Tuts 4 You

Leaderboard

  1. CodeExplorer (Team Member): 147 points, 4,479 posts
  2. Kurapica (Full Member+): 14 points, 1,130 posts
  3. whoknows (Full Member+): 12 points, 1,969 posts
  4. Little Rookie (Junior+): 10 points, 26 posts

Popular Content

Showing content with the highest reputation since 11/10/2025 in Posts

  1. CodeExplorer
    StrongName tools: - added SamePKT tool - added 64 bits support for all tools StrongName2.rar
  2. xlatb
    I wanted to devirtualize it manually so I made a disassembler for it using the new yara-x to locate the handlers and the bytecode. Probably going to turn it into a full devirtualizer from binaryshield bytecode straight to x86_64. I saw these values(the one in the cmp comment) put them as input since it was valid I didn't go further. You can find my work at https://github.com/xlatbx59/Bshld, the file with the disassembly is at https://github.com/xlatbx59/Bshld/blob/master/binshield.txt. It was fun to reverse
  3. Washi
    And where can we find those tools?
  4. 0X7C9
  5. HostageOfCode
    Here compiled unlicense with codeexplorer's fixes: unlicense compiled With Python 3.09 and 3.11 versions.
  6. 0X7C9
    Server is up, with better uplink! Use webdav client, like WinSCP. host: https://eddynet.cz:9865 u: learn p: 4EKS9umUYme3WAZrC
  7. Tundxator
    DNGuard HVM IS the strongest so far. PVLOG dotNet Protector although it's a bit old is another beast, at least for me.
  8. Teddy Rogers
    The post should be fixed now. I think it was the way it was attached that was the problem... Ted.
  9. X0rby
    @Teddy Rogers I can't watch any video in this thread ! Is the video feature broken?
  10. Zilkija
  11. 0xFFFFDAY
    Sir i created those tools. And took some references from JitUnpacker https://github.com/wwh1004/JitUnpacker-Framework
  12. 0xFFFFDAY
    😀😁 UnpackMe.Dumped.exe UnpackMe.Unpacked.exe
  13. hydradragonantivirus
    Reminds me old days: nelpats/DNGuard-InvalidMD: The easiest way to remove DNGuard Invalid-MD
  14. adoxa
    Maybe you need to update your Python?
        Python 3.12.4 (tags/v3.12.4:8e8a4ba, Jun 6 2024, 19:30:16) [MSC v.1940 64 bit (AMD64)] on win32
        Type "help", "copyright", "credits" or "license" for more information.
        >>> display_ids = ["first", "second", "third"]
        >>> print(f'Available audios:\n{"\n".join(f'{i:2}. {j}' for i, j in enumerate(display_ids, 1))}\n')
        Available audios:
         1. first
         2. second
         3. third
  15. InvizCustos
        git clone https://github.com/ergrelet/unlicense.git
        cd unlicense
        ### Replace the necessary files with your updates
        pip install --upgrade pip
        pip install .
        pip install pyinstaller
        pyinstaller unlicense.spec
  16. CodeExplorer
    I don't know how to create exe with PyInstaller. Also I didn't finish my updates yet.
  17. Teddy Rogers
    Only a moderator or the author can mark as solved. I have removed solved status for this challenge. If there are posts incorrectly marked as solved please report or send me a PM... Ted.
  18. InvizCustos
    Both options are useless.
  19. Sh4DoVV
    Hi unfortunately you can't find correct hwid from license key
  20. hanzo
    Hi guys, I've been working on an Appfuscator string decryptor which I used on a malware called Gremlin Stealer ( https://bazaar.abuse.ch/sample/d21c8a005125a27c49343e7b5b612fc51160b6ae9eefa0a0620f67fa4d0a30f6/ ). I used the AsmResolver library. It still needs two things: replace variables by their value and patch ternary operators to decrypt all the strings. I guess I need to look at the control flow graph for that. You can take a look and even contribute or give suggestions on how to approach the problems.
    GitHub - lowlevel01/deGremlin: Decrypt and Patch strings obfuscated with Appfuscator. Tested on Gremlin Stealer.
  21. CodeExplorer
    No, the above script won't work due to Themida anti-debug tricks, even if program starts with the debugger. I got to say: Themida is great protector. Too bad about antivirus detections like https://www.malwarebytes.com/blog/detections/riskware-patcher-themida
    I made some new updates to Unlicense:
    - fixed winlicense v3 detection for the above https://storage.custos.dev/ResourceCryptor_latest.7z
    - fixed imports for winlicense v3 x64
    OEP still needs to be fixed as currently stops before real OEP; You could try --force_oep: --force_oep=0x0115E 0x0115E = OEP rva; as long as you know OEP rva. unlicenseFixed2.rar
  22. CodeExplorer
    "THEMIDA OPTION_ADVANCED_OEP_IAT_SCRAMBLE" refers to a specific, advanced protection option within the Themida software protection tool. It is a setting that scrambles the Import Address Table (IAT) to make it harder for attackers to analyze the application's functions at the Original Entry Point (OEP), a key target for software cracking.
    What it is: It's a Themida protection feature that modifies the Import Address Table (IAT).
    How it works: By scrambling the IAT, the option makes it significantly more difficult for attackers to identify and analyze the functions the program uses at its Original Entry Point (OEP).
    Purpose: The goal is to enhance the security of the application by complicating reverse-engineering and cracking attempts that often rely on manipulating the OEP and IAT.
    OPTION_ADVANCED_OEP_IAT_SCRAMBLE VALUE YES
  23. InvizCustos
    This setting breaks existing public unpackers
  24. CodeExplorer
    And here is my first fix: fixed jmp dword ptr [import thunk] on old version was wrongly fixed by call dword ptr. imports_fixed1.rar
  25. Teddy Rogers
    Reverse Engineering Denuvo in Hogwarts Legacy Slides Sogen Emulator Source Ted.
  26. bluedevil
    Dear friends Berkeley Mono Font face is updated to version2. They included ligatures (nerd glyphs) directly in this build. The font face is 75$ for developer use only (no commercial use.) I have included this fontface so you can try them. Enjoy! Homepage hxxps://usgraphics[.]com/products/berkeley-mono Archive Pass: Download tx-02-berkeley-mono-pass=SCT.7z
  27. CreateAndInject
    Why? I don't depend on anyone.
  28. m0rphine
    hi, i am new to devirtualization topic and this challenge was very good for beginners and me. first, my goal was not just obtain the keys but devirtualize whole function automatically and recompile back to be able to patch it. i lifted handlers to LLVM IR and recompiled in a new binary to analyze it this is my final output i know its a little difficult to read, but at least you can see the correct keys clearly if you look at if statements. sadly, code crashes at runtime, i dont know why. it will probably take really long time to identify the problem. i dont think i will do that. maybe i might try VTIL instead of LLVM. i would like to see others approaches on fully devirtualizing this vm. great challenge again.
  29. TRISTAN Pro
    Here check by yourself. I think Lena tutorial and script made by LCF-AT help you to learn it deeply during many years(it depends on everyone ) perhaps less 3years.
  30. boot
    Although the administrator @Teddy Rogers has already said in this topic: But I don't expect you to provide your ready-made solution. Since the sample provided for this topic happened to be protected by this protector, you released a RAR package for this challenge. Some files in your RAR package are deliberately VM some code snippets. I guess you are worried about others reverse engineering your source code while satisfying your vanity. You can show off, no one limits you. As I mentioned before, I don't mind. What do the viewers of this topic get? It's a joke. In addition, I re-uploaded the RAR package that you deleted. https://forum.tuts4you.com/topic/44125-winlicense-v3130-x86-all-protection-options/page/4/#findComment-224173 WL_3.13_x86_KeyGen.rar
  31. lovejoy226
    Hey, @lengyue I did not say to you. I just asked a question where the @TRISTAN Pro's tutorial is if it exists. Calm down please. Regards. sean.
  32. lovejoy226
    Where is the @TRISTAN Pro's tutorial? Regards. sean.
  33. jackyjask
    1. get your fasm 2. open .asm in FASMW.EXE and build it (CTRL+F9) we done
  34. Gyrus
    Use version.ASM to load your dll. compile with fasm.
  35. Washi
    Fun and not too difficult challenge. I always like me some VM crackmes Valid keys: Had enough fun reversing this so I made a full writeup with disassembler and devirtualized code: https://blog.washi.dev/posts/binaryshield-vm-crackme/
  36. boot
    I have already conducted testing before, and if you compile the 32-bit plugin according to the original source code provided here (https://bbs.kanxue.com/thread-282244.htm). Original 32-bit (Imperfect Version).zip This plugin is effective on Win7 x64 SP1; But it fails in Win10/11 x64. e.g. VMP_3.8.7_x86_32-bit.vmp.exe Win7 x64 SP1 √ Win10 x64 × Win11 x64 × By recompiling the 32-bit plugin according to the modified code provided by karan, the above issue has been resolved. The revised and recompiled complete version is now uploaded as follows, and has been tested to be effective in Win7/10/11 x64. ScyllaHide_2024_x86_x64_v0.002.zip
  37. karan
    I tested the original author's code and found that it doesn't seem to bypass the protection properly on x86 systems. VMProtect does not appear to search through the entire Export Table to find the desired function. So, I modified the code to overwrite the last export function of ntdll.dll with wine_get_version and then place the original function right after it. As a result, the bypass worked successfully!

        void AddWineFunctionName(HANDLE hProcess)
        {
            BYTE* remote_ntdll = (BYTE*)GetModuleBaseRemote(hProcess, L"ntdll.dll");
            if (!remote_ntdll)
                return;

            SIZE_T readed = 0;
            IMAGE_DOS_HEADER dos_header;
            ReadProcessMemory(hProcess, remote_ntdll, &dos_header, sizeof(IMAGE_DOS_HEADER), &readed);
            if (dos_header.e_magic != IMAGE_DOS_SIGNATURE)
                return;

            IMAGE_NT_HEADERS pe_header;
            ReadProcessMemory(hProcess, (BYTE*)remote_ntdll + dos_header.e_lfanew, &pe_header, sizeof(IMAGE_NT_HEADERS), &readed);
            if (pe_header.Signature != IMAGE_NT_SIGNATURE)
                return;

            DWORD export_adress = pe_header.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
            if (!export_adress)
                return;

            DWORD export_size = pe_header.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
            BYTE* new_export_table = (BYTE*)VirtualAllocEx(hProcess, remote_ntdll + 0x1000000, export_size + 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

            IMAGE_EXPORT_DIRECTORY export_directory;
            ReadProcessMemory(hProcess, remote_ntdll + export_adress, &export_directory, sizeof(IMAGE_EXPORT_DIRECTORY), &readed);

            BYTE* tmp_table = (BYTE*)malloc(export_size + 0x1000);
            if (tmp_table == nullptr)
                return;

            // Copy functions table
            BYTE* new_functions_table = new_export_table;
            ReadProcessMemory(hProcess, remote_ntdll + export_directory.AddressOfFunctions, tmp_table, export_directory.NumberOfFunctions * sizeof(DWORD), &readed);
            WriteProcessMemory(hProcess, new_functions_table, tmp_table, export_directory.NumberOfFunctions * sizeof(DWORD), &readed);
            g_log.LogInfo(L"[VMPBypass] new_functions_table: %p", new_functions_table);

            // Copy ordinal table
            BYTE* new_ordinal_table = new_functions_table + export_directory.NumberOfFunctions * sizeof(DWORD) + 0x100;
            ReadProcessMemory(hProcess, remote_ntdll + export_directory.AddressOfNameOrdinals, tmp_table, export_directory.NumberOfNames * sizeof(WORD), &readed);
            WriteProcessMemory(hProcess, new_ordinal_table, tmp_table, export_directory.NumberOfNames * sizeof(WORD), &readed);
            g_log.LogInfo(L"[VMPBypass] new_ordinal_table: %p", new_ordinal_table);

            // Copy name table
            BYTE* new_name_table = new_ordinal_table + export_directory.NumberOfNames * sizeof(WORD) + 0x100;
            ReadProcessMemory(hProcess, remote_ntdll + export_directory.AddressOfNames, tmp_table, export_directory.NumberOfNames * sizeof(DWORD), &readed);
            WriteProcessMemory(hProcess, new_name_table, tmp_table, export_directory.NumberOfNames * sizeof(DWORD), &readed);
            g_log.LogInfo(L"[VMPBypass] new_name_table: %p", new_name_table);

            free(tmp_table);
            tmp_table = nullptr;

            // Setup new name & name offset
            BYTE* wine_func_addr = new_name_table + export_directory.NumberOfNames * sizeof(DWORD) + 0x100;
            WriteProcessMemory(hProcess, wine_func_addr, "wine_get_version\x00", 17, &readed);
            DWORD wine_func_offset = (DWORD)(wine_func_addr - remote_ntdll);
            WriteProcessMemory(hProcess, new_name_table + export_directory.NumberOfNames * sizeof(DWORD), &wine_func_offset, 4, &readed);

            // Set fake ordinal
            WORD last_ordinal = export_directory.NumberOfNames;
            WriteProcessMemory(hProcess, new_ordinal_table + export_directory.NumberOfNames * sizeof(WORD), &last_ordinal, 2, &readed);

            // Get address of GetCurrentTeb function to be placed after the new function
            BYTE* get_current_teb = reinterpret_cast<BYTE*>(GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCurrentTeb"));
            DWORD get_current_teb_offset = (DWORD)(get_current_teb - remote_ntdll);

            // Set new function address (wine_get_version) and GetCurrentTeb function address
            DWORD new_function_offset = get_current_teb_offset;
            WriteProcessMemory(hProcess, new_functions_table + export_directory.NumberOfFunctions * sizeof(DWORD), &new_function_offset, 4, &readed);

            // Setup new directory
            export_directory.NumberOfNames++;
            export_directory.NumberOfFunctions++;
            DWORD name_table_offset = (DWORD)(new_name_table - remote_ntdll);
            export_directory.AddressOfNames = name_table_offset;
            DWORD function_table_offset = (DWORD)(new_functions_table - remote_ntdll);
            export_directory.AddressOfFunctions = function_table_offset;
            DWORD ordinal_table_offset = (DWORD)(new_ordinal_table - remote_ntdll);
            export_directory.AddressOfNameOrdinals = ordinal_table_offset;

            // Change the offset of header data
            DWORD old_prot;
            VirtualProtectEx(hProcess, remote_ntdll + export_adress, sizeof(IMAGE_EXPORT_DIRECTORY), PAGE_EXECUTE_READWRITE, &old_prot);
            WriteProcessMemory(hProcess, remote_ntdll + export_adress, &export_directory, sizeof(IMAGE_EXPORT_DIRECTORY), &readed);
            VirtualProtectEx(hProcess, remote_ntdll + export_adress, sizeof(IMAGE_EXPORT_DIRECTORY), old_prot, &old_prot);
        }

    I confirmed that my Windows 10 version works fine. cheers! ScyllaHide_x86.zip
  38. Sh4DoVV
    Hi Short tutorial for bypass Safengine 2.4 HWID Regards. Safengine Short Tutorial.rar
  39. lovejoy226
    @Sh4DoVV Can you bypass it without the license key file? Use this key file. Win64GUI.key Regards. sean.
  40. X0rby
    These Chinese forums are paid and you need to be Chinese to join....Chinese people want to learn from our forums but they don't accept any NO-Chinese to learn from them - using websites like Baidu to upload or video hosters that need Chinese number also.
  41. bon
    try learning x64dbg script 👍 DeleteBPX bp VirtualProtect SetBreakpointCommand VirtualProtect, "vtp" erun vtp: rtr 2 step rtu step find cip,"E9EF" cmp $result,0 je ER bp $result erun bc sti sto 8 sti memset cip+19603, EB,1//bypass cmp to jmp log "OEP:{a@cip}" mov 1004A8D64, #62 6F 6E 00#//set caption run exit ER:
  42. bb2018
    .DLL Hijack bypass all protect 😁 bb2018.dll = Patcher version.dll = loader Hook Api = Bypasser First, use x64dbg debug to find patch points. Change from 84 to FE. First, we need to find the module .dll will notice that there.A lot of dlls, but I'm going to use version.dll. Example Code Patch : DWORD64 MR.BB2018 = Module + (DWORD64)0x2F931; // rva Patch PVOID rva1 = reinterpret_cast<PVOID>(MR.BB2018); BYTE rva2[] = { 0xFE }; WriteProcessMemory(hProcess, rva1, rva2, sizeof(rva2), NULL); Tools : X64dbg : https://github.com/x64dbg/x64dbg/releases Visualstudio : https://learn.microsoft.com/en-us/visualstudio/releases/2019/release-notes hijack dll Source Code Generator. support x86/x64 : https://github.com/strivexjun/AheadLib-x86-x64/releases/tag/1.2 I'm still naive about the reverse. If it's a mistake, apologize. 😁
  43. TRISTAN Pro
    Tell me if it doesn't work . Nice unpackme for this challenge but still unpacked.
  44. hors
    Console example
        x64plgmnrc.exe -G "C:\x64dbg_root" // Set root path for x64dbg
        x64plgmnrc.exe -U // Update list from server
        x64plgmnrc.exe -S // Show list of plugins
        x64plgmnrc.exe -i x64core // Install last version of x64dbg
        x64plgmnrc.exe -i AdvancedScript // install AdvancedScript
    https://github.com/horsicq/x64dbg-Plugin-Manager
  45. BlackHat
    2022.1 challenges was having only EAZFUSCATOR 2022.1 so after dealing with Strings, Cflow and Resources, VM was the main task. 2022.2 challenge was stacked (not actually but somehow) as the Sample was having ConfuserEx Anti-Dump so after applying EAZ over it, One of the EAZ calls got proxified. So If you are doing Static Unpacking, It probably would cause the issue but not in case of dynamic Unpacking. You can manually fix the proxified methods and can continue the process to unpacking it. I cleaned the Assembly after Unpacking and Devirting so It looks nice. You can guess Symbols from the assembly itself by modifying de4dot Renamer or can do manually. in Case of Stacking (depends on How EAZ is stacked), It is not advisable to clean Assembly as It may break other protectors unpacking. Regards CLQ EAZ_unp_2022.1_cleaned.exe BH_unp_2022.2_cleaned.exe
  46. mrexodia
    Hi everyone, Maybe some of you heard it already, but Sigma and I are working on an x32/x64 debugger for Windows for a few months now... The debugger currently has the following features:
    - variables, currently command-based only
    - basic calculations, can be used in the goto window and in the register edit window. Example: var*@401000+(.45^4A)
    - software breakpoints (INT3, LONG INT3, UD2), currently command-only (just type 'bp addr')
    - hardware breakpoints (access, write, execute), also command-only
    - stepping (over, into, out, n instructions), can be done with buttons/shortcuts
    - memory allocation/deallocation inside the debuggee
    - quickly access API addresses (bp GetProcAddress)
    - syntax highlighting, currently not customizable
    - simple memory map (just addr+size+module+protection basically)
    The debugger has an easy GUI, for which we looked a lot at Olly. Debug engine is TitanEngine, disassembler BeaEngine, icons are from various sources (see About dialog). We use QT for the GUI part. If you have a suggestion, a bug report, need more info, want to contribute, just post here or send me a private message. The latest public build + source can always be found on http://x64dbg.com (click 'Source'->'bin_public') to download the latest build. For now, you can also download the first 'alpha' here. We would love to hear from you! Greetings, Mr. eXoDia & Sigma
  47. kao
    @collins: apparently h4sh3m deleted it. Copy attached. version.rar
  48. icarusdc
    Hi, The steps I take for unpack this:
    1. Change HWID. I used LCF-AT's script from here
    2. VM Fixing and OEP Rebuilding. I used LCF-AT's script from here.
    3. File Optimizing. I used SHADOW_UA's method from here.
    Unpacked files: here Salam.
  49. JMC31337
    in no way is this my code at all: simply added/modify 2 lines to make it work correctly for Dev-C++
    1) LONG (NTAPI *NtSystemDebugControl)(int,void*,DWORD,void*,DWORD,DWORD*);
    2) *(DWORD*)&NtSystemDebugControl =(DWORD)GetProcAddress(LoadLibrary("ntdll"),"NtSystemDebugControl");

        #define WIN32_LEAN_AND_MEAN
        #include <windows.h>
        #include <stdio.h>
        #include <shlwapi.h>
        #include <iostream>
        using namespace std;

        typedef LONG NTSTATUS;
        #define STATUS_SUCCESS ((NTSTATUS)0x00000000L)

        //ivanlef0u's code
        //xp sp2 ntoskrnl 5.1.2600, the numbers indicate the size of the struct to pass as argument
        typedef enum _DEBUG_CONTROL_CODE {
            DebugSysGetTraceInformation=1,
            DebugSysSetInternalBreakpoint, //0x38
            DebugSysSetSpecialCall, //0x4
            DebugSysClerSpecialCalls, //no args kill all special calls
            DebugSysQuerySpecialCalls,
            DebugSysBreakpointWithStatus,
            DebugSysGetVersion, //0x28
            //ReactOS sources written by our favorite Alex Ionescu, ntexapi.h
            DebugSysReadVirtual = 8, //0x10
            DebugSysWriteVirtual = 9,
            DebugSysReadPhysical = 10,
            DebugSysWritePhysical = 11,
            DebugSysReadControlSpace=12, //0x18
            DebugSysWriteControlSpace, //0x18
            DebugSysReadIoSpace, //0x20
            DebugSysSysWriteIoSpace, //0x20
            DebugSysReadMsr, //0x10
            DebugSysWriteMsr, //0x10
            DebugSysReadBusData, //0x18
            DebugSysWriteBusData, //0x18
            DebugSysCheckLowMemory,
        } DEBUG_CONTROL_CODE;

        typedef struct _SYSDBG_VIRTUAL {
            PVOID Address;
            PVOID Buffer;
            ULONG Request;
        } SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL;

        extern "C" __declspec(dllimport) ULONG __stdcall RtlNtStatusToDosError( NTSTATUS Status );

        #define PKPCR 0xffdff000 // <=> fs:[0] in KeLand

        //FUNCTIONS:
        LONG (NTAPI *NtSystemDebugControl)(int,void*,DWORD,void*,DWORD,DWORD*);

        //Check OS and get the right Offset:
        int CheckOSVersion( int &Offset )
        {
            //xWeasel's Code for checking OS's and setting the right Offset
            OSVERSIONINFO osvi;
            ZeroMemory(&osvi, sizeof(OSVERSIONINFO));
            osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
            GetVersionEx(&osvi);
            if(osvi.dwPlatformId == VER_PLATFORM_WIN32_NT && osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1)
            {
                Offset = 0x88; //WinXP
                return 1;
            }
            else if(osvi.dwPlatformId == VER_PLATFORM_WIN32_NT && osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 0)
            {
                Offset = 0xA0; //Win2000
                return 1;
            }
            else if(osvi.dwPlatformId == VER_PLATFORM_WIN32_NT && osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 0)
            {
                Offset = 0xA0; //VISTA
                return 1;
            }
            else
            {
                return 0;
            }
            return 0;
        }

        ULONG EnablePrivilege(char *Privilege)
        {
            HANDLE hToken;
            ULONG Ret=1;
            TOKEN_PRIVILEGES TP;
            LUID Luid;
            if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
            {
                Ret=0;
                goto bye;
            }
            if(!LookupPrivilegeValue(NULL, Privilege, &TP.Privileges[0].Luid))
            {
                Ret=0;
                goto bye;
            }
            TP.PrivilegeCount=1;
            TP.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
            if(!AdjustTokenPrivileges(hToken, false, &TP, NULL, NULL, NULL))
            {
                Ret=0;
                goto bye;
            }
        bye:
            CloseHandle(hToken);
            return Ret;
        }

        int HideCurrentProcess( int Offset )
        {
            *(DWORD*)&NtSystemDebugControl =(DWORD)GetProcAddress(LoadLibrary("ntdll"),"NtSystemDebugControl");
            ULONG Status, Addr, PrevEPROCESS, NextEPROCESS;
            SYSDBG_VIRTUAL Mem;
            if(!EnablePrivilege("SeDebugPrivilege"))
            {
                return 0;
            }

            /**************** CURRENT ETHREAD ****************/
            Mem.Address=(PVOID)(PKPCR+0x124); //KPRRCB-> +0x004 CurrentThread : Ptr32 _KTHREAD
            Mem.Buffer=&Addr;
            Mem.Request=sizeof(ULONG);
            Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
            if(Status!=STATUS_SUCCESS)
            {
                return 0;
            }

            /**************** CURRENT EPROCESS ****************/
            Mem.Address=(PVOID)(Addr+0x220); //ETHREAD-> +0x220 ThreadsProcess : Ptr32 _EPROCESS
            Mem.Buffer=&Addr;
            Mem.Request=sizeof(ULONG);
            Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
            if(Status!=STATUS_SUCCESS)
            {
                return 0;
            }

            /**************** PREV EPROCESS ****************/
            Mem.Address=(PVOID)(Addr+0x8C); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
            Mem.Buffer=&PrevEPROCESS;
            Mem.Request=sizeof(ULONG);
            Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
            if(Status!=STATUS_SUCCESS)
            {
                return 0;
            }

            /**************** NEXT EPROCESS ****************/
            Mem.Address=(PVOID)(Addr+Offset); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
            Mem.Buffer=&NextEPROCESS;
            Mem.Request=sizeof(ULONG);
            Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
            if(Status!=STATUS_SUCCESS)
            {
                return 0;
            }

            /**************** PREV EPROCESS TO NEXT EPROCESS ****************/
            Mem.Address=(PVOID)(PrevEPROCESS); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
            Mem.Buffer=&NextEPROCESS;
            Mem.Request=sizeof(ULONG);
            Status=NtSystemDebugControl(DebugSysWriteVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
            if(Status!=STATUS_SUCCESS)
            {
                return 0;
            }

            /**************** NEXT EPROCESS TO PREV EPROCESS ****************/
            Mem.Address=(PVOID)(NextEPROCESS+0x4); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
            Mem.Buffer=&PrevEPROCESS;
            Mem.Request=sizeof(ULONG);
            Status=NtSystemDebugControl(DebugSysWriteVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
            if(Status!=STATUS_SUCCESS)
            {
                return 0;
            }
            return 1; //SUCCED Stuff is hidden!!
        }

        //MAIN FUNCTION
        int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
        {
            MessageBox(NULL,"Starting Main Function","Welcome",MB_OK);//DEBUG
            int Offset;
            if ( CheckOSVersion(Offset) == 1)
            {
                HideCurrentProcess(Offset);//OK to hide
                MessageBox(NULL,"Check if I'm hidden now!! Press OK to exit","FOUND!",MB_OK); //DEBUG
            }
            return 0;
        }

    the original idea was by a bad @ss hacker ivanlef0u http://www.ivanlef0u.tuxfamily.org/ --Currently works under SP3
  50. Teddy Rogers
    Double checked your icon and it looks to be head banging... Ted.
