Tuts 4 You

## Popular Content

Showing content with the highest reputation since 09/19/2018 in Posts

1. 14 points

## VMPROTECT vs. LLVM

Hi, I made a tool that interprets a vmp rsi-stream, it records the handlers (or vm instructions) and connects them via their data dependencies. This is what a JCC looks like:

The edges in this graph represent data dependencies. Sequences of nodes with one input and one output are collapsed into blocks. Green nodes are constant nodes. They do not depend on external values (such as CPU registers), unlike red nodes. The hex number left of a node is a step number, the right number is its result. Only const nodes (green) can have a result. The graph contains all nodes that directly or indirectly contribute to the lower right "loadcc" instruction.

CMP/JCC in VMP works by executing an obfuscated version of the original CMP which also results in either zero or one. VMP then pushes 2 addresses to its stack (step 121f and 1209) and computes an address that points to either one, depending on the zero/one result of the corresponding CMP (step 1265). It then simply loads from that computed address and uses its value for a JMP. The load that loads either address is represented by the "loadcc" node in the graph.

Even though all puzzle pieces are here, it is still hard to figure out what the original CMP was, but luckily we have LLVM and luckily it isn't hard to lower the graph to LLVM IR: Godbolt

Left is the graph as LLVM IR, middle is the output of the optimizer, right is the optimized LLVM IR lowered to x64. The attachment contains the original x64 input, the complete vmp program as LLVM (not just the loadcc part), the optimized x64 (-O3) and an unoptimized version (-O0). The unopt version is interesting because it shows what vmp looks like after removing the junk but still leaving the handlers intact (RSI access is removed, the RBP-stack is pre-baked to make it easier for the optimizer passes).

I thought it was pretty impressive how LLVM's optimizer plows through the crap and produces such a beautiful result. That is all. Thanks for reading.

testproc.zip
2. 10 points

3. 7 points

## The (Legally) Free PC Games Topic...

At least they made him look cute!
4. 7 points

## Feedback and Ideas

Done! This has been added for your user group. I will see how this progresses. Obviously there is a possibility this could be abused by members, however I currently trust persons in this group will use it appropriately. Done! You can now download PMs individually or in bulk as HTML. The output HTML template is a bit crude. If you have some suggestions I'll contact the developer and propose the ideas with some of my own. Of the other suggestions proposed here I will reply to you all after I have thought them over and have appropriate time to reply accordingly. Thank you! Ted.
5. 6 points

## [DevirtualizeMe] Themida 3.0.3.0

Answer

The password is "gamer vision". All of the following addresses are based on the modulebase 0x00007FF644840000.

The possible OEP at:

```asm
00007FF644841DF8 | 48:895C24 20 | mov qword ptr [rsp+20],rbx
00007FF644841DFD | 55           | push rbp
00007FF644841DFE | 48:8BEC      | mov rbp,rsp
00007FF644841E01 | 48:83EC 20   | sub rsp,20
...
```

Then the second hit in the code section at:

```asm
00007FF6448416FC | 48:895C24 08 | mov qword ptr [rsp+8],rbx
00007FF644841701 | 48:897424 10 | mov qword ptr [rsp+10],rsi
00007FF644841706 | 57           | push rdi
00007FF644841707 | 48:83EC 30   | sub rsp,30
...
```

After being prompted "enter password.", the input routine at:

```asm
00007FF644841400 | 48:8BC4      | mov rax,rsp
00007FF644841403 | 57           | push rdi
00007FF644841404 | 41:54        | push r12
00007FF644841406 | 41:55        | push r13
00007FF644841408 | 41:56        | push r14
00007FF64484140A | 41:57        | push r15
00007FF64484140C | 48:83EC 50   | sub rsp,50
...
```

The pointer of the local buffer for receiving the input text is in rdx (for example, 000000359CC9FA58). When some test characters are entered, the stack looks like:

```
000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00  "123456789012"
000000359CC9FA68: 000000000000000C  input size
000000359CC9FA70: 000000000000000F  buffer size
```

Whereafter, the process logic is virtualized. First of all, the length of the input text gets checked in a vCmpqr handler:

```asm
00007FF644898E0B | 49:39F0 | cmp r8,rsi    ; r8=000000000000000C(actual), rsi=000000000000000C(const)
```

The length MUST be 12!, else you get "no!". NOTE: the encrypted password has no chance to get decrypted if the input length is wrong!

The answer string is encrypted (0xC length):

```
00007FF64484BCB0  8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00
```

Decrypt algo:

```asm
00007FF6448BF3A6 | 40:8A36  | mov sil,byte ptr [rsi]     rsi=00007FF64484BCB0, sil=8B
00007FF6448D4125 | 44:30DB  | xor bl,r11b                bl=8B, r11b=08; ^=08 = 83
00007FF64488E987 | 880A     | mov byte ptr [rdx],cl      [00007FF64484BCB0] <- 83
00007FF64485748F | 8A09     | mov cl,byte ptr [rcx]      [00007FF64484BCB0] -> 83
00007FF64485E6FA | 44:00D7  | add dil,r10b               dil=83, r10b=E4; +=E4 = 67 'g'
00007FF64488E987 | 880A     | mov byte ptr [rdx],cl      [00007FF64484BCB0] <- 67
00007FF64488DA96 | 49:FFC4  | inc r12                    ptr++
00007FF644859691 | 41:FFC9  | dec r9d                    length--
00007FF64488743C | 85C8     | test eax,ecx               end loop if length zero
```

At the end of the loop, the plaintext:

```
00007FF64484BCB0  67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00  gamer vision....
```

The comparison:

```asm
00007FF6448424E7 | FF25 330C0000 | jmp qword ptr [<&memcmp>]
ret rax=00000000FFFFFFFF / 0000000000000000 (if matches)
rcx=000000359CC9FA58 "123456789012"
rdx=00007FF64484BCB0 "gamer vision"
r8=000000000000000C
```

Strings Encrypted Structure:

```
BYTE  bEncrypt              // 1 - encrypt, 0 - decrypt
DWORD dwLength
BYTE  UnDefined[0xC]
BYTE  CipherText[dwLength+1]
```

The related messages are as follows; you can find them in the VM section ".themida" after it gets unpacked at the very beginning of the application.

```
00007FF6448AC79F  01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00   decrypt algo: ^A0+4F
00007FF6448AC7AF  00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F   "enter password.\n"
00007FF6448AC7BF  1B 00

00007FF64484BC9F  01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00   decrypt algo: ^08+E4
00007FF64484BCAF  00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00          "gamer vision"

00007FF644886C7F  01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00   decrypt algo: ^85+10
00007FF644886C8F  00 EC D0 E6 94 7F 00                               "yes!\n"

00007FF64489252F  01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00   decrypt algo: ^65+C9
00007FF64489253F  00 C0 C3 3D 24 00                                  "no!\n"

00007FF64484C40F  01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00   decrypt algo: ^12+C6
00007FF64484C41F  00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48   "press enter to continue.\n"
00007FF64484C42F  8F BB BA BC B1 BA BD 8D 7A 56 00
```
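As an added example (not code from the post and not Themida's own routine), the record layout and the per-string transform the solution traced can be turned into a small parser. It reads the bEncrypt/dwLength header, takes the NUL-terminated ciphertext that follows the 0xC undefined bytes, and applies the (xor, add) pair the post wrote next to each dump as "decrypt algo: ^XX+YY". The byte dumps below are copied from the post; the xor/add keys are taken from those annotations, and how the protector derives them per string is not something the post covers, so nothing is assumed about it here. check_password() mirrors the order the post observed: the length is compared first, and the stored string is only decrypted and compared when the length is 12.

```python
import struct

# Record layout as the post describes it:
#   BYTE  bEncrypt                 // 1 - encrypted, 0 - plaintext
#   DWORD dwLength
#   BYTE  UnDefined[0xC]
#   BYTE  CipherText[dwLength + 1] // NUL-terminated
HEADER = struct.Struct("<BI12s")


def decrypt_string(cipher: bytes, xor_key: int, add_key: int) -> bytes:
    """Per-byte transform the post traced in the VM handlers: (c ^ xor_key) + add_key, mod 256."""
    return bytes(((c ^ xor_key) + add_key) & 0xFF for c in cipher)


def parse_record(blob: bytes, offset: int = 0):
    """Parse one record at `offset`; returns (is_encrypted, length, ciphertext, next_offset)."""
    flag, length, _undefined = HEADER.unpack_from(blob, offset)
    start = offset + HEADER.size
    body = blob[start:start + length + 1]          # dwLength bytes plus the terminator
    if len(body) != length + 1 or body[-1] != 0:
        raise ValueError("truncated or unterminated record at offset %#x" % offset)
    return bool(flag), length, body[:length], start + length + 1


def decrypt_record(blob: bytes, xor_key: int, add_key: int) -> str:
    encrypted, _length, cipher, _next = parse_record(blob)
    plain = decrypt_string(cipher, xor_key, add_key) if encrypted else cipher
    return plain.decode("latin-1")


# Byte dumps and (xor, add) keys copied from the post's listing of the ".themida" section.
RECORDS = {
    "prompt": (bytes.fromhex(
        "01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00 "
        "00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F "
        "1B 00"), 0xA0, 0x4F),
    "password": (bytes.fromhex(
        "01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00 "
        "00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00"), 0x08, 0xE4),
    "yes": (bytes.fromhex(
        "01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00 "
        "00 EC D0 E6 94 7F 00"), 0x85, 0x10),
    "no": (bytes.fromhex(
        "01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00 "
        "00 C0 C3 3D 24 00"), 0x65, 0xC9),
    "press_enter": (bytes.fromhex(
        "01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00 "
        "00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48 "
        "8F BB BA BC B1 BA BD 8D 7A 56 00"), 0x12, 0xC6),
}


def decrypt_all() -> dict:
    """Decrypt every dumped record; the names are labels chosen here, not from the binary."""
    return {name: decrypt_record(blob, x, a) for name, (blob, x, a) in RECORDS.items()}


def check_password(user_input: str) -> bool:
    """Same order as the virtualized logic: length check (vCmpqr) first, decrypt + compare only if it passes."""
    blob, x, a = RECORDS["password"]
    _enc, length, cipher, _next = parse_record(blob)
    if len(user_input) != length:       # "The length MUST be 12!"
        return False
    return decrypt_string(cipher, x, a) == user_input.encode("latin-1")


if __name__ == "__main__":
    for name, text in decrypt_all().items():
        print(f"{name:>12}: {text!r}")
    print("123456789012 ->", check_password("123456789012"))
    print("gamer vision ->", check_password("gamer vision"))
```

The parser is strict about the terminator so that a record whose dwLength does not match its dump is rejected rather than silently decrypting garbage; the five records from the post all pass.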
6. 5 points

## Rules, Guidelines & Template...

Challenge of Reverse Engineering - Rules and Guidelines All challenges will be reviewed and approved prior to them being made public. You must use and adhere to the above template (when submitting a challenge) and the template in the post below (when submitting an answer/solution). A challenge is regarded as being solved only when a successful solution has been posted containing a tutorial or a detailed explanation. Solutions posted without any information will remain hidden from public view until a tutorial or detailed explanation has been submitted. The challenge will continue to remain unsolved. Please allow up to 48 hours for challenges and solutions to be reviewed.
7. 4 points

## [DevirtualizeMe] ArmDot

And here is the fully deobfuscated file with strings decrypted. I haven't run it through de4dot since this will simplify your button click method to one MessageBox.Show. Unpacked.exe
8. 4 points

## Obfuscating Operations using Linear Algebra

Hey all! I recently came across this neat paper here: https://tel.archives-ouvertes.fr/tel-01623849/document where they used what they called "Mixed-Boolean Arithmetic" to obfuscate arithmetic expressions, and then showed ways to deobfuscate them. Looking at the deobfuscation methods, they seemed largely either pattern-based or wouldn't work when bigger numbers were involved. So I thought to myself, "How can I mess with this?"

Well, first things first, they have no concrete method there for creating these expressions. There are two pages total dedicated to the creation of these expressions, so I had to get creative to make it work. They describe using numpy to solve the matrix equation created and using a hack-y method to circumvent not having a square matrix, but I thought that I could do a bit better... Enter two painstaking days of learning linear algebra and figuring out exactly what I needed to do.

They start by computing the truth tables of some expressions, putting them into a matrix as columns, then solving for the vector that, when using the dot product on the vector and the matrix, returned zero. After that, they filtered out various "rewrite rules" from the matrix generated. You can read more about this in the paper, though there's not much to go off of. They use numpy's linalg.solve to do this, but that only works with square matrices and produced results with constants that were a tad small for my taste :^) After a bit of research I found a python module called cvxpy, designed to find values that satisfy an expression under certain constraints. Even cooler was that you could specify matrix equations and integer-only solutions, which is exactly what I needed.

After tinkering with it for a bit, I was able to reliably create expressions like these (representing a xor b):

```
-27540 * (~a & b) + 373574 * (~a ^ ~b) + -27541 * (a & ~b) + -27541 * (~a & b) + -11 * (a + b) + -30436 * (~a & ~b) + -30436 * (~a * ~b) + 137712 * (a * ~b) + -27544 * (~a) + 1 * (b) + 3 * (~a + ~b) + -221347 * (~a - ~b) + 13 * (a + b) + -2 * (a) + -30454 * (~a + ~b) + -30454 * (~a + ~b) + -3 * (b) + -30449 * (a | b) + -27546 * (~b)

3672455 * (~a * b) + -362611 * (a ^ b) + 78113 * (a) + -524636 * (~b) + -524636 * (a ^ ~b) + 78113 * (a) + -524636 * (~a | b) + -362611 * (a ^ b) + -959545 * (a | b) + -78113 * (a - b) + -959545 * (~a + ~b) + -524636 * (~a) + 142249 * (a + b) + -959544 * (~a + ~b) + 142249 * (a + b) + -524637 * (a - ~b) + -524637 * (~a) + -524637 * (a & ~b) + 3241246 * (~a ^ ~b)
```

Using truth tables modulo 4 instead of modulo 2 I was also able to compute equivalencies for multiplication, which was pretty neato. However, using the same method of computing the truth table and finding an equivalent expression you can reverse this sort of operation. I'll leave that as an exercise to the reader.

EDIT: As a friend of mine pointed out, this will work with any operation that can be reduced to boolean math (i.e. xor, addition, subtraction, multiplication), not just arithmetic operations.
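An added example, not the author's code and not taken from the paper, that runs the truth-table idea in the "reverse" direction the post leaves as an exercise. mba_equal() compares two 2-input expressions over every pair of small-width inputs, with arithmetic reduced modulo 2**width (that final masking also makes Python's signed ~x behave like the width-bit NOT), and identify() reports which plain operation an obfuscated expression computes. The obfuscated forms in OBFUSCATED are textbook linear-MBA identities picked for illustration; they are not the expressions the post generated, which you would paste in as further lambdas.

```python
import itertools


def mba_equal(f, g, width: int = 4) -> bool:
    """Exhaustive truth-table comparison of two 2-input expressions over all
    width-bit inputs; arithmetic is taken modulo 2**width. Small widths keep the
    table small (4 bits = 256 rows) and, unlike random probing, cannot miss a row."""
    mask = (1 << width) - 1
    return all((f(a, b) & mask) == (g(a, b) & mask)
               for a, b in itertools.product(range(1 << width), repeat=2))


# Plain operations an obfuscated expression might be hiding.
CANDIDATES = {
    "a ^ b": lambda a, b: a ^ b,
    "a + b": lambda a, b: a + b,
    "a - b": lambda a, b: a - b,
    "a & b": lambda a, b: a & b,
    "a | b": lambda a, b: a | b,
    "a * b": lambda a, b: a * b,
}


def identify(obfuscated, width: int = 4) -> list:
    """Names of the candidate operations whose truth table matches `obfuscated`."""
    return [name for name, g in CANDIDATES.items() if mba_equal(obfuscated, g, width)]


# Constructed obfuscated forms: well-known linear MBA identities, not the post's output.
OBFUSCATED = {
    "xor": lambda a, b: (a | b) - (a & b),
    "add": lambda a, b: (a ^ b) + 2 * (a & b),
    "sub": lambda a, b: (a & ~b) - (~a & b),
    "or":  lambda a, b: (a ^ b) + (a & b),
    "and": lambda a, b: (a | b) - (a ^ b),
    "broken": lambda a, b: (a | b) - (a & b) + 1,   # off by one: should match nothing
}


def identify_all(width: int = 4) -> dict:
    return {name: identify(f, width) for name, f in OBFUSCATED.items()}


if __name__ == "__main__":
    for name, matches in identify_all().items():
        print(f"{name:>7}: {matches}")
```

A 4-bit table is enough to tell the six candidates apart, and the "broken" entry shows that a single wrong constant leaves no match at all; re-running with width=8 gives the same answers for the linear identities above.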
9. 4 points

## slugsnacks reversing series by c0lo

slugsnacks reversing series by c0lo: Link: https://kienmanowar.wordpress.com/slugsnacks-reversing-series-by-c0lo/slugsnacks-reversing-series-5/
10. 4 points

## Scylla Imports Reconstruction Source

Hi, sorry I wasn't online for so long. I am still alive 🙂 but I had a HDD crash and lost almost everything including account information. Today I was able to recover some account information from a forgotten USB stick. At least the forum here + bitbucket/github account. So I may be able to work on the projects again 🙂
11. 4 points

## Congratulations Mr Exodia

Find it funny how the agitator creates the topic to try and bring attention to what he had to post later on Puny schemes. People just have lives; RE isn't going anywhere. Same as there's been one generation of smart, skilled and enthused people, others will follow. Circle of life. What I do find funny is how this "high-level programming" works even with big companies, such as Denuvo. I put quotes because same as Java relies on a ton of shit OTHER people wrote across time, which they now just import, similarly Denuvo relies on VMProtect to shield whatever crap they've got going on. Were it not for it, we'd have gotten ourselves the ol' time SecuROM/SafeDisc fiascos. I digress.. Congrats, ExoD And keep it up, love your work.
12. 4 points

## Congratulations Mr Exodia

@p4r4d0x: enough already! If you can't stop whining about exetools and techlord, please go away - as this behavior is not bringing anything useful to this forum. :@ @mrexodia: I wish you all the best in your new job. You're extremely skillful person and I'm sure you'll enjoy the challenges this line of work will bring. And remember to learn as much new stuff as possible!
13. 3 points

Hi

New update with more features: https://github.com/Ahmadmansoor/AdvancedScript

AdvancedScript version 4.3: https://github.com/Ahmadmansoor/AdvancedScript/releases

* Add new commands and fix some bugs
* Fix error loading the Auto Commands when there is no ;
* Fix AutoRun and stepson (wait for the command to finish).
* Fix color variable name.
* Add ReadFile, Write2Mem, ReadMem
* Add GoToByBase form (https://www.youtube.com/watch?v=gQxlbC8RnRg)
* Assign a variable directly, no need for the Setx command.

Sample:

```
Varx str,memory      // var will hold the hex value
Varx int,rax_,0      // read rax value +1
Varx str,ourStr      // read test string
ReadMem $memory,{rax},5
$rax_={rax} +1
$rax_=ads.exebase
ReadStr $ourStr,{rdx}
```
14. 3 points

## Crackme Baby

That is most likely not your crackme. But what the hell.. Load it in IDA, decompile the serial check and it will look like this:

```c
if ( ++idx >= 29 )
{
  if ( count_of_sevens == 1 && String[6] == '7' )
  {
    v5 = (unsigned __int8)entered_key[0];
    if ( entered_key[0] )
    {
      LOBYTE(v5) = entered_key[4];
      if ( v5 )
      {
        LOBYTE(v5) = entered_key[8];
        if ( v5 )
        {
          LOBYTE(v5) = entered_key[12];
          if ( v5 )
          {
            LOBYTE(v5) = entered_key[16];
            if ( v5 )
            {
              LOBYTE(v5) = entered_key[21];
              if ( v5 )
              {
                part1 = getintfromkey(0, 4, 0);
                part2 = getintfromkey(0, 4, v6);
                part3 = getintfromkey(0, 4, v7);
                part4 = getintfromkey(0, 4, v8);
                part5 = getintfromkey(0, 5, v9);
                part6 = getintfromkey(0, 8, v10);
                v11 = part1 * (unsigned __int8)entered_key[7];
                v12 = part1 * (unsigned __int8)entered_key[6];
                v13 = part1 * (unsigned __int8)entered_key[4];
                if ( v11 == part5 && v12 == part3 && !(part1 * (unsigned __int8)entered_key[5])
                  && v13 == part4 && 1000 * v13 + 10 * v12 + v11 == part6 )
                {
                  ...show good boy message...
```

There are some checks for specific character values:

* char 6 must be "7", there may not be any other "7" in the key;
* char 5 must be "0";
* chars 4,8,12,16,21 may not be "0";

The key is split into several parts:

```
part1 = first 4 chars
part3 = chars 8..11
part4 = chars 12..15
part5 = chars 16..20
part6 = chars 21..28
```

Then it does some simple multiplication and checks the result. At this point you have 2 options:

- make a tool that will randomly choose part1 and chars 4 and 7, do the multiplication to calculate parts 3, 4, 5, 6 and see if it passes all checks.
- remember math lessons from school and figure out the only possible combination that will pass all checks.

The first one is much faster, the second one will be .. challenging. Either way, you should arrive at the only possible solution:

Well, in fact, there is an infinite number of valid keys. You can append random characters to the key above, they are not checked..
15. 3 points

16. 3 points

## Millions using 123456 as password...

I really, really disagree. Not all websites are valuable. And not all passwords should chosen to be secure. In fact, this was something I wanted to write about for a long time already, so here it goes: https://lifeinhex.com/my-password-is-password/ (shameless self-promo, I know! )
17. 3 points

## Obsidium v1.6.1.9

Used protector (I forgot to specify): https://www.52pojie.cn/thread-652274-1-1.html http://distro.crack.vc/index.php?dir=RceTools/Packers/ Finally made scripts and a tutorial on how to restore stolen bytes: https://forum.tuts4you.com/topic/41211-obsidium-olly-scripts/ BR.
18. 3 points

## Feedback and Ideas

I have my own take on why this is; there are a number of different reasons. I only have to look at my own interests in RCE over the last few years to partly understand the reason. A full answer to this requires a topic of its own that I will save replying to in full for another day. A number of members now have to have their posts reviewed and approved before they are visible to everyone. I am hoping this will help to reduce things like this from going on in the future. This has been a bone of contention with other members too. I'll have to take in all the suggestions and issues raised and try to come up with workable solutions. One of the problems is reviewing the submissions; currently it is often taken on good faith that the difficulty and content are accurate. I also don't want to restrict too heavily which user groups can submit crackmes as new members have come and made okay entries in the past. You guys fortunately don't see just how many actually do end up getting trashed. Possibly I will have to split the sections up to filter out ConfuserEx trash or stop them altogether. I am open to further suggestions and ideas on this, if you have some keep firing them at me... Ted.
19. 3 points

Let's assume we have this code:

```asm
test_proc proc
    VM_EAGLE_BLACK_START
    add rax, rcx
    add rax, rdx
    add rax, rsi
    add rax, rdi
    ret
    VM_EAGLE_BLACK_END
test_proc endp
```

So we have a single basic block with multiple inputs: RAX, RCX, RDX, RSI, RDI and a single output: RAX. The protected version of that has about 10.000.000 instructions (Themida 2.4.6.0 demo). Let's run it through Unicorn and connect instructions via their side effects. While we are at it, let's assume we have an unlimited number of registers so we can remove memory indirections and connect instructions directly.

Out of the initial 10mio instructions, how many contribute directly or indirectly to the output in RAX? About 300.000 (log_ins.txt). That's a little better, but still too much.

An instruction is considered constant when all its inputs are constant, because they are either literal constant values or they were produced by instructions that are constant themselves. A memory read that wasn't written by ourselves is also considered constant (it might be written by the pre-OEP program, but this is irrelevant). Using this definition of constant, out of the 300k instructions that contribute to the result, how many instructions are constant and thus can be const-folded? A lot: themida.svg.

This graph contains everything that contributes to the final value of RAX, but is not constant. The left number is a step number which corresponds to log_ins.txt, the right number is the result of the instruction. You can already kind of see the original program, but it's still a bit obfuscated. You can also kind of see what Themida does most of the time: modifying values. Again and again. And every modification relies on thousands of instructions to produce the values that are used for the modification. And they manage somehow that everything depends on everything else, which is kind of impressive. It certainly makes it hard to identify opcode handlers or eliminate dead stores.

Now the final question: can this graph be optimized? Yes.

(I have created the IR program out of the initial 300k instructions without dropping the consts or any other optimization. LLVM's IR API does const folding itself, otherwise it would be the full 300k instructions.)

Using Unicorn to extract the instruction dependencies obviously works only for basic blocks; it doesn't work for control flow without additional work. But this is another topic. themida.svg, log_ins.txt and ir.ll are attached.

tuts4you_themida.rar
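The following is an added example; it is not the author's tool, uses neither Unicorn nor LLVM, and does not touch the attachments. It reproduces in miniature the idea shared by this post and the VMProtect vs. LLVM post above: every executed instruction in a (constructed) trace becomes a node linked to the nodes that produced its operands, every write creates a fresh node (the "unlimited registers" view, so no memory indirections are needed), a node is constant exactly when all its inputs are immediates or constant nodes, and a backward walk from the last writer of the output register keeps only what contributes to it. The trace, the register names and the IR-like text format are invented for the illustration.

```python
from typing import Dict, List, Optional, Tuple

MASK = (1 << 64) - 1
OPS = {
    "mov": lambda a: a,
    "add": lambda a, b: (a + b) & MASK,
    "sub": lambda a, b: (a - b) & MASK,
    "xor": lambda a, b: a ^ b,
    "and": lambda a, b: a & b,
    "not": lambda a: ~a & MASK,
}


class Node:
    """One executed instruction (or a block input), linked to the nodes that produced its operands."""

    def __init__(self, step: int, op: str, dst: str, inputs: list):
        self.step, self.op, self.dst, self.inputs = step, op, dst, inputs
        self.value: Optional[int] = None
        # Constant-fold eagerly: a node is constant when every input is an immediate
        # or a node that is itself constant (the post's definition of "constant").
        if op != "input" and all(isinstance(i, int) or i.value is not None for i in inputs):
            self.value = OPS[op](*[i if isinstance(i, int) else i.value for i in inputs])

    def name(self) -> str:
        if self.value is not None:
            return hex(self.value)          # folded: shows up as an immediate
        if self.op == "input":
            return f"{self.dst}_in"         # block input with unknown value
        return f"%{self.step}"


def build_graph(trace) -> Tuple[List[Node], Dict[str, Node]]:
    """trace entries are (op, dst, operands); operands are register names or immediates."""
    last_writer: Dict[str, Node] = {}
    nodes: List[Node] = []

    def read(reg: str) -> Node:
        if reg not in last_writer:
            # First read of a register nobody wrote yet: a block input, not constant.
            last_writer[reg] = Node(-1, "input", reg, [])
        return last_writer[reg]

    for step, (op, dst, operands) in enumerate(trace):
        inputs = [o if isinstance(o, int) else read(o) for o in operands]
        node = Node(step, op, dst, inputs)
        nodes.append(node)
        last_writer[dst] = node             # every write is a fresh node: "unlimited registers"
    return nodes, last_writer


def backward_slice(root: Node) -> List[Node]:
    """All nodes that directly or indirectly feed `root`, in trace order."""
    seen, stack, order = set(), [root], []
    while stack:
        n = stack.pop()
        if id(n) in seen:
            continue
        seen.add(id(n))
        order.append(n)
        stack.extend(i for i in n.inputs if isinstance(i, Node))
    return sorted(order, key=lambda n: n.step)


def residual_ir(root: Node) -> List[str]:
    """The non-constant part of the slice, with folded inputs baked in as immediates."""
    return [f"{n.name()} = {n.op} " + ", ".join(i.name() if isinstance(i, Node) else hex(i) for i in n.inputs)
            for n in backward_slice(root) if n.value is None and n.op != "input"]


def evaluate(node: Node, env: Dict[str, int]) -> int:
    """Concretely execute the graph for given block inputs, to confirm the slice is faithful."""
    if node.value is not None:
        return node.value
    if node.op == "input":
        return env[node.dst] & MASK
    return OPS[node.op](*[i if isinstance(i, int) else evaluate(i, env) for i in node.inputs])


def analyze(trace, out_reg: str) -> dict:
    nodes, last_writer = build_graph(trace)
    root = last_writer[out_reg]
    contributing = [n for n in backward_slice(root) if n.op != "input"]
    return {"total": len(nodes), "contributing": len(contributing),
            "constant": sum(n.value is not None for n in contributing),
            "residual": residual_ir(root), "root": root}


# Constructed trace: "rax = rax + rcx" hidden behind a constant built from junk,
# plus a dead computation into rdx that never reaches the output.
TRACE = [
    ("mov", "t0", [0x1234]),
    ("xor", "t0", ["t0", 0x0FF0]),     # t0 = 0x1DC4, constant
    ("add", "t1", ["t0", "t0"]),       # t1 = 0x3B88, constant
    ("not", "t2", ["t1"]),             # constant junk
    ("and", "t2", ["t2", 0xFFFF]),     # constant junk
    ("add", "rax", ["rax", "t1"]),     # rax += k
    ("xor", "rdx", ["rdx", "t2"]),     # dead store, not on the path to rax
    ("add", "rax", ["rax", "rcx"]),    # rax += rcx
    ("sub", "rax", ["rax", "t1"]),     # rax -= k
]

if __name__ == "__main__":
    r = analyze(TRACE, "rax")
    print(f'{r["total"]} instructions, {r["contributing"]} contribute to rax, {r["constant"]} of those are constant')
    print("\n".join(r["residual"]))
```

Of the nine instructions, six contribute to rax and three of those fold away, leaving three non-constant operations (add k, add rcx, sub k) with k already baked in as an immediate. That residue is what a real optimizer is handed: the remaining "+k ... -k" pair is exactly the kind of algebraic identity LLVM's instcombine removes, which is why the post can get from a 300k-instruction slice to the original adds.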
20. 3 points

## Congratulations Mr Exodia

Good Luck @mrexodia but we are patiently waiting for the source leaks << Just kidding and check that private message I sent you long ago if you have a minute
21. 3 points

## Congratulations Mr Exodia

I've been reporting all the posts made here about all the nonsense going on there that they are trying to bleed into this site as well. Just ignore him as well mrexodia, it's not the real p4r4d0x. It's one of Tech's groupies, if not Tech himself, looking to stir drama up on this site as well. Congrats on the job, perhaps you can steer them into a better direction from being so anti-consumer.
22. 2 points

## [C#] Modded KoiVM

Well it was a lil harder than normal KoiVM but not that hard.

1) Made a quick tool that will change the #Strings koi heap name to #Koi (Had to modify dnlib)
2) Run oldrod with "-rt 72b51d4140ae7ec413ebad02f2d22f9e.dll UnPackMe.exe" as arguments.
3) File devirted

Edit: The tool to change the heap name wasn't needed, I just realised you can change it through dnSpy
23. 2 points

## Triton - Dynamic Binary Analysis framework for Delphi

I created this experimental project. I hope it can be useful to someone. Any collaboration and improvement is welcome. Thank you https://github.com/Pigrecos/Triton4Delphi
24. 2 points

## How to get base of new created process?

Hi, hmmm, long time ago already. Don't remember anymore about that. I just checked my codes and saw that I was using the PEB reading method like this...

```asm
local STARTUP:STARTUPINFO
local PI:PROCESS_INFORMATION
local PIS:PROCESS_BASIC_INFORMATION
local BASEADDRESS:DWORD

invoke RtlZeroMemory,addr STARTUP,sizeof STARTUP
invoke RtlZeroMemory,addr PI,sizeof PI
invoke RtlZeroMemory,addr PIS,sizeof PIS
mov STARTUP.STARTUPINFO.cb ,sizeof STARTUPINFO
invoke CreateProcess,addr TARGETNAMEPATHBUF,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,addr STARTUP,addr PI
.if eax == 0h                           ; fails
    ret
.endif
invoke NtQueryInformationProcess,PI.PROCESS_INFORMATION.hProcess,ProcessBasicInformation,addr PIS,sizeof PIS,NULL
.if eax != 0h                           ; fails (NTSTATUS != STATUS_SUCCESS)
@@:
    invoke TerminateProcess,PI.PROCESS_INFORMATION.hProcess,0
    .if eax != 1                        ; fails
    .endif
    mov eax, 0h
    ret
.endif
mov esi,PIS.PROCESS_BASIC_INFORMATION.PebBaseAddress
add esi,8                               ; PEB.ImageBaseAddress (offset 8 in the 32-bit PEB)
invoke ReadProcessMemory,PI.PROCESS_INFORMATION.hProcess,esi,addr BASEADDRESS,sizeof BASEADDRESS,NULL
.if eax != 1                            ; fails
    jmp @B                              ; terminate the suspended process and bail out
.endif
mov esi, BASEADDRESS                    ; esi = image base of the new (still suspended) process
```

greetz
25. 2 points

26. 2 points

## .ICO to Bitmap...

1. Load icon
2. Create a compatible bitmap same size as icon
3. Use DrawIcon / DrawIconEx to draw the icon into the hdc's bitmap
4. Return the hBitmap and free any resources not required - dc's, icon (if not needed anymore)
5. Use SetMenuItemBitmaps

Might need to include a few other steps but the basics outlined should convert the icon to a bitmap.
27. 2 points

## ConfuserEx Mod

login pass:

steps to unpack:

1. removed anti tamper and some junk calls
2. cleaned cflow (Thanks to Tesla for cflow cleaning)
3. removed proxy calls
4. removed proxy calls again
5. converted x86 methods to IL
6. decrypted all constants
7. cleaned cflow again (Thanks to Tesla for cflow cleaning)
8. cleaned some small stuff with de4dot.

UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe
28. 2 points

## Debugging in Turbo Pascal like it's 1994

Best days of programming before all this Java and Android chaos
29. 2 points

Here is the hotfix for anyone who wants to install without turning on Data Collection and Use... hotfix-update-xpi-intermediate@mozilla.com-1.0.2-signed.xpi
30. 2 points

31. 2 points

## How to set diffrent colors in a single menu string?

Check Ted's answer again: So if you want colors (any at all) or mix normal/bold then you will need to draw the items yourself using the GDI api SetTextColor and TextOut and those functions after responding to the draw item event by setting the owner draw flag.
32. 2 points

33. 2 points

## A new disassembler coming soon?

9.0.2 released with the source; the release notes can be found on their site: https://ghidra-sre.org/releaseNotes.html With the source, they did include the decompiler's source code, which some were concerned about being released. It's there and is coded in C/C++ so there is potential for things to get better as time goes on with community help/support. Would love to see it become on par with IDA's and better in the long run. Given how Ghidra is set up too, if it does start to become on par with or better than IDA's decompiler, someone could essentially turn it into an IDA plugin if they wanted.
34. 2 points

## z3 SMT solver for Pascal

https://github.com/Pigrecos/Z34Delphi My new repository for using Z3 in delphi(porting z3 c api to delphi). I tried and there were no tools for symbolic execution in delphi
35. 2 points

## Feedback and Ideas

I see that Teddy has already implemented certain changes in "Crackmes" section. One small request to consider - since all solutions will be moderated and hidden by default, it would be nice to see something like "Post by XYZ is awaiting moderation" or at least "X posts are awaiting moderation". Reason for the request - it's no fun to reinvent the wheel and solve a crackme that's already been solved. So, if I see that someone-I-know-as-a-good-reverser has already posted a solution that is awaiting moderation, I'll probably spend my time on something else. Other thing - what will happen to comments like "Crackme is not working on Windows 7" and similar? Will they go through moderation queue as well?
36. 2 points

## Feedback and Ideas

Going to leave some suggestions for going into 2019. Will break this into a few posts to make it easier to read/respond to if people want to discuss it.

Challenge Section Issues

One of the main sections that sees traffic still on this forum is the challenge sections. However, that isn't to say there aren't issues with these sections and the rules that are attached to them. Over the last few years, these sections have undergone some changes, focusing on bettering them but it feels like while the changes were made, they weren't enforced or continued with. These sections have degraded a lot over the last few years for a few reasons, in my opinion.

Lack of Real Solutions - One of the biggest issues we still see is a lack of solutions. This became a big enough issue that newer rules and reorganization was done last year to try and help with it, but I feel we are just slipping right back to where we started with that. People post more for their ego and less for the community. Solutions are supposed to include details or a tutorial in how the solution was figured out but instead, that is back to not happening or is extremely lacking in actual info. People just post "unpacked manually" type posts that explain nothing with a solution and that is being accepted which is not what the rules say is a valid solution.

Lack of Discussions - Another huge issue is that there is no encouragement to talk and discuss the challenge. Instead, it is actually quite the opposite. Newer members that have questions or request for a tutorial on how a solution was obtained are generally responded to with insults or some other ego-driven response belittling the person asking for help. So many new members land up leaving this forum because there is no real community anymore. Questions are met with ego-driven responses, requests for tutorials/solutions are met with "figure it out yourself" type responses, any type of attempt to learn is seen as leeching anymore. There are a few public and semi-public forums that focus on reverse engineering similar to this site that have grown a lot in the last few years because of how toxic this site has become.

Challenge Types/Restrictions - While this isn't something that is at the fault of the staff, there is an issue with the constant reposting of ConfuserEx challenges that make up the majority of whats posted lately. I think we should start enforcing some type of system or rule that limits posting a new challenge that is nothing more than a minor-altered version of ConfuserEx. These are most commonly posted by new members with little to no posts. So also perhaps adding a post limit before being allowed to create a challenge. Along with that, ensuring in some manner that the user has read the rules. (I'm sure there is a forum plugin to force people to read the rules page or at least force it to load and they have to click OK or similar.) In nearly all the reposts of ConfuserEx, it's generally the same thing where people alter the name, edit 1-2 hardcoded values that do nothing, and in return the challenge is still fully unpackable by automated tools.

Challenge Rankings - As kao pointed out, having the submitter of the challenge be the one that rates the difficulty is a bit of a skewed value. Most of these new posters always rate their protection 10/10 when they edit two lines in ConfuserEx and upload a sample. Most of these people posting these things are not even able to unpack it themselves, let alone unpack even basic things like UPX. There is really no reason to have the person posting the challenge be required to include a rank. Instead, this should be optional and a suggestion. The people solving the challenge should give a rating instead. Along with this, I think we should, as a community, create a guideline on how to rank a challenge. Be it a 1 to 10 type system or something else, I think there should be some kind of guideline as to what the value means so that others can look at a challenge, see a number and understand that it could be something they are interested in. A challenge that I personally feel is 2/10 may be an 8/10 to someone else that's new, or similar. Instead, perhaps ranking the numbers in terms of what's involved and if automation works/is available for parts of it. For example:

- 1/10 = An automated solution exists that works for this challenge. (ie. Running upx's unpack switch from the command line, de4dot works entirely, the ConfuserEx tools work, etc.)
- 2/10 = Automated solutions work but some minor manual work is required.
- 3/10 = Automated solutions may/may not work. Manual work is required, seen as basic/entry level understanding.
- 4/10 = Automated solutions may/may not work. Manual work is required, seen as higher than basic but still easy.
- ...
- 10/10 = Automated solutions do not exist. Manual work is required. Includes VMs and other difficult processing.

and so on. This is something that could help let users gauge things easier. This could also be used to allow the poster of the challenge to better gauge their challenge.
37. 2 points

## Bulletproof.NET BETA 3 | Get the Source Code

1. String:

Crawling in my skin
These wounds they will not heal
Fear is how I fall
Confusing what is real
...

2. String:

I'll take everything from the inside and throw it all away
Cuz I swear for the last time I won't trust myself with you
Everything from the inside and just throw it all away
Cuz I swear for the last time I won't trust myself with you

Source code of "Launcher": I hate XAML and BAML and these things, I had problems with extracting the form, so I will give there only the .exe https://mega.nz/#!X1t3AACL!AtGVdCnQ_acasocB_ytRTywAbeISsQQM3NgvVVL02SY
38. 2 points

I use a Pintool to run the executable to OEP, then dump all modules and heap memory to file. Then I load everything into Unicorn and jump to the protected function. In the UC_HOOK_CODE handler, I then inspect the current instruction and create/connect the corresponding nodes. When the protected function returns, I'll grab the node(s) that wrote RAX last (or any other register) and walk backwards to generate a dotgraph or IR. There's a bunch of different node implementations, each one knows how to generate itself as IR and tries to const-evaluate itself (given its inputs are const themselves). I prefer Unicorn because it's so much easier to debug than a Pintool. My tool needs about 35 seconds to run the protected function from above and generate optimized IR.
39. 2 points

## Best Protection for .net Exe

2019 ... These questions and similar topics should be a crime and directly sent to the trash bin, please people use the search functionality !
40. 2 points

## L0rdix becomes the new Swiss Army knife of Windows hacking

Zdnet has a history of letting morons write about security. Catalin Cimpanu has produced some extremely dumb articles but this Charlie Osborne brings it to a whole new level of stupidity.
41. 2 points

## Speed optimization question comparing

And that behavior is perfectly normal and expected. You really should not try to be smarter than compiler. You aren't. 99% of programmers aren't. So just let compiler do its job. There is so much more to optimize in your code - in the logic and algorithm. It's much wiser to spend your time on that..
42. 1 point

## Harmony Injector Help

For Harmony you need to load the target executable into the current domain; in other words, you need to create an application loader. The steps:

1. Create a new WinForms project (the loader):
   - Add references to 0Harmony.dll and Target.exe
   - Add a button, name it btnOpenApp, with this click handler:

```csharp
using System;
using System.Reflection;
using System.Threading;
using System.Windows.Forms;

// Inside the loader form's class:
private void btnOpenApp_Click(object sender, EventArgs e)
{
    // Load the target into the current AppDomain so Harmony can patch its methods
    AssemblyName assemblyName = AssemblyName.GetAssemblyName(@"c:\path\to\Target.exe");
    var assembly = Assembly.Load(assemblyName);
    var methodBase = assembly.ManifestModule.ResolveMethod(assembly.EntryPoint.MetadataToken);

    // do the patch
    Harmony.Patch();

    // Open the Target on its own thread so the loader form stays responsive
    new Thread(() =>
    {
        // assume the entry point is static and doesn't have parameters
        methodBase.Invoke(null, null);
    }).Start();
}
```

2. Create the class Harmony.cs:

```csharp
using Harmony;
using System;
using System.Reflection;
using System.Windows.Forms;

namespace YourWinformsNameSpace
{
    internal static class Harmony
    {
        public static void Patch()
        {
            // Apply every [HarmonyPatch] class found in this assembly
            HarmonyInstance h = HarmonyInstance.Create("test.patch.by.ewwink");
            h.PatchAll(Assembly.GetExecutingAssembly());
        }

        // Target.FormClass.calculate(int, int) in Target.exe
        [HarmonyPatch(typeof(Target.FormClass), "calculate")]
        [HarmonyPatch(new Type[] { typeof(int), typeof(int) })]
        public class Patchcalculate
        {
            // Prefix runs before the original method; ref lets us rewrite the argument
            static void Prefix(int num1, ref int num2)
            {
                MessageBox.Show(string.Format("Second param {0} will be patched to 7", num2));
                num2 = 7;
            }
        }
    }
}
```

The above will patch the second parameter of the calculate method to 7. Make sure the target Framework and CPU match.
43. 1 point

## Black Hat Lucifer (Anti Dump + IL Protection + Enigma Protector)

Run original exe with NETBox 4.0, forget to specify version 4.0: https://forum.tuts4you.com/topic/39321-netbox/

Dump .NET exe main module with MegaDumper: https://forum.tuts4you.com/topic/24087-dotnet-dumper-10/page/3/?tab=comments#comment-177260

You should load original exe with dllsaver: https://forum.tuts4you.com/topic/39871-dllsaver/

As for ILProtector unpacking, I've used a private tool I won't share!
44. 1 point

## UnpackMe 01 Eddy^Protector

Native stub, managed file: he needed to drop the file on disk somewhere hidden; I doubt there is anything malicious about that file, but it is worth a look!
45. 1 point

## How to apply patches from diff in MinGW?

There are many tools to apply a *.diff file (TortoiseSVN etc.), but my favorite is WinMerge, a good tool to compare files and make patches.
47. 1 point

## Denuvo - In The News

Saw this earlier. Makes no sense to me, but I'm sure some of ya know what it all means. Cheers.

Injustice 2 Legendary Edition-CODEX

Notes: This release contains the latest update from August 21st and all additional content of the Legendary Edition. For the reason explained below, we noticed that two of the 38 included fighters (Gorilla and Robin) can have some small delays/micro freezes when executing certain attacks. The slower your CPU, the more noticeable the lags are on these two. Even though the game isn't exactly new anymore, there are still a lot of bugs left in the legit version.

Some Denuvo Techtalk: For example, when Robin does one of his special attacks, throwing a smoke bomb on the ground, Denuvo starts writing a private key to the memory from 000000014C113692:

```
000000014C113692 | 44 88 07 | mov byte ptr ds:[rdi],r8b
000000014C113695 | 5F | pop rdi
000000014C113696 | 50 | push rax
000000014C113697 | 21 C0 | and eax,eax
000000014C113699 | 9C | pushfq
000000014C11369A | 44 01 C1 | add ecx,r8d
000000014C11369D | 4C 89 F0 | mov rax,r14
000000014C1136A0 | 48 89 C1 | mov rcx,rax
000000014C1136A3 | 48 C7 C0 00 00 00 00 | mov rax,0
000000014C1136AA | 48 09 D0 | or rax,rdx
000000014C1136AD | 48 83 C1 01 | add rcx,1
000000014C1136B1 | 49 89 CE | mov r14,rcx
000000014C1136B4 | C1 C1 08 | rol ecx,8
000000014C1136B7 | 9D | popfq
000000014C1136B8 | 58 | pop rax
```

Then it fills the buffer at: 000000014779F593.

When everything is filled and the key is obtained by Denuvo itself, it starts executing anti-tamper checks from 000000014774C37E:

```
000000014774C37E | 41 89 7D 00 | mov dword ptr ds:[r13],edi
000000014774C382 | 48 29 F3 | sub rbx,rsi
000000014774C385 | 41 54 | push r12
000000014774C387 | C1 CB 0D | ror ebx,D
000000014774C38A | BE D4 72 4D 3E | mov esi,3E4D72D4
000000014774C38F | 4C 8D 25 4F B5 06 FE | lea r12,qword ptr ds:[1457B78E5]
000000014774C396 | 4C 33 24 24 | xor r12,qword ptr ss:[rsp]
000000014774C39A | 48 8B 1C 24 | mov rbx,qword ptr ss:[rsp]
000000014774C39E | 4C 21 E3 | and rbx,r12
000000014774C3A1 | 4C 09 24 24 | or qword ptr ss:[rsp],r12
000000014774C3A5 | 0F BA F8 06 | btc eax,6
000000014774C3A9 | 0F BA F6 0D | btr esi,D
000000014774C3AD | 48 29 1C 24 | sub qword ptr ss:[rsp],rbx
000000014774C3B1 | 4C 89 E3 | mov rbx,r12
000000014774C3B4 | 48 23 1C 24 | and rbx,qword ptr ss:[rsp]
000000014774C3B8 | 4C 0B 24 24 | or r12,qword ptr ss:[rsp]
000000014774C3BC | 49 29 DC | sub r12,rbx
000000014774C3BF | C3 | ret
```

Here it gets the addresses of the various functions inside the Denuvo code from the r13 register and forces the original bytes, a single DWORD per cycle, essentially overwriting any potential patches that were applied to these functions before. The way our crack works is that it reads a huge amount of encrypted code (including the code that the anti-tamper tries to overwrite), and therefore patching the required place causes some slowdowns, thanks to Denuvo and the devs.
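The listings quoted above are in the x64dbg `address | bytes | instruction` layout. As an added example for this page (not from the post or from the release notes it quotes), here is a small Python parser for that layout that checks a listing is contiguous, meaning each instruction's address plus its encoded length equals the next address, which is a quick way to spot lines dropped when a dump is pasted or trimmed, and that lists the instructions whose destination is an explicit memory operand, such as the `mov byte ptr ds:[rdi],r8b` and `mov dword ptr ds:[r13],edi` stores the notes single out as the key write and the byte-restoring write. The first listing is the first seven lines of the dump above; the second is constructed from it with one line removed to show gap detection.

```python
# Added example: parse x64dbg-style "address | bytes | text" listings and sanity-check them.
import re
from dataclasses import dataclass

# One listing line: hex address | one or more hex byte pairs | instruction text.
LINE_RE = re.compile(
    r"^\s*([0-9A-Fa-f]{8,16})\s*\|\s*((?:[0-9A-Fa-f]{2}\s*)+)\|\s*(.+?)\s*$"
)

@dataclass
class Insn:
    addr: int
    raw: bytes
    text: str

    @property
    def end(self) -> int:
        """Address of the byte right after this instruction's encoding."""
        return self.addr + len(self.raw)

def parse_listing(listing: str) -> list:
    """Parse every line matching the layout; headings and blank lines are ignored."""
    insns = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, hexbytes, text = m.groups()
            insns.append(Insn(int(addr, 16), bytes.fromhex(hexbytes.replace(" ", "")), text))
    return insns

def find_gaps(insns) -> list:
    """(address, length) of each hole between consecutive instructions.
    A negative length means two lines overlap, which is just as suspicious."""
    return [(a.end, b.addr - a.end) for a, b in zip(insns, insns[1:]) if a.end != b.addr]

def memory_stores(insns) -> list:
    """Instructions whose first operand is an explicit memory reference
    (implicit stack writes such as push are deliberately not counted)."""
    out = []
    for i in insns:
        parts = i.text.split(None, 1)
        if len(parts) == 2:
            dst = parts[1].split(",")[0]
            if "ptr" in dst and "[" in dst:
                out.append(i)
    return out

# First seven lines of the dump quoted in the post above.
LISTING = """\
000000014C113692 | 44 88 07 | mov byte ptr ds:[rdi],r8b
000000014C113695 | 5F | pop rdi
000000014C113696 | 50 | push rax
000000014C113697 | 21 C0 | and eax,eax
000000014C113699 | 9C | pushfq
000000014C11369A | 44 01 C1 | add ecx,r8d
000000014C11369D | 4C 89 F0 | mov rax,r14
"""

# Constructed: the same start with the `push rax` line at ...696 removed.
GAPPED = """\
000000014C113692 | 44 88 07 | mov byte ptr ds:[rdi],r8b
000000014C113695 | 5F | pop rdi
000000014C113697 | 21 C0 | and eax,eax
"""

if __name__ == "__main__":
    insns = parse_listing(LISTING)
    print(f"{len(insns)} instructions, {insns[-1].end - insns[0].addr} bytes, gaps: {find_gaps(insns)}")
    for s in memory_stores(insns):
        print(f"store at {s.addr:#x}: {s.text}")
    print("gaps in constructed listing:", find_gaps(parse_listing(GAPPED)))
```

On the post's lines the checker reports no gaps and 14 encoded bytes; on the constructed listing it reports a one-byte hole at 000000014C113696, exactly where the dropped `push rax` was. The same parse-then-verify step is worth doing on any pasted dump before reasoning about what it does.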
48. 1 point

## Denuvo - In The News

Sounds like it did its job.
49. 1 point

## VMProtect vs Themida

Both are good protections if used properly. Both protections can be unpacked rather easily; the difficult part is the virtualized code. So virtualizing vital functions and sub-functions is very important.