Tuts 4 You

Leaderboard

  1. kao (Full Member+): 212 points, 2,483 posts
  2. Teddy Rogers (Administrator): 136 points, 9,098 posts
  3. CodeExplorer (Moderator): 132 points, 3,154 posts
  4. Xyl2k (Full Member): 119 points, 191 posts

Popular Content

Showing content with the highest reputation since 07/30/2020 in all areas

  1. Here are some of my keygen/crack GFX's / templates I've made in Photoshop + WinASM Studio these days:

     (1) https://imgur.com/vS71RaO (2) https://imgur.com/3fWUf30 (3) https://imgur.com/5YfB8Xg (4) https://imgur.com/2Bt54Ne (5) https://imgur.com/fDC4FfK (6) https://imgur.com/p4TBQ4J (7) https://imgur.com/gNOgPnR (8) https://imgur.com/vkwSQ01

     Please note that PERYFERiAH team is not a warez group. It is actually a vlogging team, since I was making vlogs in high school in the past. The people of PERYFERiAH (PRF for short) were actually my high school friends (not "crackers/keygenners" as they were mentioned on the templates), and I have always made vlogs with them until March (I haven't made vlogs since March because of the Covid19 pandemic, and the high school was also closed after all). I founded this team in 2018 and we started making vlogs in high school (not only there, I've also made some at different locations). But in this topic I just wanted to show you all my GFX skills and even Assembly language programming skills (I've included only these images because they have keygen algos in them and I don't want to get a warn after posting); ever since September 2019 I was really interested in the whole demoscene and warez scene too, even ASM/Delphi programming. However, the keygen algos used in these keygen projects were not made by me; they were used only to make the keygens look real (that's why I've censored some serials on some of the pictures above), not to rip them, but BIG thanks to ev1l^4, TomaHawk, DigitalDreamer and s3rh47 for the keygen algos, so please don't blame me for that. Templates no. 6 and 7 are only crack templates and I haven't inserted any patch engine in them cuz I was just lazy (or it doesn't need to include them since they're only templates). :m

     Perhaps on graphical effects and music, I've used:
     - x0man's aboutbox effect on six of these (templates no. 1, 2, 3, 4, 6 and 8), thanks to Xylitol for sharing it and to x0man for the effect.
     - BASSMOD for the music (used on temps 1, 4 and 8), thanks to Xylitol for the ASM applet and Ufo-Pu55y for the lib. It was used only for non-interpolation playback for most chiptunes.
     - uFMOD for the music used only on template no. 7 (linear playback).
     - Magic's V2m engine (used on temps 2, 3, 5 and 6), thanks to MagicH_2001 for the engine.
     - fudowarez's starfield effect (used only on template no. 7), thanks to him for it.
     - diablo2oo2's text scroller effect (used on temps 5 and 7), thanks to him for the applet.
     - MackT's image effect (used on template no. 5), thanks to him for it.

     If you guys want me to share the full ASM projects, let me know so I can remove the keygen algos and post them as zip/rar files. Plus, some of the GFX's were inspired by tPORt's and other ones. :p And as I said earlier, I am just showing you my GFX and assembly programming skills only, and I don't want to release the full keygens anywhere cuz they are only templates. By the way, have a nice day, and if you guys are interested, PM me and I'll make GFX's for you tho.
    11 points
  2. So you want to download some releases from SnD? Alright, let's see. At snd.webscene.ir, the distribution section menu contains a link pointing at hxtps://keygens.pro/

     Super, looks like there are a lot of cracks over here! And the site is virus free, right? So let's pick something, I don't know, maybe 7-Data.Card.Recovery.1.1.keygen-SND hxtps://keygens.pro/crack/729775/

     lol @ the description on the page, didn't know Reagan was from SnD and born in Russia. Anyway, we get redirected to a download page after clicking the 'Download only Keygen' button; we have to fill in a captcha and agree to the conditions. The archive is password protected and contains only one file, "setup_pass-123.exe".

     If we try to download some other random files from the keygens.pro collection, sometimes we have variations, e.g. Any.video.converter.Ultimate.keygen-URET hxtps://keygens.pro/crack/733508/, which contains a 'readme.txt', but we still have our suspicious setup_pass-123.exe inside.

     Antiviruses aren't really happy about the file when it's sent to VirusTotal, but hey, it's kind of normal, it's a crack after all. The file in question is massively identified as 'remcos' (Avira, Kaspersky, F-Secure, ...). Remcos is a known trojan, and this time they are right. I've sent the file to my CAPEv2 (like Cuckoo Sandbox but with Python 3), which also identified it as Remcos, and even the exact version, 2.7.0 Pro.

     The process tree:

         path-pass-123.exe 1204
         powershell.exe 764  powershell -w 1 -e cwB0AGEAcgB0AC0A [REDACTED]
         mc.exe 588
         mc.exe 2816
         trading_bot.exe 2776
         services.exe 484  C:\Windows\system32\services.exe
         lsass.exe 2992  C:\Windows\system32\lsass.exe

     mc.exe does an NtOpenMutant with mutex name 'Remcos_Mutex_Inj', and a few DeleteFile() calls:

         DeletedFile: C:\Users\PC\AppData\Local\Temp\g23cbt11.tv1.ps1
         DeletedFile: C:\Users\PC\AppData\Local\Temp\rgmxlij1.zlj.psm1
         DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a5a4f0c9-7658-465a-89b7-50210e17552a
         DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aa1cabc1-b688-4c89-bf51-d9e59fc195d8
         DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_33715418-423c-4ee6-9bfb-e19632c208c1
         DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d9fccf31-e642-45c3-b729-86cbf5ec234c
         DeletedFile: C:\Users\PC\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_99c3bc19-136a-483f-a231-8276ab84ee13
         DeletedFile: C:\Users\PC\AppData\Roaming\Microsoft\mc.exe
         DeletedFile: C:\Users\PC\AppData\Local\Temp\webcam.png
         DeletedFile: C:\Users\PC\AppData\Local\Temp\screenshot.jpg
         DeletedFile: C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\fuv0sisu.default-release\cookies.sqlite24628718
         DeletedFile: C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\fuv0sisu.default-release\formhistory.sqlite24628875

     About the dropped files, it writes a file 'logs.dat' into \AppData\Roaming\temp\, in my case:

         [2020/10/15 05:31:33 Offline Keylogger Started]
         [ Program Manager ]
         [Following text has been copied to clipboard:]
         h
         [End of clipboard text]
         { User has been idle for 400 minutes }

     And what was the 'screenshot.png' it created and then deleted? This: one of my CAPEv2 VMs (the malware oversized the screenshot a bit, though).

     The file sniffs keystrokes, harvests/steals private information from browsers and messenger clients, takes screenshots from the PC and webcam if connected, and installs itself for autorun at startup. Yep, that's not really what we were looking for. Alright... let's search for another site then...

     We type "download crack" on Google and we are now on keygenninja.com (former KeygenGuru, according to them). The site is the second result on Google's main page; the authors of these sites play on search engine rankings and are extremely well positioned (they pay Google for that). Let's try to download something, idk, maybe 'Panopticum IcePattern v1.2 for Adobe Photoshop' hxtps://keygenninja.com/serial/panopticum_icepattern_v1_2_for_adobe_photoshop.html

     We click the 'Download Keygen' button and get redirected to another site: hxtps://cracknet.net/d/a95b2bff8a272ss9p.html. Now we are on a page with 2 big 'download' buttons; the text also indicates that the archive password is 12345. When you click on the button the download is launched, but from another external site: hxtps://get.ziplink.xyz/

     I've also found another site, serialms.com; this is just another 'showcase site'. All the cracks point to the same address (cracknet.net); they also have the same DB as keygenninja.com.

     Well, we have 3 files in the archive, one executable, and unlike keygens.pro, this time we have the info files (nfo and diz file), apparently a release from team Inferno (a cracking group which disbanded in 2006). The nfo says it was released in May 2020 and the file timestamps seem to be from 2020. Is Inferno back?

     When extracting the executable from the archive, we get a suspicious 'rar sfx archive' icon; if we look at the executable's properties, Windows will confirm it's a self-extracting archive. Meaning we can also rename the file to .rar and open it with WinRAR to see what's going on. Btw, that archive inside the archive [insert xzibit yo dawg meme here] is also password protected with '12345'.

     According to VirusTotal only 10 of 70 engines detect it as hostile. Suspicious again, huh? Let's send this file to CAPEv2 too. When sending a password protected SFX archive, you need to fill the option field with 'arguments=-p 12345' in CAPEv2, so it will be able to run it with the password.

     And... here is the process tree. Yep, a big one too: the SFX archive contains an SFX archive, which contains several other SFX archives [insert again xzibit meme here] and executes everything, resulting in a lot of new processes.

         Panopticum.IcePatter.exe 172  -p12345
         cmd.exe 2696  C:\Windows\system32\cmd.exe /c ""C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen.bat" "
         intro.exe 816  intro.exe 1O5ZF
         keygen-step-1.exe 3916  keygen-step-1.exe
         keygen-pr.exe 3892  keygen-pr.exe -p83fsase3Ge
         key.exe 1280
         keygen-step-3.exe 3524  keygen-step-3.exe
         cmd.exe 3804  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
         PING.EXE 2572  ping 1.1.1.1 -n 1 -w 3000
         keygen-step-4.exe 2624  keygen-step-4.exe
         file.exe 3896
         002.exe 4548
         Setup.exe 4152
         slic.exe 4148  1
         984D0A19445AA8C5.exe 1552  0011 installp1
         984D0A19445AA8C5.exe 1144  200 installp1
         cmd.exe 3280  cmd.exe /c taskkill /f /im chrome.exe
         msiexec.exe 2880  msiexec.exe /i "C:\Users\PC\AppData\Local\Temp\gdiview.msi"
         services.exe 472  C:\Windows\system32\services.exe
         svchost.exe 592  C:\Windows\system32\svchost.exe -k DcomLaunch
         dllhost.exe 3832  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
         dllhost.exe 2064  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
         svchost.exe 3224  C:\Windows\system32\svchost.exe -k netsvcs
         VSSVC.exe 3648  C:\Windows\system32\vssvc.exe

     One file leads to many files. So what's going on? Well, a lot of things.

     This isn't Remcos RAT like in keygens.pro; I don't know what exactly all of this is. My CAPEv2 seems to detect it as Azorult (a known password stealer). I think it's a false positive for the 'Azorult' malware family, but this one is also harvesting credentials from browsers, bitcoin wallet clients, FTP clients, email clients...

     BTRSetp.exe seems packed with 'Eshelon revolution protector'; it also has a mention of Lenin:

         // Module
         [module: SuppressIldasm]
         [module: Glory_to_the_Great_Lenin_and_the_October_Revolution!!!("Eshelon Revolution Protector ")]
         [module: EF58C16E8C("Discord Link : v1.0.0-custom")]

     The batch file keygen.bat unpacks keygen-step-4.exe with password 83fsase3Ge. This archive contains key.exe and JOzWR.dat; when key.exe is executed it will look in the same folder for the file JOzWR.dat, which is later decoded by key.exe and loaded in memory (screenshot of the 'lzma decoder' in memory). The dumped JOzWR.dat is detected by 13 engines.

         ASCII "-txt -scanlocal -file:potato.dat"

     potato.dat is a file that will be created later in %TEMP% and which contains harvested serial numbers from your applications, including the Windows license key. Example of what the file contains in my CAPEv2:

         Computer: PC-PC - Main scan
         Microsoft Office Professional Plus 2010 - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
         Microsoft Office Professional Plus 2010 - Product ID - REDACTED-REDACTED-REDACTED-REDACTED
         Microsoft Office Professional Plus 2010 - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
         Windows 7 Ultimate - Extra info - Full product name: Windows 7 Ultimate Service Pack 1
         Product ID match to CD Key data
         Product Part No.: REDACTED
         Installed from 'Full Packaged Product' media.
         Is OEM: No
         Windows 7 Ultimate - License Key - REDACTED-REDACTED-REDACTED-REDACTED-REDACTED
         Windows 7 Ultimate - Product ID - REDACTED-REDACTED-REDACTED-REDACTED
         Windows 7 Ultimate - User - PC
         Computer: PC-PC - Deep scan

     The guy who wants free serials gets his serials harvested, isn't that a paradox?

     In conclusion: never open or visit crack sites if you don't have the knowledge to avoid infections; use common sense, as some will even try to trick you with fake nfos/fake releases. Maybe buy your software (or crack it yourself) to avoid that, and don't trust crack sites at all; even if they were 'legitimate' like keygens.pro, they can go rogue anytime.
    11 points
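The command lines quoted in the two process trees above lend themselves to simple triage rules. The following is an added example, not code from the post or from CAPEv2: it parses constructed sample lines modelled on those trees, decodes the unredacted prefix of the PowerShell -e blob (base64 of UTF-16LE, which yields only "start-" because the rest is redacted), and flags the hidden-window encoded command, the ping-delay self-deletion, the browser kill and launches from the RarSFX temp directory. The rule names and the line format are my own.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample, one "<image> <pid> <command line>" per line, modelled on the
# flattened CAPEv2 trees quoted in the post; the -e blob is the unredacted prefix shown there.
SAMPLE_TREE = r"""
path-pass-123.exe 1204
powershell.exe 764 powershell -w 1 -e cwB0AGEAcgB0AC0A
mc.exe 588
cmd.exe 2696 C:\Windows\system32\cmd.exe /c ""C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen.bat" "
cmd.exe 3804 cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\PC\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
cmd.exe 3280 cmd.exe /c taskkill /f /im chrome.exe
svchost.exe 592 C:\Windows\system32\svchost.exe -k DcomLaunch
"""

# -e / -enc / -EncodedCommand followed by the base64 blob (the rule names below are my own)
_ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# -w 1 / -WindowStyle Hidden: WindowStyle value 1 is Hidden
_HIDDEN = re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)


def parse_tree(text: str) -> List[Dict[str, str]]:
    """Split each non-empty line into image name, pid and (possibly empty) command line."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(" ", 2)
        if len(parts) < 2 or not parts[1].isdigit():
            continue
        events.append({"image": parts[0], "pid": parts[1],
                       "cmdline": parts[2] if len(parts) == 3 else ""})
    return events


def decode_encoded_command(cmdline: str) -> str:
    """Plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or ''."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return ""
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)      # tolerate padding stripped by a redaction or a log
    try:
        return base64.b64decode(blob).decode("utf-16-le", errors="replace")
    except ValueError:
        return ""


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the behaviour rules seen in the post; returns (pid, rule, detail) tuples."""
    findings = []
    for ev in events:
        cl, low = ev["cmdline"], ev["cmdline"].lower()
        if ev["image"].lower().startswith("powershell") and _ENC_FLAG.search(cl):
            detail = decode_encoded_command(cl)
            if _HIDDEN.search(cl):
                detail = "hidden window; " + detail
            findings.append((ev["pid"], "encoded-powershell", detail))
        if "ping " in low and re.search(r"\bdel\b", low):
            findings.append((ev["pid"], "ping-delay-self-delete", cl))   # sleep via ping, then delete
        if "taskkill" in low and "/im" in low:
            findings.append((ev["pid"], "kill-process", cl))
        if r"\temp\rarsfx" in low:
            findings.append((ev["pid"], "sfx-temp-launch", cl))          # payload run from an SFX temp dir
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(parse_tree(SAMPLE_TREE)):
        print(pid, rule, detail)
```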
  3. Went for a keygen instead of a full devirtualization. I don't fancy devirtualizing VMProtect stacked on top of KoiVM, so I went with a fully dynamic analysis approach. The code is clear enough though if you are able to set the right breakpoints at the right places. Personally I am not a fan of including anti-VM in challenges; it only makes it annoying rather than interesting, but maybe that's just me. Sample key: Approach: Keygen.cs
    10 points
  4. Hello, I unpacked the file completely (including VM). Here is how I did it (simplified a bit):
     1. After a bit of analysis we can notice that Agile.NET hooks into the Just In Time compiler in order to restore the method code. This can be undone by hooking into the JIT before Agile.NET.
     2. Update de4dot to be able to remove simple protections like string encryption, control flow, and reference proxy. This just requires you to update some detections.
     3. Spend some time analyzing the Agile.NET VM; we find out that its VM is somewhat different to others as it creates "combined" handlers for multiple opcodes. In order to remove the VM we can utilize the de4dot devirtualizer. In order to add support we have to track down the original runtime dll that's shipped with the protector to extract the non-merged handler information.
     After some manual cleanup the result is the following, unpacked file attached. UnpackMe-unpacked.exe
    10 points
  5. No, it really isn't. It stops 10-year olds from running ready made tools, and that's about it.

     Password is:

     There are 3 ways to solve it:

     Easy way (1/10): open the file in a hex editor, check the strings and find the solution there.
     Slightly harder (2/10): run the crackme under any tracer/profiler, see what functions it calls, see the correct string as one of the parameters.
     "Extremely hard" (3/10): open dnSpy and Visual Studio and fix the OldRod source code. You'll need like 5 minutes for that.

     1) Compare the original KoiVM method handlers with the DiamondVM method handlers:

     KoiVM:

     DiamondVM:

     As you can see, DiamondVM has 2 useless string arguments and the "id" parameter has been moved from 2nd position to 1st. Side note - the DiamondVM author tried to get rid of the "id" parameter and use A_3.Length instead. However he/she failed miserably and "id" is still there..

     Open the OldRod file OldRod.Pipeline\Stages\VMMethodDetection\VMMethodDetectionStage.cs and change the method signatures + parameter count:

         //..around line 36..
         /*
         private static readonly IList<string> Run1ExpectedTypes = new[]
         {
             "System.RuntimeTypeHandle",
             "System.UInt32",
             "System.Object[]"
         };

         private static readonly IList<string> Run2ExpectedTypes = new[]
         {
             "System.RuntimeTypeHandle",
             "System.UInt32",
             "System.Void*[]",
             "System.Void*",
         };
         */
         private static readonly IList<string> Run1ExpectedTypes = new[]
         {
             "System.UInt32",            // moved
             "System.String",            // useless
             "System.RuntimeTypeHandle",
             "System.String",            // useless
             "System.Object[]"
         };

         private static readonly IList<string> Run2ExpectedTypes = new[]
         {
             "System.UInt32",            // moved
             "System.String",            // useless
             "System.RuntimeTypeHandle",
             "System.String",            // useless
             "System.Void*[]",
             "System.Void*",
         };

         // ...around line 158 ...
         switch (method.Signature.ParameterTypes.Count)
         {
             //case 3:
             case 5:
                 if (HasParameterTypes(method, Run1ExpectedTypes))
                     info.RunMethod1 = method;
                 break;
             //case 4:
             case 6:
                 if (HasParameterTypes(method, Run2ExpectedTypes))
                     info.RunMethod2 = method;
                 break;
         }

     Build your modified OldRod and run it with the parameter "--koi-stream-name #VM " to work around the other change in DiamondVM. Done! Devirtualized file attached. UnpackMe.exe_VM-cleaned.zip
    10 points
  6. Tango down for 109.201.133.80 (keygens.pro, serials.be, crack.ms). Meanwhile, 54.36.184.139 (crackinns.com, torrentheap.com, crackheaps.com, cracknets.net, cracksnet.net, cracknet.net, keygenit.net, keygenom.net, cracksgurus.com, keygenninja.com, serialms.com, mackeygens.com, mediagetsite.com, get.ziplink.xyz, get.ziplink.stream) is still spreading malware. An abuse report was sent too, but nothing has followed for the moment, so here is some insight about their infra in the meantime (when all else fails, crowbar the fornicationer). Embedded mini-admin panel to administrate the fake sites; it allows them to disable links, blacklist keywords on the site, redirect to affiliates, etc.. Okay cool, you might want to see some numbers now? The site with the highest traffic is keygenninja with around 13k visits per day, and they infect/install roughly 10k per day. As mentioned in the previous post, the end user gets a bunch of crap (trojan.miner, password stealer, serial number stealer, PUPs..). The exfiltrated passwords are sent to t4p.xyz, a domain registered by alelolay[@]protonmail.com, who also owns a few other domains (q1f.xyz, crypto-trad1ng.xyz, trading-solutions.xyz). That's all, for the moment!
    10 points
  7. I am of the opinion that any solution posted here should be reproducible (hence the name tuts4you). Anyone reading my solution should be able to follow the steps and get to the same conclusion. For the case of a VM, since they are complicated beasts, it means it gives me only two options: I would have to release the source code of any type of devirtualizer that I would've made, or I would have to spend an entire blog post talking about how VMP's VM works and how to reverse it. While I genuinely enjoy doing both, both options take a lot of time, something I have very little of these days. But even if I had the time, it's arguably not really worth it. If I were to make a devirtualizer for VMP and release it, it will not take long for the VMP developers to catch on and update their software. Unless the devirtualizer was made in such a way that it would be resistant towards those kinds of changes (which again, takes more time), it means it is probably only going to be useful for a short period. Just doing this for a single unpackme posted on a forum does not really make it worth it for me. Also, while I generally don't have any problem with publishing articles or source code (unlike other people that post solutions here, it seems), I do have a problem with potentially harming other people's businesses. I am not a fan of releasing devirtualizers or unpackers for protectors that are still in business and have customers. From a legal and ethical perspective, that's just not something I would do easily. Generally speaking though, with reverse engineering it is often not required to fully unpack anyway. You extract what you need and leave out the unimportant business. In a lot of cases that does not require a full deobfuscation. Especially not with keygenmes like these. Maybe someone else thinks differently about that, and does pick this up as a challenge though.
    9 points
  8. 28,905 downloads

     A collection of tutorials aimed particularly at newbie reverse engineers.

     01. Olly + assembler + patching a basic reverseme
     02. Keyfiling the reverseme + assembler
     03. Basic nag removal + header problems
     04. Basic + aesthetic patching
     05. Comparing on changes in cond jumps, animate over/in, breakpoints
     06. "The plain stupid patching method", searching for textstrings
     07. Intermediate level patching, Kanal in PEiD
     08. Debugging with W32Dasm, RVA, VA and offset, using LordPE as a hexeditor
     09. Explaining the Visual Basic concept, introduction to SmartCheck and configuration
     10. Continued reversing techniques in VB, use of decompilers and a basic anti-anti-trick
     11. Intermediate patching using Olly's "pane window"
     12. Guiding a program by multiple patching.
     13. The use of API's in software, avoiding doublechecking tricks
     14. More difficult schemes and an introduction to inline patching
     15. How to study behaviour in the code, continued inlining using a pointer
     16. Reversing using resources
     17. Insights and practice in basic (self)keygenning
     18. Diversion code, encryption/decryption, selfmodifying code and polymorphism
     19. Debugger detected and anti-anti-techniques
     20. Packers and protectors : an introduction
     21. Imports rebuilding
     22. API Redirection
     23. Stolen bytes
     24. Patching at runtime using loaders from lena151 original
     25. Continued patching at runtime & unpacking armadillo standard protection
     26. Machine specific loaders, unpacking & debugging armadillo
     27. tElock + advanced patching
     28. Bypassing & killing server checks
     29. Killing & inlining a more difficult server check
     30. SFX, Run Trace & more advanced string searching
     31. Delphi in Olly & DeDe
     32. Author tricks, HIEW & approaches in inline patching
     33. The FPU, integrity checks & loader versus patcher
     34. Reversing techniques in packed software & a S&R loader for ASProtect
     35. Inlining inside polymorphic code
     36. Keygenning
     37. In-depth unpacking & anti-anti-debugging a combination packer / protector
     38. Unpacking continued & debugger detection by DLL's and TLS
     39. Inlining a blowfish scheme in a packed & CRC protected dll + unpacking Asprotect SKE 2.2
     40. Obfuscation and algorithm hiding
    9 points
  9. Target uses homomorphic encryption of two pieces of code, which are the crucial part of verifying the serial. Not sure if it's keygennable, maybe someone else will make it. If the string that we enter in the input box is passed to the following two methods and both of them return the expected result, then we get the goodboy ("Hooollaaaaa :)") message.

     The result of this method must be 5214:

         internal static int check1(string input)
         {
             int num = 0;
             for (int i = 0; i < input.Length; i++)
             {
                 num += (int)(input[i] + 'P');
             }
             return num;
         }

     The result of this method must be 40106:

         internal static int check2(string input)
         {
             int num = 0;
             for (int i = 0; i < input.Length; i++)
             {
                 num += i * (int)input[i] % 0x7FFFFFFF;
             }
             return num;
         }
    7 points
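Both checks are linear in the character codes: check1 fixes the plain sum of the codes (plus 80 per character, since 'P' is 80) and check2 fixes the index-weighted sum. The following added example, which is mine and not the poster's code, transliterates the two C# methods and builds a satisfying string constructively, which shows why encrypting the checker buys nothing once its two target values are known; the printable-ASCII range and the length of 30 are my assumptions.

```python
from typing import List, Optional

LO, HI = 33, 126                  # allowed character codes, '!' .. '~' (assumption)
TARGET1, TARGET2 = 5214, 40106    # the two expected results quoted in the post


def check1(s: str) -> int:
    # C#: num += (int)(input[i] + 'P');   'P' is 80, so this is sum(codes) + 80 * len
    return sum(ord(c) + ord("P") for c in s)


def check2(s: str) -> int:
    # C#: num += i * (int)input[i] % 0x7FFFFFFF;   '*' and '%' bind left to right
    return sum((i * ord(c)) % 0x7FFFFFFF for i, c in enumerate(s))


def make_key(n: int = 30, t1: int = TARGET1, t2: int = TARGET2) -> Optional[str]:
    """Build a length-n string with check1 == t1 and check2 == t2, or None if impossible."""
    plain = t1 - n * ord("P")                 # required sum of the character codes
    if not n * LO <= plain <= n * HI:
        return None
    base, rem = divmod(plain, n)
    codes: List[int] = [base + (1 if i < rem else 0) for i in range(n)]   # sum(codes) == plain
    # Moving m units from position src to position dst keeps the plain sum and changes
    # the weighted sum by m * (dst - src); try the longest useful distance first so the
    # remaining difference shrinks quickly and never overshoots.
    while True:
        diff = t2 - sum(i * c for i, c in enumerate(codes))
        if diff == 0:
            return "".join(map(chr, codes))
        moved = False
        for d in range(min(abs(diff), n - 1), 0, -1):
            for k in range(n - d):
                src, dst = (k, k + d) if diff > 0 else (k + d, k)
                m = min(codes[src] - LO, HI - codes[dst], abs(diff) // d)
                if m > 0:
                    codes[src] -= m
                    codes[dst] += m
                    moved = True
                    break
            if moved:
                break
        if not moved:
            return None        # no pair can shift weight in the needed direction


if __name__ == "__main__":
    key = make_key()
    if key is not None:
        print(repr(key), check1(key), check2(key))
```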
  10. Necrobit: To mess up the old de4dot implementation, .NET Reactor changed the P/Invoke methods, but for the unpack you can use the SMD from CodeCracker, which will do an excellent job of this.

      Control Flow: To break de4dot.blocks, Eziriz added a number of instructions to the flow cases which de4dot cannot process; it's easy to fix it, just repeat after me)

      String Encrypt: Eziriz changed the resource encryption algorithm for strings, which messed up the old decryptor implementation. This problem is solved by dynamic emulation of the method, obtaining the LDC.I4 values for initializing the decrypt method. I will show an example of getting a MethodDef from the Call operand via dnlib.

      Hide Methods Calls (NEW!): New reactor protection, taken half from the open source Fuser. The bottom line is that system methods are initialized from delegates. It sounds scary, let's try to figure it out))

      Well, we beat the new reactor, I hope you enjoyed this article, thanks for reading)) All the credit goes to Eshelon Mayskih.
    7 points
  11. I just published my own write-ups on my GitHub, if anyone is interested https://github.com/Washi1337/ctf-writeups/tree/master/FlareOn/2020
    7 points
  12. Fun challenge. I went for finding just the key algorithm rather than fully devirtualizing, but the code is pretty clear. Here are some sample keys: Approach: Keygen.7z
    7 points
  13. Sure, I'm gonna release an unpacker for net reactor 6x soon.
    7 points
  14. This code and accompanying article are worse than most ConfuserEx mods written by script kiddies... Where do I start?

      Holy f*ck, have you ever heard of things you should never ever do inside DllMain? Loading another DLL from DllMain is one of the basic ones - it virtually guarantees a deadlock.

      "DLL hook"... You mean DLL name? Like, I don't know... a string?

      Not since year 2018... And it's called "Detours".

      And the cherry on top! Just 4 problems in 9 lines of code! Must be a world record or something!
      1) if CreateRemoteThread fails, the child process is left hanging;
      2) WaitForSingleObject with a 4000ms timeout assumes that the remote thread runs immediately and that the hook DLL loads and does its stuff immediately. You just created a race condition between the hooking thread and the main process thread.
      3) WaitForSingleObject with timeout + VirtualFreeEx creates another nasty race condition.
      4) You should close the thread handle for the process you created: CloseHandle(processInformation.hThread);
    7 points
  15. This is an update to my last post. I've decided to continue working on my unpacker and was able to figure out how to decrypt operands; when it comes to callinternal, its operand, when decrypted, tells you which method to execute. The next problem I got was homomorphic encryption, but it wasn't a hard nut to crack: all you have to do is bruteforce the key and use it to decrypt the method body. With all this I've finally made the devirtualiser and was able to unpack the assembly. Then I ran it through de4dot to clean it up a bit. And then I have manually taken care of the debug code (I haven't removed it, I've just put if(true)return; at the beginning of each debug method). Here is a video of me unpacking it: https://streamable.com/gynmi9 The file password is superfrog. For some reason I couldn't upload the raw exe so I zipped it: ggggg-unpacked-cleaned.zip
    6 points
  16. A Complete Article - https://back.engineering/17/05/2021/ Download Link - https://githacks.org/vmp2 Author - https://githacks.org/_xeroxz
    6 points
  17. 6 points
  18. fixed in v1.7 https://githacks.org/vmp2/vmemu/-/releases/v1.7 (make sure your commandline arguments are also correct)... Also be aware that vmemu currently does NOT support dumped modules as it uses LoadLibraryExA - DONT_RESOLVE_DLL_REFERENCES to load the module... Support for dumped modules will come very shortly, as well as an auto unpacking/drag & drop project.
    6 points
  19. It seems they are using a stolen version of DNGuard Enterprise and made a cloud version of it! So it's a DNG 3.9.6.2 Enterprise and almost none of the options are true. Here is the password: Approach: Unpacked file attached. B.R Unpackme_cleaned.exe
    6 points
  20. Oh, I didn't try to be mean. It was just a feeling that I had while solving the challenge. I guess it was late in the night when I wrote this reply, which might have made my post seem a little bit aggressive. Don't get me wrong, I really enjoyed reversing this challenge. Bruteforce challenges are just not really my cup of tea. Anyway, I just pushed my full write-up with all scripts and dumps to my GitHub: https://github.com/Washi1337/ctf-writeups/tree/master/Miscellaneous/tuts4you/ClumsyVM
    6 points
  21. Are you absolutely sure this is doable without bruteforce? After spending some hours on analyzing and devirtualizing, this crackme feels very much like a "guess-what-the-author-wanted-you-to-do" challenge, rather than an actual reverse engineering challenge where we have to infer the password based on the code. In the spoiler some more detailed info of why I think this is the case. EDIT:
    6 points
  22. @XenocodeRCE: I have huge respect for you as an RE guy but now you're just being a d*ck. If you have some personal issues with mamo/localhost0/whatever he calls himself this week, please resolve them privately and don't make a huge public drama out of it. No matter how I count, it's 3 months and 2 days max. If you're gonna whine, at least get your facts right. Umm, no. The requirement from the law is to react to any reported copyright infringements, not to actively run around and search for any possible issues. See DMCA 512(c). So, if the admins ignored a properly reported copyright issue for 3 months, then yes, maybe they could be held responsible. But that's not the case.
    6 points
  23. awesome_msil_Out.exe Approach: 1. Necrobit is a JIT protection, so we use Simple MSIL Decryptor by CodeCracker, and it should be run on NetBox. 2. Code virtualization is a relatively new feature of .NET Reactor, added in version 6.2.0.0. Here is the approach I took (I did this about 6 months ago so my memory is kinda rusty): (Click spoiler to see hidden contents)
    6 points
  24. For those interested, I have installed a new dark theme and deleted the others. Scroll to the bottom of the page to find the option to change themes... Ted.
    5 points
  25. Happy New Year 2021 for all members
    5 points
  26. Happy New Year and welcome to 2021! I hope we have a better year than 2020 and we get back to some normality... Ted.
    5 points
  27. 5 points
  28. Info: https://www.reddit.com/r/windowsxp/comments/iz46du/the_windows_xp_source_code_has_been_leaked_on/ Most of the torrent includes previously leaked data/files. But now it claims to include the full source to Windows XP (looks like SP1 based on pics people have posted). If you plan to download this (42 GB torrent) I'd seriously recommend a VPN.
    5 points
  29. 5 points
  30. Regexps are not particularly efficient here and simple string operations work much better. Anyways, I made a writeup on my blog (https://lifeinhex.com/deobfuscating-autoit-scripts-part-2/) and made a copy-paste below. Unfortunately, all the hyperlinks are gone and I just can't be bothered to go through each and every one of them. Also - it refers a lot to my old solution of another AutoIt crackme, so I really suggest checking that writeup as well:

      ---------

      Almost 4 years ago, I wrote a blogpost about deobfuscating a simple AutoIt obfuscator. Today I have a new target which is using a custom obfuscator. :) The author had a very specific request about the methods used to solve the crackme: In this article I'll show the things I tried, where and how I failed miserably, and my final solution for this crackme. I really suggest that you download the crackme from tuts4you and try replicating each step along the way; that way it will be much easier to follow the article. So, let's get started!

      Required tools

      - MyAutToExe. I'm using my personal modification of myAutToExe but even a standard version should work;
      - C# compiler. I used VS2017 but any version will do;
      - Some library that evaluates math expressions. Just like in my previous article, I used the MathExpressions library from the LoreSoft.Calculator project;
      - Tool for testing regexes. I'm using Regexr;
      - Some brains. Writing deobfuscators is like 80% thinking, 20% writing the actual code.

      First steps

      First steps are easy - unpack UPX, extract tokens and decompile. The process has been described numerous times, so just google for details.
Once decompiled, the code looks something like this: Func _LL11LLLL11L() $_LL1L11L1 = $_L1111L1L11L($L($Q(27, $G($1($Q(72, 96), (28 * (10 * 36 / 90) - 96)), 98))) & $L($Q((28 * ((52 * ((11 * 6 - 60) * 11 - 64) / 26) * (12 * ((60 ^ 2 / 45 - 76) * 11 - 40) / 8) - 21) - 78), 110)) & $L($1(99, 66)) & $L($1($G($1($Q(8, 36), $G($G($1(42, 17), 52), $Q(29, 37))), $1((12 * (12 * (((5 * 12 - 51) * 8 - 69) * 24 - 67) - 57) - 33), 38)), 85)) & $L($Q(93, $Q($1(40, (3 * 32 - 88)), 26))) & $L($Q(80, $G($Q($1(9, 32), ((5 * 15 - 70) * 4 - 13)), $1((16 * 13 / 52), $G($Q(68, 97), $Q($1(8, 48), 5)))))) & $L($Q($Q($1(19, 48), 23), (4 * 34 / 34))) & $L($Q($1($Q(37, 14), $Q(3, $Q($1(62, 9), 29))), 69)) & $L($1(97, $1($1(2, 46), $Q(21, $Q(77, 115))))) & $L($1(77, $Q(99, 67))) & $L($1($1(40, $Q($Q(3, 34), 5)), 77)) & $L($1(78, 97)) & $L($1($G($1($1(2, 33), (24 * 4 - 95)), 62), 99)) & $L($Q(36, (6 * 56 / 84))) & $L($1(69, 36)) & $L($Q($1(34, 2), 74)) & $L($1($G($1((6 * (3 * 10 - 22) - 47), 48), $Q(98, 94)), 84)) & $L($Q(36, 4)) & $L($Q(86, $1($Q($1(7, 47), 29), (13 * (22 * 4 - 81) - 72)))) & $L($1(99, 82)) & $L($1(75, 36)) & $L($1(44, 76)) & $L($Q(36, 4)) & $L($1(48, 98)) & $L($Q(80, $1(27, $1($G(50, 58), 13)))) & $L($Q((13 * ((6 * 67 / 67) * (13 * 4 - 44) - 44) - 37), 97)) & $L($Q(36, 4)) & $L($Q($1(50, 22), 27)) & $L($Q(36, 4)) & $L($Q(43, 88)) & $L($1($1($Q(20, 51), 34), 99)) & $L($Q((5 * 11 - 40), 97)) & $L($1($Q(39, (4 * 23 - 78)), 97)) & $L($Q($Q(83, 19), $Q(29, $Q(36, (15 * 7 - 87))))) & $L($Q(36, 4)) & $L($Q($Q((6 * 17 - 85), 34), 91)) & $L($1(96, $G($1($1(48, 21), (12 * (3 * 15 - 41) / 8)), $G($Q(49, 5), $1(53, 35))))) & $L($1(40, 73)) & $L($Q(20, 99)) & $L($Q(36, 4)) & $L($Q(78, 37)) & $L($1(76, $Q((10 * 7 - 64), $1(6, $Q(6, $G($1(62, 20), $1($1(6, 32), 11))))))) & $L($Q($Q(20, 62), 75)) & $L($Q($G($1(33, (3 * 10 - 25)), $Q($G(59, 62), 11)), 86)) & $L($Q(36, 4)) & $L($Q(44, 94)) & $L($Q(((11 * 4 - 41) * 16 - 47), 78)) & $L($Q(36, 4)) & $L($1(36, 40)) & $L($1(68, $G($1(33, 17), 
97))) & $L($Q(87, $Q(30, $1((10 * 11 - 98), 60)))) & $L($1(20, 96)) & $L($Q($G(84, 65), $1(48, 2))) & $L($Q(46, 71)) & $L($1($G(52, $1(34, 52)), 82)) & $L($Q(36, 4)) & $L($Q(92, 46)) & $L($1(64, $G($1(28, 47), $1(53, 36)))) & $L($Q(37, 74)) & $L($1(88, 33)) & $L($Q(36, 4)) & $L($Q(63, 79)) & $L($1(97, 4)) & $L($1(33, 69)) & $L($Q(81, $Q(44, 22))) & $L($Q(36, 4)) & $L($1(96, 4)) & $L($Q(99, (19 * ((11 * 4 - 39) * (6 * 11 - 64) / 2) - 82))) & $L($Q($Q(23, $Q(98, 79)), 91)) & $L($Q(36, 4)) & $L($1(83, $Q(25, $1((3 * 25 - 57), 42)))) & $L($Q(92, $1($G(37, 48), 56))) & $L($1($Q(21, 35), 99)) & $L($1($1(46, 43), $G(85, $Q((15 * 7 - 93), 76)))) & $L($Q(39, 85)) & $L($1(99, 99)) & $L($Q(36, 4)) & $L($Q(96, ((13 * 36 / 52) * 10 - 82))) & $L($Q(75, 63)) & $L($1(73, 32)) & $L($1(39, 87)) & $L($Q(36, 4)) & $L($1(35, 73)) & $L($Q(93, $Q(20, 37))) & $L($G(97, 99)) & $L($Q(54, 66)) & $L($Q(36, 4)) & $L($1(44, 78)) & $L($Q(12, 109)) & $L($1(99, 99)) & $L($Q(36, 4)) & $L($Q(50, 71)) & $L($1(76, 99)) & $L($1(88, 33)) & $L($Q(36, 4)) & $L($Q(69, $1($Q(27, 59), 35))) & $L($G(75, 77))) If $_LLLLL11LL == $_LL1L11L1 Then _1L11L111L11() Else $_LLLLLL1L1($_LLL1LLLLL, $_L1111L1L11L($L($Q($G($Q($1(40, 39), 24), $Q(73, 96)), (((((4 * 18 - 68) * 6 - 21) * 34 - 93) * (15 * 5 - 68) - 58) * 13 - 50))) & $L($Q($Q(7, 38), (14 * 7 - 83))) & $L($Q(33, 15)) & $L($1(78, $G($1((3 * 17 - 49), $Q(95, 99)), $Q($1($G($Q(33, 12), 59), 41), (4 * 16 - 52))))) & $L($1($G(81, 76), $Q($Q(88, 98), (14 * 7 - 79)))) & $L($Q($Q(((3 ^ 3 - 19) * (13 * 8 - 96) - 57), $1($1(36, 6), 20)), 80)) & $L($1(69, 98)) & $L($Q($1($Q(7, 39), $Q((((4 * 20 - 71) * 7 - 58) * (60 * (31 * 3 - 84) / 90) - 29), 34)), 66)) & $L($Q((12 * (20 * (15 ^ (3 * 21 - 61) / 3 - 71) - 71) - 94), $1((28 * ((16 * (3 * 33 - 96) - 41) * ((20 * 3 - 52) * 7 - 49) - 46) - 78), $G($G(44, 60), $G($Q(12, 52), 60))))) & $L($1(88, $G($Q(20, 37), $G($Q(32, 15), $1($G($Q($Q(85, 99), (11 * 8 - 77)), 60), (10 * 3 - 13)))))) & $L($1((9 * 7 - 47), 98)) & $L($G(84, 
86)))) EndIf $_1LL1LLL111L($_LLL1LLLLL, (31 * (15 * ((14 * 4 - 49) * (14 * 21 / 42) - 46) - 42) - 77)) EndFunc

Horrible, isn't it?

Cleaning up the math

So, let's get rid of the math expressions first! In my previous post, I used the following regex + math library to clean up the stuff:

MathEvaluator eval = new MathEvaluator();
Regex regex2 = new Regex(@"(-)?\d+(( )+[-+*/]( )+([-+])?\d+)+");
for (int i = 0; i < lines.Length; i++)
{
    Match m2 = regex2.Match(lines[i]);
    while (m2.Success)
    {
        double d = eval.Evaluate(m2.Value);
        lines[i] = regex2.Replace(lines[i], d.ToString(), 1);
        m2 = m2.NextMatch();
    }
}

I tried it here and it failed on floating point numbers like this:

$_1111L1LLL = $_1111L1LLL + $_LLL1LLLL111(-(52 * (11 * 3 - 31) / 26) + 0.5)

I fixed that and the regex started to work. Sort of. There are evil parentheses everywhere and my regex doesn't handle them. So, I added a second regex to support parentheses at the beginning and the end of the expression. What could possibly go wrong? As I learned a few hours later, a lot! See, for example, here:

First, the regex matched the stuff inside parentheses 4 * 21 - 80 and computed it. Then it matched the expression 18 - 71 and computed that. Well, it's already f*cked up, because that's not the correct order of operations. Multiplication has a higher precedence than subtraction! At this point managing regexes was becoming so messy that I stopped. This is not going to work, I need a new approach!

Matching parentheses

If you want to read more about crazy regexes to find matching parentheses, this StackOverflow discussion is a good place to start. But I decided to keep it simple. There are several algorithms, but the simplest one is just counting opening/closing parentheses until you find the correct one.
int bracketPos;
bracketPos = lines[i].IndexOf('(', 0);
while (bracketPos != -1)
{
    // find the closing parenthesis
    int closingBracketPos = bracketPos + 1;
    int level = 1;
    while (level > 0)
    {
        switch (lines[i][closingBracketPos])
        {
            case '(': level++; break;
            case ')': level--; break;
        }
        closingBracketPos++;
    }
    // extract the expression
    string expression = lines[i].Substring(bracketPos, closingBracketPos - bracketPos);
    // do something with expression
    // find next bracket.
    bracketPos = lines[i].IndexOf('(', bracketPos + 1);
}

Now I can take the expression I found, and pass it to the LoreSoft.MathExpressions. Right? Wrong. Parentheses are also used in function definitions or when passing parameters to another function:

Func _LLLL1L111L(ByRef $_1111L1LLL)
...
Local $_111111LL1L1 = $QG($_1LLLL11111, $_11L1LL11L1, $_1LL11L)
...

So, I added another check to see if the extracted expression looks like a math expression. And it seemed to work.

Problematic minus signs

The next problem I encountered was LoreSoft.MathExpressions complaining about some expressions like these:

$_1111L1LLL = $_1111L1LLL + $_LLL1LLLL111(-(52 * (11 * 3 - 31) / 26) + 0.5)

Apparently, the library can handle negative numbers when they are alone, but the combination of a negative sign and parentheses like "(-(1 + 2))" just confuses the hell out of it. Since there were only a few cases in the crackme, I manually edited them:

$_1111L1LLL = $_1111L1LLL + $_LLL1LLLL111(0-(52 * (11 * 3 - 31) / 26) + 0.5)

Another problem solved!

Fixing math library

To continue my journey of failures, some of the calculated expressions were really, really strange. For example:

$_1111L1LLL = $_1111L1LLL + $_11L1L1LL111(2, 3, 0.484222998499551)

That doesn't look right! The original line was

$_1111L1LLL = $_1111L1LLL + $_11L1L1LL111(((4 * 91 / 91) * 35 / 70), ((16 * 4 - 55) * (9 * 4 - 28) - 69), (77 ^ 1 / 11 - 1))

77 to the power of 1 equals 77. Divided by 11 equals 7. Minus 1 equals 6. So the result should definitely be 6.
Why the hell we have 0.48422...? It turns out that LoreSoft.MathExpressions is buggy and "raise to power" operator doesn't have the correct precedence. See the source: private static int Precedence(string c) { if (c.Length == 1 && (c[0] == '*' || c[0] == '/' || c[0] == '%')) return 2; return 1; } Raise to power doesn't have any special handling, so it's handled after the division or multiplication. Which is terribly wrong but really easy to fix: private static int Precedence(string c) { if (c.Length == 1 && (c[0] == '^')) return 3; if (c.Length == 1 && (c[0] == '*' || c[0] == '/' || c[0] == '%')) return 2; return 1; } Finally, the math problems are solved! Function names After solving math problems, methods are starting to look a bit better: Func _LL11LLLL11L() $_LL1L11L1 = $_L1111L1L11L($L($Q(27, $G($1($Q(72, 96), 16), 98))) & $L($Q(6, 110)) & $L($1(99, 66)) & $L($1($G($1($Q(8, 36), $G($G($1(42, 17), 52), $Q(29, 37))), $1(3, 38)), 85)) & $L($Q(93, $Q($1(40, 8), 26))) & $L($Q(80, $G($Q($1(9, 32), 7), $1(4, $G($Q(68, 97), $Q($1(8, 48), 5)))))) & $L($Q($Q($1(19, 48), 23), 4)) & $L($Q($1($Q(37, 14), $Q(3, $Q($1(62, 9), 29))), 69)) & $L($1(97, $1($1(2, 46), $Q(21, $Q(77, 115))))) & $L($1(77, $Q(99, 67))) & $L($1($1(40, $Q($Q(3, 34), 5)), 77)) & $L($1(78, 97)) & $L($1($G($1($1(2, 33), 1), 62), 99)) & $L($Q(36, 4)) & $L($1(69, 36)) & $L($Q($1(34, 2), 74)) & $L($1($G($1(1, 48), $Q(98, 94)), 84)) & $L($Q(36, 4)) & $L($Q(86, $1($Q($1(7, 47), 29), 19))) & $L($1(99, 82)) & $L($1(75, 36)) & $L($1(44, 76)) & $L($Q(36, 4)) & $L($1(48, 98)) & $L($Q(80, $1(27, $1($G(50, 58), 13)))) & $L($Q(15, 97)) & $L($Q(36, 4)) & $L($Q($1(50, 22), 27)) & $L($Q(36, 4)) & $L($Q(43, 88)) & $L($1($1($Q(20, 51), 34), 99)) & $L($Q(15, 97)) & $L($1($Q(39, 14), 97)) & $L($Q($Q(83, 19), $Q(29, $Q(36, 18)))) & $L($Q(36, 4)) & $L($Q($Q(17, 34), 91)) & $L($1(96, $G($1($1(48, 21), 6), $G($Q(49, 5), $1(53, 35))))) & $L($1(40, 73)) & $L($Q(20, 99)) & $L($Q(36, 4)) & $L($Q(78, 37)) & $L($1(76, $Q(6, $1(6, 
$Q(6, $G($1(62, 20), $1($1(6, 32), 11))))))) & $L($Q($Q(20, 62), 75)) & $L($Q($G($1(33, 5), $Q($G(59, 62), 11)), 86)) & $L($Q(36, 4)) & $L($Q(44, 94)) & $L($Q(1, 78)) & $L($Q(36, 4)) & $L($1(36, 40)) & $L($1(68, $G($1(33, 17), 97))) & $L($Q(87, $Q(30, $1(12, 60)))) & $L($1(20, 96)) & $L($Q($G(84, 65), $1(48, 2))) & $L($Q(46, 71)) & $L($1($G(52, $1(34, 52)), 82)) & $L($Q(36, 4)) & $L($Q(92, 46)) & $L($1(64, $G($1(28, 47), $1(53, 36)))) & $L($Q(37, 74)) & $L($1(88, 33)) & $L($Q(36, 4)) & $L($Q(63, 79)) & $L($1(97, 4)) & $L($1(33, 69)) & $L($Q(81, $Q(44, 22))) & $L($Q(36, 4)) & $L($1(96, 4)) & $L($Q(99, 13)) & $L($Q($Q(23, $Q(98, 79)), 91)) & $L($Q(36, 4)) & $L($1(83, $Q(25, $1(18, 42)))) & $L($Q(92, $1($G(37, 48), 56))) & $L($1($Q(21, 35), 99)) & $L($1($1(46, 43), $G(85, $Q(12, 76)))) & $L($Q(39, 85)) & $L($1(99, 99)) & $L($Q(36, 4)) & $L($Q(96, 8)) & $L($Q(75, 63)) & $L($1(73, 32)) & $L($1(39, 87)) & $L($Q(36, 4)) & $L($1(35, 73)) & $L($Q(93, $Q(20, 37))) & $L($G(97, 99)) & $L($Q(54, 66)) & $L($Q(36, 4)) & $L($1(44, 78)) & $L($Q(12, 109)) & $L($1(99, 99)) & $L($Q(36, 4)) & $L($Q(50, 71)) & $L($1(76, 99)) & $L($1(88, 33)) & $L($Q(36, 4)) & $L($Q(69, $1($Q(27, 59), 35))) & $L($G(75, 77))) If $_LLLLL11LL == $_LL1L11L1 Then _1L11L111L11() Else $_LLLLLL1L1($_LLL1LLLLL, $_L1111L1L11L($L($Q($G($Q($1(40, 39), 24), $Q(73, 96)), 15)) & $L($Q($Q(7, 38), 15)) & $L($Q(33, 15)) & $L($1(78, $G($1(2, $Q(95, 99)), $Q($1($G($Q(33, 12), 59), 41), 12)))) & $L($1($G(81, 76), $Q($Q(88, 98), 19))) & $L($Q($Q(7, $1($1(36, 6), 20)), 80)) & $L($1(69, 98)) & $L($Q($1($Q(7, 39), $Q(1, 34)), 66)) & $L($Q(14, $1(6, $G($G(44, 60), $G($Q(12, 52), 60))))) & $L($1(88, $G($Q(20, 37), $G($Q(32, 15), $1($G($Q($Q(85, 99), 11), 60), 17))))) & $L($1(16, 98)) & $L($G(84, 86)))) EndIf $_1LL1LLL111L($_LLL1LLLLL, 16) EndFunc Now we need to get rid of those obfuscated variable names like $_L1111L1L11L and replace them with a proper function names. But what exactly is $_L1111L1L11L? 
I ran a simple grep, and there are 11 references in the code - 1 declaration of the variable, 7 uses of the variable and 3 assignments:

Global ... $_L1111L1L11L ...
$_L1111L1L11L = STRINGREVERSE
$_11L1LLL1LL1 = $_L1111L1L11L(....)
$_L1111L1L11L = STRINGREPLACE
$_L1111L1L11L = GUICTRLCREATEBUTTON

That's interesting. :/ First of all, AutoIt allows you to do this weird thing where you assign a function to a variable. Then you can use this variable to call the function. The crackme that I solved in my previous post used a combination of Assign + Execute methods for the same purposes. Second, you can have several assignments to the same variable. But which one is the correct one? The first one? The last one? A random one? There is no magic solution here, you just need to go through the script and see the execution flow. In AutoIt, anything that's not inside a function is considered to be main code and will be executed starting from the top. So, I went through the script and left only the interesting parts:

Global ...
$_11L1LL1 = 1
_LL1111LL1L1L()
_LL1LLL1()
Switch $_11L1LL1
    Case 5
        _LL1111LL1L1L()
        _LL11LLL1111()
    Case 4
        _11111L1LLL1()
    Case 3
        _LL11LLL1111()
    Case 2
        _LL1111LL1L1L()
        _LL1LLL1()
    Case 1
        _111LL111LL()
        _11111L1LLL1()
EndSwitch
_LL1111L1L1()

This is the order in which the functions will be called. First _LL1111LL1L1L() and then _LL1LLL1() will be executed. Then inside the Switch we'll take Case 1 because that's the value of the global variable $_11L1LL1. So, that will call _111LL111LL() and _11111L1LLL1(). Finally, _LL1111L1L1() will be called. Method _LL1111LL1L1L() does the first assignments:

Func _LL1111LL1L1L()
    $_111L1111L11 = ONAUTOITEXITREGISTER
    $_1L1LLLLLLLL1 = ASSIGN
    $_LL1L111LLLL = DRIVEGETDRIVE
    ...

Then _LL1LLL1() reassigns some (or maybe all) of the variables:

Func _LL1111LL1L1L()
    $_111L1111L11 = ONAUTOITEXITREGISTER
    $_1L1LLLLLLLL1 = ASSIGN
    $_LL1L111LLLL = DRIVEGETDRIVE
    ...

And so on.. I'm too lazy to analyze all of the assignments, so I just reimplemented all 3 methods in my code.
private void UpdateDictionary1()
{
    AddOrUpdate("$_111L1111L11", "ONAUTOITEXITREGISTER");
    AddOrUpdate("$_1L1LLLLLLLL1", "ASSIGN");
    AddOrUpdate("$_LL1L111LLLL", "DRIVEGETDRIVE");
    ...
}
private void UpdateDictionary2()
{
    AddOrUpdate("$_LLL111L1", "WINLIST");
    AddOrUpdate("$_LLLLLLLLL", "SQRT");
    AddOrUpdate("$_L1L1L11LL1", "VARGETTYPE");
    ...
}

UpdateDictionary1(); //_LL1111LL1L1L()
UpdateDictionary2(); //_LL1LLL1()
UpdateDictionary3(); //_111LL111LL()

Of course, I did not type all the assignments manually. A simple regex "search and replace" created the C# code from the AutoIt code. Now I have a dictionary of variable names and the actual function names. Let's just run a simple search and replace! ...and we'll f*ck up again. See for example here:

$_11L1L1 = @LogonDomain
$_11L1L1L = SRANDOM
$_11L1L1LL11 = DEC
...
Func _1111111L111(ByRef $_1111L1LLL)
    $_1111L1LLL = $_1111L1LLL + $_11L1L1LL11(3966)
    Return $_1111L1LLL
EndFunc

If you start from the first string and do a dumb search-and-replace, you'll replace a wrong substring and get a result like this:

Func _1111111L111(ByRef $_1111L1LLL)
    $_1111L1LLL = $_1111L1LLL + @LogonDomainLL11(3966)
    Return $_1111L1LLL
EndFunc

For the exact same reason, you should avoid touching local variable names. My final search-and-replace solution looked like this:

// start with the longest name and work back to the shortest names.
// "(" ensures that we replace only function calls, not variables or locals.
foreach (KeyValuePair<string, string> kvp in m_dictionary.OrderByDescending(x => x.Key.Length))
{
    for (int i = 0; i < lines.Length; i++)
    {
        lines[i] = lines[i].Replace(kvp.Key + "(", kvp.Value + "(");
    }
}

Bit operations

All the hard stuff is done, I promise! We're just a few f*ckups away from the solution!
smile Our test method now looks like this: Func _LL11LLLL11L() $_LL1L11L1 = STRINGREVERSE(CHR(BITXOR(27, BITAND(BITOR(BITXOR(72, 96), 16), 98))) & CHR(BITXOR(6, 110)) & CHR(BITOR(99, 66)) & CHR(BITOR(BITAND(BITOR(BITXOR(8, 36), BITAND(BITAND(BITOR(42, 17), 52), BITXOR(29, 37))), BITOR(3, 38)), 85)) & CHR(BITXOR(93, BITXOR(BITOR(40, 8), 26))) & CHR(BITXOR(80, BITAND(BITXOR(BITOR(9, 32), 7), BITOR(4, BITAND(BITXOR(68, 97), BITXOR(BITOR(8, 48), 5)))))) & CHR(BITXOR(BITXOR(BITOR(19, 48), 23), 4)) & CHR(BITXOR(BITOR(BITXOR(37, 14), BITXOR(3, BITXOR(BITOR(62, 9), 29))), 69)) & CHR(BITOR(97, BITOR(BITOR(2, 46), BITXOR(21, BITXOR(77, 115))))) & CHR(BITOR(77, BITXOR(99, 67))) & CHR(BITOR(BITOR(40, BITXOR(BITXOR(3, 34), 5)), 77)) & CHR(BITOR(78, 97)) & CHR(BITOR(BITAND(BITOR(BITOR(2, 33), 1), 62), 99)) & CHR(BITXOR(36, 4)) & CHR(BITOR(69, 36)) & CHR(BITXOR(BITOR(34, 2), 74)) & CHR(BITOR(BITAND(BITOR(1, 48), BITXOR(98, 94)), 84)) & CHR(BITXOR(36, 4)) & CHR(BITXOR(86, BITOR(BITXOR(BITOR(7, 47), 29), 19))) & CHR(BITOR(99, 82)) & CHR(BITOR(75, 36)) & CHR(BITOR(44, 76)) & CHR(BITXOR(36, 4)) & CHR(BITOR(48, 98)) & CHR(BITXOR(80, BITOR(27, BITOR(BITAND(50, 58), 13)))) & CHR(BITXOR(15, 97)) & CHR(BITXOR(36, 4)) & CHR(BITXOR(BITOR(50, 22), 27)) & CHR(BITXOR(36, 4)) & CHR(BITXOR(43, 88)) & CHR(BITOR(BITOR(BITXOR(20, 51), 34), 99)) & CHR(BITXOR(15, 97)) & CHR(BITOR(BITXOR(39, 14), 97)) & CHR(BITXOR(BITXOR(83, 19), BITXOR(29, BITXOR(36, 18)))) & CHR(BITXOR(36, 4)) & CHR(BITXOR(BITXOR(17, 34), 91)) & CHR(BITOR(96, BITAND(BITOR(BITOR(48, 21), 6), BITAND(BITXOR(49, 5), BITOR(53, 35))))) & CHR(BITOR(40, 73)) & CHR(BITXOR(20, 99)) & CHR(BITXOR(36, 4)) & CHR(BITXOR(78, 37)) & CHR(BITOR(76, BITXOR(6, BITOR(6, BITXOR(6, BITAND(BITOR(62, 20), BITOR(BITOR(6, 32), 11))))))) & CHR(BITXOR(BITXOR(20, 62), 75)) & CHR(BITXOR(BITAND(BITOR(33, 5), BITXOR(BITAND(59, 62), 11)), 86)) & CHR(BITXOR(36, 4)) & CHR(BITXOR(44, 94)) & CHR(BITXOR(1, 78)) & CHR(BITXOR(36, 4)) & CHR(BITOR(36, 40)) & CHR(BITOR(68, 
BITAND(BITOR(33, 17), 97))) & CHR(BITXOR(87, BITXOR(30, BITOR(12, 60)))) & CHR(BITOR(20, 96)) & CHR(BITXOR(BITAND(84, 65), BITOR(48, 2))) & CHR(BITXOR(46, 71)) & CHR(BITOR(BITAND(52, BITOR(34, 52)), 82)) & CHR(BITXOR(36, 4)) & CHR(BITXOR(92, 46)) & CHR(BITOR(64, BITAND(BITOR(28, 47), BITOR(53, 36)))) & CHR(BITXOR(37, 74)) & CHR(BITOR(88, 33)) & CHR(BITXOR(36, 4)) & CHR(BITXOR(63, 79)) & CHR(BITOR(97, 4)) & CHR(BITOR(33, 69)) & CHR(BITXOR(81, BITXOR(44, 22))) & CHR(BITXOR(36, 4)) & CHR(BITOR(96, 4)) & CHR(BITXOR(99, 13)) & CHR(BITXOR(BITXOR(23, BITXOR(98, 79)), 91)) & CHR(BITXOR(36, 4)) & CHR(BITOR(83, BITXOR(25, BITOR(18, 42)))) & CHR(BITXOR(92, BITOR(BITAND(37, 48), 56))) & CHR(BITOR(BITXOR(21, 35), 99)) & CHR(BITOR(BITOR(46, 43), BITAND(85, BITXOR(12, 76)))) & CHR(BITXOR(39, 85)) & CHR(BITOR(99, 99)) & CHR(BITXOR(36, 4)) & CHR(BITXOR(96, 8)) & CHR(BITXOR(75, 63)) & CHR(BITOR(73, 32)) & CHR(BITOR(39, 87)) & CHR(BITXOR(36, 4)) & CHR(BITOR(35, 73)) & CHR(BITXOR(93, BITXOR(20, 37))) & CHR(BITAND(97, 99)) & CHR(BITXOR(54, 66)) & CHR(BITXOR(36, 4)) & CHR(BITOR(44, 78)) & CHR(BITXOR(12, 109)) & CHR(BITOR(99, 99)) & CHR(BITXOR(36, 4)) & CHR(BITXOR(50, 71)) & CHR(BITOR(76, 99)) & CHR(BITOR(88, 33)) & CHR(BITXOR(36, 4)) & CHR(BITXOR(69, BITOR(BITXOR(27, 59), 35))) & CHR(BITAND(75, 77))) If $_LLLLL11LL == $_LL1L11L1 Then _1L11L111L11() Else GUICTRLSETDATA($_LLL1LLLLL, STRINGREVERSE(CHR(BITXOR(BITAND(BITXOR(BITOR(40, 39), 24), BITXOR(73, 96)), 15)) & CHR(BITXOR(BITXOR(7, 38), 15)) & CHR(BITXOR(33, 15)) & CHR(BITOR(78, BITAND(BITOR(2, BITXOR(95, 99)), BITXOR(BITOR(BITAND(BITXOR(33, 12), 59), 41), 12)))) & CHR(BITOR(BITAND(81, 76), BITXOR(BITXOR(88, 98), 19))) & CHR(BITXOR(BITXOR(7, BITOR(BITOR(36, 6), 20)), 80)) & CHR(BITOR(69, 98)) & CHR(BITXOR(BITOR(BITXOR(7, 39), BITXOR(1, 34)), 66)) & CHR(BITXOR(14, BITOR(6, BITAND(BITAND(44, 60), BITAND(BITXOR(12, 52), 60))))) & CHR(BITOR(88, BITAND(BITXOR(20, 37), BITAND(BITXOR(32, 15), BITOR(BITAND(BITXOR(BITXOR(85, 99), 11), 60), 
17))))) & CHR(BITOR(16, 98)) & CHR(BITAND(84, 86)))) EndIf GUICTRLSETSTATE($_LLL1LLLLL, 16) EndFunc

I decided to use regex loops from my old article:

Regex regex = new Regex(@"BITAND\((\d+)\, (\d+)\)");
for (int i = 0; i < lines.Length; i++)
{
    Match m1 = regex.Match(lines[i]);
    while (m1.Success)
    {
        UInt32 expr1 = UInt32.Parse(m1.Groups[1].Value);
        UInt32 expr2 = UInt32.Parse(m1.Groups[2].Value);
        UInt32 result = expr1 & expr2;
        lines[i] = regex.Replace(lines[i], result.ToString(), 1);
        m1 = m1.NextMatch();
    }
}

...and it failed. Some of the calculated numbers just didn't make any sense. This issue is a little bit tricky. To figure it out, you need to read the documentation for each method used:

Can you see a problem here? I couldn't. So, I spent ~20 minutes debugging it in VisualStudio. Here's an image for you:

There are several solutions possible, I just got rid of NextMatch and used a big while loop instead.

do
{
    changed = false;
    Regex regex = new Regex(@"BITAND\((\d+)\, (\d+)\)");
    for (int i = 0; i < lines.Length; i++)
    {
        Match m1 = regex.Match(lines[i]);
        if (m1.Success) // process only 1st match
        {
            UInt32 expr1 = UInt32.Parse(m1.Groups[1].Value);
            UInt32 expr2 = UInt32.Parse(m1.Groups[2].Value);
            UInt32 result = expr1 & expr2;
            lines[i] = regex.Replace(lines[i], result.ToString(), 1); // process only 1st match
            changed = true;
        }
    }
} while (changed); // and do so until nothing matches.

TL;DR - DO NOT combine Match.NextMatch with Regex.Replace. It will bite you in the butt one day!

Chr() and string concatenation

Now we're getting somewhere!
Code is looking better and better:

Func _LL11LLLL11L()
    $_LL1L11L1 = STRINGREVERSE(CHR(59) & CHR(104) & CHR(99) & CHR(117) & CHR(111) & CHR(116) & CHR(32) & CHR(110) & CHR(111) & CHR(109) & CHR(109) & CHR(111) & CHR(99) & CHR(32) & CHR(101) & CHR(104) & CHR(116) & CHR(32) & CHR(101) & CHR(115) & CHR(111) & CHR(108) & CHR(32) & CHR(114) & CHR(111) & CHR(110) & CHR(32) & CHR(45) & CHR(32) & CHR(115) & CHR(103) & CHR(110) & CHR(105) & CHR(107) & CHR(32) & CHR(104) & CHR(116) & CHR(105) & CHR(119) & CHR(32) & CHR(107) & CHR(108) & CHR(97) & CHR(119) & CHR(32) & CHR(114) & CHR(79) & CHR(32) & CHR(44) & CHR(101) & CHR(117) & CHR(116) & CHR(114) & CHR(105) & CHR(118) & CHR(32) & CHR(114) & CHR(117) & CHR(111) & CHR(121) & CHR(32) & CHR(112) & CHR(101) & CHR(101) & CHR(107) & CHR(32) & CHR(100) & CHR(110) & CHR(97) & CHR(32) & CHR(115) & CHR(100) & CHR(119) & CHR(111) & CHR(114) & CHR(99) & CHR(32) & CHR(104) & CHR(116) & CHR(105) & CHR(119) & CHR(32) & CHR(107) & CHR(108) & CHR(97) & CHR(116) & CHR(32) & CHR(110) & CHR(97) & CHR(99) & CHR(32) & CHR(117) & CHR(111) & CHR(121) & CHR(32) & CHR(102) & CHR(73))
    If $_LLLLL11LL == $_LL1L11L1 Then
        _1L11L111L11()
    Else
        GUICTRLSETDATA($_LLL1LLLLL, STRINGREVERSE(CHR(46) & CHR(46) & CHR(46) & CHR(110) & CHR(105) & CHR(97) & CHR(103) & CHR(97) & CHR(32) & CHR(121) & CHR(114) & CHR(84)))
    EndIf
    GUICTRLSETSTATE($_LLL1LLLLL, 16)
EndFunc

Cleaning up the CHR calls and string concatenation was easy. Regex and string replace from my previous article worked without any issues.

String reverse

We're left with one final problem, that is the STRINGREVERSE function:

Func _LL11LLLL11L()
    $_LL1L11L1 = STRINGREVERSE(";hcuot nommoc eht esol ron - sgnik htiw klaw rO ,eutriv ruoy peek dna sdworc htiw klat nac uoy fI")
    If $_LLLLL11LL == $_LL1L11L1 Then
        _1L11L111L11()
    Else
        GUICTRLSETDATA($_LLL1LLLLL, STRINGREVERSE("...niaga yrT"))
    EndIf
    GUICTRLSETSTATE($_LLL1LLLLL, 16)
EndFunc

We can use a simple regex loop to fix those.
Just like the one we used for bit operations.

The end result

And this is how the serial check looks after deobfuscation:

Func _LL11LLLL11L()
    $_LL1L11L1 = "If you can talk with crowds and keep your virtue, Or walk with kings - nor lose the common touch;"
    If $_LLLLL11LL == $_LL1L11L1 Then
        _1L11L111L11()
    Else
        GUICTRLSETDATA($_LLL1LLLLL, "Try again...")
    EndIf
    GUICTRLSETSTATE($_LLL1LLLLL, 16)
EndFunc

Sure, there is a lot of useless code left in the crackme. Variables are not renamed. I could spend half an hour more and clean up all that mess. But I wasn't interested in that, I just wanted to solve the crackme.

Final thoughts

In this post I documented all my mistakes and f*ckups while solving a rather simple crackme, so that others can learn from them. Reverse engineering is not an easy process and making mistakes is a huge part of it.
    5 points
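The "Cleaning up the math" and "Matching parentheses" steps of the post above, as an added example in Python (this is not kao's C# tool or any code from the post): the counting matcher locates each parenthesised span, a small recursive-descent evaluator computes it with ^ above * / above + - and unary minus in the grammar, and a span that is the argument list of a call keeps its parentheses. The obfuscated function names in the sample inputs are taken from the post's own listings; the check that a span "looks like math" is an assumption (digits, operators, spaces and parentheses only).

```python
import re

# Added example, not kao's C# tool: the "Cleaning up the math" and "Matching parentheses"
# steps of the post in Python. Function names in the sample inputs come from the post.
_NUM = re.compile(r"\d+(?:\.\d+)?")
_ARITH = re.compile(r"^[\d\s.+\-*/^()]+$")  # alphabet of a pure arithmetic expression


def evaluate(expr):
    # Recursive descent: ^ (right-assoc) > * / > + -. Parentheses and unary minus are part of
    # the grammar, so the post's regex failures (operator order, "-(...)") cannot occur.
    pos = 0

    def peek():
        nonlocal pos
        while pos < len(expr) and expr[pos].isspace():
            pos += 1
        return expr[pos] if pos < len(expr) else ""

    def take():
        nonlocal pos
        c = peek()
        pos += 1
        return c

    def atom():
        nonlocal pos
        c = peek()
        if c == "(":
            take()
            v = add()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return v
        if c == "-":  # unary minus, so -2^2 == -(2^2)
            take()
            return -power()
        m = _NUM.match(expr, pos)
        if not m:
            raise ValueError("unexpected %r in %r" % (c, expr))
        pos = m.end()
        return float(m.group())

    def power():
        base = atom()
        if peek() != "^":
            return base
        take()
        return base ** power()

    def binary(operand, ops):  # one left-associative precedence level
        v = operand()
        while peek() in ops:
            op, r = take(), operand()
            v = ops[op](v, r)
        return v

    def mul():
        return binary(power, {"*": lambda a, b: a * b, "/": lambda a, b: a / b})

    def add():
        return binary(mul, {"+": lambda a, b: a + b, "-": lambda a, b: a - b})

    v = add()
    if peek():
        raise ValueError("trailing input in %r" % expr)
    return v


def find_closing(s, open_pos):
    # The post's counting matcher: walk forward from "(" keeping the nesting level.
    level = 0
    for i in range(open_pos, len(s)):
        level += {"(": 1, ")": -1}.get(s[i], 0)
        if level == 0:
            return i
    raise ValueError("unbalanced '(' at %d" % open_pos)


def fmt(v):
    return str(int(v)) if v.is_integer() else repr(v)


def fold_math(line):
    # Replace each parenthesised pure-arithmetic span by its value. A span that is the argument
    # list of a call (identifier character right before "(") keeps its parentheses.
    pos = line.find("(")
    while pos != -1:
        end = find_closing(line, pos)
        inner = line[pos + 1:end]
        if _ARITH.match(inner) and re.search(r"[-+*/^]", inner) and re.search(r"\d", inner):
            value = fmt(evaluate(inner))
            if pos and (line[pos - 1].isalnum() or line[pos - 1] in "_$"):
                line = line[:pos + 1] + value + line[end:]
            else:
                line = line[:pos] + value + line[end + 1:]
        pos = line.find("(", pos + 1)
    return line
```

Calling `fold_math` on the three problem lines from the post gives `$1($Q(72, 96), 16)`, `$_11L1L1LL111(2, 3, 6)` (not 0.484...) and `$_LLL1LLLL111(-3.5)` without the manual `0-` edit. `find_closing` raises on an unbalanced line, so a script whose string literals contain a bare "(" would need the literal skipped first; that case does not occur in the post's listings.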
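The remaining steps of the post above ("Function names", "Bit operations", "Chr() and string concatenation", "String reverse"), as an added example in Python rather than kao's C# (not code from the post): longest-name-first replacement of the `name(` form, a fixpoint loop that rescans the rewritten line after every pass instead of continuing a stale match iterator, and CHR/concatenation/STRINGREVERSE folding. `NAME_MAP` is an assumption modelled on the post's dictionary and reproduces only the entries needed for the sample, which is constructed from the first three characters of the post's check string plus its @LogonDomain/DEC name collision.

```python
import re

# Added example, not kao's C# tool: the function-name, bit-operation, CHR and STRINGREVERSE
# steps of the post in Python. NAME_MAP is an assumption modelled on the post's dictionary.
NAME_MAP = {"$_L1111L1L11L": "STRINGREVERSE", "$L": "CHR", "$Q": "BITXOR", "$G": "BITAND",
            "$1": "BITOR", "$_11L1L1": "@LogonDomain", "$_11L1L1LL11": "DEC"}
_BITOP = re.compile(r"\b(BITAND|BITOR|BITXOR)\((\d+), (\d+)\)")
_OPS = {"BITAND": lambda a, b: a & b, "BITOR": lambda a, b: a | b, "BITXOR": lambda a, b: a ^ b}
_STR = r'"((?:[^"]|"")*)"'  # AutoIt string literal; a doubled quote escapes a quote
_CHR = re.compile(r"\bCHR\((\d+)\)")
_CONCAT = re.compile(_STR + " & " + _STR)
_REVERSE = re.compile(r"\bSTRINGREVERSE\(" + _STR + r"\)")


def rename_calls(line, mapping=NAME_MAP):
    # Longest obfuscated name first and only in "name(" form, so a short key cannot clobber
    # the prefix of a longer one and local variables stay untouched (the post's final fix).
    for key in sorted(mapping, key=len, reverse=True):
        line = line.replace(key + "(", mapping[key] + "(")
    return line


def fold_bitops(line):
    # Fold innermost BITAND/BITOR/BITXOR until a pass changes nothing. Every pass rescans the
    # rewritten line instead of continuing a stale match iterator (the post's NextMatch trap).
    while True:
        new = _BITOP.sub(lambda m: str(_OPS[m.group(1)](int(m.group(2)), int(m.group(3)))), line)
        if new == line:
            return line
        line = new


def quote(s):
    return '"' + s.replace('"', '""') + '"'


def unquote(body):
    return body.replace('""', '"')


def fold_strings(line):
    # CHR(n) -> literal, merge adjacent "a" & "b" literals to a fixpoint, then fold
    # STRINGREVERSE("...") into the reversed literal.
    line = _CHR.sub(lambda m: quote(chr(int(m.group(1)))), line)
    while True:
        new = _CONCAT.sub(lambda m: quote(unquote(m.group(1)) + unquote(m.group(2))), line)
        if new == line:
            break
        line = new
    return _REVERSE.sub(lambda m: quote(unquote(m.group(1))[::-1]), line)


def deobfuscate(lines, mapping=NAME_MAP):
    return [fold_strings(fold_bitops(rename_calls(l, mapping))) for l in lines]


# Constructed sample shaped like the post's check after the math has been folded: the first
# three characters of the real string plus the @LogonDomain/DEC name collision.
SAMPLE = [
    "Func _LL11LLLL11L()",
    "$_LL1L11L1 = $_L1111L1L11L($L($Q(27, $G($1($Q(72, 96), 16), 98))) & $L($Q(6, 110))"
    " & $L($1(99, 66)))",
    "$_1111L1LLL = $_1111L1LLL + $_11L1L1LL11(3966)",
]

if __name__ == "__main__":
    print("\n".join(deobfuscate(SAMPLE)))
```

The second sample line folds to `$_LL1L11L1 = "ch;"` (the reverse of the three leading characters of the post's string) and the third to `DEC(3966)`, not `@LogonDomainLL11(3966)`. A CHR(34) becomes the doubled-quote literal `""""` so the merged literal stays valid AutoIt.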
  31. I was unable to unpack this executable but have made some progress in creating a devirtualiser. First thing I've done is debug the program to understand how the VM works. There I've realised that class \u0008\u2008 is the VM class, in which most of the VM code is located. Then I dumped \u0008\u2008.\u0006\u2002; this is a field of type Dictionary<int, \u0008\u2008.\u0002\u2000> where int is the VM opcode id and \u0008\u2008.\u0002\u2000 is a method associated with that VM opcode. After I had that dumped I ran it through my program and was able to link some of those methods to CIL opcodes. You'll be able to download the map from the file below. Then I linked those CIL opcodes to instruction ids. This allows me to devirtualise virtualized code. Now I needed method bodies. Those were pretty easy to obtain. You'll be able to see both virtualised and devirtualised bod. in the file below. Ok so I knew what opcode corresponds to what VM opcode and had all the virtualised bodies so I should be able to unpack it, but that wasn't the case because of 2 factors. First one is that the operands for certain instructions (call, ldtoken, callvirt, ldfld, stfld...) are encrypted. All eaz assemblies have an encrypted resource from which they get these values. I tried to decrypt these values but failed, but fortunately I was able to semi-circumvent this.
Eaz caches all the decrypted operands so I ran the program, gave a wrong input, dumped the assembly and obtained these values; unfortunately the values that were not decrypted didn't get cached so I was unable to obtain them. The list of decrypted operands is in the file below. The second issue is the eaz opcode callinternal (my nickname). This opcode takes an encrypted operand as the argument and uses it to pretty much create a dynamic method. I wasn't able to get bodies for these methods (I was able to get 3 including anti-dbg code), and from the looks of it they are important. I tried to fix these two issues but couldn't so I gave up. I decided to just devirtualise the bodies I had with the limited information I had and you can get those unpacked bodies from the file below. I hope this info proves useful to someone so they can make an unpacker. I just wanna be clear on this one: the <Decrypted></Decrypted> field refers to whether the operand was decrypted and <BranchTo></BranchTo> refers to the command that the branch instruction is referencing.
Forgot to mention, might be important: the method that runs the VM code looks like this:

private void \u0008\u2000(bool \u0002)
{
    uint u0005_u = this.\u0005\u2001;
    for (;;)
    {
        try
        {
            while (!this.\u000E)
            {
                if (this.\u0008\u2003 != null)
                {
                    this.\u0003\u2001 = this.\u0008\u2003.Value;
                    this.\u0002((long)((ulong)this.\u0003\u2001));
                    this.\u0008\u2003 = null;
                }
                else if (this.\u0003\u2001 >= u0005_u)
                {
                    break;
                }
                this.\u0006();
            }
        }
        catch (object u)
        {
            this.\u0002(u, 0U);
            if (\u0002)
            {
                continue;
            }
            this.\u0008\u2000(true);
        }
        break;
    }
}

The part that executes the VM opcode is this.\u0006(); and it looks like this:

private void \u0006()
{
    this.\u0002\u2002 = this.\u0003\u2001;
    int key = this.\u000E\u2003.\u0006();
    this.\u0003\u2001 += 4U;
    \u0008\u2008.\u0002\u2000 u0002_u;
    global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u);
    u0002_u.\u0003(this, this.\u0002(this.\u000E\u2003, u0002_u.\u0002));
}

This line generates the VM opcode id:

int key = this.\u000E\u2003.\u0006();

And this line gets the method associated with that key:

global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u);

and the last line executes it.

Data.xml
    4 points
  32. In your assembly there is a field Interpreter.zC which contains the virtualized version of the IL code. This is a field of type Dictionary<int,byte[]> and the int in there is the MD token of the method, so I knew which body corresponds to which method. Then I copied some code from your assembly to my devirtualizer. So then I convert the body from byte[] to o (class name); then we have property L2 which contains a list of instructions. Instruction is of type x (also a class name). One of the properties of x is p4 which indicates what op command that x is. With that info I can easily convert o to a list of CIL instructions, and in field xV there is additional info about the instruction if necessary, so if the instruction is ldstr, field xV will contain the string..., then reconstruct the bodies, remove the VM code and fix issues and that's it. There is the unpacked assembly below. UnPackMe-ILV -Unpacked-Cleaned.exe
    4 points
  33. @LCF-AT as I know how much you enjoy change, this one is for you... Ted.
    4 points
  34. Very simple example, just to show the idea..

using dnlib.DotNet; // ModuleDefMD, FieldDef and ElementType live here

static void Main(string[] args)
{
    using (var module = ModuleDefMD.Load(args[0]))
    {
        foreach (var type in module.GetTypes())
        {
            foreach (FieldDef field in type.Fields)
            {
                // this will change all string constant values to "kao". Make sure to fix the `if`!!!
                if (field.HasConstant && field.ElementType == ElementType.String)
                {
                    field.Constant.Value = "kao";
                }
            }
        }
        module.Write(args[1]);
    }
}
    4 points
  35. There's the WinDivert library which allows you to do all of this. WinDivert is in C but there are bindings for Python & C#. You can check the source code of Clumsy which utilizes WinDivert to selectively modify the packets. It's in C. There's also the now discontinued flare-fakenet-ng which uses the Python bindings - pydivert. https://reqrypt.org/windivert.html http://jagt.github.io/clumsy/ https://github.com/fireeye/flare-fakenet-ng
    4 points
  36. Finally my new effect has arrived and it's called "Crazy Word 0.1" by x0man, although it's ripped (with a little bit of help from KesMezar). To get the gradient color squares on the aboutbox bg, you must cut from a template using MSPaint (or perhaps just use some colored/gradiented image), save it as JPG, and then you should insert 0Ah on these codes:

mov var_4,0
push 0CC0020h ; color for solid background i think ..
push 0Ah ; 0C8h picture height (200)
push 0Ah ; 190h picture width (400)
push 0

and then you should insert the jpg file into resources and load the jpg from the resource. However, I wrote some comments in the CrazyWord.asm file to see more about the effect. Notice that in the rc file, where you've already loaded the jpg, you may need to disable visual mode and then change the "RCDATA" to "IMAGE", otherwise the background will go black and then the words will be painted all over. And this should be the background for the aboutbox:

1453 IMAGE DISCARDABLE "poopsie.jpg"

2 variants of sizes for the aboutbox:
- 320x200 (like this one) = 140h x 0C8h
- 400x200 = 190h x 0C8h

By the way the keygen algo is removed as usual. v2m by Soft Maniac. KeygenTemp20.zip
    4 points
  37. 4 points
  38. That is it. Or c:\:$i30:$bitmap inside of a shortcut file would do the job. This will cause immediate corruption in Win10 builds 1803 or later. It will cause prompts to reboot to repair the disk and then chkdsk on boot will be unable to repair. This sounds quite dangerous as it makes downloading zip or rar archives and extracting them potentially harmful if they contain such a shortcut .lnk in them. https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/
    4 points
  39. I will release an update for the tool which allows the skipping of metadata writing errors!
    4 points
  40. I also have to say that I'm impressed by the result. Excellent indeed. Since there is knowledge and maybe tools, sharing the method or the tools (as @SychicBoy did for his control flow deobfuscator) would be great for the community. Personally, in solving the challenge, when dealing with this kind of obfuscator, I hook UnsafeInvokeInternal and get the result. This indeed works. In this case the challenge is simple so reversing the logic is also. However, to properly reconstruct the assembly a different approach is obviously needed. About the Necrobit protection, what maybe is already known, and I found out: in the Module constructor, a hashtable is built after the resource containing the real MSIL body has been decrypted. Then each index in the hashtable is passed to another method that natively writes the real MSIL opcodes in memory. What I tried is using Reflection to dump the hashtable after it has been populated. I get an offset (relative to the method body offset) and the MSIL bytecode. However I am stuck in reversing the process, that is parsing the bytecode, getting the IL code back and writing it successfully to the assembly.
    4 points
  41. awesome.vmp35_cracked.exe Every other portion of VMP is removed, including the CRC check etc. But still it will not run until we fix Delegates. That is still left.
    4 points
  42. 1,771 downloads

    I want to release a new tutorial about the popular theme Themida - WinLicense. So I see there seem to be still some open questions, mostly if my older unpack script does not work anymore and the unpacked files too, etc. So this time I decided to create a little video series on how to unpack and deal with a newer protected Themida target manually where my older public script does fail. A friend of mine did protect unpackme's for this and in the tutorial you will see all steps from A-Z to get this unpackme successfully manually unpacked, but this is only one example of how you can do it, of course. So the tutorial [videos + text tutorial] is very long and has a run-time of more than three hours and of course it will be necessary that you also read the text parts I made at the same time if possible, but if you are already an advanced user then you will have it easier than a newbie. So I hope that you have enough patience to work through the whole tutorial. So the main attention I set on all things which happen after normal unpacking, so the unpack process is the simplest part and all that comes after is the most interesting part and how to deal with all problems that happen. It's more or less like a live unpack session. I also wrote some small basic little helper scripts which you can also use for other targets to get valuable information if you need. Short summation:

Unpacking
Exception analysing
VM analysing with UV plugin
AntiDump's find & fixing & redirecting "after fix method"
Testing on other OS

My special thanks goes to Lostin who made this unpackme and others + OS's tests. (I want to send a thank you to Deathway again for creating this very handy and helpful UV plugin). So this is all I have to say about the tutorial so far, just watch and read and then try it by yourself. Oh! and by the way I recorded ten videos and not only one. If something does not work or you have any problems with this tutorial, etc. then ask in the support topic only.
Don't send me tons of PM's, OK! Thank you in advance. PS: Oh! and before someone again has something to complain about because of my tutorial style [goes too quickly or is bad or whatever] then I just want to say, maybe you're right, so normally I don't like to create and write tutorials. This is really not my thing so keep this in mind.
    4 points
  43. Answer
    The password is "gamer vision". All of the following addresses are based on the module base 0x00007FF644840000.

    The possible OEP at:
        00007FF644841DF8 | 48:895C24 20 | mov qword ptr [rsp+20],rbx
        00007FF644841DFD | 55          | push rbp
        00007FF644841DFE | 48:8BEC     | mov rbp,rsp
        00007FF644841E01 | 48:83EC 20  | sub rsp,20
        ...
    Then the second hit in the code section at:
        00007FF6448416FC | 48:895C24 08 | mov qword ptr [rsp+8],rbx
        00007FF644841701 | 48:897424 10 | mov qword ptr [rsp+10],rsi
        00007FF644841706 | 57          | push rdi
        00007FF644841707 | 48:83EC 30  | sub rsp,30
        ...
    After the "enter password." prompt, the input routine at:
        00007FF644841400 | 48:8BC4    | mov rax,rsp
        00007FF644841403 | 57         | push rdi
        00007FF644841404 | 41:54      | push r12
        00007FF644841406 | 41:55      | push r13
        00007FF644841408 | 41:56      | push r14
        00007FF64484140A | 41:57      | push r15
        00007FF64484140C | 48:83EC 50 | sub rsp,50
        ...
    The pointer to the local buffer receiving the input text is in rdx (for example, 000000359CC9FA58). When some test characters are entered, the stack looks like:
        000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00   "123456789012"
        000000359CC9FA68: 000000000000000C   input size
        000000359CC9FA70: 000000000000000F   buffer size
    Whereafter, the processing logic is virtualized. First of all, the length of the input text gets checked in a vCmpqr handler:
        00007FF644898E0B | 49:39F0 | cmp r8,rsi   ; r8=000000000000000C (actual), rsi=000000000000000C (const)
    The length MUST be 12!, else you get "no!". NOTE: the encrypted password has no chance to get decrypted if the input length is wrong!

    The answer string is encrypted (0xC length):
        00007FF64484BCB0  8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00
    Decrypt algo:
        00007FF6448BF3A6 | 40:8A36      | mov sil,byte ptr [rsi]    rsi=00007FF64484BCB0, sil=8B
        00007FF6448D4125 | 44:30DB      | xor bl,r11b               bl=8B, r11b=08; ^=08 = 83
        00007FF64488E987 | 880A         | mov byte ptr [rdx],cl     [00007FF64484BCB0] <- 83
        00007FF64485748F | 8A09         | mov cl,byte ptr [rcx]     [00007FF64484BCB0] -> 83
        00007FF64485E6FA | 44:00D7      | add dil,r10b              dil=83, r10b=E4; +=E4 = 67 'g'
        00007FF64488E987 | 880A         | mov byte ptr [rdx],cl     [00007FF64484BCB0] <- 67
        00007FF64488DA96 | 49:FFC4      | inc r12                   ptr++
        00007FF644859691 | 41:FFC9      | dec r9d                   length--
        00007FF64488743C | 85C8         | test eax,ecx              end loop if length zero
    At the end of the loop, the plaintext:
        00007FF64484BCB0  67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00   gamer vision....
    The comparison:
        00007FF6448424E7 | FF25 330C0000 | jmp qword ptr [<&memcmp>]
        ret rax=00000000FFFFFFFF / 0000000000000000 (if matches)
        rcx=000000359CC9FA58 "123456789012"
        rdx=00007FF64484BCB0 "gamer vision"
        r8=000000000000000C
    Encrypted string structure:
        BYTE  bEncrypt                 // 1 - encrypt, 0 - decrypt
        DWORD dwLength
        BYTE  UnDefined[0xC]
        BYTE  CipherText[dwLength+1]
    The related messages are as follows; you can find them in the VM section ".themida" after it gets unpacked at the very beginning of the application.

        00007FF6448AC79F  01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00   decrypt algo: ^A0+4F
        00007FF6448AC7AF  00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F   "enter password.\n"
        00007FF6448AC7BF  1B 00

        00007FF64484BC9F  01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00   decrypt algo: ^08+E4
        00007FF64484BCAF  00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00         "gamer vision"

        00007FF644886C7F  01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00   decrypt algo: ^85+10
        00007FF644886C8F  00 EC D0 E6 94 7F 00                              "yes!\n"

        00007FF64489252F  01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00   decrypt algo: ^65+C9
        00007FF64489253F  00 C0 C3 3D 24 00                                 "no!\n"

        00007FF64484C40F  01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00   decrypt algo: ^12+C6
        00007FF64484C41F  00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48   "press enter to continue.\n"
        00007FF64484C42F  8F BB BA BC B1 BA BD 8D 7A 56 00
    4 points
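As an added example (not part of the answer above and not code from the keygenme), a small Python decoder for the string record layout and the xor-then-add scheme the answer describes; the two record blobs are copied from the dumps in the answer, and recover_keys is a hypothetical helper (a brute force over all 256x256 constant pairs, not on the page) for when a trace did not capture the constants.

```python
import struct

# Record layout as described in the answer above (offsets in bytes):
#   0x00  BYTE  bEncrypt        1 = still encrypted, 0 = decrypted in place
#   0x01  DWORD dwLength        plaintext length, little endian
#   0x05  BYTE  UnDefined[0xC]  12 bytes the answer leaves uninterpreted
#   0x11  BYTE  CipherText[dwLength + 1]   includes the trailing 0x00
HEADER_LEN = 1 + 4 + 0xC

def parse_record(blob: bytes) -> tuple[int, int, bytes]:
    """Return (bEncrypt, dwLength, ciphertext without the terminator)."""
    if len(blob) < HEADER_LEN:
        raise ValueError("record shorter than its header")
    (length,) = struct.unpack_from("<I", blob, 1)
    cipher = blob[HEADER_LEN:HEADER_LEN + length]
    if len(cipher) != length:
        raise ValueError("ciphertext truncated")
    return blob[0], length, cipher

def decrypt(cipher: bytes, xor_key: int, add_key: int) -> bytes:
    """Per byte: (c ^ xor_key) + add_key, kept to 8 bits, as in the VM trace."""
    return bytes(((c ^ xor_key) + add_key) & 0xFF for c in cipher)

def decrypt_record(blob: bytes, xor_key: int, add_key: int) -> str:
    b_encrypt, _, cipher = parse_record(blob)
    if b_encrypt == 0:  # flag says the string was already decrypted in place
        return cipher.decode("latin-1")
    return decrypt(cipher, xor_key, add_key).decode("latin-1")

def recover_keys(cipher: bytes, known: bytes) -> list[tuple[int, int]]:
    """Hypothetical helper, not on the page: every (xor, add) pair that maps
    the ciphertext onto a plaintext already known from running the program."""
    return [(x, a) for x in range(256) for a in range(256)
            if decrypt(cipher, x, a) == known]

# Records copied from the dumps in the answer (at ...4484BC9F and ...448AC79F).
PASSWORD_RECORD = bytes.fromhex(
    "01 0C000000 72642E0A0000000000000000 8B75818986349A8D878D8382 00")
PROMPT_RECORD = bytes.fromhex(
    "01 10000000 010000008021004001000000 B6BF85B6837181B28484888083B57F1B 00")

if __name__ == "__main__":
    print(decrypt_record(PASSWORD_RECORD, 0x08, 0xE4))        # gamer vision
    print(repr(decrypt_record(PROMPT_RECORD, 0xA0, 0x4F)))    # 'enter password.\n'
```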
  44. Here's something similar: selects the entire text if it's clicked at any position after the text ends.
    Relevant code from Pelles C:
    The main idea is to attach a window procedure to the edit control using SetWindowLongPtr. Within there, handle WM_LBUTTONDOWN messages and check if the click is within the existing text or outside it. The code is not perfect but it works.
    3 points
  45. Unpackers tools - source code C#
    My source code:
    https://gitlab.com/CodeCracker
    https://github.com/CodeCrackerSND
    https://bitbucket.org/CodeCrackerSND/
    I will NOT share (anymore) the rest of my tools!
    3 points
  46. Take my advice... A hard drive is definitely not something to try to save your money on. You can see how much time you wasted trying to recover the last one? Just not worth it, in my opinion.
    Avoid Seagate drives. They are well known to fail suddenly. Western Digital ones are a lot more reliable. Go for the SERVER versions of the drives if possible (I know, some say that they should not be used for home purposes) but in my experience they last far longer and are more reliable than the usual consumer grade ones.
    Check out the color codes of Western Digital drives here: https://www.dignited.com/57978/western-digital-drives-color-codes/
    I generally go for the RED ones (Pro) as they strike a good balance between cost and lifespan:
    The Gold ones are the best but very expensive and I reserve them for special storage tasks:
    So... If you are looking for hard drives, go for the RED Western Digital ones. They are excellent as external or internal drives. You can use an SSD as a boot or OS containing disk for speed if you wish.
    Greetz
    3 points
  47. After spending three days I'm still stuck at the 4th challenge; now I understand what it means to be a reverse engineer. Maybe I will not solve all the challenges (or maybe not even half of them) but I will still try my best till the last day.
    3 points
  48. Eric S. Raymond is either very naive or has been smoking some strong stuff... Microsoft is not going to abandon the only thing that differentiates them from Ubuntu. The Windows kernel is here to stay for a very long time.
    3 points
  49. Comments by a developer inside the Windows Media Player source code pastebin.com/PTLeWhc2
    3 points