Tuts 4 You


Popular Content

Showing content with the highest reputation since 05/24/2018 in all areas

  1. 15 points
    Hi guys, I am a fan of the FFmpeg CLI tool but it's always hard to remember all the command-line arguments if I didn't use it for a longer while and I can't find my notes about it (as always). Now I thought it would be a good idea to code a GUI tool where I can use FFmpeg and store all the command-line argument combinations I want into it, to call and execute them quickly. I know there are already a few GUI tools out there for FFmpeg but they have some limitations and/or are not my taste. So you know I always have a special taste and wanna combine all together in the best case. Now after a few months I am done with a first version and wanna also share it with you guys.
    First Steps
    --------------------------------------------
    Start the app and enter your FFmpeg path. If you don't have it then download a static build from FFmpeg.org or ffmpeg.zeranoe.com/builds/
    Next you should have the VLC player installed (2.2.6 in my case).
    How it works?
    --------------------------------------------
    So the app has 2 different GUIs. The main GUI you can use for media editing, converting etc., all that you can do with FFmpeg command-line arguments. The second GUI I made specially for quick handling of streams, to play and download them, plus more features which could be important.
    Features: Main GUI
    --------------------------------------------
    - Quick analysis of files after drag & drop into the app and showing the info in it
    - Full analysis of file by MediaInfo or FFmpeg itself
    - Preview image of video files & quick playing by your video player
    - Three different command-line edit controls in main GUI to execute with FFmpeg
    - Quick Mux / DeMux function to extract / add / change streams without re-encoding in Concat or Input mode
    - Window to see whole FFmpeg traffic
    - Storage listview to (add / delete / send / play / record / search) manage your command lines and infos
    - NoFile (you can use FFmpeg like in a normal CMD window)
    Features: Quicky GUI
    --------------------------------------------
    - Store and choose different URLs by menu
    - Store and choose different command-line args by menu
    - Store and choose different pre command-line args by menu
    - Store and choose different names by menu (will be used to save into file and showing in VLC)
    - Play, Download, Edit, Search functions etc
    - Store names and URLs into extra listview
    - Store and call up to three custom request headers
    - Different choosable request methods, user agents and optional headers
    - Url checking (with or without SSL)
    - Reading page sources
    - Finding URL extensions
    - Response Header
    - Switch View (CRLF)
    - JSON Viewer
    - URL Decoder
    - OnTop On/Off
    I also created a video with some examples of how to use my app but the video was getting a little big with 50 MB so I am sorry for that. Inside you can also find some text files with infos. If something doesn't work or if I forgot to explain some feature or anything else then just post a reply in this topic. Have fun and till later.
    PS: I also wanna send some extra special thanks to our member fearless who always helped me a lot (without getting crazy - I think so..) with all my coding questions I had. Thank you.
    Merry Christmas and greetz
    FFmpeg Quicky 1.0.rar
  2. 14 points
    Hi! This is my first post on tuts4you, I hope that this is the right section, if not, please delete this post! Ok so... A few months ago I made public my internal project called REDasm on GitHub. Basically it's a cross-platform disassembler with an interactive listing (but it's still far, if compared to IDA's one) and it can be extended with its API in order to support new formats, assemblers and analyzers.
    Currently it supports:
    - Portable Executable: VB5/6 decompilation. It can detect Delphi executables, a decompiler is WIP. .NET support is WIP. Debug symbols are displayed, if available.
    - ELF Executables: Debug symbols are displayed, if available.
    - DEX Executables: Debug symbols are displayed, if available.
    - x86 and x86_64 are supported.
    - MIPS is supported and partially emulated.
    - ARM support is implemented but still WIP.
    - Dalvik assembler is supported.
    Most common assemblers are implemented by using the Capstone library, the Dalvik assembler is written manually and even the upcoming MSIL/CIL assembler will be implemented manually. The entire project is written in C++ and its UI is implemented with Qt5. Internally, the disassembler is separated in two parts: LibREDasm and UI. LibREDasm doesn't contain any UI related dependencies, it's just pure C++, one day I will split it in two separate projects.
    Some links with source code, nightlies and wiki:
    Source Code: https://github.com/REDasmOrg/REDasm
    Nightly Builds (for Windows and Linux): https://github.com/REDasmOrg/REDasm-Builds
    Wiki: https://github.com/REDasmOrg/REDasm/wiki
    And some screenshots:
  3. 13 points
    Hi, I made a tool that interprets a vmp rsi-stream, it records the handlers (or vm instructions) and connects them via their data dependencies. This is what a JCC looks like: The edges in this graph represent data dependencies. Sequences of nodes with one input and one output are collapsed into blocks. Green nodes are constant nodes. They do not depend on external values (such as CPU registers), unlike red nodes. The hex number left of a node is a step number, the right number is its result. Only const nodes (green) can have a result. The graph contains all nodes that directly or indirectly contribute to the lower right "loadcc" instruction. CMP/JCC in VMP works by executing an obfuscated version of the original CMP which also results in either zero or one. VMP then pushes 2 addresses to its stack (step 121f and 1209) and computes an address that points to either one, depending on the zero/one result of the corresponding CMP (step 1265). It then simply loads from that computed address and uses its value for a JMP. The load that loads either address is represented by the "loadcc" node in the graph. Even though all puzzle pieces are here, it is still hard to figure out what the original CMP was, but luckily we have LLVM and luckily it isn't hard to lower the graph to LLVM IR: Godbolt Left is the graph as LLVM IR, middle is the output of the optimizer, right is the optimized LLVM IR lowered to x64. The attachment contains the original x64 input, the complete vmp program as LLVM (not just the loadcc part), the optimized x64 (-O3) and an unoptimized version (-O0). The unopt version is interesting because it shows what vmp looks like after removing the junk but still leaving the handlers intact (RSI access is removed, RBP-stack is pre-baked to make it easier for the optimizer passes). I thought it was pretty impressive how LLVM's optimizer plows through the crap and produces such a beautiful result. That is all. Thanks for reading. testproc.zip
  4. 9 points
    It's a really nice challenge, thank you!
    Pseudo-solution:
    Step 1: make type/function/variable names readable. De4dot to the rescue.
    Step 2: get some idea how the VM works. In this case, we have P-Code stored in a MemoryStream and stream.Position tells us which instruction we're currently executing (aka EIP).
    Step 3: put some smart breakpoints and trace execution of the VM. We're looking for good boy/bad boy jumps, so focus on changes in stream.Position. I put a breakpoint in UnmanagedMemoryStream.Seek:
    Step 4: look at the log data and identify the good boy/bad boy jump. In my case, logged data with some comments looked like this. So, we need to trace a few instructions starting from EIP=16F4. Turns out that the comparison instruction is at EIP=172B and the good boy jump is at EIP=173D.
    Step 5: patch P-Code or VM engine. I decided to patch P-Code directly, as integrity checks for the P-Code were not enabled. I changed the comparison instruction to compare 2 identical values, so the check always succeeds and the good boy jump is always taken.
    Mission accomplished.
    EDIT: attached file should not be in the middle of a sentence.
    Out-patched-by-kao.zip
  5. 8 points
    Hello All 😁 This is my first post in Tuts 4 You, hope it won't be the last 😅 Cmulator is an ( x86 - x64 ) Scriptable Reverse Engineering Sandbox Emulator for shellcode and PE binaries based on Unicorn & Capstone Engine & javascript. https://github.com/Coldzer0/Cmulator This is the work of 3 months, and development is active. The project is fully written in FreePascal 😎 I'm planning to port the project to "C" so it lasts longer ( so we get more contributors ). Hope you find it useful
  6. 8 points
  7. 7 points
    Just a try to add more features to the x64dbg script system.
    History Section:
    - version 2.0:
    1- all numbers are hex numbers.
    2- more nesting in arguments.
    3- Build bridge to make plugin system compatible with x64dbg script system.
    4- create parallel Functions to x64dbg Functions, like ( cmp >> cmpx ).
    5- rename to new names (Varx Getx Setx) and fix array index entry.
    6- add VarxClear ( clear all variables to help user in tests ), memdump with print style.
    - version 1.6:
    1- add Parser system to recognize arguments.
    2- begin building Script system.
    3- add more Helper Functions.
    - version 1.4:
    1- make StrCompx in a separate Thread and add Sleep time to wait for x64dbg to finish processing.
    2- Fix Hex2duint function, add length check in case it is less than 2.
    - version 1.3:
    1- Add another argument to cbLogxJustAtBP for printing on LogxWindow.
    2- now it accepts bool arguments like this (true/false-on/off-1/0).
    3- add StrComp_BP function for comparing strings in memory at BP.
    4- compiled x32.
    Source Code: https://github.com/Ahmadmansoor/AdvancedScript
    If you find it useful please let me know, and if you want to add more features please leave a comment.
    Supports both x86 and x64.
    BR
    AdvancedScript.v2.0.rar
  8. 7 points
    Done! This has been added for your user group. I will see how this progresses. Obviously there is a possibility this could be abused by members however I currently trust persons in this group will use it appropriately. Done! You can now download PM's individually or bulk in HTML. The output HTML template is a bit crude. If you have some suggestions I'll contact the developer and propose the ideas with some of my own. Of the other suggestions proposed here I will reply to you all after I have thought them over and have appropriate time to reply accordingly. Thank you! Ted.
  9. 6 points
    Strings plugin for x64dbg. Download: https://github.com/horsicq/stringsx64dbg/releases Sources: https://github.com/horsicq/stringsx64dbg/ More Info: http://n10info.blogspot.com/2019/03/strings-plugin-for-x64dbg.html
  10. 6 points
    Everyone can see the code because Cawk's ConfuserEx unpacker works just fine.
  11. 6 points
    For unpacking:
    1) cawk unpacker
    2) dump after decryption
    3) fix EP
    4) Proxy call fixer by Davicore
    5) Strings decryptor by CC
    6) Switch killer by CC
    7) Dump resources (empty)
    8) Clean cctor and <module> methods
    (maybe 4, 5 and 6 can be replaced by cawk unpacker again)
    I will check the key algo tomorrow, don't have time now.
    a29p-EP-anti2_noproxy_stringdec-cleaned_deobfuscated-res2-cctor-module.exe
    --------------------------------------------------------
    Username = "Usuario"
    Code = "161308"
    // key algo (C#): the string length is the Length property, not a method
    int length = username.Length;
    int num2 = length + 2 - 4 + 40 + 10;
    return Convert.ToString(419 * num2 * length - length);
    ---------------------------------------------------
    EDIT2: I have received a few PMs asking how to fix EP, so I will post the videos I used as reference here. Following these 2 videos you should be able to unpack confuserex fully.
  12. 6 points
    The FireEye Labs Advanced Reverse Engineering (FLARE) team’s annual reverse engineering challenge will start at 8:00 p.m. ET on Aug. 24, 2018. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security professionals. So dust off your disassembler, put a new coat of oil on your old debugger, and get your favorite chat client ready to futilely beg your friends for help. Once again, this contest is designed for individuals, not teams, and it is a single track of challenges. The contest runs for six full weeks and ends at 8:00 p.m. ET on Oct. 5, 2018. This year’s contest will once again host a total of 12 challenges covering architectures from x86, x64 on Windows, Java, .NET, Webassembly, and Linux, with special appearances of Bootloaders and Bootkits. This is one of the only Windows-centric CTF challenges out there and we have crafted it to represent the skills and challenges of our workload on the FLARE team. If you complete the Flare-On Challenge you will receive a prize and permanent recognition on the flare-on.com website for your accomplishment. Prize details will be revealed when the contest ends, but as always, it will be something that will be coveted and envied by your peers. In prior years we’ve had rodeo belt buckles, replica police badges, challenge coins, and a huge pin. Check out the Flare-On website for a live countdown timer and to see the previous year’s winners. For official news and support we will be using the Twitter hashtag: #flareon5. 9 days left, better brush up your skills and make sure your tools are in good order! Official site: http://www.flare-on.com/
  13. 6 points
    Yes, it's still active: I'm working on version 2.0 on the "next" branch, GitHub doesn't show branch activities. I posted a video preview on Twitter a few days ago which shows the upgraded engine in action along with the brand new disassembly widget. NOTE: Some parts of the UI are still disabled in that video, I have attached a screenshot with the latest enhancements here (the UI is still ugly, I'm planning to clean it up a bit).
  14. 5 points
    Download: https://github.com/horsicq/pex64dbg/releases Sources: https://github.com/horsicq/pex64dbg More Info: http://n10info.blogspot.com/2019/05/pe-viewer-plugin-for-x64dbg.html
  15. 5 points
    Hi there, With a few guys we made a zoo dedicated to malware targeting ATM platforms, as far as I know nobody has made a similar public project, so voila. You will find here malware that specifically targets ATMs, and reports (notices) about them. Files of interest got harvested from kernelmode.info, but also virustotal and various other services and people interested in the project. I'm using binGraph, pedump, Python, bintext, for the engine on reports. Some samples exist in 'duplicate' on the wall (we also provide unpacks for a few files), if it is the case: it's mentioned on the report. We have hashes that are without references (I mean not associated with a white paper or something); those files are regrouped on the statistics page, we tried to make the stat page interesting enough for everyone to have fun exploring the zoo from the stats. We have IoCs that others seem not to have, e.g. the kaspersky report about winpot, that also led to a funny reaction from ppl selling it, no worry, everyone has it now. We also have a page that includes some yara rules for detecting some of these malwares, and a page with goodies, voila! Everything provided in old skool style, intro also available! CyberCrime quality http://atm.cybercrime-tracker.net/ Feedback welcome, enjoy the ride ! 💳🏧
  16. 5 points
    Language : .NET
    Platform : .NET/Mono
    OS Version : All
    Packer / Protector : Custom
    Description : This is something I've stopped working on over the last few months, but if someone's interested in taking up the project with me I'll gladly accept. The original password is hashed to prevent string equality hooking, so the goal here is just to make it respond correctly.
    Cracking : If you do crack this, please post in the thread (or DM me) about how you did it. It doesn't have to be step-by-step; a simple "after doing X all you need to do is Y" is fine. If you have any suggestions for additional obfuscation, please include those as well. Any method is acceptable (besides printing the correct string yourself):^)
    Screenshots are attached.
    Out.exe
  17. 5 points
    Anti Debugging Protection Techniques With Examples: https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software
  18. 5 points
    Challenge of Reverse Engineering - Rules and Guidelines All challenges will be reviewed and approved prior to them being made public. You must use and adhere to the above template (when submitting a challenge) and the template in the post below (when submitting an answer/solution). A challenge is regarded as being solved only when a successful solution has been posted containing a tutorial or a detailed explanation. Solutions posted without any information will remain hidden from public view until a tutorial or detailed explanation has been submitted. The challenge will continue to remain unsolved. Please allow up to 48 hours for challenges and solutions to be reviewed.
  19. 5 points
    Unpacked Use any long key to pass checks. GetMe_unp.zip
  20. 5 points
    It is indeed true that I work for Denuvo and this is public information you can see at my LinkedIn profile. We use x64dbg at work and I have assured that there are no conflicts of interest in that regard. I keep working on features I need like always. However I would like to say that those “rumors” don’t exist and my employer has no influence about what I do or say online. If you feel like you have some questions related to those “rumors” @p4r4d0x (or anybody else) you can ask those things to me directly instead of going deep in conspiracies that you hear from “senior reversers”. With regards to breaking communities, there is absolutely zero benefit like @Progman noted. The reversing community as a whole has been going downhill in my opinion for years now and if anything we need more people sharing information online, not less. @Kurapica I will keep sharing my tools and knowledge as always. Nowadays I’m more active on Github and Stack Exchange than these (and other) forums, but I’m sure you can appreciate how your available time changes if you start your first full time job 😀 Also only a few people seem to write my nickname as I like it nowadays: “mrexodia”, which is surprising
  21. 5 points
    Reverse-Engineering WebAssembly binaries: https://www.forcepoint.com/blog/security-labs/analyzing-webassembly-binaries Best Regards, Evilcry
  22. 5 points
    Version 1.0.0
    hotkeys:
    m: (play/stop music)
    f1: (switch fullscreen/windows)
    f3: (nfo reader)
    elite: (hidden part)
    esc: (quit)
  23. 5 points
    It's official - I finished as #4 this year! Subjectively - first challenges are a bit harder than last year, probably due to the exotic targets (wasm, webinjects, etc..). All in all, I enjoyed it immensely!
  24. 5 points
    Does anyone even really care about the stupid 'scene rules' anymore? Who cares what some elitists want to state is required for something. If they can make the game run anywhere with or without Denuvo fully removed, that is what the players want. None of them care about the scene or what is still left in the exe as long as it works and plays.
  25. 5 points
    Intel x86 / x64 opcode reference manuals (I think you can download them in PDF form on their site somewhere), then writing some apps in asm to get a grip on MASM etc, or in C, and then debugging them to see how things work.
    Then Lena's tuts (I've never used them though, I taught myself a long time ago, where I'd dl the opcode refs and study them offline (an inet connection was a rarity at the time for me)).
    Pencil (to undo mistakes) and paper, to make notes, and lots of them.
    Tools like hiew, IDA (never really liked IDA too much as I thought it was slow), olly, x64dbg etc etc, and referencing sites like this one, the masm32 site, woodmann and some others.
    Time and patience, and doing some homework before asking for help / pointers (I usually won't help people who want to get everything spoonfed to them or ask for videos etc or think they're somehow entitled).
  26. 5 points
    @unavailable: Don't give up! Success comes through perseverance!! Cracking is a long process. I lost my interest in cracking programs, but I will still make some RE tools and try to help people the way I can.
  27. 5 points
    Hi, In this method we're using DLLs as loaders. Some system files (I've only tested DLL files) can be loaded from outside of the system directory so we can use them to patch files !! Most "Delphi" and "Dotnet applications" load "version.dll" by default so we can use this file as a loader for them ! Best Regards, h4sh3m version.rar
  28. 4 points
  29. 4 points
    Hmmmm... Could it be because you didn't do time travel and never experienced 4th of May 2019 before? The expired certificate is inside your outdated copy of Firefox 56. And, as you said it yourself - you refuse to update it. So, how on earth do you expect Mozilla to fix something that's on your computer? Should they send Santa with magic powers to your home? Solution: download the XPI file from above. Extract files from it. Base64-decode new certificate from api.js. Add new certificate into your old Firefox (Tools-Options-Certificates). Done. Takes less time than writing those whiny posts. Full disclaimer: I couldn't test it 100% because I don't use Firefox on a daily basis and I couldn't find portable Firefox 56 with 3rd party addons.
  30. 4 points
    Hey all! I recently came across this neat paper here: https://tel.archives-ouvertes.fr/tel-01623849/document where they used what they called "Mixed-Boolean Arithmetic" to obfuscate arithmetic expressions, and then showed ways to deobfuscate them. Looking at the deobfuscation methods, they seemed largely either pattern-based or wouldn't work when bigger numbers were involved. So I thought to myself, "How can I mess with this?" Well, first things first, they have no concrete method there for creating these expressions. There are two pages total dedicated to the creation of these expressions, so I had to get creative to make it work. They describe using numpy to solve the matrix equation created and using a hack-y method to circumvent not having a square matrix, but I thought that I could do a bit better... Enter two painstaking days of learning linear algebra and figuring out exactly what I needed to do. They start by computing the truth tables of some expressions, putting them into a matrix as columns, then solving for the vector that, when using the dot product on the vector and the matrix, returned zero. After that, they filtered out various "rewrite rules" from the matrix generated. You can read more about this in the paper, though there's not much to go off of. They use numpy's linalg.solve to do this, but that only works with square matrices and produced results with constants that were a tad small for my taste :^) After a bit of research I found a python module called cvxpy, designed to find values that satisfy an expression under certain constraints. Even cooler was that you could specify matrix equations and integer-only solutions, which is exactly what I needed.
    After tinkering with it for a bit, I was able to reliably create expressions like these (representing a xor b):
    -27540 * (~a & b) + 373574 * (~a ^ ~b) + -27541 * (a & ~b) + -27541 * (~a & b) + -11 * (a + b) + -30436 * (~a & ~b) + -30436 * (~a * ~b) + 137712 * (a * ~b) + -27544 * (~a) + 1 * (b) + 3 * (~a + ~b) + -221347 * (~a - ~b) + 13 * (a + b) + -2 * (a) + -30454 * (~a + ~b) + -30454 * (~a + ~b) + -3 * (b) + -30449 * (a | b) + -27546 * (~b)
    3672455 * (~a * b) + -362611 * (a ^ b) + 78113 * (a) + -524636 * (~b) + -524636 * (a ^ ~b) + 78113 * (a) + -524636 * (~a | b) + -362611 * (a ^ b) + -959545 * (a | b) + -78113 * (a - b) + -959545 * (~a + ~b) + -524636 * (~a) + 142249 * (a + b) + -959544 * (~a + ~b) + 142249 * (a + b) + -524637 * (a - ~b) + -524637 * (~a) + -524637 * (a & ~b) + 3241246 * (~a ^ ~b)
    Using truth tables modulo 4 instead of modulo 2 I was also able to compute equivalencies for multiplication, which was pretty neato. However, using the same method of computing the truth table and finding an equivalent expression you can reverse this sort of operation. I'll leave that as an exercise to the reader.
    EDIT: As a friend of mine pointed out, this will work with any operation that can be reducible to boolean math (i.e. xor, addition, subtraction, multiplication), not just arithmetic operations.
  31. 4 points
    How to become a Hack... .... greetz
  32. 4 points
    slugsnacks reversing series by c0lo: Link: https://kienmanowar.wordpress.com/slugsnacks-reversing-series-by-c0lo/slugsnacks-reversing-series-5/
  33. 4 points
    AdvancedScript beta version
    It is a beta version, it could have bugs, so please report, and if you'd like to add more features let me know.
    version 2.5 beta :
    1- Script window is separate.
    2- Create Folder for script, from Load script with category.
    3- add more mirror Functions (xorx - pushx ...), and Functions like ( if , goto, writestr ) to shortcut the work.
    4- show all variables in a list with their values.
    5- edit script on the fly.
    6- enable defining an array with a range like z[n].
    7- writestr Function.
    8- run from anywhere in the script.
    9- reset variables list in case of maintenance.
    10- insert rows as much as you need.
    11- insert from clipboard, replacing all script.
    12- insert from clipboard inside the script.
    13- copy separated lines to use in other scripts.
    14- insert description without confusion.
    15- add the dll file of the c++ runtime for each package.
    16- add some script samples.
    17- as it is a beta version it supports one step, not auto step; use F12 for step, sorry for that, I need to check if it works then I will add auto step :}
    note : I forgot to say use the (Scriptw) command to show the Script window, but git has stopped working, and copy the script sample to your script folder in the x64dbg folder and please read the help first.
    AdvancedScript_2.5beta.zip
  34. 4 points
    Forum Ideas / Suggestions
    Some ideas that could potentially bring some life back into the forum and get things more active.
    Ranks - While this is more of a gimmick type thing, a lot of people do focus on their status on a forum. Even if that status is nothing more than superficial text/colors. Active members that are liked a lot, thanked a lot and contribute to the site could have extra "glitter" added to their post information to the left where our name/avatar/post count etc. is. Something that shows the reputation in a more significant manner, newer ranks based on reputation and post counts, etc. could help give people incentive to share things.
    Badges/Awards - Another gimmick type thing, some extra flair to the user's information to the left again, badges can be used to show various things such as post/reputation milestones. There are tons of different things that can earn a badge such as a post that has hit a certain amount of likes, a download that has been downloaded at least a certain number of times, etc. There are so many different things that can have a badge attached to them to give users ways to earn all kinds of things by helping out.
    Usergroup Images - Instead of just text, perhaps some images to add some more bling.
    Monthly MVPs / User Spotlights - To encourage people to be active and help/support others, post things and so on, we could have community voted MVPs each month, or user spotlights as a way to say thanks to a member for doing things that help the community. Someone that posts a lot of tutorials, explains things well to others, completes challenges with good answers/tutorials, etc.
    Most of these things are nothing more than just gimmicks but a lot of people like to see themselves earning something, even if it means nothing, while being part of a site. A great example of these kinds of systems in place are on sites like HackForums, UnknownCheats, and similar game hacking forums.
    These do not need to carry any type of weight or anything other than just being something earned for helping the site.
  35. 4 points
    Hi, sorry I wasn't online for so long. I am still alive 🙂 but I had a HDD crash and lost almost everything including account information. Today I was able to recover some account information from a forgotten USB stick. At least the forum here + bitbucket/github account. So I may be able to work on the projects again 🙂
  36. 4 points
    Find it funny how the agitator creates the topic to try and bring attention to what he had to post later on Puny schemes. People just have lives; RE isn't going anywhere. Same as there's been one generation of smart, skilled and enthused people, others will follow. Circle of life. What I do find funny is how this "high-level programming" works even with big companies, such as Denuvo. I put quotes because same as Java relies on a ton of shit OTHER people wrote across time, which they now just import, similarly Denuvo relies on VMProtect to shield whatever crap they've got going on. Were it not for it, we'd have gotten ourselves the ol' time SecuROM/SafeDisc fiascos. I digress.. Congrats, ExoD And keep it up, love your work.
  37. 4 points
    @p4r4d0x: enough already! If you can't stop whining about exetools and techlord, please go away - as this behavior is not bringing anything useful to this forum. :@ @mrexodia: I wish you all the best in your new job. You're an extremely skillful person and I'm sure you'll enjoy the challenges this line of work will bring. And remember to learn as much new stuff as possible!
  38. 4 points
    Hi. It's a month after challenge v2, but I only had free time just now to work on the target. Results for both Key 1 & 2 are identical compared to the Protected file. Kind Regards devirtualizeme32_vmp_3.0.9_v2_DeVM_Final_OK.exe
  39. 4 points
    Hello All, I created my first reverse engineering project. It's an open source loader called patchya. It's not as strong as dUP yet. I am planning to port it to Linux and to add more features such as anti-anti-debugging tricks. Would appreciate any feedback! Github project: https://github.com/misaleh/patchya
  40. 4 points
    Doesn't matter what the players want, if the protector isn't fully defeated/removed it's not a proper crack. The purpose isn't to bring players a playable game but rather to crack the protector.
  41. 4 points
    To store all the paths you could use an INI-File with a structure like:
    [Settings]
    Count = Number of paths
    [0]
    Path = Path to the program to execute
    Param = Parameter value
    ...
    You could read the Count and Param value with GetPrivateProfileInt and the path with GetPrivateProfileString. To store the path and parameter you can create a structure in MASM that holds both values and allocate memory to store the stuff inside. After loading the INI-File you can iterate through your array and compare the Param attribute and execute the program if it's a match. This may not be the best solution but it should be pretty simple.
  42. 4 points
  43. 4 points
    ..and with one known key it's perfectly solvable. All credits go to @Reza-HNA for deobfuscating the keygenme. After that, it was a piece of cake. Keygen is not obfuscated in any way, so anyone can take a look at how it's done. keygen for Newbe KeygenMe1.zip
  44. 3 points
    Yep, looks like Dotwall. But the main executable is totally boring - the interesting stuff is in .NET resources. So, don't waste much time trying to deobfuscate main executable. There are 2 malicious PE files in .NET resources - XOR-encrypted with key 76 00 6F 00 52 00 4E 00 66 00 48 00 73 00 44 00 One is Aspire.dll, protected with .NET Reactor - that's some sort of malware launcher. Other one is password stealer written in Delphi.
  45. 3 points
    Have a look at Sciter: If you use it in the binary form, it is free. Some real life applications that use Sciter core engine for their UI – HTML/CSS under the hood Quoting from their site: So , I guess it directly answers your question as you mentioned ESET Antivirus also in it. It even has its own forum where you can ask your questions.
  46. 3 points
    saw this earlier.. makes no sense to me but I'm sure some of ya know what it all means.. cheers
    Injustice 2 Legendary Edition-CODEX
    Notes: This release contains the latest update from August 21st and all additional content of the Legendary Edition. For the reason explained below, we noticed that two of the 38 included fighters (Gorilla and Robin) can have some small delays/micro freezes when executing certain attacks. The slower your CPU, the more noticeable the lags are on these two. Even though the game isn't exactly new anymore, there are still a lot of bugs left in the legit version.
    Some Denuvo Techtalk :
    For example when Robin does one of his special attacks, throwing a smoke bomb on the ground, Denuvo starts writing a private key to the memory from 000000014C113692:
    000000014C113692 | 44 88 07 | mov byte ptr ds:[rdi],r8b
    000000014C113695 | 5F | pop rdi
    000000014C113696 | 50 | push rax
    000000014C113697 | 21 C0 | and eax,eax
    000000014C113699 | 9C | pushfq
    000000014C11369A | 44 01 C1 | add ecx,r8d
    000000014C11369D | 4C 89 F0 | mov rax,r14
    000000014C1136A0 | 48 89 C1 | mov rcx,rax
    000000014C1136A3 | 48 C7 C0 00 00 00 00 | mov rax,0
    000000014C1136AA | 48 09 D0 | or rax,rdx
    000000014C1136AD | 48 83 C1 01 | add rcx,1
    000000014C1136B1 | 49 89 CE | mov r14,rcx
    000000014C1136B4 | C1 C1 08 | rol ecx,8
    000000014C1136B7 | 9D | popfq
    000000014C1136B8 | 58 | pop rax
    Then it fills the buffer at: 000000014779F593.
    When everything is filled and the key is obtained by Denuvo itself, it starts executing anti-tamper checks from 000000014774C37E:
    000000014774C37E | 41 89 7D 00 | mov dword ptr ds:[r13],edi
    000000014774C382 | 48 29 F3 | sub rbx,rsi
    000000014774C385 | 41 54 | push r12
    000000014774C387 | C1 CB 0D | ror ebx,D
    000000014774C38A | BE D4 72 4D 3E | mov esi,3E4D72D4
    000000014774C38F | 4C 8D 25 4F B5 06 FE | lea r12,qword ptr ds:[1457B78E5]
    000000014774C396 | 4C 33 24 24 | xor r12,qword ptr ss:[rsp]
    000000014774C39A | 48 8B 1C 24 | mov rbx,qword ptr ss:[rsp]
    000000014774C39E | 4C 21 E3 | and rbx,r12
    000000014774C3A1 | 4C 09 24 24 | or qword ptr ss:[rsp],r12
    000000014774C3A5 | 0F BA F8 06 | btc eax,6
    000000014774C3A9 | 0F BA F6 0D | btr esi,D
    000000014774C3AD | 48 29 1C 24 | sub qword ptr ss:[rsp],rbx
    000000014774C3B1 | 4C 89 E3 | mov rbx,r12
    000000014774C3B4 | 48 23 1C 24 | and rbx,qword ptr ss:[rsp]
    000000014774C3B8 | 4C 0B 24 24 | or r12,qword ptr ss:[rsp]
    000000014774C3BC | 49 29 DC | sub r12,rbx
    000000014774C3BF | C3 | ret
    Here it gets the addresses of the various functions inside the Denuvo code from the r13 register and forces the original bytes, a single DWORD per cycle, essentially overwriting any potential patches that were applied to these functions before. The way our crack works is that it reads a huge amount of encrypted code (including the code that the anti-tamper tries to overwrite) and therefore patching the required place causes some slowdowns thanks to Denuvo and the devs.
  47. 3 points
    @mrexodia Mr. Yuschuk delayed the OllyDbg 64-bit project for a long, long time (last updated: February 05, 2014). I think because of you, because of your debugger; your debugger is the main reason. Your debugger is my current lover but I wanna get back with my ex-lover, Ms. OllyDbg. How can I? :)) P.S. Thanks for your daughter. She is so beautiful.
  48. 3 points
    Unpacker tools - source code C# My source code: https://gitlab.com/CodeCracker https://github.com/CodeCrackerSND https://bitbucket.org/CodeCrackerSND/ I will NOT share (anymore) the rest of my tools!
  49. 3 points
    Well, I was working on it too and unpacked it, but did not have time to clean it well enough to my liking. However, as you can see from my screenshot below, it's unpacked and clean enough to give us the solution: Best Regards :)
  50. 3 points
    Really depends on what you want. First things first - "free" obfuscators for .NET don't do protection very well. At best they just rename the classes of your assembly, at worst they do absolutely nothing at all. When it comes to paid obfuscators, here are your options - they are bound to change as protection schemes get cracked and patched.

    Low End: .NETGuard is most likely your best option if you want low-price protection. It does quite a nice job - when it actually works. It has a lot of issues with program compatibility & certain features not working on certain PCs, but the devs are still working on it.

    Medium End: ILProtector is quite good to stop script kiddies from reversing your assemblies, but recent unpackers (such as my own) have made it less worthwhile. Babel.NET's obfuscator also looks quite promising for about the same price.

    High End: Eazfuscator.NET is the obvious choice here. Its managed virtualization is the best on the market (as of now), and is quite difficult to deobfuscate. It also has extremely easy integration with VS and it works on almost any assembly. The only problem is that its control flow obfuscation is absolute shit and its string encryption has been broken by de4dot. I have also heard of an obfuscator named DNGuard HVM, which has a native VM obfuscation - but it is insanely expensive.

    There are also a few obfuscators which I recommend you avoid - here is the list:
    - SmartAssembly - Its protection is complete crap (unpackable by de4dot) and it is also more expensive than EAZ. Don't waste your money.
    - .NET Reactor - The latest version is fully broken by de4dot. The project does not seem all too active either.
    - Agile.NET - Another super expensive obfuscator that has been cracked by de4dot & is inactive. If you are going to be spending this amount of money, you are better off buying DNGuard.
    - CryptoObfuscator - Completely broken by de4dot & inactive.
    - Appfuscator - As of now an unpacker exists for this, but it might change at some point. Right now I suggest you avoid it until they patch their protection.

    Of course, all of these schemes are bound to be cracked at some point. The best protection is always to make it yourself. Custom protection is always the hardest and most annoying to crack, as a cracker has no idea how the scheme works and must figure that out at their own peril.