Jump to content
Tuts 4 You

Leaderboard


Popular Content

Showing content with the highest reputation since 12/08/2018 in all areas

  1. 10 points
    - version 4.0: 1- add RegexSearch form. 2- New GUI after replace DataGridView with RichTextBox to easy deal and fast coding. 3- edit CustomBuildStep to Auto copy files (AdvSconfig.txt , HelpAdvancedScript.txt). 4- add AutocompleteMenu.dll . 5- add copy AutocompleteMenu.dll to x64dbg root . 6- add AdvSconfig.txt for AutoComplete list for define Commands and variables. 7- update AutocompleteMenu.dll. 8- add comments_ to Variables class to add it next to the description of the variables when call them by Ctrl+j 9- call list var's by Ctrl+j 10- add ReFill_FunctionsAutoComplete_AtLoad. 11- highlight_system done for good look and analyze. 12- add autoCompleteFlexibleList to handle commands defined in AdvSconfig.txt. 13- add open Script from out side. 14- refresh by menu and F5 to refresh highlight_system. 15- add var of x64dbg system. note : by AdvSconfig.txt u can define the commands in AdvancedSecript . AdvancedScript_4.0.zip
  2. 7 points
    Answer The password is "gamer vision". All of the following addresses are based on the modulebase 0x00007FF644840000. The possible OEP at: 00007FF644841DF8 | 48:895C24 20 | mov qword ptr [rsp+20],rbx 00007FF644841DFD | 55 | push rbp 00007FF644841DFE | 48:8BEC | mov rbp,rsp 00007FF644841E01 | 48:83EC 20 | sub rsp,20 ... Then the second hit in code section at: 00007FF6448416FC | 48:895C24 08 | mov qword ptr [rsp+8],rbx 00007FF644841701 | 48:897424 10 | mov qword ptr [rsp+10],rsi 00007FF644841706 | 57 | push rdi 00007FF644841707 | 48:83EC 30 | sub rsp,30 ... After prompted "enter password.", the input routine at: 00007FF644841400 | 48:8BC4 | mov rax,rsp 00007FF644841403 | 57 | push rdi 00007FF644841404 | 41:54 | push r12 00007FF644841406 | 41:55 | push r13 00007FF644841408 | 41:56 | push r14 00007FF64484140A | 41:57 | push r15 00007FF64484140C | 48:83EC 50 | sub rsp,50 ... the pointer of local buffer for receiving input text is in rdx(for example, 000000359CC9FA58). When entered some test characters, stack looks like: 000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00 "123456789012" 000000359CC9FA68: 000000000000000C input size 000000359CC9FA70: 000000000000000F buffer size Whereafter, the process logic virtualized. First of all, the length of input text got checked in a vCmpqr handler: 00007FF644898E0B | 49:39F0 | cmp r8,rsi ; r8=000000000000000C(actual), rsi=000000000000000C(const) The length MUST be 12!, else got "no!". NOTE: the encrypt password has no chance to get decrypted if input length is wrong! The answer String is encrypted(0xC length): 00007FF64484BCB0 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00 decrypt algo: 00007FF6448BF3A6 | 40:8A36 | mov sil,byte ptr [rsi] rsi=00007FF64484BCB0, sil=8B 00007FF6448D4125 | 44:30DB | xor bl,r11b bl=8B, r11b=08; ^=08 = 83 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 83 00007FF64485748F | 8A09 | mov cl,byte ptr [rcx] [00007FF64484BCB0] -> 83 00007FF64485E6FA | 44:00D7 | add dil,r10b dil=83, r10b=E4; +=E4 = 67 'g' 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 67 00007FF64488DA96 | 49:FFC4 | inc r12 ptr++ 00007FF644859691 | 41:FFC9 | dec r9d length-- 00007FF64488743C | 85C8 | test eax,ecx end loop if length zero At the end of loop, the plaintext: 00007FF64484BCB0 67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00 gamer vision.... The comparison: 00007FF6448424E7 | FF25 330C0000 | jmp qword ptr [<&memcmp>] ret rax=00000000FFFFFFFF/0000000000000000(if matches) rcx=000000359CC9FA58 "123456789012" rdx=00007FF64484BCB0 "gamer vision" r8=000000000000000C Strings Encrypted Structure BYTE bEncrypt // 1 - encrypt, 0 - decrypt DWORD dwLength BYTE UnDefined[0xC] BYTE CipherText[dwLength+1] The related messages as followings, you can find them in the VM Section ".themida" after it got unpacked at the very beginning of the application. 00007FF6448AC79F 01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00 decrypt algo: ^A0+4F 00007FF6448AC7AF 00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F "enter password.\n" 00007FF6448AC7BF 1B 00 00007FF64484BC9F 01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00 decrypt algo: ^08+E4 00007FF64484BCAF 00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 "gamer vision" 00007FF644886C7F 01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00 decrypt algo: ^85+10 00007FF644886C8F 00 EC D0 E6 94 7F 00 "yes!\n" 00007FF64489252F 01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00 decrypt algo: ^65+C9 00007FF64489253F 00 C0 C3 3D 24 00 "no!\n" 00007FF64484C40F 01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00 decrypt algo: ^12+C6 00007FF64484C41F 00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48 "press enter to continue.\n" 00007FF64484C42F 8F BB BA BC B1 BA BD 8D 7A 56 00
  3. 7 points
    At least they made him look cute!
  4. 7 points
    Done! This has been added for your user group. I will see how this progresses. Obviously there is a possibility this could be abused by members however I currently trust persons in this group will use it appropriately. Done! You can now download PM's individually or bulk in HTML. The output HTML template is a bit crude. If you have some suggestions I'll contact the developer and propose the ideas with some of my own. Of the other suggestions proposed here I will reply to you all after I have thought them over and have appropriate time to reply accordingly. Thank you! Ted.
  5. 6 points
    Hey guys, After a long time I started writing on my blog again. https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-1 Best regards
  6. 5 points
    Challenge of Reverse Engineering - Rules and Guidelines All challenges will be reviewed and approved prior to them being made public. You must use and adhere to the above template (when submitting a challenge) and the template in the post below (when submitting an answer/solution). A challenge is regarded as being solved only when a successful solution has been posted containing a tutorial or a detailed explanation. Solutions posted without any information will remain hidden from public view until a tutorial or detailed explanation has been submitted. The challenge will continue to remain unsolved. Please allow up to 48 hours for challenges and solutions to be reviewed.
  7. 5 points
    Find it funny how the agitator creates the topic to try and bring attention to what he had to post later on Puny schemes. People just have lives; RE isn't going anywhere. Same as there's been one generation of smart, skilled and enthused people, others will follow. Circle of life. What I do find funny is how this "high-level programming" works even with big companies, such as Denuvo. I put quotes because same as Java relies on a ton of shit OTHER people wrote across time, which they now just import, similarly Denuvo relies on VMProtect to shield whatever crap they've got going on. Were it not for it, we'd have gotten ourselves the ol' time SecuROM/SafeDisc fiascos. I digress.. Congrats, ExoD And keep it up, love your work.
  8. 4 points
    And here is the fully deobfuscated file with strings decrypted i havent ran through de4dot since this will simplify your button click method to one messagebox.show Unpacked.exe
  9. 4 points
    Hey all! I recently came across this neat paper here: https://tel.archives-ouvertes.fr/tel-01623849/document where they used what they called "Mixed-Boolean Arithmetic" to obfuscate arithmetic expressions, and then showed ways to deobfuscate them. Looking a the deobfuscation methods, they seemed largely either pattern-based or wouldn't work when bigger numbers were involved. So I thought to myself, "How can I mess with this?" Well, first things first, they have no concrete method there for creating these expressions. There are two pages total dedicated to the creation of these expressions, so I had to get creative to make it work. They describe using numpy to solve the matrix equation created and using a hack-y method to circumvent not having a square matrix, but I thought that I could do a bit better... Enter two painstaking days of learning linear algebra and figuring out exactly what I needed to do. They start by computing the truth tables of some expressions, putting them into a matrix as columns, then solving for the vector that, when using the dot product on the vector and the matrix, returned zero. After that, they filtered out various "rewrite rules" from the matrix generated. You can read more about this in the paper, though there's not much to go off of. They use numpy's linalg.solve to do this, but that only works with square matrices and produced results with constants that were a tad small for my taste :^) After a bit of research I found a python module called cvxpy, designed to find values that satisfy an expression under certain constraints. Even cooler was that you could specify matrix equations and integer-only solutions, which is exactly what I needed. After tinkering with it for a bit, I was able to reliably create expressions like these (representing a xor b): -27540 * (~a & b) + 373574 * (~a ^ ~b) + -27541 * (a & ~b) + -27541 * (~a & b) + -11 * (a + b) + -30436 * (~a & ~b) + -30436 * (~a * ~b) + 137712 * (a * ~b) + -27544 * (~a) + 1 * (b) + 3 * (~a + ~b) + -221347 * (~a - ~b) + 13 * (a + b) + -2 * (a) + -30454 * (~a + ~b) + -30454 * (~a + ~b) + -3 * (b) + -30449 * (a | b) + -27546 * (~b) 3672455 * (~a * b) + -362611 * (a ^ b) + 78113 * (a) + -524636 * (~b) + -524636 * (a ^ ~b) + 78113 * (a) + -524636 * (~a | b) + -362611 * (a ^ b) + -959545 * (a | b) + -78113 * (a - b) + -959545 * (~a + ~b) + -524636 * (~a) + 142249 * (a + b) + -959544 * (~a + ~b) + 142249 * (a + b) + -524637 * (a - ~b) + -524637 * (~a) + -524637 * (a & ~b) + 3241246 * (~a ^ ~b) Using truth tables modulo 4 instead of modulo 2 I was also able to compute equivalencies for multiplication, which was pretty neato. However, using the same method of computing the truth table and finding an equivalent expression you can reverse this sort of operation. I'll leave that as an exercise to the reader. EDIT: As a friend of mine pointed out, this will work with any operation that can be reducible to boolean math (i.e. xor, addition, subtraction, multiplication), not just arithmetic operations.
  10. 4 points
    slugsnacks reversing series by c0lo: Link: https://kienmanowar.wordpress.com/slugsnacks-reversing-series-by-c0lo/slugsnacks-reversing-series-5/
  11. 4 points
    Hi, sorry I wasn't online for so long. I am still alive 🙂 but I had a HDD crash and lost almost everything including account information. Today I was able to recover some account information from a forgotten USB stick. At least the forum here + bitbucket/github account. So I may be able to work on the projects again 🙂
  12. 4 points
    @p4r4d0x: enough already! If you can't stop whining about exetools and techlord, please go away - as this behavior is not bringing anything useful to this forum. :@ @mrexodia: I wish you all the best in your new job. You're extremely skillful person and I'm sure you'll enjoy the challenges this line of work will bring. And remember to learn as much new stuff as possible!
  13. 3 points
    https://invidio.us/ src - https://github.com/omarroth/invidious
  14. 3 points
    https://github.com/DefCon42/op-mutation decided to release the source because it's a neat example of a practical application of linear algebra yes, i know the code does not look great and there's blatant violations of like every standard ever no, i won't change that :^) note: only works with relatively simple operations. add, sub, not, etc will work but higher order operators like multiplication and exponentiation will not
  15. 3 points
    Hi New Update with more features : https://github.com/Ahmadmansoor/AdvancedScript AdvancedScript version 4.3 https://github.com/Ahmadmansoor/AdvancedScript/releases * Add new commands and fix some bugs * fix error load of the Auto Commands when there is no ; * Fix AutoRun and stepson ( wait command to finish). * Fix color variable name. * Add ReadFile , Write2Mem , ReadMem * Add GoToByBase Form ( https://www.youtube.com/watch?v=gQxlbC8RnRg ) * Assigne variable directly no need to Setx Command. Sample : Varx str,memory // var will hold the hex value Varx int,rax_,0 // read rax value +1 Varx str,ourStr // read test string ReadMem $memory,{rax},5 $rax_={rax} +1 $rax_=ads.exebase ReadStr $ourStr,{rdx}
  16. 3 points
    That is most likely not your crackme. But what the hell.. Load it in IDA, decompile serial check and it will look like this: if ( ++idx >= 29 ) { if ( count_of_sevens == 1 && String[6] == '7' ) { v5 = (unsigned __int8)entered_key[0]; if ( entered_key[0] ) { LOBYTE(v5) = entered_key[4]; if ( v5 ) { LOBYTE(v5) = entered_key[8]; if ( v5 ) { LOBYTE(v5) = entered_key[12]; if ( v5 ) { LOBYTE(v5) = entered_key[16]; if ( v5 ) { LOBYTE(v5) = entered_key[21]; if ( v5 ) { part1 = getintfromkey(0, 4, 0); part2 = getintfromkey(0, 4, v6); part3 = getintfromkey(0, 4, v7); part4 = getintfromkey(0, 4, v8); part5 = getintfromkey(0, 5, v9); part6 = getintfromkey(0, 8, v10); v11 = part1 * (unsigned __int8)entered_key[7]; v12 = part1 * (unsigned __int8)entered_key[6]; v13 = part1 * (unsigned __int8)entered_key[4]; if ( v11 == part5 && v12 == part3 && !(part1 * (unsigned __int8)entered_key[5]) && v13 == part4 && 1000 * v13 + 10 * v12 + v11 == part6 ) { ...show good boy message... There are some checks for specific character values: * char 6 must be "7", there may not be any other "7" in the key; * char 5 must be "0"; * chars 4,8,12,16,21 may not be "0"; Key is split into in several parts: part1 = first 4 chars part3 = chars 8..11 part4 = chars12..15 part5 = chars16..20 part6 = chars21..28 Then it does some simple multiplication and checks the result. At this point you have 2 options: - make a tool that will randomly choose part1 and chars 4 and 7, do the multiplication to calculate parts 3, 4, 5, 6 and see if it passes all checks. - remember math lessons from school and figure out the only possible combination that will pass all checks. First one is much faster, second one will be .. challenging. Either way, you should arrive at the only possible solution: Well, in fact, there is infinite number of valid keys. You can append random characters to the key above, they are not checked..
  17. 3 points
    Download: https://github.com/horsicq/nfdx64dbg/releases Sources: https://github.com/horsicq/nfdx64dbg More Info: https://n10info.blogspot.com/2017/05/nfd-plugin-for-x64dbg.html
  18. 3 points
    I really, really disagree. Not all websites are valuable. And not all passwords should chosen to be secure. In fact, this was something I wanted to write about for a long time already, so here it goes: https://lifeinhex.com/my-password-is-password/ (shameless self-promo, I know! )
  19. 3 points
    https://github.com/LisaDziuba/Awesome-Design-Tools#no-code-tools bonus (free -> add to cart -> mailinator -> 498mb) - hxxps://fusionretrobooks.com/collections/pdf/products/the-story-of-the-commodore-amiga-in-pixels_pdf
  20. 3 points
    Used protector (I've forget to specify): https://www.52pojie.cn/thread-652274-1-1.html http://distro.crack.vc/index.php?dir=RceTools/Packers/ Finally made scripts and a tutorial on how to restore stolen bytes: https://forum.tuts4you.com/topic/41211-obsidium-olly-scripts/ BR.
  21. 3 points
    I have my own take on why this is, there are a number of different reasons. I only have to look at my own interests in RCE over the last few years to partly understand the reason. A full answer to this requires a topic of its own that I will save replying to in full for another day. A number of members now have to have their posts reviewed and approved before it is visible to everyone. I am hoping this will help to reduce things like this from going on in the future. This has been a bone of contention with other members too. I'll have to take in all the suggestions and issues raised and try to come up with workable solutions. One of the problems is reviewing the submissions, currently it is often taken on good faith that the difficulty and content is accurate. I also don't want to restrict too heavily which user groups can submit crackme's as new members have come and made okay entries in the past. You guys fortunately don't see just how many actually do end up getting trashed. Possibly I will have to split the sections up to filter out ConfuserEx trash or stop them altogether. I am open to further suggestions and ideas on this, if you have some keep firing them at me... Ted.
  22. 3 points
    Lets assume we have this code: test_proc proc VM_EAGLE_BLACK_START add rax, rcx add rax, rdx add rax, rsi add rax, rdi ret VM_EAGLE_BLACK_END test_proc endp So we have a single basicblock with multiple inputs: RAX, RCX, RDX, RSI, RDI and a single output: RAX. The protected version of that has about 10.000.000 instructions (Themida 2.4.6.0 demo). Lets run it through Unicorn and connect instructions via their sideeffects. While we are at it, lets assume we have an unlimited number of registers so we can remove memory indirections and connect instructions directly. Out of the initial 10mio instructions, how many contribute directly or indirectly to the output in RAX? About 300.000 (log_ins.txt). Thats a little better, but still too much. An instruction is considered constant when all its inputs are constant, because they are either literal constant values or they were produced by instructions that are constant themself. A memory read that wasnt written by ourself is also considered constant (it might be written by pre-OEP program, but this is irrelevant). Using this definition of constant, out of the 300k instructions that contribute to the result, how many instructions are constant and thus can be const-folded? A lot: themida.svg. This graph contains everything that contributes to the final value of RAX, but is not constant. The left number is a step number which corresponds to log_ins.txt, the right number is the result of the instruction. You can already kind of see the original program, but its still a bit obfuscated. You can also kind of see what Themida does most of the time: modifying values. Again and again. And every modification relies on thousands of instructions to produce the values that are used for the modification. And they manage somehow that everything depends on everything else, which is kind of impressive. It certainly makes it hard to identify opcode handlers or eliminate dead stores. Now the final question: can this graph be optimized? Yes. (I have created the IR program out of the initial 300k instructions without dropping the consts or any other optimization. LLVM's IR api does const folding itself, otherwise it would be the full 300k instructions) Using unicorn to extract the instructiondependencies obviously works only for basicblocks, it doesn't work for controlflows without additional work. But this is another topic. themida.svg, log_ins.txt and ir.ll are attached. tuts4you_themida.rar
  23. 3 points
    Good Luck @mrexodia but we are patiently waiting for the source leaks << Just kidding and check that private message I sent you long ago if you have a minute
  24. 3 points
    I've been reporting all the posts made here about all the nonsense going on there that they are trying to bleed into this site as well. Just ignore him as well mrexodia, it's not the real p4r4d0x. It's one of Tech's groupies, if not Tech himself, looking to stir drama up on this site as well. Congrats on the job, perhaps you can steer them into a better direction from being so anti-consumer.
  25. 2 points
    I am glad you have a workaround for this in the end. You may find suspending operation for around ~10 milliseconds after setting the cursor position and before simulating the mouse down input, using the Sleep function, adds a little bit more reliability and may not require you to add a second call to SetWindowPos. If you are concerned about accidentally activating a menu when simulating the mouse down you can calculate the centre of the windows titlebar or populate NONCLIENTMETRICS structure. Just be mindful there may be occasions where this may still occur particularly with owner drawn windows and Windows 10 apps. I still recommend the timer option... 😎 Ted.
  26. 2 points
    @Washi has finally made his writeups public: https://github.com/Washi1337/ctf-writeups/tree/master/FlareOn/2019/ Some of his solutions make me green with envy. Great job!
  27. 2 points
    I created this experimental project. I hope someone can be useful. any collaboration and improvement is welcome thank you https://github.com/Pigrecos/Triton4Delphi
  28. 2 points
    Hi, hmmm,long time ago already.Dont remember anymore about that.I just checked my codes and seen that I was using the PEB reading method like this... local STARTUP:STARTUPINFO local PI:PROCESS_INFORMATION local PIS:PROCESS_BASIC_INFORMATION local BASEADDRESS:DWORD invoke RtlZeroMemory,addr STARTUP,sizeof STARTUP invoke RtlZeroMemory,addr PI,sizeof PI invoke RtlZeroMemory,addr PIS,sizeof PIS mov STARTUP.STARTUPINFO.cb ,sizeof STARTUPINFO invoke CreateProcess,addr TARGETNAMEPATHBUF,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,addr STARTUP,addr PI .if eax == 0h ; fails ret .endif invoke NtQueryInformationProcess,PI.PROCESS_INFORMATION.hProcess,ProcessBasicInformation,addr PIS,sizeof PIS,NULL .if eax != 0h ; fails @@: invoke TerminateProcess,PI.PROCESS_INFORMATION.hProcess,0 .if eax != 1 ; fails .endif mov eax, 0h ret .endif mov esi,PIS.PROCESS_BASIC_INFORMATION.PebBaseAddress add esi,8 invoke ReadProcessMemory,PI.PROCESS_INFORMATION.hProcess,esi,addr BASEADDRESS,sizeof BASEADDRESS,NULL .if eax != 1 ; fails jmp @B .endif mov esi, BASEADDRESS greetz
  29. 2 points
    Read about LR_LOADTRANSPARENT flag for LoadImage. That's how it was done in the old days before alpha blending..
  30. 2 points
    Load icon Create a compatible bitmap same size as icon Use DrawIcon / DrawIconEx to draw the icon into the hdc's bitmap return the hBitmap and free any resources not required - dc's, icon (if not needed anymore) Use the SetMenuItemBitmaps Might need to include a few other steps but the basics outlined should convert the icon to a bitmap.
  31. 2 points
    login pass: steps to unpack: 1. removed anti tamper and some junk calls 2. cleaned cflow (Thanks to Tesla for cflow cleaning) 2. removed proxy calls 3. removed proxy calls again 4. converted x86 methods to IL 5. decrypted all constants 6. cleaned cflow again (Thanks to Tesla for cflow cleaning) 7. cleaned some small stuff with de4dot. UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe
  32. 2 points
    Best days of programming before all this Java and Android chaos
  33. 2 points
    Here is the hotfix for anyone who wants to install without turning on Data Collection and Use... hotfix-update-xpi-intermediate@mozilla.com-1.0.2-signed.xpi
  34. 2 points
    I knocked up a quick example, you could do something similar to this... Declare.i WinProc(hWnd, Msg, wParam, lParam) Declare.i SetMenuItemBold(MenuNum) Global hMenu If OpenWindow(0, 0, 0, 250, 100,"Right click in the window...", #PB_Window_SystemMenu | #PB_Window_ScreenCentered) If SetWindowCallback(@WinProc()) hMenu = CreatePopupMenu(0) If hMenu ; Create a text array for the menu item text. Global Dim menutext.s(4) menutext(0) = " MenuItem 0" menutext(1) = " MenuItem 1" menutext(2) = " MenuItem 2" menutext(3) = " End" ; Create the menu items and point to the array containing the text. MenuItem(0, menutext(0)) MenuItem(1, menutext(1)) MenuItem(2, menutext(2)) MenuItem(3, menutext(3)) ; Set menu items to #MFT_OWNERDRAW For a = 0 To 3 With tag.MENUITEMINFO \cbSize = SizeOf(MENUITEMINFO) \fMask = #MIIM_TYPE \fType = #MFT_OWNERDRAW \dwTypeData = @menutext(a) SetMenuItemInfo_(hMenu, a, #True, @tag) EndWith Next EndIf ; PureBasic window event loop. Repeat Event = WaitWindowEvent() Select Event Case #PB_Event_RightClick DisplayPopupMenu(0, WindowID(0)) ; When a menu item is clicked on set it to bold. Case #PB_Event_Menu Select EventMenu() Case 0 : SetMenuItemBold(EventMenu()) Case 1 : SetMenuItemBold(EventMenu()) Case 2 : SetMenuItemBold(EventMenu()) Case 3 : End EndSelect EndSelect Until Event = #PB_Event_CloseWindow EndIf EndIf Procedure.i WinProc(hWnd, Msg, wParam, lParam) Static hbrush Select Msg Case #WM_DESTROY ; Delete created objects once the window is destroyed. DeleteObject_(hbrush) Case #WM_MEASUREITEM ; lParam - Pointer to a MEASUREITEMSTRUCT structure that contains the dimensions of the owner-drawn control or menu item. *lpm.MEASUREITEMSTRUCT = lParam ; Define the width and height for the menu item to be created. *lpm\itemWidth = 200 *lpm\itemHeight = 30 Case #WM_DRAWITEM: ; lParam - Pointer to a DRAWITEMSTRUCT structure containing information about the item to be drawn and the type of drawing required. *lpd.DRAWITEMSTRUCT = lParam ; If a menu item is selected, use #COLOR_MENUHILIGHT. If *lpd\itemState & #ODS_SELECTED hbrush = CreateSolidBrush_(GetSysColor_(#COLOR_MENUHILIGHT)) SelectObject_(*lpd\hDC, hbrush) EndIf ; Set the background mix mode of the specified device context to #TRANSPARENT. ; This sets the text background to #TRANSPARENT (otherwise its background will be filled a different colour from that of the menu). SetBkMode_(*lpd\hDC, #TRANSPARENT) ; Set the device context boundary pen colour, the null pen draws nothing. SelectObject_(*lpd\hDC, GetStockObject_(#NULL_PEN)) ; A rectangle that defines the boundaries of the control to be drawn. ; When drawing menu items, the owner window must not draw outside the boundaries of the rectangle defined by the rcItem member. Rectangle_(*lpd\hDC, *lpd\rcItem\left, *lpd\rcItem\top, *lpd\rcItem\right, *lpd\rcItem\bottom) If menutext(*lpd\itemID) = menutext(1) SetTextColor_(*lpd\hDC, #Green) DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #Null) ElseIf menutext(*lpd\itemID) = menutext(2) ; Calculate the length of the menu item text. DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #DT_CALCRECT) ; Set the menu item text colour and then draw it. SetTextColor_(*lpd\hDC, #Blue) DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #Null) ; Save the old right co-ordinate so we can offset the additional menu item text. oldRight = *lpd\rcItem\right ; Calculate the length of the additional menu item text. DrawText_(*lpd\hDC, " Tuts4You", -1, @*lpd\rcItem, #DT_CALCRECT) ; Calculate the offset to add the new text in the menu. *lpd\rcItem\left = oldRight *lpd\rcItem\right + oldRight ; Set the menu item text colour and then draw it. SetTextColor_(*lpd\hDC, #Red) DrawText_(*lpd\hDC, " Tuts4You", -1, @*lpd\rcItem, #Null) Else DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #Null) EndIf EndSelect ProcedureReturn #PB_ProcessPureBasicEvents EndProcedure Procedure SetMenuItemBold(hMenuNumSel) bold.MENUITEMINFO bold\cbSize = SizeOf(bold) bold\fMask = #MIIM_STATE bold\fState = #MFS_DEFAULT SetMenuItemInfo_(hMenu, hMenuNumSel, #True, bold) EndProcedure Ted. Coloured Menu Item.exe
  35. 2 points
    Check Ted's answer again: So if you want colors (any at all) or mix normal/bold then you will need to draw the items yourself using the GDI api SetTextColor and TextOut and those functions after responding to the draw item event by setting the owner draw flag.
  36. 2 points
    I use something like this if I want to make a menu item bold... bold.MENUITEMINFO bold\cbSize = SizeOf(bold) bold\fMask = #MIIM_STATE bold\fState = #MFS_DEFAULT SetMenuItemInfo_(MenuID(0), 2, #True, bold) ;"2" is the MenuItem to be made bold https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-setmenuiteminfow https://docs.microsoft.com/en-au/windows/desktop/api/winuser/ns-winuser-tagmenuiteminfoa Ted.
  37. 2 points
    9.0.2 released with the source which notes can be found on their site: https://ghidra-sre.org/releaseNotes.html With the source, they did include the decompiler's source code which some were concerned with being released. It's there and is coded in C/C++ so there is potential for things to get better as time goes on with community help/support. Would love to see it become on par with IDA's and better in the long run. Given how Ghidra is setup too, if it does start to become on par/better of a decompiler someone could essentially turn it into an IDA plugin if they wanted.
  38. 2 points
    https://github.com/Pigrecos/Z34Delphi My new repository for using Z3 in delphi(porting z3 c api to delphi). I tried and there were no tools for symbolic execution in delphi
  39. 2 points
    I see that Teddy has already implemented certain changes in "Crackmes" section. One small request to consider - since all solutions will be moderated and hidden by default, it would be nice to see something like "Post by XYZ is awaiting moderation" or at least "X posts are awaiting moderation". Reason for the request - it's no fun to reinvent the wheel and solve a crackme that's already been solved. So, if I see that someone-I-know-as-a-good-reverser has already posted a solution that is awaiting moderation, I'll probably spend my time on something else. Other thing - what will happen to comments like "Crackme is not working on Windows 7" and similar? Will they go through moderation queue as well?
  40. 2 points
    Going to leave some suggestions for going into 2019. Will break this into a few posts to make it easier to read/respond to if people want to discuss it. Challenge Section Issues One of the main sections that sees traffic still on this forum is the challenge sections. However, that isn't to say there aren't issues with these sections and the rules that are attached to them. Over the last few years, these sections have undergone some changes, focusing on bettering them but it feels like while the changes were made, they weren't enforced or continued with. These sections have degraded a lot over the last few years for a few reasons, in my opinion. Lack of Real Solutions - One of the biggest issues we still see is a lack of solutions. This became a big enough issue that newer rules and reorganization was done last year to try and help with it, but I feel we are just slipping right back to where we started with that. People post more for their ego and less for the community. Solutions are supposed to include details or a tutorial in how the solution was figured out but instead, that is back to not happening or is extremely lacking in actual info. People just post "unpacked manually" type posts that explain nothing with a solution and that is being accepted which is not what the rules say is a valid solution. Lack of Discussions - Another huge issue is that there is no encouragement to talk and discuss the challenge. Instead, it is actually quite the opposite. Newer members that have questions or request for a tutorial on how a solution was obtained are generally responded to with insults or some other ego-driven response belittling the person asking for help. So many new members land up leaving this forum because there is no real community anymore. Questions are met with ego-driven responses, requests for tutorials/solutions are met with "figure it out yourself" type responses, any type of attempt to learn is seen as leeching anymore. There are a few public and semi-public forums that focus on reverse engineering similar to this site that have grown a lot in the last few years because of how toxic this site has become. Challenge Types/Restrictions - While this isn't something that is at the fault of the staff, there is an issue with the constant reposting of ConfuserEx challenges that make up the majority of whats posted lately. I think we should start enforcing some type of system or rule that limits posting a new challenge that is nothing more than a minor-altered version of ConfuserEx. These are most commonly posted by new members with little to no posts. So also perhaps adding a post limit before being allowed to create a challenge. Along with that, ensuring in some manner that the user has read the rules. (I'm sure there is a forum plugin to force people to read the rules page or at least force it to load and they have to click OK or similar.) In nearly all the reposts of ConfuserEx, it's generally the same thing where people alter the name, edit 1-2 hardcoded values that do nothing, and in return the challenge is still fully unpackable by automated tools. Challenge Rankings - As kao pointed out, having the submitter of the challenge be the one that rates the difficulty is a bit of a skewed value. Most of these new posters always rate their protection 10/10 when they edit two lines in ConfuserEx and upload a sample. Most of these people posting these things are not even able to unpack it themselves, let alone unpack even basic things like UPX. There is really no reason to have the person posting the challenge be required to include a rank. Instead, this should be optional and a suggestion. The people solving the challenge should give a rating instead. Along with this, I think we should, as a community, create a guideline on how to rank a challenge. Be it a 1 to 10 type system or something else, I think there should be some kind of guideline as to what the value means so that others can look at a challenge, see a number and understand that it could be something they are interested in. A challenge that I personally feel is 2/10 may be an 8/10 to someone else that's new, or similar. Instead, perhaps ranking the numbers in terms of what's involved and if automation works/is available for parts of it. For example: 1/10 = An automated solution exists that works for this challenge. (ie. Running upx's unpack switch from the command line, de4dot works entirely, the ConfuserEx tools work, etc.) 2/10 = Automated solutions work but some minor manual work is required. 3/10 = Automated solutions may/may not work. Manual work is required, seen as basic/entry level understanding. 4/10 = Automated solutions may/may not work. Manual work is required, seen as higher than basic but still easy. ... 10/10 = Automated solutions do not exist. Manual work is required. Includes VMs and other difficult processing. and so on. This is something that could help let users gauge things easier. This could also be used to allow the poster of the challenge to better gauge their challenge.
  41. 2 points
    1. String: Crawling in my skin These wounds they will not heal Fear is how I fall Confusing what is real ... 2. String I'll take everything from the inside and throw it all away Cuz I swear for the last time I won t trust myself with you Everything from the inside and just throw it all away Cuz I swear for the last time I won't trust myself with you Source code of "Launcher": I hate XAML and BAML and these things, i had problems with extracting the form, so i will give there only .exe https://mega.nz/#!X1t3AACL!AtGVdCnQ_acasocB_ytRTywAbeISsQQM3NgvVVL02SY
  42. 2 points
    I use a Pintool to run the executable to OEP, then dump all modules and heap memory to file. Then I load everything into Unicorn and jump to the protected function. In UC_HOOK_CODE handler, I then inspect the current instruction and create/connect corresponding nodes. When the protected function returns, I'll grab the node(s) that wrote RAX last (or any other register) and walk backwards to generate dotgraph or IR. Theres a bunch of different node implementations, each one knows how to generate itself as IR and tries to const-evaluate itself (given its inputs are const themself). I prefer Unicorn because its so much easier to debug than a Pintool. My tool needs about 35seconds to run the protected function from above and generate opimized IR.
  43. 1 point
    No, thanks. Compared to Themida v2, the themida v3 does not have a great improvement over the VMs. There are two types of VMs in this UnPackMe, Dolphin and Tiger.
  44. 1 point
    Code like this. You can copy dlls in OpenFileDialog. If you can't copy dlls (maybe anti dump?), you can use the code like "File.WriteAllBytes(@"I:\Downloads\Yes.dll2", File.ReadAllBytes(@"I:\Downloads\Yes.dll"));". ILProtector detects the first few bytes of the compiled machine code. You can fake it.
  45. 1 point
    nice to see you here XenocodeRCE nice trick for dump .net module (it work, Thank) and i use code virtualization on key check algorithms, maybe debugging is an extremely hard task i'm waiting for someone's can get correct key or crack this app for accept every key
  46. 1 point
    You have to reverse engineer how and from what the file checksum is calculated, and then fix the checksum in your exploit-file, yes. If you are lucky and need just the one checksum, you can try to find where it compares the invalid checksum with the one it expects, and just replace the checksum in your file with that.
  47. 1 point
    Native layer seems to be protected by Enigma. .NET looks like ILProtector!
  48. 1 point
    My guess would be deep inside the protector...
  49. 1 point
    Just used public tools to get everything. Lazy2Clean.exe
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
×
×
  • Create New...