Tuts 4 You

Leaderboard


Popular Content

Showing content with the highest reputation since 05/23/2018 in all areas

  1. 15 points
    Hi guys, I am a fan of the FFmpeg CLI tool but it's always hard to remember all the command-line arguments if I haven't used it for a longer while and I can't find my notes about it (as always). Now I thought it would be a good idea to code a GUI tool where I can use FFmpeg and store all the command-line argument combinations I want into it, to call and execute them quickly. I know there are already a few GUI tools out there for FFmpeg but they have some limitations and/or are not to my taste. As you know I always have a special taste and want to combine everything together in the best case. Now after a few months I am done with a first version and want to also share it with you guys.

    First Steps
    --------------------------------------------
    Start the app and enter your FFmpeg path. If you don't have it then download a static build from FFmpeg.org or ffmpeg.zeranoe.com/builds/
    Next you should have the VLC player installed (2.2.6 in my case).

    How it works?
    --------------------------------------------
    So the app has 2 different GUIs. The main GUI you can use for media editing, converting etc., everything you can do with FFmpeg command-line arguments. The second GUI I made specially for quick handling of streams, to play and download them, plus more features which could be important.
    Features: Main GUI
    --------------------------------------------
    - Quick analysis of files after drag & drop into the app and showing the info in it
    - Full analysis of file by MediaInfo or FFmpeg itself
    - Preview image of video files & quick playing by your video player
    - Three different command-line edit controls in the main GUI to execute with FFmpeg
    - Quick Mux / DeMux function to extract / add / change streams without re-encoding, in Concat or Input mode
    - Window to see all FFmpeg traffic
    - Storage listview to manage your command lines and infos (add / delete / send / play / record / search)
    - NoFile (you can use FFmpeg like in a normal CMD window)

    Features: Quicky GUI
    --------------------------------------------
    - Store and choose different URLs by menu
    - Store and choose different command-line args by menu
    - Store and choose different pre command-line args by menu
    - Store and choose different names by menu (will be used to save into file and to show in VLC)
    - Play, Download, Edit, Search functions etc.
    - Store names and URLs into an extra listview
    - Store and call up to three custom request headers
    - Different choosable request methods, user agents and optional headers
    - URL checking (with or without SSL)
    - Reading page sources
    - Finding URL extensions
    - Response Header
    - Switch View (CRLF)
    - JSON Viewer
    - URL Decoder
    - OnTop On/Off

    I also created a video with some examples of how to use my app, but the video was getting a little big at 50 MB, so I am sorry for that. Inside you can also find some text files with infos. If something doesn't work or if I forgot to explain some feature or anything else, then just post a reply in this topic. Have fun and till later.

    PS: I also want to send some extra special thanks to our member fearless who always helped me a lot (without getting crazy - I think so..) with all the coding questions I had. Thank you.

    Merry Christmas and greetz

    FFmpeg Quicky 1.0.rar
  2. 14 points
    Hi! This is my first post on tuts4you, I hope that this is the right section; if not, please delete this post! Ok so... A few months ago I made public my internal project called REDasm on GitHub. Basically it's a cross-platform disassembler with an interactive listing (but it's still far off, if compared to IDA's one) and it can be extended with its API in order to support new formats, assemblers and analyzers.

    Currently it supports:
    - Portable Executable: VB5/6 decompilation. It can detect Delphi executables, a decompiler is WIP. .NET support is WIP. Debug symbols are displayed, if available.
    - ELF executables: Debug symbols are displayed, if available.
    - DEX executables: Debug symbols are displayed, if available.
    - x86 and x86_64 are supported.
    - MIPS is supported and partially emulated.
    - ARM support is implemented but still WIP.
    - Dalvik assembler is supported.

    Most common assemblers are implemented by using the Capstone library; the Dalvik assembler is written manually and even the upcoming MSIL/CIL assembler will be implemented manually. The entire project is written in C++ and its UI is implemented with Qt5. Internally, the disassembler is separated in two parts: LibREDasm and UI. LibREDasm doesn't contain any UI related dependencies, it's just pure C++; one day I will split it in two separate projects.

    Some links with source code, nightlies and wiki:
    Source Code: https://github.com/REDasmOrg/REDasm
    Nightly Builds (for Windows and Linux): https://github.com/REDasmOrg/REDasm-Builds
    Wiki: https://github.com/REDasmOrg/REDasm/wiki

    And some screenshots:
  3. 13 points
    Hi, I made a tool that interprets a vmp rsi-stream, it records the handlers (or vm instructions) and connects them via their data dependencies. This is what a JCC looks like: The edges in this graph represent data dependencies. Sequences of nodes with one input and one output are collapsed into blocks. Green nodes are constant nodes. They do not depend on external values (such as CPU registers), unlike red nodes. The hex number left of a node is a step number, the right number is its result. Only const nodes (green) can have a result. The graph contains all nodes that directly or indirectly contribute to the lower right "loadcc" instruction. CMP/JCC in VMP works by executing an obfuscated version of the original CMP which also results in either zero or one. VMP then pushes 2 addresses to its stack (step 121f and 1209) and computes an address that points to either one, depending on the zero/one result of the corresponding CMP (step 1265). It then simply loads from that computed address and uses its value for a JMP. The load that loads either address is represented by the "loadcc" node in the graph. Even though all puzzle pieces are here, it is still hard to figure out what the original CMP was, but luckily we have LLVM and luckily it isn't hard to lower the graph to LLVM IR: Godbolt. Left is the graph as LLVM IR, middle is the output of the optimizer, right is the optimized LLVM IR lowered to x64. The attachment contains the original x64 input, the complete vmp program as LLVM (not just the loadcc part), the optimized x64 (-O3) and an unoptimized version (-O0). The unopt version is interesting because it shows what vmp looks like after removing the junk but still leaving the handlers intact (RSI access is removed, RBP-stack is pre-baked to make it easier for the optimizer passes). I thought it was pretty impressive how LLVM's optimizer plows through the crap and produces such a beautiful result. That is all. Thanks for reading. testproc.zip
  4. 9 points
    It's a really nice challenge, thank you! Pseudo-solution: Step 1: make type/function/variable names readable. De4dot to the rescue. Step 2: get some idea how the VM works. In this case, we have P-Code stored in a MemoryStream and stream.Position tells us which instruction we're currently executing (aka. EIP). Step 3: put some smart breakpoints and trace execution of the VM. We're looking for good boy/bad boy jumps, so focus on changes in stream.Position. I put a breakpoint in UnmanagedMemoryStream.Seek. Step 4: look at the log data and identify the good boy/bad boy jump. In my case, the logged data with some comments looked like this. So, we need to trace a few instructions starting from EIP=16F4. Turns out that the comparison instruction is at EIP=172B and the good boy jump is at EIP=173D. Step 5: patch P-Code or VM engine. I decided to patch P-Code directly, as integrity checks for the P-Code were not enabled. I changed the comparison instruction to compare 2 identical values, so the check always succeeds and the good boy jump is always taken. Mission accomplished. EDIT: attached file should not be in the middle of a sentence. Out-patched-by-kao.zip
  5. 8 points
    Hello All 😁 This is my first post in Tuts 4 You, hope it won't be the last 😅 Cmulator is an (x86 - x64) scriptable reverse engineering sandbox emulator for shellcode and PE binaries, based on Unicorn & Capstone Engine & JavaScript. https://github.com/Coldzer0/Cmulator This is a work of 3 months, and development is active; the project is fully written in FreePascal 😎 I'm planning to port the project to "C" so it lasts longer (so we get more contributors). Hope you find it useful
  6. 8 points
  7. 7 points
    Just a try to add more features to the x64dbg script system.

    History Section:
    - version 2.0:
      1- All numbers are hex numbers.
      2- More nesting in arguments.
      3- Build a bridge to make the plugin system compatible with the x64dbg script system.
      4- Create parallel functions to x64dbg functions, like (cmp >> cmpx).
      5- Rename to new names (Varx Getx Setx) and fix array index entry.
      6- Add VarxClear (clear all variables to help the user in tests), memdump with print style.
    - version 1.6:
      1- Add Parser system to recognize arguments.
      2- Begin building the Script system.
      3- Add more Helper Functions.
    - version 1.4:
      1- Make StrCompx in a separate thread and add sleep time to wait for x64dbg to finish processing.
      2- Fix Hex2duint function: add length check in case it is less than 2.
    - version 1.3:
      1- Add another argument to cbLogxJustAtBP for printing on LogxWindow.
      2- Now it accepts bool arguments like this (true/false - on/off - 1/0).
      3- Add StrComp_BP function to compare a string in memory at BP.
      4- Compiled x32.

    Source Code: https://github.com/Ahmadmansoor/AdvancedScript
    If you find it useful please let me know, and if you want to add more features please leave a comment. Supports both x86 and x64.
    BR
    AdvancedScript.v2.0.rar
  8. 7 points
    Done! This has been added for your user group. I will see how this progresses. Obviously there is a possibility this could be abused by members, however I currently trust persons in this group will use it appropriately. Done! You can now download PMs individually or in bulk as HTML. The output HTML template is a bit crude. If you have some suggestions I'll contact the developer and propose the ideas with some of my own. Of the other suggestions proposed here I will reply to you all after I have thought them over and have appropriate time to reply accordingly. Thank you! Ted.
  9. 6 points
    Strings plugin for x64dbg. Download: https://github.com/horsicq/stringsx64dbg/releases Sources: https://github.com/horsicq/stringsx64dbg/ More Info: http://n10info.blogspot.com/2019/03/strings-plugin-for-x64dbg.html
  10. 6 points
    Everyone can see the code because Cawk's ConfuserEx unpacker works just fine.
  11. 6 points
    For unpacking:
    1) cawk unpacker
    2) dump after decryption
    3) fix EP
    4) Proxy call fixer by Davicore
    5) Strings decryptor by CC
    6) Switch killer by CC
    7) Dump resources (empty)
    8) Clean cctor and <module> methods
    (maybe 4, 5 and 6 can be replaced by cawk unpacker again)
    I will check the key algo tomorrow, don't have time now.
    a29p-EP-anti2_noproxy_stringdec-cleaned_deobfuscated-res2-cctor-module.exe
    --------------------------------------------------------
    Username = "Usuario"
    Code = "161308"

    int length = username.Length;
    int num2 = length + 2 - 4 + 40 + 10;
    return Convert.ToString(419 * num2 * length - length);
    ---------------------------------------------------
    EDIT2: I have received a few PMs asking how to fix EP, so I will post the videos I used as reference here. Following these 2 videos you should be able to unpack ConfuserEx fully.
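    A keygen for the check quoted in the post above, as an added example (Python, not the poster's code and not the target's own implementation): it re-implements the three decompiled lines verbatim, and the "Usuario" / "161308" pair used to sanity-check it is the one the post gives.

```python
# Added example: keygen reproducing the decompiled serial check from the post.
# The only data taken from the post is the formula and the sample pair.


def keygen(username: str) -> str:
    """Return the code the target accepts for `username`."""
    length = len(username)
    num2 = length + 2 - 4 + 40 + 10   # the compiler folds this to length + 48
    return str(419 * num2 * length - length)


def check(username: str, code: str) -> bool:
    """The target's own comparison: a string compare against keygen output."""
    return code == keygen(username)


if __name__ == "__main__":
    import sys

    name = sys.argv[1] if len(sys.argv) > 1 else "Usuario"
    print(name, "->", keygen(name))
```

    Note that the formula only looks at the length of the name, so every seven-character username gets "161308"; the check rejects nothing but the length.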
  12. 6 points
    The FireEye Labs Advanced Reverse Engineering (FLARE) team’s annual reverse engineering challenge will start at 8:00 p.m. ET on Aug. 24, 2018. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security professionals. So dust off your disassembler, put a new coat of oil on your old debugger, and get your favorite chat client ready to futilely beg your friends for help. Once again, this contest is designed for individuals, not teams, and it is a single track of challenges. The contest runs for six full weeks and ends at 8:00 p.m. ET on Oct. 5, 2018. This year’s contest will once again host a total of 12 challenges covering architectures from x86, x64 on Windows, Java, .NET, Webassembly, and Linux, with special appearances of Bootloaders and Bootkits. This is one of the only Windows-centric CTF challenges out there and we have crafted it to represent the skills and challenges of our workload on the FLARE team. If you complete the Flare-On Challenge you will receive a prize and permanent recognition on the flare-on.com website for your accomplishment. Prize details will be revealed when the contest ends, but as always, it will be something that will be coveted and envied by your peers. In prior years we’ve had rodeo belt buckles, replica police badges, challenge coins, and a huge pin. Check out the Flare-On website for a live countdown timer and to see the previous year’s winners. For official news and support we will be using the Twitter hashtag: #flareon5. 9 days left, better brush up your skills and make sure your tools are in good order! Official site: http://www.flare-on.com/
  13. 6 points
    Yes, it's still active: I'm working on version 2.0 on the "next" branch, GitHub doesn't show branch activities. I posted a video preview on Twitter a few days ago which shows the upgraded engine in action along with the brand new disassembly widget. NOTE: Some parts of the UI are still disabled in that video, I have attached a screenshot with the latest enhancements here (the UI is still ugly, I'm planning to clean it up a bit).
  14. 6 points
    Hello. Who the heck designed the new security requirements as far as passwords for this forum? It's absolutely insane. This time I submit a fully devirtualized version of the aforementioned crackme for the 64 bit version of VMP. Of course, I didn't work on this entirely by myself, it was more like a joint project with other reversers that are no strangers to this forum. Because we all had the same interests (code deobfuscation/VMs devirtualization/Unpacking) we decided to create our own group, where we essentially reverse some well known protectors for PE files. Current group members: @fvrmatteo @SmilingWolf @mrexodia @xSRTsect @Raham @root @Downpour People involved in the coding of the 64 bit VMP devirtualization tool: @fvrmatteo, @SmilingWolf, @mrexodia, @xSRTsect. The tools will never be released. There is a tiny chance that an outsider can join our group IFF you have pwned an interesting protector and you are willing to share your insight with our group or you are willing to impress us with some mad unpacking / deobfuscation skills. Best Regards, The European Reversers Alliance. Edit: Added gay @ symbols to the nicknames (some people really wanted that). And added a more gay version of the devirtualized binary which is essentially the same but with the devirtualized functions linked statically. devirtualized.rar inlined_version_ERA.7z
  15. 5 points
    Hi there, With a few guys we made a zoo dedicated to malware targeting ATM platforms; as far as I know nobody has made a similar public project, so voilà. You will find here malware that specifically targets ATMs, and reports (notices) about them. Files of interest got harvested from kernelmode.info, but also VirusTotal and various other services and people interested in the project. I'm using binGraph, pedump, Python, bintext for the engine on reports. Some samples exist in 'duplicate' on the wall (we also provide unpacks for a few files); if that is the case, it's mentioned on the report. We have hashes that are without references (I mean not associated with a white paper or something); those files are regrouped on the statistics page. We tried to make the stats page interesting enough for everyone to have fun exploring the zoo from the stats. We have IoCs that others seem not to have, e.g. the Kaspersky report about WinPot, which also led to funny reactions from people selling it; no worry, everyone has it now. We also have a page that includes some YARA rules for detecting some of these malwares, and a page with goodies, voilà! Everything provided in old skool style, intro also available! CyberCrime quality http://atm.cybercrime-tracker.net/ Feedback welcome, enjoy the ride! 💳🏧
  16. 5 points
    Language : .NET Platform : .NET/Mono OS Version : All Packer / Protector : Custom Description : This is something I've stopped working on over the last few months, but if someone's interested in taking up the project with me I'll gladly accept. The original password is hashed to prevent string equality hooking, so the goal here is just to make it respond correctly. Cracking : If you do crack this, please post in the thread (or DM me) about how you did it. It doesn't have to be step-by-step; a simple "after doing X all you need to do is Y" is fine. If you have any suggestions for additional obfuscation, please include those as well. Any method is acceptable (besides printing the correct string yourself):^) Screenshots are attached. Out.exe
  17. 5 points
    Anti Debugging Protection Techniques With Examples: https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software
  18. 5 points
    Challenge of Reverse Engineering - Rules and Guidelines All challenges will be reviewed and approved prior to them being made public. You must use and adhere to the above template (when submitting a challenge) and the template in the post below (when submitting an answer/solution). A challenge is regarded as being solved only when a successful solution has been posted containing a tutorial or a detailed explanation. Solutions posted without any information will remain hidden from public view until a tutorial or detailed explanation has been submitted. The challenge will continue to remain unsolved. Please allow up to 48 hours for challenges and solutions to be reviewed.
  19. 5 points
    Unpacked Use any long key to pass checks. GetMe_unp.zip
  20. 5 points
    It is indeed true that I work for Denuvo and this is public information you can see on my LinkedIn profile. We use x64dbg at work and I have made sure that there is no conflict of interest in that regard. I keep working on features I need like always. However I would like to say that those "rumors" don't exist and my employer has no influence on what I do or say online. If you feel like you have some questions related to those "rumors" @p4r4d0x (or anybody else) you can ask those things to me directly instead of going deep into conspiracies that you hear from "senior reversers". With regards to breaking communities, there is absolutely zero benefit like @Progman noted. The reversing community as a whole has been going downhill in my opinion for years now and if anything we need more people sharing information online, not less. @Kurapica I will keep sharing my tools and knowledge as always. Nowadays I'm more active on GitHub and Stack Exchange than these (and other) forums, but I'm sure you can appreciate how your available time changes if you start your first full time job 😀 Also only a few people seem to write my nickname as I like it nowadays: "mrexodia", which is surprising
  21. 5 points
    Reverse-Engineering WebAssembly binaries: https://www.forcepoint.com/blog/security-labs/analyzing-webassembly-binaries Best Regards, Evilcry
  22. 5 points

    Version 1.0.0

    29 downloads

    hotkeys:
    m: play/stop music
    f1: switch fullscreen/windowed
    f3: nfo reader
    elite: hidden part
    esc: quit
  23. 5 points
    It's official - I finished as #4 this year! Subjectively - first challenges are a bit harder than last year, probably due to the exotic targets (wasm, webinjects, etc..). All in all, I enjoyed it immensely!
  24. 5 points
    Does anyone even really care about the stupid 'scene rules' anymore? Who cares what some elitists want to state is required for something. If they can make the game run anywhere with or without Denuvo fully removed, that is what the players want. None of them care about the scene or what is still left in the exe as long as it works and plays.
  25. 5 points
    - Intel x86 / x64 opcode reference manuals (I think you can download them in PDF form on their site somewhere)
    - then writing some apps in asm to get a grip on MASM etc., or in C, and then debugging them to see how things work
    - then Lena's tuts (I've never used them though; I taught myself a long time ago, where I'd download the opcode refs and study them offline (an internet connection was a rarity at the time for me))
    - pencil (to undo mistakes) and paper, to make notes, and lots of them
    - tools like Hiew, IDA (never really liked IDA too much as I thought it was slow), Olly, x64dbg etc. etc.
    - and referencing sites like this one, the MASM32 site, Woodmann and some others
    - time and patience, and doing some homework before asking for help / pointers (I usually won't help people who want to get everything spoonfed to them or ask for videos etc. or think they're somehow entitled)
  26. 5 points
    @unavailable: Don't give up! Success comes by perseverance!! Cracking is a long process. I lost my interest in cracking programs, but I will still make some RE tools and try to help people the way I can.
  27. 5 points
    Hi, in this method we're using DLLs as a loader. Some system files (I only tested DLL files) can be loaded from outside of the system directory, so we can use them to patch files!! Most "Delphi" and "Dotnet applications" load "version.dll" by default, so we can use this file as a loader for them! Best Regards, h4sh3m version.rar
  28. 5 points
    Crashing on my Win10 inside VMware as well. Windows Defender stopped, no other AV. It's a perfect protection - if nobody can run it, nobody can crack it.
  29. 4 points
  30. 4 points
    Hmmmm... Could it be because you didn't do time travel and never experienced 4th of May 2019 before? The expired certificate is inside your outdated copy of Firefox 56. And, as you said it yourself - you refuse to update it. So, how on earth do you expect Mozilla to fix something that's on your computer? Should they send Santa with magic powers to your home? Solution: download the XPI file from above. Extract files from it. Base64-decode new certificate from api.js. Add new certificate into your old Firefox (Tools-Options-Certificates). Done. Takes less time than writing those whiny posts. Full disclaimer: I couldn't test it 100% because I don't use Firefox on a daily basis and I couldn't find portable Firefox 56 with 3rd party addons.
  31. 4 points
    Hey all! I recently came across this neat paper here: https://tel.archives-ouvertes.fr/tel-01623849/document where they used what they called "Mixed-Boolean Arithmetic" to obfuscate arithmetic expressions, and then showed ways to deobfuscate them. Looking at the deobfuscation methods, they seemed largely either pattern-based or wouldn't work when bigger numbers were involved. So I thought to myself, "How can I mess with this?" Well, first things first, they have no concrete method there for creating these expressions. There are two pages total dedicated to the creation of these expressions, so I had to get creative to make it work. They describe using numpy to solve the matrix equation created and using a hack-y method to circumvent not having a square matrix, but I thought that I could do a bit better... Enter two painstaking days of learning linear algebra and figuring out exactly what I needed to do. They start by computing the truth tables of some expressions, putting them into a matrix as columns, then solving for the vector that, when using the dot product on the vector and the matrix, returned zero. After that, they filtered out various "rewrite rules" from the matrix generated. You can read more about this in the paper, though there's not much to go off of. They use numpy's linalg.solve to do this, but that only works with square matrices and produced results with constants that were a tad small for my taste :^) After a bit of research I found a python module called cvxpy, designed to find values that satisfy an expression under certain constraints. Even cooler was that you could specify matrix equations and integer-only solutions, which is exactly what I needed.

    After tinkering with it for a bit, I was able to reliably create expressions like these (representing a xor b):

    -27540 * (~a & b) + 373574 * (~a ^ ~b) + -27541 * (a & ~b) + -27541 * (~a & b) + -11 * (a + b) + -30436 * (~a & ~b) + -30436 * (~a * ~b) + 137712 * (a * ~b) + -27544 * (~a) + 1 * (b) + 3 * (~a + ~b) + -221347 * (~a - ~b) + 13 * (a + b) + -2 * (a) + -30454 * (~a + ~b) + -30454 * (~a + ~b) + -3 * (b) + -30449 * (a | b) + -27546 * (~b)

    3672455 * (~a * b) + -362611 * (a ^ b) + 78113 * (a) + -524636 * (~b) + -524636 * (a ^ ~b) + 78113 * (a) + -524636 * (~a | b) + -362611 * (a ^ b) + -959545 * (a | b) + -78113 * (a - b) + -959545 * (~a + ~b) + -524636 * (~a) + 142249 * (a + b) + -959544 * (~a + ~b) + 142249 * (a + b) + -524637 * (a - ~b) + -524637 * (~a) + -524637 * (a & ~b) + 3241246 * (~a ^ ~b)

    Using truth tables modulo 4 instead of modulo 2 I was also able to compute equivalencies for multiplication, which was pretty neato. However, using the same method of computing the truth table and finding an equivalent expression you can reverse this sort of operation. I'll leave that as an exercise to the reader.

    EDIT: As a friend of mine pointed out, this will work with any operation that is reducible to boolean math (i.e. xor, addition, subtraction, multiplication), not just arithmetic operations.
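    The truth-table / null-space construction described in the post above, as an added example in plain Python (this is not the poster's numpy/cvxpy code): the list of bitwise terms, the 32-bit word width and the random mixing of target-free identities are choices made here for illustration. It builds the matrix whose columns are the single-bit truth tables of the terms plus the target (a ^ b), takes integer null vectors of it, uses the one that mentions the target to rewrite a ^ b over the other terms, then adds random multiples of the remaining null vectors (the "rewrite rules", which cancel to zero) to blow up the constants, and finally checks the expression against real XOR on random words.

```python
# Added example, not the poster's numpy/cvxpy code: the truth-table null-space
# construction in plain Python. Terms, 32-bit width and the rule mixing are mine.
from fractions import Fraction
from functools import reduce
from itertools import product
from math import gcd, lcm
import random

MASK = 0xFFFFFFFF  # width only matters for evaluation; the identity is bitwise

# Bitwise building blocks; NOT is masked so that on a single bit it is the
# logical negation the truth table needs.
TERMS = {
    "a": lambda a, b: a,
    "b": lambda a, b: b,
    "(a & b)": lambda a, b: a & b,
    "(a | b)": lambda a, b: a | b,
    "(~a & b)": lambda a, b: (~a & MASK) & b,
    "(a & ~b)": lambda a, b: a & (~b & MASK),
    "~(a | b)": lambda a, b: ~(a | b) & MASK,
}
TARGET_NAME, TARGET = "(a ^ b)", (lambda a, b: a ^ b)

def truth_table(fn):
    """Matrix column: fn on the four single-bit inputs (a, b)."""
    return [fn(a, b) & 1 for a, b in product((0, 1), repeat=2)]

def nullspace(matrix):
    """Rational null-space basis via reduced row echelon form."""
    rows = [[Fraction(x) for x in r] for r in matrix]
    ncols, pivots, r = len(rows[0]), [], 0
    for c in range(ncols):
        p = next((i for i in range(r, len(rows)) if rows[i][c] != 0), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        pv = rows[r][c]
        rows[r] = [x / pv for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c] != 0:
                f = rows[i][c]
                rows[i] = [x - f * y for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    basis = []
    for fc in (c for c in range(ncols) if c not in pivots):
        v = [Fraction(0)] * ncols
        v[fc] = Fraction(1)
        for i, pc in enumerate(pivots):
            v[pc] = -rows[i][fc]
        basis.append(v)
    return basis

def integerize(vec):
    """Scale a rational vector to coprime integers."""
    den = reduce(lcm, (x.denominator for x in vec), 1)
    ints = [int(x * den) for x in vec]
    g = reduce(gcd, ints, 0) or 1
    return [x // g for x in ints]

def rewrite_rules():
    """Integer null vectors of the matrix [terms | target]; each one is an identity."""
    names = list(TERMS) + [TARGET_NAME]
    cols = [truth_table(f) for f in list(TERMS.values()) + [TARGET]]
    matrix = [[col[i] for col in cols] for i in range(len(cols[0]))]
    return names, [integerize(v) for v in nullspace(matrix)]

def mba_xor(mix=0, seed=1):
    """a ^ b as {term: integer coefficient}. A null vector with target
    coefficient c_t gives target = sum(-c_i/c_t * term_i); with mix > 0 random
    multiples of the target-free identities are added, which cancel bitwise
    but inflate the constants like the paper's generated expressions."""
    names, rules = rewrite_rules()
    base = next(v for v in rules if v[-1] and all(c % v[-1] == 0 for c in v))
    coeffs = [(-c) // base[-1] for c in base[:-1]]
    rng = random.Random(seed)
    for v in (v for v in rules if v[-1] == 0):
        k = rng.randint(-50000, 50000) * mix
        coeffs = [c + k * x for c, x in zip(coeffs, v[:-1])]
    return dict(zip(names[:-1], coeffs))

def evaluate(expr, a, b):
    """Evaluate {term: coeff} on words a, b, reduced mod 2^32."""
    return sum(c * TERMS[t](a, b) for t, c in expr.items()) & MASK

def verify(expr, trials=1000, seed=7):
    """Differential check of the expression against the real XOR on random words."""
    rng = random.Random(seed)
    return all(evaluate(expr, a, b) == (a ^ b)
               for a, b in ((rng.getrandbits(32), rng.getrandbits(32)) for _ in range(trials)))

if __name__ == "__main__":
    for mix in (0, 1):
        e = mba_xor(mix=mix)
        print(" + ".join(f"{c} * {t}" for t, c in e.items() if c), "verified:", verify(e))
```

    Because every term here is a bitwise function, an identity that holds on the four single-bit rows holds on whole words of any width, which is why a four-row matrix is enough; with mix=0 the null vector gives the familiar a + b - 2*(a & b). Terms such as (a * ~b) are not bitwise, so this block does not cover the multiplication case the post handles with modulo-4 tables.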
  32. 4 points
    How to become a Hack... .... greetz
  33. 4 points
    slugsnacks reversing series by c0lo: Link: https://kienmanowar.wordpress.com/slugsnacks-reversing-series-by-c0lo/slugsnacks-reversing-series-5/
  34. 4 points
    AdvancedScript beta version. It is a beta version, it could have bugs, so please report, and if you'd like to add more features let me know.
    version 2.5 beta:
    1- Script window is separate.
    2- Create a folder for scripts; the form loads scripts with category.
    3- Add more mirror functions (xorx - pushx ...), and functions like (if, goto, writestr) to shortcut the work.
    4- Show all variables in a list with their values.
    5- Edit script on the fly.
    6- Enable defining an array with a range like z[n].
    7- writestr function.
    8- Run from anywhere in the script.
    9- Reset variables list in case of maintenance.
    10- Insert as many rows as you need.
    11- Insert from clipboard, replacing the whole script.
    12- Insert from clipboard inside the script.
    13- Copy separated lines to use in another script.
    14- Insert description without confusion.
    15- Add the DLL file of the C++ runtime for each package.
    16- Add some script samples.
    17- As it is a beta version it supports single step, not auto step; use F12 for step. Sorry for that, I need to check if it works, then I will add auto step :}
    Note: I forgot to say, use the (Scriptw) command to show the Script window. Git has stopped working, so copy the script sample to your script folder in the x64dbg folder, and please read the help first.
    AdvancedScript_2.5beta.zip
  35. 4 points
    Forum Ideas / Suggestions Some ideas that could potentially bring some life back into the forum and get things more active. Ranks - While this is a more of a gimmick type thing, a lot of people do focus on their status of a forum. Even if that status is nothing more than superficial text/colors. Active members that are liked a lot, thanked a lot and contribute to the site could have extra "glitter" added to their post information to the left where our name/avatar/post count etc. is. Something that shows the reputation in a more significant manner, newer ranks based on reputation and post counts, etc. could help give people incentive to share things. Badges/Awards - Another gimmick type thing, some extra flair to the users information to the left again, badges can be used to show various things such as post/reputation milestones. There are tons of different things that can earn a badge such as a post that has hit a certain amount of likes, a download that has been downloaded at least a certain number of times, etc. There are so many different things that can have a badge attached to it to give users ways to earn all kinds of things by helping out. Usergroup Images - Instead of just text, perhaps some images to add some more bling. Monthly MVP's / User Spotlights - To encourage people to be active and help/support others, post things and so on, we could have community voted MVP's each month, or user spotlights as a way to say thanks to a member for doing things that help the community. Someone that posts a lot of tutorials, explains things well to others, completes challenges with good answers/tutorials, etc. Most of these things are nothing more than just gimmicks but a lot of people like to see themselves earning something, even if it means nothing, while being part of a site. A great example of these kinds of systems in place are on sites like HackForums, UnknownCheats, and similar game hacking forums. 
These do not need to carry any type of weight or anything other than just being something earned for helping the site.
  36. 4 points
    Hi, sorry I wasn't online for so long. I am still alive 🙂 but I had a HDD crash and lost almost everything including account information. Today I was able to recover some account information from a forgotten USB stick. At least the forum here + bitbucket/github account. So I may be able to work on the projects again 🙂
  37. 4 points
    Find it funny how the agitator creates the topic to try and bring attention to what he had to post later on. Puny schemes. People just have lives; RE isn't going anywhere. Same as there's been one generation of smart, skilled and enthused people, others will follow. Circle of life. What I do find funny is how this "high-level programming" works even with big companies, such as Denuvo. I put quotes because, same as Java relies on a ton of shit OTHER people wrote across time, which they now just import, similarly Denuvo relies on VMProtect to shield whatever crap they've got going on. Were it not for it, we'd have gotten ourselves the ol' time SecuROM/SafeDisc fiascos. I digress.. Congrats, ExoD. And keep it up, love your work.
  38. 4 points
    @p4r4d0x: enough already! If you can't stop whining about exetools and techlord, please go away - as this behavior is not bringing anything useful to this forum. :@ @mrexodia: I wish you all the best in your new job. You're extremely skillful person and I'm sure you'll enjoy the challenges this line of work will bring. And remember to learn as much new stuff as possible!
  39. 4 points
    Hi. It's a month after challenge v2, but I only had free time just now to work on the target. The results of both Key 1 & 2 are identical compared to the protected file. Kind Regards devirtualizeme32_vmp_3.0.9_v2_DeVM_Final_OK.exe
  40. 4 points
    Hello All, I created my first reverse engineering project. It's an open source loader called patchya. It's not as strong as dUP yet. I am planning to port it to Linux and to add more features such as anti-anti-debugging tricks. Would appreciate any feedback! Github project: https://github.com/misaleh/patchya
  41. 4 points
    Doesn't matter what the players want, if the protector isn't fully defeated/removed it's not a proper crack. The purpose isn't to bring players a playable game but rather to crack the protector.
  42. 4 points
    To store all the paths you could use an INI file with a structure like:

    [Settings]
    Count = Number of paths

    [0]
    Path = Path to the program to execute
    Param = Parameter value
    ...

    You could read the Count and Param value with GetPrivateProfileInt and the path with GetPrivateProfileString. To store the path and parameter you can create a structure in MASM that holds both values and allocate memory to store the stuff inside. After loading the INI file you can iterate through your array and compare the Param attribute and execute the program if it's a match. This may not be the best solution but it should be pretty simple.
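    The same INI layout read back and matched, as an added example in Python rather than the MASM the answer has in mind (this is not the answerer's code). The [Settings]/Count and [0], [1], ... Path/Param keys follow the answer; the sample file contents, including the debugger paths in it, are constructed for the demonstration.

```python
# Added example (Python, not the MASM answer's code): load the launcher INI
# layout proposed above and pick the program whose Param matches a value.
# SAMPLE_INI and the tool paths in it are constructed sample input.
import configparser
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_INI = r"""
[Settings]
Count = 2

[0]
Path = C:\Tools\x64dbg\x32\x32dbg.exe
Param = 1

[1]
Path = C:\Tools\x64dbg\x64\x64dbg.exe
Param = 2
"""


@dataclass
class Entry:
    path: str
    param: int


def load_entries(text: str) -> List[Entry]:
    """Python counterpart of GetPrivateProfileInt / GetPrivateProfileString.

    Reads Count from [Settings], then the sections [0] .. [Count-1]. A missing
    numbered section is reported instead of silently skipped, because Count
    and the sections drift apart easily once the file is edited by hand.
    """
    cfg = configparser.ConfigParser(interpolation=None)  # keep '%' in paths literal
    cfg.read_string(text)
    count = cfg.getint("Settings", "Count", fallback=0)
    entries = []
    for i in range(count):
        sect = str(i)
        if not cfg.has_section(sect):
            raise ValueError(f"Count={count} but section [{sect}] is missing")
        entries.append(Entry(cfg.get(sect, "Path"), cfg.getint(sect, "Param")))
    return entries


def find_path(entries: List[Entry], param: int) -> Optional[str]:
    """Return the Path of the first entry whose Param matches, else None."""
    for entry in entries:
        if entry.param == param:
            return entry.path
    return None


if __name__ == "__main__":
    import subprocess
    import sys

    wanted = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    path = find_path(load_entries(SAMPLE_INI), wanted)
    if path is None:
        sys.exit(f"no entry for Param={wanted}")
    subprocess.run([path])  # list form: the path is not re-parsed by a shell
```

    The matching is done on the parsed integer, mirroring the GetPrivateProfileInt the answer suggests, and the program is started with a list argument so that spaces or metacharacters in the stored path are never handed to a shell.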
  43. 4 points
    SHADOW_YXXIZQ 8HG DNJ 656 8J5 KN8 65K NHF IU4 3JK NGD
  44. 4 points
    ..and with one known key it's perfectly solvable. All credits go to @Reza-HNA for deobfuscating the keygenme. After that, it was a piece of cake. Keygen is not obfuscated in any way, so anyone can take a look at how it's done. keygen for Newbe KeygenMe1.zip
  45. 3 points
    Here is the code without strings decrypted, more to show that I haven't just remade the method from scratch but have actually devirtualised the file. The obfuscator is not that good in all honesty; once you get your head around everything in one method it's just like any other VM.

        using System;
        using System.Windows.Forms;

        // Devirtualised handler: every character is still hidden behind a pair of XORed immediates.
        private void button1_Click(object sender, EventArgs e)
        {
            int num = 0;
            if (num != 0)
            {
                char[] obj;
                char[] value = obj = new char[16];
                obj[0] = (char)(2049885642 ^ 2049885579);
                obj[1] = (char)(721969625 ^ 721969580);
                obj[2] = (char)(1722827470 ^ 1722827450);
                obj[3] = (char)(675984423 ^ 675984463);
                obj[4] = (char)(1647779473 ^ 1647779505);
                obj[5] = (char)(1793770717 ^ 1793770638);
                obj[6] = (char)(640259843 ^ 640259958);
                obj[7] = (char)(959731082 ^ 959731177);
                obj[8] = (char)(1744869780 ^ 1744869879);
                obj[9] = (char)(237600744 ^ 237600653);
                obj[10] = (char)(492056264 ^ 492056251);
                obj[11] = (char)(327956409 ^ 327956426);
                obj[12] = (char)(688741927 ^ 688741953);
                obj[13] = (char)(658212064 ^ 658211989);
                obj[14] = (char)(454212694 ^ 454212666);
                obj[15] = (char)(28756323 ^ 28756290);
                MessageBox.Show(new string(value));
            }
            else
            {
                char[] obj;
                char[] value2 = obj = new char[10];
                obj[0] = (char)(1435200779 ^ 1435200842);
                obj[1] = (char)(853162666 ^ 853162719);
                obj[2] = (char)(2119875586 ^ 2119875702);
                obj[3] = (char)(712244489 ^ 712244577);
                obj[4] = (char)(1541140050 ^ 1541140082);
                obj[5] = (char)(2107783153 ^ 2107783095);
                obj[6] = (char)(1703953462 ^ 1703953495);
                obj[7] = (char)(1864360465 ^ 1864360568);
                obj[8] = (char)(2035746888 ^ 2035746852);
                obj[9] = (char)(620298057 ^ 620298088);
                MessageBox.Show(new string(value2));
            }
        }
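    As an added example (not part of the post above), the constant folding that recovers the hidden strings: each pair of immediates from the devirtualised method is XORed exactly as the compiler would do at build time, and the low byte is the character. The pairs are copied from the code above; the folding routine and its printable-ASCII check are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One (left ^ right) pair per character, copied from the devirtualised
 * button1_Click above; the obfuscator hides each char behind two immediates
 * whose high bytes cancel out. */
static const uint32_t PAIRS_A[16][2] = {
    {2049885642u, 2049885579u}, {721969625u, 721969580u},
    {1722827470u, 1722827450u}, {675984423u, 675984463u},
    {1647779473u, 1647779505u}, {1793770717u, 1793770638u},
    {640259843u, 640259958u},   {959731082u, 959731177u},
    {1744869780u, 1744869879u}, {237600744u, 237600653u},
    {492056264u, 492056251u},   {327956409u, 327956426u},
    {688741927u, 688741953u},   {658212064u, 658211989u},
    {454212694u, 454212666u},   {28756323u, 28756290u},
};
static const uint32_t PAIRS_B[10][2] = {
    {1435200779u, 1435200842u}, {853162666u, 853162719u},
    {2119875586u, 2119875702u}, {712244489u, 712244577u},
    {1541140050u, 1541140082u}, {2107783153u, 2107783095u},
    {1703953462u, 1703953495u}, {1864360465u, 1864360568u},
    {2035746888u, 2035746852u}, {620298057u, 620298088u},
};

/* Constant-folds each pair the way a decompiler's simplifier would: the XOR
 * is computed up front and the result becomes the character. Returns the
 * number of characters written, or -1 if a folded value is not printable
 * ASCII (a sign that the pair is not a string constant after all). */
static int fold_xor_string(const uint32_t pairs[][2], size_t n, char *out, size_t outsz)
{
    if (n + 1 > outsz) return -1;
    for (size_t i = 0; i < n; i++) {
        uint32_t c = pairs[i][0] ^ pairs[i][1];
        if (c < 0x20 || c > 0x7e) return -1;   /* not printable ASCII: refuse */
        out[i] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper returning the folded string, or NULL on failure. */
static const char *decode_pairs(const uint32_t pairs[][2], size_t n)
{
    static char buf[64];   /* shared scratch buffer, fine for sequential calls */
    return fold_xor_string(pairs, n, buf, sizeof buf) < 0 ? NULL : buf;
}
```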
  46. 3 points
    Apparently, a "new" disassembler made by the NSA (lol) named "GHIDRA" is going to be released at the RSA conference in ~2 months for free. It's made in Java, and seems to have a fully functioning decompiler. Not many more details were released other than that, but it seems interesting as a competitor to IDA. https://www.rsaconference.com/events/us19/agenda/sessions/16608-come-get-your-free-nsa-reverse-engineering-tool
  47. 3 points
    REDasm 2.0 is available for download at http://redasm.io, binary packages have been tested on Windows and Linux. I have attached some screenshots to see how it looks now. Source Code: https://github.com/REDasmOrg/REDasm

    Changelog
    - Brand new disassembler engine.
    - Brand new disassembler widget.
    - Brand new Signature Engine (SDB files).
    - Brand new Hex Widget.
    - Multithreaded analysis.
    - QtWebEngine powered graphs.
    - Simplified LibREDasm API.
    - Reimplemented Emulation APIs.
    - Improved ARM/Thumb switch heuristics.
    - Improved ARM listing.
    - Added IDA style popup on symbols.
    - Added Dark Theme.
    - Added jump arrows in listing.
    - Recent file support.
    - Projects support (RDB files).
    - Improved keyboard shortcuts.
    - CMake Porting.
    - UI/LibREDasm/Database split.
    - MSVC RTTI Analysis.
    - MSVC Demangling.
    - Improved VB Decompiler.
    - Implemented GBA Loader (WIP).
    - Implemented N64 Loader (WIP).
    - Unified loader for ELF Format (Little/Big endian, 32/64 bits).
    - Unified loader for PE Format (Little/Big endian).
    - Clang support on 64bit.
    - UI Redesign.
    - Lots of bug fixes.
  48. 3 points
    That post was just because we (the administrators) are frustrated with the situation at exetools. The TechLord situation has been getting out of hand over there, but I see no reason to go on about it here. I have been voting to ban him for years now, because this is exactly what I was afraid of happening. That is my personal opinion, not that of my employer.
  49. 3 points
    "not a proper crack" is exactly what I meant in my post, players do not care about that. I guarantee you that not a single normal player ever reads the .nfo/readme's that come with things, ever. Unless it's to find specific information on how to use said release/crack, none of them are ever read. Normal players don't give a shit about what's in them, what the scene people want to say or bicker about, or any of that. Normal people just want the game, not the drama behind the scenes. All the release drama that happens with the scene is completely in its own world, separated from the majority of the users of things that are released. Normal people don't pay attention to what was done, who did what first, who did what best, who did what correctly/incorrectly, who "propered" a release, etc. People literally search until something releases and download it immediately as it's available. Go ask any normal player/user of things like game cracks/releases and I guarantee you none of them will have a clue about the scene, scene "rules", or any of the stupid drama associated with it.
  50. 3 points
    saw this earlier..makes no sense to me but I'm sure some of ya know what it all means.. cheers

    Injustice 2 Legendary Edition-CODEX

    Notes: This release contains the latest update from August 21st and all additional content of the Legendary Edition. For the reason explained below, we noticed that two of the 38 included fighters (Gorilla and Robin) can have some small delays/micro freezes when executing certain attacks. The slower your CPU, the more noticeable the lags are on these two. Even though the game isn't exactly new anymore, there are still a lot of bugs left in the legit version.

    Some Denuvo Techtalk: For example when Robin does one of his special attacks, throwing a smoke bomb on the ground, Denuvo starts writing a private key to the memory from 000000014C113692:

        000000014C113692 | 44 88 07             | mov byte ptr ds:[rdi],r8b
        000000014C113695 | 5F                   | pop rdi
        000000014C113696 | 50                   | push rax
        000000014C113697 | 21 C0                | and eax,eax
        000000014C113699 | 9C                   | pushfq
        000000014C11369A | 44 01 C1             | add ecx,r8d
        000000014C11369D | 4C 89 F0             | mov rax,r14
        000000014C1136A0 | 48 89 C1             | mov rcx,rax
        000000014C1136A3 | 48 C7 C0 00 00 00 00 | mov rax,0
        000000014C1136AA | 48 09 D0             | or rax,rdx
        000000014C1136AD | 48 83 C1 01          | add rcx,1
        000000014C1136B1 | 49 89 CE             | mov r14,rcx
        000000014C1136B4 | C1 C1 08             | rol ecx,8
        000000014C1136B7 | 9D                   | popfq
        000000014C1136B8 | 58                   | pop rax

    Then it fills the buffer at: 000000014779F593.

    When everything is filled and the key is obtained by Denuvo itself, it starts executing anti-tamper checks from 000000014774C37E:

        000000014774C37E | 41 89 7D 00          | mov dword ptr ds:[r13],edi
        000000014774C382 | 48 29 F3             | sub rbx,rsi
        000000014774C385 | 41 54                | push r12
        000000014774C387 | C1 CB 0D             | ror ebx,D
        000000014774C38A | BE D4 72 4D 3E       | mov esi,3E4D72D4
        000000014774C38F | 4C 8D 25 4F B5 06 FE | lea r12,qword ptr ds:[1457B78E5]
        000000014774C396 | 4C 33 24 24          | xor r12,qword ptr ss:[rsp]
        000000014774C39A | 48 8B 1C 24          | mov rbx,qword ptr ss:[rsp]
        000000014774C39E | 4C 21 E3             | and rbx,r12
        000000014774C3A1 | 4C 09 24 24          | or qword ptr ss:[rsp],r12
        000000014774C3A5 | 0F BA F8 06          | btc eax,6
        000000014774C3A9 | 0F BA F6 0D          | btr esi,D
        000000014774C3AD | 48 29 1C 24          | sub qword ptr ss:[rsp],rbx
        000000014774C3B1 | 4C 89 E3             | mov rbx,r12
        000000014774C3B4 | 48 23 1C 24          | and rbx,qword ptr ss:[rsp]
        000000014774C3B8 | 4C 0B 24 24          | or r12,qword ptr ss:[rsp]
        000000014774C3BC | 49 29 DC             | sub r12,rbx
        000000014774C3BF | C3                   | ret

    Here it gets the addresses of the various functions inside the Denuvo code from the r13 register and forces the original bytes, a single DWORD per cycle, essentially overwriting any potential patches that were applied to these functions before. The way our crack works is that it reads a huge amount of encrypted code (including the code that the anti-tamper tries to overwrite), and therefore patching the required place causes some slowdowns thanks to Denuvo and the devs.