Jump to content
Tuts 4 You


  1. kao


    Full Member+

    • Points


    • Content Count


  2. CodeExplorer



    • Points


    • Content Count


  3. Teddy Rogers

    Teddy Rogers


    • Points


    • Content Count


  4. Kurapica


    Full Member

    • Points


    • Content Count


Popular Content

Showing content with the highest reputation since 08/13/2019 in all areas

  1. 13 points
    awesome_msil_Out.exe Approach: 1. Necrobit is a jit protection, so we use Simple MSIL Decryptor by CodeCracker , and it shall be ran on NetBox 2. Code virtualization is a relatively new feature of .net reactor, added in version Here is the approach i took (i did this about 6 months ago so my memory is kinda rusty ) : (Click spoiler to see hidden contents)
  2. 11 points
    Many years ago I wrote a software protector called MyAppSecured. Somewhere in the middle of porting it from Delphi to C++ I lost my interest in this project. Just found it on my HDD so I thought it might be helpful for someone. In short, the GUI of this protector is written in C++ and the protection stub in written in MASM. The C++ code loads a target in memory and adds 2 PE sections to it. One for the TLS callback code and one for the main code. The MASM stub will be written to those 2 sections. This protector has just 2 protection features: Analyze Immunity (anti-debug) and Memory Shield (anti debug-tools, OEP relocation). Note this is not a download-and-use-right-away protector. The code is written years ago so it's not very well written and also for some unknown reason the MASM stub could not be written into the 2 created sections. It did work very well years ago but I don't have the time to investigate why it doesn't work now. To be clear, the compiled exe file you will find in the package should run nicely but once you try to secure a exe file, that exe file is gonna be corrupted. This project is free for personal and commercial purposes. If you have any questions please ask, but keep in mind I abandoned this project and removed it from my HDD right after posting it here. Even if you are not gonna use this project it might be interesting to check the code. Some interesting stuff you might find there for your own project, such as emulating the CreateThreadW function in pure MASM, adding PE sections & relocation of OEP. MyAppSecured v1.00 Beta source.zip
  3. 10 points
    .NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization which is not that hard because it's more straightforward than rest of code virtualization implementations that are in the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot standard ProxyCallFixer1 to fix those delegates. Of course firstly you need to read them from initialization method but reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, AntiDebug feature which is basically just a simple check of IsAttached, just nop these instructions. There are few more changes to necrobit feature, for example they hide PInvoke methods to break old de4dot implementation - pretty easy fix. Overall these changes are not that major to completely rewrite de4dot from scratch. Here is unpacked version of your file unpackme -cleaned.exe
  4. 9 points
  5. 8 points
    What makes you question either of these? Private: There are occasionally some techniques, practices (and tools) kept private to stay ahead of the game. Nothing has changed much over the years in this regard as far as I can tell. Knowledge: As @kao already mentioned most of the core techniques and information is out there to be discovered (in these forums for example). It only needs a willing and proactive individual to expand and develop on this information. As everyone seems to have their own blog (or YouTube channel) these days these generally seem to be the new format for tutorials. One day... when all my children have grown up and left home I can get my life back and get back to RCE and making traditional tutorials. Hopefully the RCE world will be an entirely new and interesting place to explore... 👍 Ted.
  6. 7 points
  7. 7 points
    I used this in my MyAppSecured exe protector project. This code emulates the winAPI CreateThread using ZwCreateThread, in pure MASM, compiled in WinASM studio. Feel free to use it for your own projects. ZwCreateThread example.rar
  8. 6 points
    I am referring to threads and posts like these: If a solution is selectively provided only to the OP by PM then it defeats the whole purpose of the Crackme/Unpackme section. In such cases, the solution provider should not even be acknowledged unless they provide working steps for everyone to learn from. This forum is a learning platform and if solution providers are expected to share the methodologies that they used for the solution. Here is yet another thread where the posts from the solution providers who gave vague steps was approved: Basically another thread containing "show-off" posts by the solution poster. Nothing practical provided and no proper steps were shown. I mean, take this for example (from this post): EXAMPLE 2 Basically useless. It's like saying that to climb the Himalayas one needs will-power, good training, a lof of good mountaineering tools, food packs etc and that one has to read up a lot of good manuals and practice on smaller mountains first... Only posts in the Challenges section which detail proper steps which are actually reproducible should be approved by the mods. OR... ALL POSTS there should be approved from anyone. Why just approve the "show-off" posts? Are we expected to "beg" the solution poster via PM for the steps? I am quite sure that my post may get deleted, since any posts which speak the truth seem to get selective get deleted these days, but nevertheless I wanted to bring up this point! Another example of an approved post where NO STEPS were provided:
  9. 6 points
    Is this a hidden feature of the protection or does the app just not work?
  10. 6 points
    It might have a few weird instructions since i'm new to this Crackme-cleaned-Devirtualized2.zip Info: This is the first version of eaz that i analyze so i can't say how 2019.x is different from 2020.1 but its definitely not uncrackable Steps i took (as i should have included since the beginning): 1 Learn how CIL works / CIL fundamentals (there are some nice ebooks that i can't link here ) 2 Learn how the assembly reader/writer of your choice works (dnlib for example) 3 Learn how a simple VM works ( https://github.com/TobitoFatitoNulled/MemeVM (the original creator of this vm left so this is a fork to keep the project alive)) 4 https://github.com/saneki/eazdevirt See how the previous devirt was made (and you could also check previous eazvm protected executables) 5 Practice your skills trying to make MemeVM Devirt, you can message me if you have any issues with this step (You can always disable renaming on memevm to make the process easier to understand). 6 Start renaming a EazVM test assembly (you can make your own with trial) with all the knowledge you got from the previous steps (and find how crypto streams are initialized, where opcodes are located & how they are connected to the handlers etc etc etc, things that you would find in a vm) Editing saneki's eazdevirt might be a good idea, though i was more comfortable making my own base.
  11. 6 points
    here is my production of face shields, already 200 dispatched around my town to local hospital, liberal nurses, etc...
  12. 6 points
    Hey guys, After a long time I started writing on my blog again. https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-1 Best regards
  13. 5 points
    @XenocodeRCE: I have a huge respect for you as a RE guy but now you're just being a d*ck. If you have some personal issues with mamo/localhost0/whatever he calls himself this week, please resolve them privately and don't make a huge public drama out of it. No matter how I count, it's 3 months and 2 days max. If you're gonna whine, at least get your facts right. Umm, no. The requirement from law is to react on any reported copyright infringements, not to actively run around and search for any possible issues. See DMCA 512(c). So, if admins ignored a properly reported copyright issue for 3 months, then yes, maybe they could be held responsible. But that's not the case.
  14. 5 points
    https://mega.nz/file/xgonHADA#6-giBWOZXfODm7sLFAMzuCH9L2uQz4sL_9NNBlDkLTM - for those who don't want to fill in the stupid questionnaire with company email address, job position and what not. https://mega.nz/file/Nt4xSaoK#jRcuuuM2vS77DM9Y-KuT4UQUKiYIEl0KkKd6Cp9t7hE - code samples that TheHackersNews forgot to include. Book tries to cover very wide area of topics - from Windows to .NET to Linux, IoT, iOS, Android and shellcodes. By doing so, it fails to cover any of the topics in sufficient details. So, it's a "Jack of all trades, master of none".
  15. 5 points
    https://github.com/ribthegreat99OrN0P/Agile.NET-Deobfuscator @GameHackerPM @BlackHat To fix delegates, controlflow, and strings here yous go ive made a tool with many comments to help you understand!
  16. 5 points
    This is really the key point that probably should be the requirement for a post to be accepted. A solution should be reproducible, not a list of private tools that are used. Private tools are, as their name implies, private, and by definition that means it is everything but reproducible (unless this tool is shared with the reader of the solution). The only person benefiting from such a reply is the respondent themselves in the form of an ego boost. Not very productive if you'd ask me.
  17. 5 points
    What's the point of this? You ran my file under de4dot and repost it? i can recognise my file ya know, i intentionally left this out (i haven't finished local types yet but i manually set the third local to int32) + i added 9 locals when only 3 get used
  18. 5 points
  19. 5 points
    Almost unpacked! I was only not able to remove the Delegates and the Control flow. What I removed is: - Anti Tamper (manually; the easiest way consists in finding the call to the anti tamper method (which can be identified by looking at ConfuserEx's source code), setting a breakpoint just after (so that the anti tamper method decrypts the CIL code) and getting the decrypted module in the "Module" section of the dnSpy debugger) - Hide Methods (https://github.com/illuZion9999/Rzy-Protector-V2-unpacker/blob/master/Rzy Protector V2 Unpacker/Protections/Hide Methods.cs (not really reliable, though; a good way would be to get the invalid instructions from the exception handler) - Anti Debug (identify the anti debug method by looking at ConfuserEx's source code and add a ret instruction at its start) - Module Flood & Junk (these are just useless methods & instructions, which can be removed without problems (i removed them manually)) - Native methods (using cawk emulator x86 methods retranslater: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/cawk-Emulator/.NET-Instruction-Emulator-master/CawkEmulatorV4/Instructions/Native/X86MethodToILConverter.cs) - Constants Protection (modded the ConfuserEx Unpacker 2 Constants Decryptor to support 3 parameters: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/ConfuserEx Unpacker/ConfuserEx Unpacker/Protections/Constants/Remover.cs ; you can also invoke the decryption which makes it way easier than emulating it) - Mutations (sizeof (https://github.com/RivaTesu/SizeOf-Fixer), simple operations (de4dot: https://github.com/0xd4d/de4dot) & double.parse (the double.parse method is hidden by a delegate but I recognized the protection ; you can still find a tool for it on GitHub, but you would have to change the parameter check if there are delegates (or, ideally, use an emulator, which should support the double.parse protection with or without delegates): https://github.com/Riziebtw/DoubleParseFixer (note that this tool is not really reliable, and would need some changes)) - Call to calli (https://github.com/Riziebtw/CalliFixer; note that this tool solves the call to calli when the call and its pointer are one after the other, while, in the challenge, the call pointer (an ldftn instruction) is set to an IntPtr field, which is used as a parameter for the calli. You would hence have to grab the fields value (which are assigned in the constructor of the <Module> type) and then solve the callis with these values.) Don't hesitate to get my file and remove the Delegates (and control flow but I consider it not necessary to remove) in order to fully solve the challenge! CrackMe - almost unpacked.exe
  20. 5 points
    Console example x64plgmnrc.exe -G "C:\x64dbg_root" // Set root path for x64dbg x64plgmnrc.exe -U // Update list from server x64plgmnrc.exe -S // Show list of plugins x64plgmnrc.exe -i x64core // Install last version of x64dbg x64plgmnrc.exe -i AdvancedScript // install AdvancedScript https://github.com/horsicq/x64dbg-Plugin-Manager
  21. 5 points
  22. 5 points
    Hello guys, I'm proud to announce the beta release of AMED (an Advanced Machine Decoder). It's extremely fast, lightweight and supports the following architectures : - x86(with all its extensions including xeon instruction set). - aarch32(arm, thumb, neon, ARMv8+). - aarch64(with all its extensions including SVE). I also released the new version (v3) of opcodesDB. https://github.com/MahdiSafsafi/AMED https://github.com/MahdiSafsafi/opcodesDB What do you think guys ?
  23. 5 points
    This forum is overrun by lazy-ass noobs who don't really want to learn. They want to have a youtube video and automagic tool for everything. Ready-made tools are private for this exact reason. People who want to learn will find the necessary information to learn the basics. And once you show you've done your homework, knowledge and techniques are being shared freely. Maybe not 100% public but via PMs and chat.
  24. 5 points
    Posted a write-up about solving the keygenme. https://0xec.blogspot.com/2020/02/finally-solving-weasel-keygenme.html
  25. 5 points
    @Teddy Rogers: from what I was able to gather, this version was still being maintained and improved. Only original repo was taken down, forks are all up. For example, this one is fully up to date: https://github.com/Deteriorator/winrar-keygen.git
  26. 4 points
    Get your tools ready!
  27. 4 points
  28. 4 points
    In my opinion that solution will be acceptable only if the tool used is public.
  29. 4 points
    It's a really good question. The answer really depends. Let me give you few recent examples. Example #1: Extreme Coders names the tools and explains HOW to solve the crackme. A lot of effort is required but all the tools can be found via Google. So I have zero issues with the solution. Example #2: Prab names the tools but no explanation is given. "x86 retranslater" definitely cannot be found not on Google. "Clean control flow" tells the obvious thing but it doesn't explain HOW to do that. What's the point of such solution? The only thing reader will learn from this is that he needs a magic wand that he can't have.
  30. 4 points
    View File Reactor v6.3 Try to unpack or alternatively provide a serial. Protections used: Necrobit Antitampering Antidebug Obfuscation Code Virtualization + Shield with SNK Submitter whoknows Submitted 06/10/2020 Category UnPackMe (.NET)  
  31. 4 points
    https://github.com/DefCon42/op-mutation decided to release the source because it's a neat example of a practical application of linear algebra yes, i know the code does not look great and there's blatant violations of like every standard ever no, i won't change that :^) note: only works with relatively simple operations. add, sub, not, etc will work but higher order operators like multiplication and exponentiation will not
  32. 4 points
    Very mature choice for username and password. 😑 Tutorial:
  33. 4 points
    My personal belief is that the entire world around is fake - just a simulation. Our universe does have a creator and that creator may or may not be God. The pain & and struggles we face means nothing in the greater sense. We are nothing more than a programmed object. Even the pain or happiness is nothing but programmed feelings. For example, we design computer games with their own story-lines. In one such game there may be a person who is put under immense pain. There are many movies in which innocents die due to no fault of theirs. However we are not concerned since we know the pain is virtual. It's how we designed the game or movie. In a similar sense, our creator knows the pain we humans/animals face is also virtual. In the real world (which is not this world) this doesn't matter. Even the concept of life and death is fake. Death is simply a way of putting an expiry date. Is is possible to know the real truth? I guess it is. But once humans try to understand the real truth there will be no wars anywhere. There will be no struggle for wealth, fame and power. After all why run after wealth, fame & power in a fake world. If there is something that needs to be done is to try to find out the real truth and escape from this fake world.
  34. 4 points
    Not necessary to unpack to get the key. Key: Steps :
  35. 4 points
  36. 4 points
    I think that to add to this, many apps worth reversing nowadays tend to use more sophisticated techniques in the past. In older times, things could be cracked often in mere minutes which was a motivating factor. Most people start with a target in mind, and their patience to learn is quite thin. Nowadays, you may have to learn to unpack, advanced cryptography, anti-debugger techniques, details of security permissions, etc. Windows itself has evolved into a much more complicated beast making the learning curve much steeper. I remember the days of SoftIce and what a wonderful tool that was. Nothing even compares to it to this day. Although there are suitable alternatives, it was trivial to install and get started immediately. Now its a lot of complicated details to get going with tools. We had websites like +Fravia which were simply fantastic reading and offering fun challenges designed to make people think more deeply about reversing, not merely reversing of computer code. How to search was emphasized so much, and this is part of the reason that people became independent solvers. But we have tools like IDA Pro and Ghidra that have also made analysis quite a bit easier. We have faster and more powerful computers and an internet even more full of knowledge, if one knows how to find it. Some knowledge has become obscured by certain mainstreaming and politicizing of information designed to bury other information, and it would be nice to have better searching capability again, not just some commercialized nonsense that has decayed. So high learning curve and people with low patience, and usually choosing their initial motivation as an out of reach target that will require learning a variety of reversing disciplines has raised the bar. My prediction is that when the older generation retires, there will eventually be a new generation who will revitalize the whole thing in their own style. There may even be a generation skip here, as a pretty dead and flat generation can often lead to a really good generation after. One generation trying to make up for their mistakes by raising children better. The rapid spread of technology and social media caught the prior generation by surprise, and has led to a correction generation. If they really need YouTube videos and auto-magic tools, then they will make them and get them. We really have a different style and culture from them, and whether we respect this new way or not, supply and demand will eventually work itself out.
  37. 4 points
    I blame high speed internet and HD porn ! << just kidding The knowledge is out there, as my friends already said, you just need the motivation to learn and explore, it's time-consuming and the new generation wants everything ready and they want it quickly.
  38. 4 points
  39. 4 points
    Phew! It has been close to 4 years and after a lot of wandering here and there I can proudly announce that I'm now able to calculate a valid serial for any name. Here are a couple. kao GCZ4B-QTD22 0xec FZNUL-THK22 Time taken to generate a key can vary from 2-5 minutes and takes about 12 GB of Physical RAM running on a Nvidia Tesla T4 GPU (2560 CUDA cores). Providing more RAM and CUDA cores may further reduce the time but I ran it on Google Colab and that's what they offer. I plan to do a write-up on my blog later but here it is in short. Initially, I felt the only way to solve the system of equations within a feasible time frame is through a quantum computer using something like Grover's search but the quantum computers available for public use (IBM Q Experience) at this time do not have enough qubits. So this approach had to be discarded. On deeper analysis, I found the system of equations is nothing but a system of Multivariate Quadratic (MQ) Polynomials. There's a field of Crypto related to this - Multivariate cryptography. Such cryptosystems are considered hard even for a Quantum Computer to attack let alone a classical machine. Luckily, there's an ongoing challenge based on the exact same idea - Fukuoka MQ challenge. It turns out small MQ systems particularly which are under-determined (more unknowns than equations) are solvable by classical machines within an accepting time frame and people have posted tools/algorithms to solve them. One of them is libFES . There's also a GPU implementation of FES which I have used here. So that's how it went. Thanks @kao for the challenge. Really learned a lot!!! Its a silver medal for now. Considering such systems of equation are solvable, generating a key within 1 sec could also be possible given the MQ challenge site posts that this cryptosystem is based on a signature scheme (Type -IV). Once we calculate the private key, generating the signature within 1s should be possible.
  40. 4 points
    Simple Polymorphic Engine (SPE32) is a simple polymorphic engine for encrypting code and data. It is an amateur project that can be used to demonstrate what polymorphic engines are. SPE32 allows you to encrypt any data and generate a unique decryption code for this data. The encryption algorithm uses randomly selected instructions and encryption keys. https://github.com/PELock/Simple-Polymorphic-Engine-SPE32 Sample polymorphic code in x86dbg window: Another polymorphic code mutation, this time with code junks
  41. 4 points
    The password is: Explanation: To apply VMProtect properly, you need to understand how each and every option works. Specifically, packing option just compresses data, it doesn't add any real protection. And if you do not use "VMProtect.SDK.DecryptString", strings are not encrypted. It's enough to run protected software under any debugger and search for strings in memory: As for proper unpack and/or devirtualization, it's something I have on my todo list. But I haven't got a "proper" solution that I could share at the moment.
  42. 4 points
    Actually Winrar was a kind of an earl adopter of ECDSA licensing, but they made a mistake in the implementation, much like level 10 armadillo. I still remember when I first came across this release - i thought, man, not another hardcoded-pseude-keygen ... then I saw "SeVeN/FFF". I was like "ahh shit here we go". Problem for Winrar is that their license is tied to archive signatures - if they change it they will break the signature mechanism.
  43. 4 points
  44. 4 points
    I have unpacked most of the protections just need someone to complete the last part of it, the calls/delegates!! Instructions: 1. Jit-dump the executable with JitDumper3/4 enable the checkbox (Dump MD). 2. Clean the (String And Flow) with SimpleAssemblyExplorer(SAE) checking the checkbox (Delegates} as well. 3. De4dot. Files.rar
  45. 4 points
    I have never used it before, but from the first look - it installs offline, doesn't require any activation or license key, you can create more than one sandbox (which was a limitation in unregistered versions) and "Forced programs" also works. Looks good to me. EDIT 2x: direct download links (REMOVED, as they apparently are time-limited)
  46. 4 points
    If that's the case, that's breakable. For RAR the most efficient attacks are bruteforce, and it's much much faster to bruteforce 6-symbol password than 12... You can try freeware cRARk (http://www.crark.net) or pirated Passware Kit to crack your passwords. Depending on your CPU/GPU, it might take few hours/days but that's certainly doable. EDIT: just to give you an example, my (quite outdated) PC can try 4500 passwords/second using cRARk. For the example, there are 26 capital letters, 26 lowercase letters and 10 numbers. So, 62 different characters. If it's a 4-symbol password, it's 62*62*62*62=14776336 possibilities. To try them all, it would take 3283 seconds, or 54 minutes. If it's a 6-symbol password, it's 62*62*62*62*62*62=56800235584 possibilites. That would be 144 days to try them all. If you know you used a word from dictionary, it's much easier to try all words from dictionary. If you used l33t sp34k, that's also a good information. If you know that you always put first capital letter, that's useful. And so on. Read the manual, make the most efficient rules for bruteforce and just try..
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
  • Create New...