Jump to content
Tuts 4 You


  1. CodeExplorer



    • Points


    • Content Count


  2. kao


    Full Member+

    • Points


    • Content Count


  3. Teddy Rogers

    Teddy Rogers


    • Points


    • Content Count


  4. Kurapica


    Full Member

    • Points


    • Content Count


Popular Content

Showing content with the highest reputation since 07/09/2019 in all areas

  1. 13 points
    awesome_msil_Out.exe Approach: 1. Necrobit is a jit protection, so we use Simple MSIL Decryptor by CodeCracker , and it shall be ran on NetBox 2. Code virtualization is a relatively new feature of .net reactor, added in version Here is the approach i took (i did this about 6 months ago so my memory is kinda rusty ) : (Click spoiler to see hidden contents)
  2. 11 points
    Many years ago I wrote a software protector called MyAppSecured. Somewhere in the middle of porting it from Delphi to C++ I lost my interest in this project. Just found it on my HDD so I thought it might be helpful for someone. In short, the GUI of this protector is written in C++ and the protection stub in written in MASM. The C++ code loads a target in memory and adds 2 PE sections to it. One for the TLS callback code and one for the main code. The MASM stub will be written to those 2 sections. This protector has just 2 protection features: Analyze Immunity (anti-debug) and Memory Shield (anti debug-tools, OEP relocation). Note this is not a download-and-use-right-away protector. The code is written years ago so it's not very well written and also for some unknown reason the MASM stub could not be written into the 2 created sections. It did work very well years ago but I don't have the time to investigate why it doesn't work now. To be clear, the compiled exe file you will find in the package should run nicely but once you try to secure a exe file, that exe file is gonna be corrupted. This project is free for personal and commercial purposes. If you have any questions please ask, but keep in mind I abandoned this project and removed it from my HDD right after posting it here. Even if you are not gonna use this project it might be interesting to check the code. Some interesting stuff you might find there for your own project, such as emulating the CreateThreadW function in pure MASM, adding PE sections & relocation of OEP. MyAppSecured v1.00 Beta source.zip
  3. 10 points
    .NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization which is not that hard because it's more straightforward than rest of code virtualization implementations that are in the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot standard ProxyCallFixer1 to fix those delegates. Of course firstly you need to read them from initialization method but reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, AntiDebug feature which is basically just a simple check of IsAttached, just nop these instructions. There are few more changes to necrobit feature, for example they hide PInvoke methods to break old de4dot implementation - pretty easy fix. Overall these changes are not that major to completely rewrite de4dot from scratch. Here is unpacked version of your file unpackme -cleaned.exe
  4. 9 points
  5. 8 points
    What makes you question either of these? Private: There are occasionally some techniques, practices (and tools) kept private to stay ahead of the game. Nothing has changed much over the years in this regard as far as I can tell. Knowledge: As @kao already mentioned most of the core techniques and information is out there to be discovered (in these forums for example). It only needs a willing and proactive individual to expand and develop on this information. As everyone seems to have their own blog (or YouTube channel) these days these generally seem to be the new format for tutorials. One day... when all my children have grown up and left home I can get my life back and get back to RCE and making traditional tutorials. Hopefully the RCE world will be an entirely new and interesting place to explore... 👍 Ted.
  6. 7 points
  7. 7 points
    I used this in my MyAppSecured exe protector project. This code emulates the winAPI CreateThread using ZwCreateThread, in pure MASM, compiled in WinASM studio. Feel free to use it for your own projects. ZwCreateThread example.rar
  8. 7 points
    Answer The password is "gamer vision". All of the following addresses are based on the modulebase 0x00007FF644840000. The possible OEP at: 00007FF644841DF8 | 48:895C24 20 | mov qword ptr [rsp+20],rbx 00007FF644841DFD | 55 | push rbp 00007FF644841DFE | 48:8BEC | mov rbp,rsp 00007FF644841E01 | 48:83EC 20 | sub rsp,20 ... Then the second hit in code section at: 00007FF6448416FC | 48:895C24 08 | mov qword ptr [rsp+8],rbx 00007FF644841701 | 48:897424 10 | mov qword ptr [rsp+10],rsi 00007FF644841706 | 57 | push rdi 00007FF644841707 | 48:83EC 30 | sub rsp,30 ... After prompted "enter password.", the input routine at: 00007FF644841400 | 48:8BC4 | mov rax,rsp 00007FF644841403 | 57 | push rdi 00007FF644841404 | 41:54 | push r12 00007FF644841406 | 41:55 | push r13 00007FF644841408 | 41:56 | push r14 00007FF64484140A | 41:57 | push r15 00007FF64484140C | 48:83EC 50 | sub rsp,50 ... the pointer of local buffer for receiving input text is in rdx(for example, 000000359CC9FA58). When entered some test characters, stack looks like: 000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00 "123456789012" 000000359CC9FA68: 000000000000000C input size 000000359CC9FA70: 000000000000000F buffer size Whereafter, the process logic virtualized. First of all, the length of input text got checked in a vCmpqr handler: 00007FF644898E0B | 49:39F0 | cmp r8,rsi ; r8=000000000000000C(actual), rsi=000000000000000C(const) The length MUST be 12!, else got "no!". NOTE: the encrypt password has no chance to get decrypted if input length is wrong! The answer String is encrypted(0xC length): 00007FF64484BCB0 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00 decrypt algo: 00007FF6448BF3A6 | 40:8A36 | mov sil,byte ptr [rsi] rsi=00007FF64484BCB0, sil=8B 00007FF6448D4125 | 44:30DB | xor bl,r11b bl=8B, r11b=08; ^=08 = 83 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 83 00007FF64485748F | 8A09 | mov cl,byte ptr [rcx] [00007FF64484BCB0] -> 83 00007FF64485E6FA | 44:00D7 | add dil,r10b dil=83, r10b=E4; +=E4 = 67 'g' 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 67 00007FF64488DA96 | 49:FFC4 | inc r12 ptr++ 00007FF644859691 | 41:FFC9 | dec r9d length-- 00007FF64488743C | 85C8 | test eax,ecx end loop if length zero At the end of loop, the plaintext: 00007FF64484BCB0 67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00 gamer vision.... The comparison: 00007FF6448424E7 | FF25 330C0000 | jmp qword ptr [<&memcmp>] ret rax=00000000FFFFFFFF/0000000000000000(if matches) rcx=000000359CC9FA58 "123456789012" rdx=00007FF64484BCB0 "gamer vision" r8=000000000000000C Strings Encrypted Structure BYTE bEncrypt // 1 - encrypt, 0 - decrypt DWORD dwLength BYTE UnDefined[0xC] BYTE CipherText[dwLength+1] The related messages as followings, you can find them in the VM Section ".themida" after it got unpacked at the very beginning of the application. 00007FF6448AC79F 01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00 decrypt algo: ^A0+4F 00007FF6448AC7AF 00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F "enter password.\n" 00007FF6448AC7BF 1B 00 00007FF64484BC9F 01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00 decrypt algo: ^08+E4 00007FF64484BCAF 00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 "gamer vision" 00007FF644886C7F 01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00 decrypt algo: ^85+10 00007FF644886C8F 00 EC D0 E6 94 7F 00 "yes!\n" 00007FF64489252F 01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00 decrypt algo: ^65+C9 00007FF64489253F 00 C0 C3 3D 24 00 "no!\n" 00007FF64484C40F 01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00 decrypt algo: ^12+C6 00007FF64484C41F 00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48 "press enter to continue.\n" 00007FF64484C42F 8F BB BA BC B1 BA BD 8D 7A 56 00
  9. 6 points
    I am referring to threads and posts like these: If a solution is selectively provided only to the OP by PM then it defeats the whole purpose of the Crackme/Unpackme section. In such cases, the solution provider should not even be acknowledged unless they provide working steps for everyone to learn from. This forum is a learning platform and if solution providers are expected to share the methodologies that they used for the solution. Here is yet another thread where the posts from the solution providers who gave vague steps was approved: Basically another thread containing "show-off" posts by the solution poster. Nothing practical provided and no proper steps were shown. I mean, take this for example (from this post): EXAMPLE 2 Basically useless. It's like saying that to climb the Himalayas one needs will-power, good training, a lof of good mountaineering tools, food packs etc and that one has to read up a lot of good manuals and practice on smaller mountains first... Only posts in the Challenges section which detail proper steps which are actually reproducible should be approved by the mods. OR... ALL POSTS there should be approved from anyone. Why just approve the "show-off" posts? Are we expected to "beg" the solution poster via PM for the steps? I am quite sure that my post may get deleted, since any posts which speak the truth seem to get selective get deleted these days, but nevertheless I wanted to bring up this point! Another example of an approved post where NO STEPS were provided:
  10. 6 points
    Is this a hidden feature of the protection or does the app just not work?
  11. 6 points
    It might have a few weird instructions since i'm new to this Crackme-cleaned-Devirtualized2.zip Info: This is the first version of eaz that i analyze so i can't say how 2019.x is different from 2020.1 but its definitely not uncrackable Steps i took (as i should have included since the beginning): 1 Learn how CIL works / CIL fundamentals (there are some nice ebooks that i can't link here ) 2 Learn how the assembly reader/writer of your choice works (dnlib for example) 3 Learn how a simple VM works ( https://github.com/TobitoFatitoNulled/MemeVM (the original creator of this vm left so this is a fork to keep the project alive)) 4 https://github.com/saneki/eazdevirt See how the previous devirt was made (and you could also check previous eazvm protected executables) 5 Practice your skills trying to make MemeVM Devirt, you can message me if you have any issues with this step (You can always disable renaming on memevm to make the process easier to understand). 6 Start renaming a EazVM test assembly (you can make your own with trial) with all the knowledge you got from the previous steps (and find how crypto streams are initialized, where opcodes are located & how they are connected to the handlers etc etc etc, things that you would find in a vm) Editing saneki's eazdevirt might be a good idea, though i was more comfortable making my own base.
  12. 6 points
    here is my production of face shields, already 200 dispatched around my town to local hospital, liberal nurses, etc...
  13. 6 points
    Hey guys, After a long time I started writing on my blog again. https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-1 Best regards
  14. 5 points
    https://github.com/ribthegreat99OrN0P/Agile.NET-Deobfuscator @GameHackerPM @BlackHat To fix delegates, controlflow, and strings here yous go ive made a tool with many comments to help you understand!
  15. 5 points
    What's the point of this? You ran my file under de4dot and repost it? i can recognise my file ya know, i intentionally left this out (i haven't finished local types yet but i manually set the third local to int32) + i added 9 locals when only 3 get used
  16. 5 points
  17. 5 points
    Console example x64plgmnrc.exe -G "C:\x64dbg_root" // Set root path for x64dbg x64plgmnrc.exe -U // Update list from server x64plgmnrc.exe -S // Show list of plugins x64plgmnrc.exe -i x64core // Install last version of x64dbg x64plgmnrc.exe -i AdvancedScript // install AdvancedScript https://github.com/horsicq/x64dbg-Plugin-Manager
  18. 5 points
  19. 5 points
    Hello guys, I'm proud to announce the beta release of AMED (an Advanced Machine Decoder). It's extremely fast, lightweight and supports the following architectures : - x86(with all its extensions including xeon instruction set). - aarch32(arm, thumb, neon, ARMv8+). - aarch64(with all its extensions including SVE). I also released the new version (v3) of opcodesDB. https://github.com/MahdiSafsafi/AMED https://github.com/MahdiSafsafi/opcodesDB What do you think guys ?
  20. 5 points
    This forum is overrun by lazy-ass noobs who don't really want to learn. They want to have a youtube video and automagic tool for everything. Ready-made tools are private for this exact reason. People who want to learn will find the necessary information to learn the basics. And once you show you've done your homework, knowledge and techniques are being shared freely. Maybe not 100% public but via PMs and chat.
  21. 5 points
    Posted a write-up about solving the keygenme. https://0xec.blogspot.com/2020/02/finally-solving-weasel-keygenme.html
  22. 5 points
    @Teddy Rogers: from what I was able to gather, this version was still being maintained and improved. Only original repo was taken down, forks are all up. For example, this one is fully up to date: https://github.com/Deteriorator/winrar-keygen.git
  23. 4 points
    In my opinion that solution will be acceptable only if the tool used is public.
  24. 4 points
    This is really the key point that probably should be the requirement for a post to be accepted. A solution should be reproducible, not a list of private tools that are used. Private tools are, as their name implies, private, and by definition that means it is everything but reproducible (unless this tool is shared with the reader of the solution). The only person benefiting from such a reply is the respondent themselves in the form of an ego boost. Not very productive if you'd ask me.
  25. 4 points
    It's a really good question. The answer really depends. Let me give you few recent examples. Example #1: Extreme Coders names the tools and explains HOW to solve the crackme. A lot of effort is required but all the tools can be found via Google. So I have zero issues with the solution. Example #2: Prab names the tools but no explanation is given. "x86 retranslater" definitely cannot be found not on Google. "Clean control flow" tells the obvious thing but it doesn't explain HOW to do that. What's the point of such solution? The only thing reader will learn from this is that he needs a magic wand that he can't have.
  26. 4 points
    View File Reactor v6.3 Try to unpack or alternatively provide a serial. Protections used: Necrobit Antitampering Antidebug Obfuscation Code Virtualization + Shield with SNK Submitter whoknows Submitted 06/10/2020 Category UnPackMe (.NET)  
  27. 4 points
    I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator I try my best to introduce it using English 1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5) 2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run 3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod" 4.fix pe header and maybe you shoud also fix .net header This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies. If you can not understand it, you can reply me. Best wish.
  28. 4 points
  29. 4 points
    Very mature choice for username and password. 😑 Tutorial:
  30. 4 points
    Almost unpacked! I was only not able to remove the Delegates and the Control flow. What I removed is: - Anti Tamper (manually; the easiest way consists in finding the call to the anti tamper method (which can be identified by looking at ConfuserEx's source code), setting a breakpoint just after (so that the anti tamper method decrypts the CIL code) and getting the decrypted module in the "Module" section of the dnSpy debugger) - Hide Methods (https://github.com/illuZion9999/Rzy-Protector-V2-unpacker/blob/master/Rzy Protector V2 Unpacker/Protections/Hide Methods.cs (not really reliable, though; a good way would be to get the invalid instructions from the exception handler) - Anti Debug (identify the anti debug method by looking at ConfuserEx's source code and add a ret instruction at its start) - Module Flood & Junk (these are just useless methods & instructions, which can be removed without problems (i removed them manually)) - Native methods (using cawk emulator x86 methods retranslater: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/cawk-Emulator/.NET-Instruction-Emulator-master/CawkEmulatorV4/Instructions/Native/X86MethodToILConverter.cs) - Constants Protection (modded the ConfuserEx Unpacker 2 Constants Decryptor to support 3 parameters: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/ConfuserEx Unpacker/ConfuserEx Unpacker/Protections/Constants/Remover.cs ; you can also invoke the decryption which makes it way easier than emulating it) - Mutations (sizeof (https://github.com/RivaTesu/SizeOf-Fixer), simple operations (de4dot: https://github.com/0xd4d/de4dot) & double.parse (the double.parse method is hidden by a delegate but I recognized the protection ; you can still find a tool for it on GitHub, but you would have to change the parameter check if there are delegates (or, ideally, use an emulator, which should support the double.parse protection with or without delegates): https://github.com/Riziebtw/DoubleParseFixer (note that this tool is not really reliable, and would need some changes)) - Call to calli (https://github.com/Riziebtw/CalliFixer; note that this tool solves the call to calli when the call and its pointer are one after the other, while, in the challenge, the call pointer (an ldftn instruction) is set to an IntPtr field, which is used as a parameter for the calli. You would hence have to grab the fields value (which are assigned in the constructor of the <Module> type) and then solve the callis with these values.) Don't hesitate to get my file and remove the Delegates (and control flow but I consider it not necessary to remove) in order to fully solve the challenge! CrackMe - almost unpacked.exe
  31. 4 points
    My personal belief is that the entire world around is fake - just a simulation. Our universe does have a creator and that creator may or may not be God. The pain & and struggles we face means nothing in the greater sense. We are nothing more than a programmed object. Even the pain or happiness is nothing but programmed feelings. For example, we design computer games with their own story-lines. In one such game there may be a person who is put under immense pain. There are many movies in which innocents die due to no fault of theirs. However we are not concerned since we know the pain is virtual. It's how we designed the game or movie. In a similar sense, our creator knows the pain we humans/animals face is also virtual. In the real world (which is not this world) this doesn't matter. Even the concept of life and death is fake. Death is simply a way of putting an expiry date. Is is possible to know the real truth? I guess it is. But once humans try to understand the real truth there will be no wars anywhere. There will be no struggle for wealth, fame and power. After all why run after wealth, fame & power in a fake world. If there is something that needs to be done is to try to find out the real truth and escape from this fake world.
  32. 4 points
    Not necessary to unpack to get the key. Key: Steps :
  33. 4 points
  34. 4 points
    I think a lot of public knowledge sharing is going on, especially in the field of malware analysis with many good YouTube channels and blogs covering basics. It just looks like people move to social media (Twitter/Reddit/Discord) to discuss things and traditional forums start to show their age. There is also a very active CTF scene with many techniques and tools being shared (tools on GitHub) and it appears that the cheating scene is also still very active. If you look at more academic sources there are a lot of techniques published (frameworks like miasm/angr/triton or LLVM-based techniques) and there are still many things to be learned, you just have to be willing to put in the time. Obviously nobody is sharing tools for VMProtect/Themida/whatever, in my view simply because there is a lot of money to be made there, but a very similar thing has been going on in the dongle scene for years and that's nothing new.
  35. 4 points
    I think that to add to this, many apps worth reversing nowadays tend to use more sophisticated techniques in the past. In older times, things could be cracked often in mere minutes which was a motivating factor. Most people start with a target in mind, and their patience to learn is quite thin. Nowadays, you may have to learn to unpack, advanced cryptography, anti-debugger techniques, details of security permissions, etc. Windows itself has evolved into a much more complicated beast making the learning curve much steeper. I remember the days of SoftIce and what a wonderful tool that was. Nothing even compares to it to this day. Although there are suitable alternatives, it was trivial to install and get started immediately. Now its a lot of complicated details to get going with tools. We had websites like +Fravia which were simply fantastic reading and offering fun challenges designed to make people think more deeply about reversing, not merely reversing of computer code. How to search was emphasized so much, and this is part of the reason that people became independent solvers. But we have tools like IDA Pro and Ghidra that have also made analysis quite a bit easier. We have faster and more powerful computers and an internet even more full of knowledge, if one knows how to find it. Some knowledge has become obscured by certain mainstreaming and politicizing of information designed to bury other information, and it would be nice to have better searching capability again, not just some commercialized nonsense that has decayed. So high learning curve and people with low patience, and usually choosing their initial motivation as an out of reach target that will require learning a variety of reversing disciplines has raised the bar. My prediction is that when the older generation retires, there will eventually be a new generation who will revitalize the whole thing in their own style. There may even be a generation skip here, as a pretty dead and flat generation can often lead to a really good generation after. One generation trying to make up for their mistakes by raising children better. The rapid spread of technology and social media caught the prior generation by surprise, and has led to a correction generation. If they really need YouTube videos and auto-magic tools, then they will make them and get them. We really have a different style and culture from them, and whether we respect this new way or not, supply and demand will eventually work itself out.
  36. 4 points
    I blame high speed internet and HD porn ! << just kidding The knowledge is out there, as my friends already said, you just need the motivation to learn and explore, it's time-consuming and the new generation wants everything ready and they want it quickly.
  37. 4 points
  38. 4 points
    Phew! It has been close to 4 years and after a lot of wandering here and there I can proudly announce that I'm now able to calculate a valid serial for any name. Here are a couple. kao GCZ4B-QTD22 0xec FZNUL-THK22 Time taken to generate a key can vary from 2-5 minutes and takes about 12 GB of Physical RAM running on a Nvidia Tesla T4 GPU (2560 CUDA cores). Providing more RAM and CUDA cores may further reduce the time but I ran it on Google Colab and that's what they offer. I plan to do a write-up on my blog later but here it is in short. Initially, I felt the only way to solve the system of equations within a feasible time frame is through a quantum computer using something like Grover's search but the quantum computers available for public use (IBM Q Experience) at this time do not have enough qubits. So this approach had to be discarded. On deeper analysis, I found the system of equations is nothing but a system of Multivariate Quadratic (MQ) Polynomials. There's a field of Crypto related to this - Multivariate cryptography. Such cryptosystems are considered hard even for a Quantum Computer to attack let alone a classical machine. Luckily, there's an ongoing challenge based on the exact same idea - Fukuoka MQ challenge. It turns out small MQ systems particularly which are under-determined (more unknowns than equations) are solvable by classical machines within an accepting time frame and people have posted tools/algorithms to solve them. One of them is libFES . There's also a GPU implementation of FES which I have used here. So that's how it went. Thanks @kao for the challenge. Really learned a lot!!! Its a silver medal for now. Considering such systems of equation are solvable, generating a key within 1 sec could also be possible given the MQ challenge site posts that this cryptosystem is based on a signature scheme (Type -IV). Once we calculate the private key, generating the signature within 1s should be possible.
  39. 4 points
    Simple Polymorphic Engine (SPE32) is a simple polymorphic engine for encrypting code and data. It is an amateur project that can be used to demonstrate what polymorphic engines are. SPE32 allows you to encrypt any data and generate a unique decryption code for this data. The encryption algorithm uses randomly selected instructions and encryption keys. https://github.com/PELock/Simple-Polymorphic-Engine-SPE32 Sample polymorphic code in x86dbg window: Another polymorphic code mutation, this time with code junks
  40. 4 points
    The password is: Explanation: To apply VMProtect properly, you need to understand how each and every option works. Specifically, packing option just compresses data, it doesn't add any real protection. And if you do not use "VMProtect.SDK.DecryptString", strings are not encrypted. It's enough to run protected software under any debugger and search for strings in memory: As for proper unpack and/or devirtualization, it's something I have on my todo list. But I haven't got a "proper" solution that I could share at the moment.
  41. 4 points
    Actually Winrar was a kind of an earl adopter of ECDSA licensing, but they made a mistake in the implementation, much like level 10 armadillo. I still remember when I first came across this release - i thought, man, not another hardcoded-pseude-keygen ... then I saw "SeVeN/FFF". I was like "ahh shit here we go". Problem for Winrar is that their license is tied to archive signatures - if they change it they will break the signature mechanism.
  42. 4 points
  43. 4 points
    I have unpacked most of the protections just need someone to complete the last part of it, the calls/delegates!! Instructions: 1. Jit-dump the executable with JitDumper3/4 enable the checkbox (Dump MD). 2. Clean the (String And Flow) with SimpleAssemblyExplorer(SAE) checking the checkbox (Delegates} as well. 3. De4dot. Files.rar
  44. 4 points
    There is definitely room for a good modification of ConfuserEx to eventually happen and be posted here. ConfuserEx itself was the successor/fork of Confuser itself, which has greatly improved the original. ConfuserEx has completely changed how the .NET protection field has worked as well, with it completely influencing every other obfuscator on the market. Especially the ones made from people in the RE scene all using ConfuserEx as a base to work from. (Whether they want to admit to it or not.) Since ConfuserEx and now KoiVM are open source, they tend to be the most used and modified. No other real protection system for .NET is open source let alone offers the kind of features that they do. While it does mean a lot of terrible rebrands and mods will happen, it doesn't mean every single one is going to be trash in the future. Given that KoiVM is open source, it leaves a lot of room for others to take that concept and run with it to make their own VMs with much more in depth features, better C# language support for newer features, and so on. I don't think out-right banning it from existing on the site is a good idea either. There shouldn't be a reason to further divide what little of the RE scene is left. Some thoughts of mine on how to approach this going forward: 1. Make a new section/sub-forum specifically for ConfuserEx mods. This way the general .NET unpack section can focus on other non-ConfuserEx related challenges and not be drowned out with the various customizations/mods people want to post. 2. In the new section, have some type of guidelines/rules on what is considered a valid challenge. Mods to ConfuserEx that do nothing to the actual core and just add 1-2 new things should be rejected because the base/core has not been touched, therefore all the existing tools will work against said mod. Simply renaming the ConfuserEx attribute is not a valid means to try and deter tools from working etc. Focus on making sure people have actually put time/effort into their mods vs. just renaming the project and adding 1 thing to it. 3. Avoid belittling people that are coming here to learn and making an effort to work on modifications. Rather than people just shitting on someone or leaving a few word replies telling the person they suck, their mod is shit, etc. encourage people responding to the threads to actually give feedback in a friendly manner. Everyone started somewhere, knowing nothing, so putting egos aside and encouraging new comers to go back and learn certain things, showing them why a certain protection/mod doesn't work/help, etc. goes a long way. (Simply put, if your objective is just to be a dick when responding, just don't respond.) 4. If moderators are added, would really suggest making sure that there is some rules/guidelines on how they should moderate the new section/topics. Basically to avoid power-tripping, egos, and other nonsense that doesn't need to exist here. Another thing is to understand everyone has different skill levels when it comes to unpacking/cracking things, and while person A may think a given mod is weak/easy/crap, person B who is just learning may see the given challenge as a great learning experience and a way to enhance their skills. So avoiding skill sets being the end-all judgement of how something is moderated. Of course there are situations where things like this will have trolls or people posting challenges that have their own issues with pride/ego as well. Which is something seen already with a few people posting ConfuserEx mods that do not really understand the base project, how .NET operates, etc. For example, there is someone on a specific Discord community that keeps making 1-2 line edits to ConfuserEx and deeming it uncrackable. Every time, someone will use the existing tools, unpack his app and prove him wrong, but he refuses to be wrong and keeps spamming the Discord with modifications constantly. In a case like this I would say preventing them from posting new challenges for a given period of time may be warranted to avoid them from posting 100 different mods in a day. All in all though, I wouldn't recommend banning it altogether. The RE scene is so small anymore as it is, banning discussions on given topics at all is just going to further divide things than they already are. As it is, there are people on this site that land up driving new comers away already which most land up joining one of the various Discord communities instead that are focused on RE/.NET RE etc.
  45. 4 points
    You don't need to know correct key to get the flag: Is that what you're looking for? How-to: 1) Run and dump from memory; 2) (optional) Fix imports with Scylla; 3) Load dump in IDA; 4) Find WndProc and see how WM_COMMAND is handled; 5) The key check is very convoluted but it all ends up here: ... lots of horrible operations with entered key .. strncpy(buffer, encryptedFlag, 25); for ( n = 0; n < 25; ++n ) { v3 = buffer[n]; v4 = HIDWORD(v3) ^ HIDWORD(v20) ^ HIDWORD(v21) ^ HIDWORD(v22) ^ HIDWORD(v23) ^ HIDWORD(v11); v8[2 * n] = v3 ^ v20 ^ v21 ^ v22 ^ v23 ^ v11; v8[2 * n + 1] = v4; decryptedFlag[n] = v8[2 * n]; } // check last 2 bytes of decrypted flag result = 24; if ( decryptedFlag[24] == 'Z' ) { result = 23; if ( decryptedFlag[23] == 'C' ) ... Xor key for all bytes is the same. You know encrypted flag. You know last 2 bytes of decrypted flag. So, you can deduce XOR key and decrypt the flag.
  46. 4 points
    I have never used it before, but from the first look - it installs offline, doesn't require any activation or license key, you can create more than one sandbox (which was a limitation in unregistered versions) and "Forced programs" also works. Looks good to me. EDIT 2x: direct download links (REMOVED, as they apparently are time-limited)
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
  • Create New...