy to obtain. You'll be able to see both virtualised and devirtualised bodies in the file below. Ok so I knew what opcode corresponds to what VM opcode and had all the virtualised bodies so I should be able to unpack it, but that wasn't the case because of 2 factors. The first one is that the operands for certain instructions (call, ldtoken, callvirt, ldfld, stfld...) are encrypted. All eaz assemblies have an encrypted resource from which they get these values. I tried to decrypt these values but failed, but fortunately I was able to semi-circumvent this.
     Eaz caches all the decrypted operands, so I ran the program, gave a wrong input, dumped the assembly and obtained these values; unfortunately the values that were not decrypted didn't get cached so I was unable to obtain them. The list of decrypted operands is in the file below. The second issue is the eaz opcode callinternal (my nickname). This opcode takes an encrypted operand as the argument and uses it to pretty much create a dynamic method. I wasn't able to get bodies for these methods (I was able to get 3, including anti-dbg code), and from the looks of it they are important. I tried to fix these two issues but couldn't, so I gave up. I decided to just devirtualise the bodies I had with the limited information I had, and you can get those unpacked bodies from the file below. I hope this info proves useful to someone so they can make an unpacker. I just wanna be clear on this one: the <Decrypted></Decrypted> field refers to whether the operand was decrypted and <BranchTo></BranchTo> refers to the command that the branch instruction is referencing.
     Forgot to mention, might be important: the method that runs the VM code looks like this:

         private void \u0008\u2000(bool \u0002)
         {
             uint u0005_u = this.\u0005\u2001;
             for (;;)
             {
                 try
                 {
                     while (!this.\u000E)
                     {
                         if (this.\u0008\u2003 != null)
                         {
                             this.\u0003\u2001 = this.\u0008\u2003.Value;
                             this.\u0002((long)((ulong)this.\u0003\u2001));
                             this.\u0008\u2003 = null;
                         }
                         else if (this.\u0003\u2001 >= u0005_u)
                         {
                             break;
                         }
                         this.\u0006();
                     }
                 }
                 catch (object u)
                 {
                     this.\u0002(u, 0U);
                     if (\u0002)
                     {
                         continue;
                     }
                     this.\u0008\u2000(true);
                 }
                 break;
             }
         }

     The part that executes the VM opcode is this.\u0006(); and it looks like this:

         private void \u0006()
         {
             this.\u0002\u2002 = this.\u0003\u2001;
             int key = this.\u000E\u2003.\u0006();
             this.\u0003\u2001 += 4U;
             \u0008\u2008.\u0002\u2000 u0002_u;
             global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u);
             u0002_u.\u0003(this, this.\u0002(this.\u000E\u2003, u0002_u.\u0002));
         }

     This line generates the VM opcode id:

         int key = this.\u000E\u2003.\u0006();

     And this line gets the method associated with that key:

         global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u);

     and the last line executes it.

     Data.xml
    3 points
  5. Google parent Alphabet launches Intrinsic - www.theverge.com/2021/7/23/22590109/google-intrinsic-industrial-robotics-company-software
     Mark Zuckerberg says Facebook will turn into a ‘metaverse’ - www.independent.co.uk/life-style/gadgets-and-tech/facebook-mark-zuckerberg-metaverse-augmented-vitual-mixed-reality-b1889284.html
     Biden administration sounds the alarm on the semiconductor crisis - fortune.com/2021/07/16/biden-administration-sounds-the-alarm-on-the-semiconductor-crisis/
     Meet the Microsoft Game Developer Kit (GDK) - developer.microsoft.com/en-us/games/blog/meet-the-microsoft-game-developer-kit-gdk/
     Scientists Finish the Human Genome at Last - www.nytimes.com/2021/07/23/science/human-genome-complete.html
     Insight.js – Never Console.log Again - getinsight.dev/
     Anybody can read the registry in Windows 10 - doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5
     Amiga 2000 EATX PCB - github.com/jasonsbeer/Amiga-2000-ATX
     Rivian announces $2.5 bln funding round led by Amazon, Ford - www.reuters.com/business/autos-transportation/ev-startup-rivian-announces-25-bln-funding-round-led-by-amazon-ford-2021-07-23/
     Schools opened, suicide attempts in girls skyrocketed - insidemedicine.bulletin.com/2977384169199489/
     K-9 Mail new release v5.8 (finally!) - k9mail.app/2021/07/24/K-9-Mail-is-back
     Hacking the DLink DIR-615 - noob3xploiter.medium.com/hacking-the-dlink-dir-615-for-fun-and-no-profit-part-2-cve-2020-10215-586204d42bba
     Chimpanzees have been spotted attacking and killing gorillas - edition.cnn.com/2021/07/22/africa/chimpanzee-gorilla-attacks-scn-scli-intl/index.html
    2 points
  6. I went to the office for the first time. I fornicationing hated it (lol) - www.reddit.com/r/cscareerquestions/comments/oosru6/i_went_to_the_office_for_the_first_time_i_fornicationing/
     Windows 96 - windows96.net
     Developers at Activision Blizzard say they'll walk out Wednesday - www.axios.com/activision-blizzard-walkout-harassment-lawsuit-fefa807b-107e-41e2-a6e2-78a086119e04.html
     Curated list of personal blogs - refined.blog/
     Docker in Production: A History of Failure (2016) - thehftguy.com/2016/11/01/docker-in-production-an-history-of-failure/
     WeChat suspends new user registration for security compliance - www.reuters.com/technology/tencents-wechat-suspends-new-user-registration-cites-technical-upgrade-2021-07-27/
     Analysis of large binaries and games in Ghidra-SRE - kiwidog.me/2021/07/analysis-of-large-binaries-and-games-in-ghidra-sre/
    1 point
  7. Shadow is on a whole other level, he unpacked an exe fully packed with PELock 2.x in half an hour
    1 point
  8. cracked attached cracked password 1234567891011121314151617 from csv , original password <TuAurasPasLeMdpCroisPas> still has csv dynamic encryption crackme_1234567891011121314151617.7z
    1 point
  9. @BataBo : Impressive work man
    1 point
  10. ^fantastic job @BataBo. I have to say, when @SHADOW_UA replied, the same day, he also sent me the naked file via PM.
    1 point
  11. Unsigned types are zero extended and signed types are sign extended with shift instructions. C does not have efficient implementations of some hardware details. For example, shifting left or right by 1 gives the removed bit in the carry flag CF. Or addition/subtraction. But in C you must do some bit twiddling expressions to turn a native efficient operation into something taking a few instructions. I doubt the compiler actually optimizes it. So if you want to shift a big integer stored in an integer array, it will be an annoyance especially since rotate with carry or double precision shifts are strictly necessary. No idea if SIMD instructions can speed this up given it's a sequential memory op
    1 point
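As an added example (mine, not from the reply above), this is the carry threading the reply describes, done by hand in C on a little-endian array of 32-bit limbs: a left shift with the carry chained upwards, a logical right shift with it chained downwards, and the sign-extending variant. The two-limb wrappers and the `split`/`join` helpers are only there to cross-check the limb code against native 64-bit shifts; they are not part of the technique.

```c
#include <stdint.h>
#include <stddef.h>

/* Shift a little-endian array of 32-bit limbs left by one bit, threading the
 * bit that leaves each limb into the next one by hand (what x86 does with a
 * shl followed by rcl through CF). Returns the bit shifted out of the top
 * limb, i.e. what CF would hold after the last rcl. */
uint32_t bigint_shl1(uint32_t *limbs, size_t n)
{
    uint32_t carry = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t out = limbs[i] >> 31;          /* bit leaving this limb */
        limbs[i] = (limbs[i] << 1) | carry;     /* bit arriving from below */
        carry = out;
    }
    return carry;
}

/* Logical right shift by one: the top limb is zero-extended (shr then a chain
 * of rcr). Returns the bit shifted out of the bottom limb. */
uint32_t bigint_shr1(uint32_t *limbs, size_t n)
{
    uint32_t carry = 0;
    for (size_t i = n; i-- > 0; ) {
        uint32_t out = limbs[i] & 1u;
        limbs[i] = (limbs[i] >> 1) | (carry << 31);
        carry = out;
    }
    return carry;
}

/* Arithmetic right shift by one: as above, but the top limb keeps its sign
 * bit (sar on the top limb, rcr on the rest). */
uint32_t bigint_sar1(uint32_t *limbs, size_t n)
{
    if (n == 0) return 0;
    uint32_t sign = limbs[n - 1] & 0x80000000u;
    uint32_t carry = bigint_shr1(limbs, n);
    limbs[n - 1] |= sign;
    return carry;
}

/* Constructed cross-check harness: run the limb code on a 64-bit value split
 * into two limbs, so the result can be compared with a native 64-bit shift. */
static void split(uint64_t v, uint32_t l[2]) { l[0] = (uint32_t)v; l[1] = (uint32_t)(v >> 32); }
static uint64_t join(const uint32_t l[2]) { return ((uint64_t)l[1] << 32) | l[0]; }

uint64_t shl1_via_limbs(uint64_t v) { uint32_t l[2]; split(v, l); bigint_shl1(l, 2); return join(l); }
uint64_t shr1_via_limbs(uint64_t v) { uint32_t l[2]; split(v, l); bigint_shr1(l, 2); return join(l); }
int64_t  sar1_via_limbs(int64_t v)  { uint32_t l[2]; split((uint64_t)v, l); bigint_sar1(l, 2); return (int64_t)join(l); }
uint32_t shl1_carry_out(uint64_t v) { uint32_t l[2]; split(v, l); return bigint_shl1(l, 2); }
```

The `(limbs[i] << 1) | carry` and `(limbs[i] >> 1) | (carry << 31)` forms are the ones gcc and clang recognise and turn into shld/shrd on x86-64; the explicit carry variable is the price C pays for not exposing CF.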
  12. If you are not saving (and need to use) JavaScript and other client side assets other than HTML you could use something like WinCHM. Numerous PDF editors can import and categorise HTML. Even Word and open source variants can do a similar job... Ted.
    1 point
  13. Migrating Facebook to MySQL v8.0 - engineering.fb.com/2021/07/22/data-infrastructure/mysql/
      Akamai Edge DNS Down - edgedns.status.akamai.com/ www.bbc.com/news/technology-57929544
      AlphaFold Protein Structure Database - alphafold.ebi.ac.uk/
      Even if you’re paying, you’re still the product - odysee.com/@CyberLounge:a/even-if-youre-paying-youre-still-the-product:7
      Wiser – minimal hypervisor boots Linux VM. Written in C - github.com/flouthoc/wiser
      open-source-alternatives - www.btw.so/open-source-alternatives
      Reflections as the Internet Archive turns 25 - blog.archive.org/2021/07/21/reflections-as-the-internet-archive-turns-25/
      Man Arrested in Connection with Alleged Role in Twitter Hack - www.justice.gov/opa/pr/man-arrested-connection-alleged-role-twitter-hack
      NSO group say enough is enough - www.nsogroup.com/Newses/enough-is-enough/
      Colorado River is shrinking - www.sciencemag.org/news/2021/07/colorado-river-shrinking-hard-choices-lie-ahead-scientist-warns
      sudo - music for developers - sudo.fm
      Bezos donates $100 million each to CNN contributors - www.cnn.com/2021/07/20/media/van-jones-bezos-100-million/index.html
      Telegram founder listed in leaked Pegasus project data - www.theguardian.com/news/2021/jul/21/telegram-founder-pavel-durov-listed-spyware-targets-nso-leak-pegasus
      Epic Games acquires Sketchfab - techcrunch.com/2021/07/21/epic-games-acquires-sketchfab-a-3d-model-sharing-platform/
      How do Chrome extensions impact browser performance? - www.debugbear.com/blog/chrome-extension-performance-2021
      Neverinstall – A platform to bring desktop applications to the browser - neverinstall.com/
      Intel Distribution for Python - software.intel.com/content/www/us/en/develop/tools/oneapi/components/distribution-for-python.html
      Google pushed a one-character typo to production, bricking Chrome OS devices - arstechnica.com/gadgets/2021/07/google-pushed-a-one-character-typo-to-production-bricking-chrome-os-devices/
      G - Introducing the Data Validation Tool for EDW migrations - cloud.google.com/blog/products/databases/automate-data-validation-with-dvt
      Kaseya obtained a decryptor for victims of the REvil ransomware - apnews.com/article/lifestyle-technology-joe-biden-europe-business-bb7298b31b7157640fbd5f90fc19c224 helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-21st-2021
      California Sues Gaming Giant Activision Blizzard Over Unequal Pay, Sexual Harassment - www.npr.org/2021/07/22/1019293032/activision-blizzard-lawsuit-unequal-pay-sexual-harassment-video-games
      Our genes shape our gut bacteria - www.sciencedaily.com/releases/2021/07/210708170331.htm
      Zip - How not to design a file format - games.greggman.com/game/zip-rant
      How TikTok's Algorithm Figures Out Your Deepest Desires - www.wsj.com/video/series/inside-tiktoks-highly-secretive-algorithm/investigation-how-tiktok-algorithm-figures-out-your-deepest-desires
    1 point
  14. Be mindful of what types functions return. The intrinsic function '_rotr' returns an unsigned value, which goes against the signed types you are trying to use. Because of that, you need to cast its return back to a signed type or store it in a signed variable first.

      int32_t eax = 0;
      int32_t ebx = 0x288d6c47;
      // _rotr(ebx ^ 0x9714, 0x2) = 0xca237ed4
      eax = (int32_t)_rotr(ebx ^ 0x9714, 0x2) >> 0x3;

      Should get what you want.
    1 point
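An added example (mine, not the reply's) that makes the cast's effect visible in returned values: `rotr32` is a portable stand-in for MSVC's `_rotr` (which lives in the MSVC headers and, like this helper, returns an unsigned value), next to the logical and arithmetic shift that x86 `shr` and `sar` perform, and the reply's expression with and without the cast. The input value 0x288d6c47 and the constants 0x9714, 2 and 3 are the ones from the reply.

```c
#include <stdint.h>

/* Portable stand-in for MSVC's _rotr (a hypothetical helper, not the intrinsic
 * itself). Like _rotr it takes and returns an unsigned value. */
uint32_t rotr32(uint32_t v, unsigned s)
{
    s &= 31u;
    return s ? (v >> s) | (v << (32u - s)) : v;
}

/* What x86 'shr' does: logical shift, zeros fill in from the left. */
uint32_t shr_logical(uint32_t v, unsigned s) { return v >> s; }

/* What x86 'sar' does: arithmetic shift, copies of the sign bit fill in from
 * the left. Right-shifting a negative signed value is implementation-defined
 * in C, but gcc, clang and MSVC all implement it as sar. */
int32_t sar_arith(int32_t v, unsigned s) { return v >> s; }

/* The reply's expression: the cast applies before the shift, so the shift is
 * arithmetic and the top three bits are filled with the sign bit. */
int32_t with_cast(int32_t ebx)
{
    return (int32_t)rotr32((uint32_t)(ebx ^ 0x9714), 2) >> 3;
}

/* The same expression with the cast moved outside: the shift now happens on
 * the unsigned rotate result, so it is logical and the value differs. */
int32_t without_cast(int32_t ebx)
{
    return (int32_t)(rotr32((uint32_t)(ebx ^ 0x9714), 2) >> 3);
}
```

With the reply's input the rotate yields 0xca237ed4; shifting it as signed gives 0xf9446fda (negative), shifting it as unsigned gives 0x19446fda, which is exactly the discrepancy the cast fixes when the original assembly used `sar`.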
  15. I am of the opinion that any solution posted here should be reproducible (hence the name tuts4you). Anyone reading my solution should be able to follow the steps and get to the same conclusion. For the case of a VM, since they are complicated beasts, it means it gives me only two options: I would have to release the source code of any type of devirtualizer that I would've made, or I would have to spend an entire blog post talking about how VMP's VM works and how to reverse it. While I genuinely enjoy doing both, both options take a lot of time, something I have very little of these days. But even if I had the time, it's arguably not really worth it. If I were to make a devirtualizer for VMP and release it, it will not take long for the VMP developers to catch on and update their software. Unless the devirtualizer was made in such a way that it would be resistant towards the kinds of changes (which again, takes more time), it means it is probably only going to be useful for a short period. Just doing this for a single unpackme posted on a forum does not really make it worth it for me. Also, while I generally don't have any problem with publishing articles or source code (unlike other people that post solutions here it seems), I do have a problem with potentially harming other people's businesses. I am not a fan of releasing devirtualizers or unpackers for protectors that are still in business and have customers. From a legal and ethical perspective, that's just not something I would do easily. Generally speaking though, with reverse engineering it is often not required to fully unpack anyways. You extract what you need and leave out the unimportant business. In a lot of cases that does not require a full deobfuscation. Especially not with keygenme's like these. Maybe someone else thinks differently about that, and does pick this up as a challenge though
    1 point
  16. Methodology - Since it is a CrackMe I won't bother myself to generate/find a valid serial by understanding the algo. So I'm simply gonna patch it to accept any key or show the valid message from any of that. Thanks to RCE community members from all those different forums who shared their knowledge with the public. Valid Key - Steps - Image - Method 2 - Since it is a CrackMe these methods make sense, but in a real world app these are not so useful. We need to devirt the app to fully read the code. So you can follow my 1st comment regarding complete unpacking of your code.
    1 point
  17. i hope u have SnD PERMISSION TO POST IT , AT FIRST BEFORE POST U SHOULD HAVE YCK1509 TAKE PERMISSION FROM YCK1509 . THIS SOFTWARE SRC I HAVE . YCKPERMITTED ME TO SHARE THIS APP binary only not src, UNTIL POST U SHOULD SEARCH WITH MY USER ID I ALREADY POSTED JITDUMPER DNLIB EDTION CREATE BY YCK1509 . SEARCH BY FOLLOWING MY USER ID U GET LATEST FIXED BINARY JITDUMPER LAST EDITION WHICH HE LAST MODIFIED FOR ME
    1 point
  18. Hello, so I have created & protected a new UnpackMe for you. I added also some detect stuff [medium level]. Just start the exe file and press the splash. Have fun again. ENIGMA 2.33 UnpackMe.rar
    1 point
  19. Hi, if your file is a NET target then the script does fail to unpack your target because it's a NET one. If you can bypass the RegNag successfully and your target does run (press run in Olly after you get "Found no valid API call or Jump commands") like it should then you can start to do some NET dump & fixing by using NET tools. Just try this. Don't remember anymore about that NET stuff. PS: Script does check the first section RVA address for 1000. In case of NET the first section starts at 2000. But as I said, the script isn't a NET Enigma unpacker. greetz
    1 point
  20. Hi, so you do see that this topic is more than 10 years old already, right? The NetFrameWork infos should be wrong because the file is not NFW. Problem should be the Windows OS you are running and the arch (x64) where you can get different results by using the script because the unpacking conditions are not the same as when you would try to unpack the target on an XP x86 system. What you can try is running the script under VM & XP SP2 OS. Otherwise you need to debug the script itself and analyze the error messages and try to fix / bypass it manually. greetz
    1 point
  21. 41 downloads

    The perfect way to play XM music is by using MiniFmod. Since it is free to use, we can produce really cool keygens. I've chosen keygens as the perfect target to play music on, as we all know it's cool in the end. The best way to find our XM music is the mod archive located at: http://www.modarchive.com/. It is a huge archive, and a lot of cool music can be found there, so just before coding, select your file (recommended size: 2k-30k). I especially like the "Hybrid Song.XM" (I first heard it in an installer of Worms) or "trainer.XM", but I am sure there are millions of them out there. Once we choose our music, we need to dump its content!! Now, since this article is for Visual C++ coders, our dump is apparently C++ style hex. For the dumping routine we will use Thigo's excellent Table Extractor, located at protools/anticrack.. or just google for it.
    1 point
  22. Answer

      The password is "gamer vision". All of the following addresses are based on the module base 0x00007FF644840000.

      The possible OEP at:

          00007FF644841DF8 | 48:895C24 20   | mov qword ptr [rsp+20],rbx
          00007FF644841DFD | 55             | push rbp
          00007FF644841DFE | 48:8BEC        | mov rbp,rsp
          00007FF644841E01 | 48:83EC 20     | sub rsp,20
          ...

      Then the second hit in the code section at:

          00007FF6448416FC | 48:895C24 08   | mov qword ptr [rsp+8],rbx
          00007FF644841701 | 48:897424 10   | mov qword ptr [rsp+10],rsi
          00007FF644841706 | 57             | push rdi
          00007FF644841707 | 48:83EC 30     | sub rsp,30
          ...

      After being prompted "enter password.", the input routine at:

          00007FF644841400 | 48:8BC4        | mov rax,rsp
          00007FF644841403 | 57             | push rdi
          00007FF644841404 | 41:54          | push r12
          00007FF644841406 | 41:55          | push r13
          00007FF644841408 | 41:56          | push r14
          00007FF64484140A | 41:57          | push r15
          00007FF64484140C | 48:83EC 50     | sub rsp,50
          ...

      The pointer to the local buffer for receiving the input text is in rdx (for example, 000000359CC9FA58). When some test characters are entered, the stack looks like:

          000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00   "123456789012"
          000000359CC9FA68: 000000000000000C   input size
          000000359CC9FA70: 000000000000000F   buffer size

      Whereafter, the process logic is virtualized. First of all, the length of the input text gets checked in a vCmpqr handler:

          00007FF644898E0B | 49:39F0        | cmp r8,rsi   ; r8=000000000000000C (actual), rsi=000000000000000C (const)

      The length MUST be 12!, else you get "no!". NOTE: the encrypted password has no chance to get decrypted if the input length is wrong!

      The answer string is encrypted (0xC length):

          00007FF64484BCB0  8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00

      Decrypt algo:

          00007FF6448BF3A6 | 40:8A36        | mov sil,byte ptr [rsi]    rsi=00007FF64484BCB0, sil=8B
          00007FF6448D4125 | 44:30DB        | xor bl,r11b               bl=8B, r11b=08; ^=08 = 83
          00007FF64488E987 | 880A           | mov byte ptr [rdx],cl     [00007FF64484BCB0] <- 83
          00007FF64485748F | 8A09           | mov cl,byte ptr [rcx]     [00007FF64484BCB0] -> 83
          00007FF64485E6FA | 44:00D7        | add dil,r10b              dil=83, r10b=E4; +=E4 = 67 'g'
          00007FF64488E987 | 880A           | mov byte ptr [rdx],cl     [00007FF64484BCB0] <- 67
          00007FF64488DA96 | 49:FFC4        | inc r12                   ptr++
          00007FF644859691 | 41:FFC9        | dec r9d                   length--
          00007FF64488743C | 85C8           | test eax,ecx              end loop if length zero

      At the end of the loop, the plaintext:

          00007FF64484BCB0  67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00   gamer vision....

      The comparison:

          00007FF6448424E7 | FF25 330C0000  | jmp qword ptr [<&memcmp>]
          ret rax=00000000FFFFFFFF / 0000000000000000 (if matches)
          rcx=000000359CC9FA58 "123456789012"
          rdx=00007FF64484BCB0 "gamer vision"
          r8=000000000000000C

      Strings Encrypted Structure:

          BYTE  bEncrypt                 // 1 - encrypt, 0 - decrypt
          DWORD dwLength
          BYTE  UnDefined[0xC]
          BYTE  CipherText[dwLength+1]

      The related messages are as follows; you can find them in the VM section ".themida" after it got unpacked at the very beginning of the application.

          00007FF6448AC79F  01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00   decrypt algo: ^A0+4F
          00007FF6448AC7AF  00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F   "enter password.\n"
          00007FF6448AC7BF  1B 00

          00007FF64484BC9F  01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00   decrypt algo: ^08+E4
          00007FF64484BCAF  00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00         "gamer vision"

          00007FF644886C7F  01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00   decrypt algo: ^85+10
          00007FF644886C8F  00 EC D0 E6 94 7F 00                               "yes!\n"

          00007FF64489252F  01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00   decrypt algo: ^65+C9
          00007FF64489253F  00 C0 C3 3D 24 00                                  "no!\n"

          00007FF64484C40F  01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00   decrypt algo: ^12+C6
          00007FF64484C41F  00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48   "press enter to continue.\n"
          00007FF64484C42F  8F BB BA BC B1 BA BD 8D 7A 56 00
    1 point
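An added example (my code, not the answer's and not Themida's) that parses the record layout the answer reconstructs and applies the xor-then-add step seen in the handler trace. The two sample records are the bytes dumped in the answer with the per-string keys it lists (^08+E4 and ^A0+4F); that bEncrypt is a "still encrypted" flag to be cleared after decryption is my reading of the "1 - encrypt, 0 - decrypt" comment, and the truncation check is mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Record layout as reconstructed in the answer above:
 *   BYTE  bEncrypt;               1 = still encrypted, 0 = decrypted (assumed meaning)
 *   DWORD dwLength;               little-endian
 *   BYTE  UnDefined[0xC];
 *   BYTE  CipherText[dwLength+1]; NUL-terminated
 */
#define REC_HDR_LEN 17u

/* Decrypt one record in place: byte = (byte ^ xor_key) + add_key (mod 256),
 * the xor/add pair from the trace. The keys are per string and are not stored
 * in the record, so the caller supplies them. Copies the plaintext to 'out'
 * and returns its length, or -1 if the record does not fit its own length. */
int themida_str_decrypt(uint8_t *rec, size_t rec_size, uint8_t xor_key, uint8_t add_key,
                        char *out, size_t out_size)
{
    if (rec_size < REC_HDR_LEN + 1) return -1;
    uint32_t len = (uint32_t)rec[1] | ((uint32_t)rec[2] << 8) |
                   ((uint32_t)rec[3] << 16) | ((uint32_t)rec[4] << 24);
    /* ciphertext plus terminator must fit in both the record and 'out' */
    if (len > rec_size - REC_HDR_LEN - 1 || len + 1 > out_size) return -1;
    uint8_t *ct = rec + REC_HDR_LEN;
    if (rec[0] == 1) {
        for (uint32_t i = 0; i < len; i++)
            ct[i] = (uint8_t)((ct[i] ^ xor_key) + add_key);
        rec[0] = 0; /* assumed: clear the flag so a second pass is a no-op */
    }
    memcpy(out, ct, len);
    out[len] = '\0';
    return (int)len;
}

/* The two records from the dump in the answer (bytes copied from there). */
static const uint8_t REC_GAMER_VISION[] = {
    0x01, 0x0C,0x00,0x00,0x00,
    0x72,0x64,0x2E,0x0A,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x8B,0x75,0x81,0x89,0x86,0x34,0x9A,0x8D,0x87,0x8D,0x83,0x82,0x00 };
static const uint8_t REC_ENTER_PASSWORD[] = {
    0x01, 0x10,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00,0x80,0x21,0x00,0x40,0x01,0x00,0x00,0x00,
    0xB6,0xBF,0x85,0xB6,0x83,0x71,0x81,0xB2,0x84,0x84,0x88,0x80,0x83,0xB5,0x7F,0x1B,0x00 };

/* Decrypt a copy of one sample record (0 = "gamer vision" record with ^08+E4,
 * 1 = "enter password" record with ^A0+4F); returns the plaintext or NULL. */
const char *decrypt_sample(int which)
{
    static char out[64];
    uint8_t buf[64];
    const uint8_t *src = which ? REC_ENTER_PASSWORD : REC_GAMER_VISION;
    size_t n = which ? sizeof REC_ENTER_PASSWORD : sizeof REC_GAMER_VISION;
    uint8_t xk = which ? 0xA0 : 0x08;
    uint8_t ak = which ? 0x4F : 0xE4;
    memcpy(buf, src, n);
    return themida_str_decrypt(buf, n, xk, ak, out, sizeof out) < 0 ? NULL : out;
}

/* A record cut short must be refused, not read past its end: the header
 * claims 12 ciphertext bytes but only 3 are present. */
int rejects_truncated(void)
{
    char out[64];
    uint8_t buf[20];
    memcpy(buf, REC_GAMER_VISION, sizeof buf);
    return themida_str_decrypt(buf, sizeof buf, 0x08, 0xE4, out, sizeof out) == -1;
}
```

Running the "gamer vision" record through the routine reproduces the byte trace in the answer (8B ^ 08 = 83, 83 + E4 = 67 'g', and so on); the remaining three records in the dump decrypt the same way with their own key pairs.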
  23. I do not release the decoder but the code optimizer (not immediately), this is not specific to the oream vm, it is only far more effective than others. What do you say about angr or miasm or optimice or codedoctor ?? do we eliminate them all the tools for binary code analysis ?? I do not issue the decoder code because my hobby is a hobby and I do not want to give anybody a damn but reversing is sharing (I unfortunately belong to the old old reverser school). If I spoke good English I would probably share a lot more info and would not like others who just write for self-celebration. Do you know Scherzo or Softworm ?? I'm an old man who now deals with reversing and my only good luck is that the day they will all program in python or javascript I will not be there anymore..hahahahaha
    1 point
  24. a friend from kazakstan , he is expert offline html reader
    0 points