Tuts 4 You

Popular Content

Showing content with the highest reputation since 03/03/2025 in Posts

  1. Since @Washi provided the solution first, you may mark his answer as solved. However, I’d like to share my approach as well for reference.

     1) Polynomial Coefficients and Matrix

     1. Username - Polynomial Coeffs
     The code has a function that folds ASCII values into 8 coefficients (size = 7). For "CHESSKING", we take each character's ASCII and add it to a slot in the array.

     2. Matrix Build
     We then build a 5 x 5 integer matrix from these 7 coefficients. Each entry is computed via this formula:
     mat(r,c) = (coeffs(r mod 7) x (c + 1)) + (r + 1) ---> everything in the parentheses from the start has to be to the power of 2.

     3. Determinant (mod 65521)
     We do a row-reduction to find the matrix's determinant, and then take it mod 65521.

     2) Toy Elliptic-Curve Step
     The code defines a small curve: y^2 ≡ x^3 + Ax + B (mod p), with p = 1201, A = 1, B = 1. We have a base point G = (5,116); this goes: finalPoint = ECSM(G, detMod). That is, we "add" G to itself detMod times in elliptic-curve arithmetic. The result is (X, Y). Then we define it with this formula: curveSecret = X + (Y << 16)

     3) LFSR Shuffle
     We take 64 bits (the lowest bits) from curveSecret and feed them into a Linear Feedback Shift Register for 64 rounds, producing a new 64-bit integer lfsrOutput. This step effectively scrambles the bits further.

     4) BFS-Based Knight Path
     The code starts at square E5 on a 10×10 board labeled A..J (files) and 1..10 (ranks). Internally, E5 is (4,4) in 0-based coordinates. For each character in the username, we do: steps = (ASCII of char) mod 5, then run a BFS for that many expansions. The BFS uses knight moves (like (2,1), (1,2), etc.) with wrapping if we go off the board. We capture the last enqueued square after those BFS expansions, add that to our path, and repeat for the next character in the username.

     5) “Check to the King”
     There is a King placed on G10 → (6,9) in 0-based coordinates. We look at the final square in our BFS path. If that final square is one knight’s move away from (6,9), we do an extra step: lfsrOutput = lfsrOutput ⊕ 0xA5A5A5A5. For "CHESSKING", the BFS path’s last square does or does not cause this XOR. In our run, it does cause the XOR (i.e., it’s in position to “check the King”).

     6) Nibble → Weird SAN Moves
     We take the final integer (lfsrOutput) and break it into 12 consecutive 4-bit nibbles. For each nibble, we pick a “weird” standard algebraic notation (SAN) chess move from the code’s move table. This yields moves like e2e4, Na3xb5, Qd1h5, etc.

     7) Final Serial
     Part A: The BFS squares (space-separated).
     A dash (-)
     Part B: The 12 SAN moves from the nibble-based table.

     Verifying everything we gathered so far, for "CHESSKING":
     E5 I3 C1 A7 G4 C1 C1 I8 E5 G4
     After the code determines the King is in check, it XORs the LFSR output with 0xA5A5A5A5.
     Extract 12 nibbles → map to the weird SAN table. They all turned out to be mostly e2e4, with a couple of different ones in the middle (Bf1c4, d2d4).
     My final answer, which is my Username and Serial Key, is:
    6 points
  2. I can only wish you luck in your search 😄
    5 points
  3. Among the anti-debug techniques, there's an interesting one worth noting. A dummy thread is created and then it calls Sleep(0x32). (The goal is for the created thread to be detected by tools like x64dbg.) Then, it calls NtQueryObject with the ObjectBasicInformation class using the thread handle. If the returned HandleCount is greater than 1, it determines that debugging is in progress.

         #include <windows.h>
         #include <winternl.h>   // NtQueryObject, ObjectBasicInformation, PUBLIC_OBJECT_BASIC_INFORMATION
         #include <iostream>
         #pragma comment(lib, "ntdll.lib")

         // Thread body: stays alive long enough for the handle count to be queried.
         DWORD WINAPI dummy(LPVOID)
         {
             Sleep(8000);
             return 0;
         }

         bool CheckCreateThreadHandleCount()
         {
             HANDLE hThread = CreateThread(NULL, 0, dummy, NULL, 0, NULL);
             if (hThread == NULL) {
                 return false;
             }
             // Short pause so a debugger that tracks new threads has time to open its own handle.
             Sleep(0x32);
             PUBLIC_OBJECT_BASIC_INFORMATION objInfo;
             NTSTATUS status = NtQueryObject(hThread, ObjectBasicInformation, &objInfo, sizeof(objInfo), NULL);
             if (!NT_SUCCESS(status)) {
                 CloseHandle(hThread);
                 return false;
             }
             std::cout << "Handle Count: " << objInfo.HandleCount << std::endl;
             // Our own handle accounts for one; any extra handle was opened by another process.
             if (objInfo.HandleCount > 1) {
                 CloseHandle(hThread);
                 return true;
             }
             CloseHandle(hThread);
             return false;
         }
    4 points
  4. Time spent: 5 minutes from start to typing this message. It's a great example of how a compromised older version of the software (like your crackme v1.0) leads to a complete compromise of the new and improved protection. I hope to find some time on Sunday or early next week to make a writeup. But my spare time is limited these days, I apologize for that in advance.. If someone else wants to make a tutorial, I'd love to see that!
    4 points
  5. I suggest you think about this long and hard. What could possibly go wrong? I'll take the bonus points..
    4 points
  6. @Teddy Rogers This is getting out of hand, isn’t it?
    3 points
  7. View File: ByUndefined Protector
     ByUndefined Protector: Anti Debugger, Anti Dump, Anti Tamper, Anti Memory, Anti ILDasm, Resources Compress, String Encrypt, ControlFlow, Virtualization
     Submitter: Leopar36
     Submitted: 03/11/2025
     Category: UnPackMe (.NET)
    3 points
  8. oh this is just.. khodam, let me c&paste @lovejoy226's reply in big caps: THERE COULD BE NO FREE SOFTWARES THAT YOU WANT TO GET, SO THAT YOU HAVE TO BUY A SOFTWARE OR GIVE UP.
    3 points
  9. You could still tell us how you solved it. There's always something to learn..
    3 points
  10. @LCF-AT If you want window.open() to work, you need to run the code in an unrestricted environment. The web is full of restrictions to prevent security vulnerabilities between the browser and the client because the browser itself acts as a sandbox. In this case, I don’t think there’s a conventional way to solve it, since a malicious JavaScript script using alert() could be used to compromise a machine and steal session cookies from the site where it's executed. For this and other reasons, browsers block pop-ups by default. Also, since you're running the code inside an <iframe>, there's another issue: you need explicit permission to allow popups in that context. To test this, you can inspect and modify the HTML on MDN Play by adding the allow-popups permission inside the <iframe>. If the browser isn’t blocking popups globally, your code should work. (If not, then it's another block from the browser itself.) You just reminded me of an interesting topic related to this, which is covered on this channel. They have great content: www . youtube.com/watch?v=lG7U3fuNw3A
    2 points
  11. OK thanks for that info @Kanes. So I did notice another NEW problem today. Somehow the window.open("URL") function does not always work! Why is this? Somehow nothing happens when calling that function, but the console log function works inside that function. Could it be that window.open gets blocked without giving any error / info about it?

         let url = "https://forum.tuts4you.com";
         var input = document.createElement("input");
         input.type = "button";
         input.value = url;
         // arrow function: showAlert(url) runs only when the button is clicked
         input.onclick = () => showAlert(url);
         document.body.appendChild(input).style.cursor = "pointer";

         function showAlert(text) {
             window.open(text);   // the call that sometimes does nothing
             console.log(text);   // this one always runs
         }

     When I try this code above on https://developer.mozilla.org/de/play then it tells me "InvalidAccessError: A parameter or an operation is not supported by the underlying object". In my test script it works only partially, not for all websites I have tested. Somehow strange. How to make it work always? The console.log(text) function inside the showAlert function always works but not the window.open function. Do you know what the reason could be? greetz

     EDIT: By the way, I have tested my script in Firefox and it's not working / showing any buttons there etc. as it does in Brave browser! Uhm! GREAT! Another problem I need to find out the reason for.
    2 points
  12. @LCF-AT oh you are right

         input.onclick = copyToClipboard(something);

     In this case copyToClipboard(something) is executed immediately, and the returned value (undefined) is what gets assigned to onclick.

         input.onclick = () => copyToClipboard(something);

     Here, instead, you're assigning an anonymous function, a function that doesn't run right away. You're assigning the entire function to the onclick event. So, only when the user clicks, copyToClipboard(something) will be executed.
     https://www.javascripttutorial.net/javascript-anonymous-functions/
     https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/Arrow_functions
    2 points
  13. @LCF-AT In that case it's because it's running inside an iframe with restrictions. It should work fine in a regular HTML page or in a browser extension with special permissions, but following your example you can do this in the playground:

         function CopyClipBoard(text) {
             // temporary input holding the text: select it, copy it, then remove it again
             let tempInput = document.body.appendChild(document.createElement("input"));
             tempInput.value = text;
             tempInput.select();
             document.execCommand("copy");
             tempInput.remove();
         }

         function createCopyButton(text) {
             let button = document.body.appendChild(document.createElement("button"));
             button.textContent = `Copy: ${text}`;
             // arrow function, so CopyClipBoard runs on click, not at assignment time
             button.onclick = () => CopyClipBoard(text);
         }

         // String example
         createCopyButton("String example");
    2 points
  14. Could you upload it to mediafire, mega or google drive? I am not from China and I have not been able to download your examples. If you can upload the plugin and the protected example, that would be great, thank you.
    2 points
  15. I have also released a simple demo WL plugin. This is a protected example. _released.zip
    2 points
  16. 2 points
  17. You may want to revise your keygenme challenge, the challenge is trivial to solve (5 minutes work) Here are some working serials: Explanation:
    2 points
  18. @mdj friend please make a tutorial for the encrypted .GEM and .EXE file's 'Play Password' revealer it will be great to have in the 'tuts4you.com' site pls be kind and share the knowledge you have
    2 points
  19. This DLL contains no keys or Asprotect code, so it does not need to deal with any cryptography or obfuscation, and no original source has been released. Exports are.. The original DLL would contain code in all of these functions to validate. All this DLL does is use the same function names with no code other than to return a valid boolean. These are the default modes set in this DLL. So if you replace the original DLL with this one, then when a protected app calls any of these functions it would receive back a valid response without actually doing any checks at all. If that doesn't make sense to you then just look at the code and you will see there really isn't much to it.
    2 points
  20. cryptlex.com supports macOS. FREE tier: 10 Activations, 200 Trial Activations. Nothing tested.
    2 points
  21. Do you even read the replies that are written to you?
    2 points
  22. There's too much junk code and it's located in the wrong places. IDA ignores most of it and the rest can be NOP-ped out in huge blocks. The crackme would be much harder, if the useful VM handler instructions were placed in between the junk code.
    2 points
  23. I can't remember anything about this, it was such a long time ago. From what I could see it has bugs:

         private static string #l(string A_0, uint A_1, uint A_2)
         {
             ...
             StringBuilder stringBuilder = new StringBuilder { Length = 12 };
             for (int j = 0; j < 11; j++)
             {
                 // index into A_0; the modulo on a long can come out negative
                 int num2 = (int)(((long)(10 - j + 1) * (long)((ulong)A_1) * (long)((ulong)A_2) + (long)((ulong)num)) % (long)length);
                 stringBuilder[j] = (char)((byte)((long)((int)(A_0[num2] + A_0[j % length] + A_0[(int)((long)j * (long)((ulong)num) % (long)length)]) + j) + (long)((ulong)num)));
             }
             stringBuilder[11] = '\0';
             text = stringBuilder.ToString();

     num2 = 0xFFFFFFFC, so it will throw an error!
    2 points
  24. View File: Eclipse Runtime Obfuscator
     Hey everyone, I’m sharing an UnpackMe challenge that combines VMProtect packing with runtime function obfuscation using Eclipse Runtime Obfuscator. This should be an interesting challenge for those who enjoy working with dynamic obfuscation and anti-debugging techniques.

     Protection Details:
     VMProtect is used for basic packing, with import protection and anti-debug enabled. Eclipse Runtime Obfuscator dynamically obfuscates function execution, making dumped analysis and debugging difficult. Function code is relocated to a new memory region at runtime and accessed through vectored exception handling (VEH) instead of direct execution.

     Eclipse Runtime Obfuscation Features in this UnpackMe:
     • Exception-Based Execution Handling – Execution is redirected via VEH, preventing direct tracing.
     • Junk Code Injection – Adds meaningless instructions to mislead disassembly and make static analysis harder.
     • Dynamic Function Relocation – Functions are moved at runtime, disrupting predictable memory access.
     • Control Flow Obfuscation – Execution flow is broken up and redirected via exception handling.
     • Anti-Debugging Protection – The binary throws access violations and illegal instructions to interfere with debuggers.

     Goals:
     • Unpack the binary (remove VMProtect and restore the original imports).
     • Defeat runtime function relocation and deobfuscate the function logic by restoring the original function code.
     • Reconstruct a clean, runnable (optional) version of the executable with original control flow.
     • Explain how you unpacked and fixed the program, detailing the approach to defeating VEH-based execution and restoring the function code.
     • Bonus points if you can crack the password in the console application demo code.

     Notes:
     • VMProtect is only used for packing, not virtualization. The main challenge comes from Eclipse’s runtime function relocation and exception-based redirections.
     • Dumping the process isn’t enough, as function code is dynamically obfuscated in memory.

     Would love to see a write-up on defeating the VEH-based execution and restoring the original function code! More information can be found about the Eclipse Runtime Obfuscator project on GitHub. Looking forward to seeing your approaches. Good luck and happy reversing!
     Submitter: C5Hackr
     Submitted: 03/03/2025
     Category: UnPackMe
    2 points
  25. Touché! 😆 While I would have loved to see a full function rebuilder in action, I did basically say/hint at by any means necessary, so fair play on taking the most efficient route. This runtime obfuscation was really just meant to be a cool PoC for runtime-based protection, rather than an impenetrable shield. The idea was to make static analysis a pain and force dynamic reversing, but yeah—if the code exists in a readable state, even for a moment, it’s game over. Still, I appreciate you taking a look at it. If I ever cook up something more annoying, I’ll be sure to let you know. 😈
    2 points
  26. You actually solved it for me - see the quote in my previous post. The protection is pointless if the original code is present in it's original place even for a short period of time. I just needed to dump the process memory at the right time. Could I make a tool to rebuild relocated functions? Sure, I'd need to find num_ObfuscatedFunctions and ObfuscatedFunctions and then do the reverse of RelocateFunction for each of them. But I'm lazy.
    2 points
  27. Bravo! 🎉 Impressive work reversing through the layers and pulling out the password check routine so cleanly. I’m curious—how did you approach it? Did you focus on bypassing VEH handling and dumping the relocated functions, or did you go straight for unpacking it statically rather than dumping it? Also, any pain points, or was it a straightforward crack? Really appreciate you taking the time to check it out! Looking forward to your breakdown. 🔥
    2 points
  28. I want it to be like Enigma or Win License and be free Also, I don't have access to the program source.
    2 points
  29. I recommend that people use this protection because it's very good. The protection is advanced like Pelock but very good. Only a real reverser can do it, but it needs a lot of time to be able to handle it. UnpackMe.Obsidium.1.69b1.x86_unprotect.rar
    2 points
  30. I want a software protector for programs on Mac, similar to WinLicense or Enigma. I want to protect a macOS application with a license or key, plz help
    1 point
  31. @CodeExplorer Possible for you to fix it then reupload fixed version here once you are done?
    1 point
  32. plz help, I need a protector for macOS
    1 point
  33. View File: VSEC Hyper Crackme
     Brief and useful. Find the correct license key, don't try to patch the file. What comes within this crackme:
     + Code Virtualization
     + Unique Junkcode Generation
     + Control-Flow Obfuscation
     Submitter: Gladiator
     Submitted: 03/06/2025
     Category: CrackMe
    1 point
  34. Good job kao, would you like to share some details about what you have done?
    1 point
  35. Damn it! You beat me by 20 minutes!
    1 point
  36. @CodeExplorer Hey is this your work? Seems like a really nice KeygenMe.
    1 point
  37. plz help, I need a protector for macOS
    1 point
  38. The reason for using VMProtect here isn’t to add another layer of security to the challenge itself—it’s because Eclipse's runtime obfuscation relies on the code being packed for the protection to be effective. Without a packer, the original function code would still exist in the .text section before it gets relocated at runtime, making it trivial to extract before the obfuscation even kicks in. By applying VMProtect’s basic packing, the goal is to ensure that the original function never exists in its true form inside the executable from the start, forcing analysis to focus on runtime deobfuscation rather than simple static extraction. I get that VMProtect’s anti-debug and import protection have been solved countless times, and I agree that’s not the interesting part of the challenge. The real focus here is on defeating Eclipse’s VEH-based execution redirection and function relocation, which is what I’d love to see people tackle. Furthermore, I could have made my own custom anti-debugger, packer, and IAT obfuscation, but honestly, I was lazy and didn't have much time to do so, and just decided to use VMProtect instead. It served the purpose of keeping the function code from being analyzed statically, which is all I needed it for. That said, I totally understand if dealing with VMProtect is a dealbreaker for you.
    1 point
  39. What's the point of applying VMProtect over your supposedly secure protection? I'd love to look at your obfuscator but I have zero interest in wasting my time on bypassing VMProtect anti-debug or import rebuilding - that's been done hundreds of times before and adds absolutely no value to the challenge at hand.
    1 point
  40. vmpsoft.com/vmprotect/overview supports macOS. You want the Ultimate Edition to have the License System.
    1 point
  41. By the way .... we can reduce the size by removing the SysUtils unit and the resource (no need for that):

         SysUtils;
         {$R *.res}
    1 point
  42. Hi! I took a look at it and it's a shame that no one tried to solve it; here is my approach.

     Basic things I pulled:
     • All four keys must differ. If any two keys are the same string, it shows “All keys must be different.”
     • No key can contain "0@0". If you type a key like "0@0@something", it rejects it.
     • “Erjey” can be used at most once, and if it appears, the fourth chunk of that key must be less than 6. That is, if a key has the substring "erjey", its format is X@Y@erjey@W, and W < 6.
     • The third chunk in each key can be one of three strings: erjey, kao, tuts4you. If you use something else, you get the badboy error message.

     2.2. Internally, a Linear Solver
     Digging deeper, I discovered a set of classes (d, e, j, etc.) that build a system of linear equations or inequalities. Each key of the form X@Y@{erjey|kao|tuts4you}@W is taken to mean X·x + Y·y REL W, where the “relation” REL depends on the keyword:
     • erjey → equality (=).
     • kao → some inequality (≥ or ≤) depending on puzzle logic.
     • tuts4you → the other inequality.
     From hints in the code and trial tests, we saw that erjey is effectively “=”. For this puzzle’s code, kao ended up being “≥” and tuts4you was “≤” (the code flips them).

     Finally, after the solver ensures a feasible solution for (x, y), it calculates an “objective value” from the Name field, which must also be in the format A@B (two doubles). The code uses: objective = A×x + B×y. If that objective is exactly 44 000, it shows: MessageBox.Show("Valid combination!"); That is the central condition: A·x + B·y = 44000.

     3. Constructing a Solution
     To guarantee the solver yields 44,000, we needed to pick (x, y) and (A, B) so that A×x + B×y = 44000. Additionally, we had exactly four constraints (the “Keys”) to pin down x and y.

     3.1. The Simplest Trick: Set x = y
     One common approach: force x = y = c for some integer c < 6 (because the puzzle disallows “erjey@W” if W >= 6). Then we just need (A+B)×c = 44000, so this becomes A+B = 44000 / c. Hence, pick any c in [1..5], and pick A + B = 44000 / c.

     3.3. Example Name
     Then to satisfy (A+B)·c = 44000, choose a Name that splits as A@B with A+B = 44000/c. For instance: let c = 4. Then A+B must be 11000. We pick A = 5500 and B = 5500. So Name = "5500@5500".

     3.4. Putting It All Together
     And if I'm right, and if this is the keygen you have asked for: keygen.py
    1 point
  43. This plugin is much more powerful than the original WinLicense. 80-90% of people can’t get around it!
    1 point
  44. @HostageOfCode Is this option implemented with the vmp license manager that you linked? Regards. sean.
    1 point
  45. @StarrySky Can you make this serial-locked one run? I have zipped a wrong serial.txt and the protected executable to make a challenge. hashgen.vmp.serial.locked.zip If you edit the first character of the serial.txt file, this executable will run, or you have to find the test and conditional jump instructions which are virtualized after the VMProtectSetSerialNumber function. This function returns 2, which means that the serial is invalid; when it returns 0, this executable will run. And I have a question about how to use a vmprotect feature. I protected a procedure called "OnBnClicked..." with the options above, and when I clicked the button when it runs, it shows this message and is terminated. How to use this option properly? Regards. sean.
    1 point
  46. @boot How to bypass the x64 target like you had done? Regards. sean.
    1 point
  47. @Sh4DoVV How to bypass the x64 version of the enigma constant used target? Do we have to change the CRCs and then change the hwid to the given one, like changing the x86 version of its hwid using @CodeExplorer's EnigmaHardwareID Tool and scripts for x86 targets? Many thanks in advance. Regards. sean.
    1 point
  48. @boot How to bypass the constant using hwid lock? Regards. sean.
    1 point
  49. StrongName tools - source code C#
     This includes:
     • Assembly_Resigner
     • Minimum_Resign_Calculator
     • PKT_AssemblyRef_Replacer
     • StrongName_Killer
     • StrongNameVerifier
     Attached, or: http://www.multiupload.nl/KF67L0KK1K StrongName.zip
    1 point
  50. How to write a plugin for ollydbg the last version?
    1 point