Leaderboard

Apologies for the downtime! There was a broken repo update rolled out over the weekend and hosting stated they were to fix it. In between then and now they said they sent me emails I haven't received, requesting information from me, and chat support repeatedly didn't update the support ticket with the information I provided. It has been a debacle. It did not help being a long weekend here and me being busy. In the end, when I was available, I had to tidy things up and get the last of the issues fixed up. If you experience any problems please let me know so that I can check it out, and get it resolved, thank you... Ted.

There is a new release: https://github.com/x64dbg/x64dbg/releases/tag/2026.04.20 The project is still alive and it was an honor for me to be able to make some small contributions to this wonderful project.

This was fun, I also took the LLVM route. In my case, everything folded after -O1 to essentially just the flags. Uploaded my devirtualizer to github too https://github.com/eversinc33/binaryshield-devirtualizer Will do a writeup later and add to the README.md

All's well that ends well. Welcome back!

Took a quick look, didn’t dive too deep yet. Already managed to expose part of the check (PBKDF2 → AES → "UNPACKED"), so it’s not as opaque as it first looks. This kind of protection layer is also something I’ve been dealing with in my own work: https://forum.tuts4you.com/topic/46002-continuation-fork-krypton-net-reactor-devirtualizer/#comment-229109 No full unpack yet, just a quick peek for now.

Answer The password is "gamer vision". All of the following addresses are based on the modulebase 0x00007FF644840000. The possible OEP at: 00007FF644841DF8 | 48:895C24 20 | mov qword ptr [rsp+20],rbx 00007FF644841DFD | 55 | push rbp 00007FF644841DFE | 48:8BEC | mov rbp,rsp 00007FF644841E01 | 48:83EC 20 | sub rsp,20 ... Then the second hit in code section at: 00007FF6448416FC | 48:895C24 08 | mov qword ptr [rsp+8],rbx 00007FF644841701 | 48:897424 10 | mov qword ptr [rsp+10],rsi 00007FF644841706 | 57 | push rdi 00007FF644841707 | 48:83EC 30 | sub rsp,30 ... After prompted "enter password.", the input routine at: 00007FF644841400 | 48:8BC4 | mov rax,rsp 00007FF644841403 | 57 | push rdi 00007FF644841404 | 41:54 | push r12 00007FF644841406 | 41:55 | push r13 00007FF644841408 | 41:56 | push r14 00007FF64484140A | 41:57 | push r15 00007FF64484140C | 48:83EC 50 | sub rsp,50 ... the pointer of local buffer for receiving input text is in rdx(for example, 000000359CC9FA58). When entered some test characters, stack looks like: 000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00 "123456789012" 000000359CC9FA68: 000000000000000C input size 000000359CC9FA70: 000000000000000F buffer size Whereafter, the process logic virtualized. First of all, the length of input text got checked in a vCmpqr handler: 00007FF644898E0B | 49:39F0 | cmp r8,rsi ; r8=000000000000000C(actual), rsi=000000000000000C(const) The length MUST be 12!, else got "no!". NOTE: the encrypt password has no chance to get decrypted if input length is wrong! The answer String is encrypted(0xC length): 00007FF64484BCB0 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00 decrypt algo: 00007FF6448BF3A6 | 40:8A36 | mov sil,byte ptr [rsi] rsi=00007FF64484BCB0, sil=8B 00007FF6448D4125 | 44:30DB | xor bl,r11b bl=8B, r11b=08; ^=08 = 83 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 83 00007FF64485748F | 8A09 | mov cl,byte ptr [rcx] [00007FF64484BCB0] -> 83 00007FF64485E6FA | 44:00D7 | add dil,r10b dil=83, r10b=E4; +=E4 = 67 'g' 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 67 00007FF64488DA96 | 49:FFC4 | inc r12 ptr++ 00007FF644859691 | 41:FFC9 | dec r9d length-- 00007FF64488743C | 85C8 | test eax,ecx end loop if length zero At the end of loop, the plaintext: 00007FF64484BCB0 67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00 gamer vision.... The comparison: 00007FF6448424E7 | FF25 330C0000 | jmp qword ptr [<&memcmp>] ret rax=00000000FFFFFFFF/0000000000000000(if matches) rcx=000000359CC9FA58 "123456789012" rdx=00007FF64484BCB0 "gamer vision" r8=000000000000000C Strings Encrypted Structure BYTE bEncrypt // 1 - encrypt, 0 - decrypt DWORD dwLength BYTE UnDefined[0xC] BYTE CipherText[dwLength+1] The related messages as followings, you can find them in the VM Section ".themida" after it got unpacked at the very beginning of the application. 00007FF6448AC79F 01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00 decrypt algo: ^A0+4F 00007FF6448AC7AF 00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F "enter password.\n" 00007FF6448AC7BF 1B 00 00007FF64484BC9F 01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00 decrypt algo: ^08+E4 00007FF64484BCAF 00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 "gamer vision" 00007FF644886C7F 01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00 decrypt algo: ^85+10 00007FF644886C8F 00 EC D0 E6 94 7F 00 "yes!\n" 00007FF64489252F 01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00 decrypt algo: ^65+C9 00007FF64489253F 00 C0 C3 3D 24 00 "no!\n" 00007FF64484C40F 01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00 decrypt algo: ^12+C6 00007FF64484C41F 00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48 "press enter to continue.\n" 00007FF64484C42F 8F BB BA BC B1 BA BD 8D 7A 56 00

Dear friends Berkeley Mono Font face is updated to version2. They included ligatures (nerd glyphs) directly in this build. The font face is 75$ for developer use only (no commercial use.) I have included this fontface so you can try them. Enjoy! Homepage hxxps://usgraphics[.]com/products/berkeley-mono Archive Pass: Download tx-02-berkeley-mono-pass=SCT.7z

Incredible work. If only I could mark multiple solutions. Thank you for your interest and resource--I'm sure many users will find use in this (myself included lol).

https://github.com/mrfearless/DataConversion A data storage unit conversion application written in win32 assembler FeaturesEnter an integer or float value to convert. Accepts characters 0 to 9, comma , and decimal point ., ignores all other characters. Paste an integer or float value to convert. Accepts characters 0 to 9, comma , and decimal point ., ignores all other characters. Also detects keywords to set the initial from and to combo boxes. Keywords (case insensitive): Bytes, Kilobytes, KB, Megabytes, MB, Gigabytes, GB, Terabytes, TB, Petabytes, PB, Kibibytes, KiB, Mebibytes, MiB, Gibibytes, GiB, Tebibytes, TiB, Pebibytes, PiB Supports drag and drop of a file to display the file size in bytes. ReferencesFile Size Converter Data Units Conversion Scientific Notation Calculator and Converter DataConversion_v1.0.0.2.zip

Seems my security question answer got error, it said wrong, even though it was right, i had to reset

I attached writeup created by claude. namitake_crackme_writeup.pdf

F:\>fsize fsize SIZE IN-UNIT OUT-UNIT Units are B, KB, Ki, MB, Mi, GB, Gi, TB or Ti. F:\>fsize 64.2 MB Mi 61.2 F:\>fsize 64.2 Mi MB 67.3 F:\>fsize 64.2 MB Gi 0.0598 F:\>fsize 64.2 Gi MB 68934

Here's a complete command-line program using fasm (exe attached). format PE console entry start include 'win32wx.inc' .code ; Enter with EAX pointing to the suffix (first two wide characters). ; If the suffix is found its value is put on the FPU stack and carry is cleared, ; otherwise 1 is put and carry is set. get_unit: mov esi, units mov eax, [eax] .repeat .if dword[esi] = eax fld qword[esi+4] clc ret .endif add esi, 12 .until esi = units_end fld1 stc ret start: invoke CommandLineToArgvW, invoke GetCommandLine, args .if [args] <> 4 cinvoke printf, help invoke ExitProcess, 1 .endif lea ebx, [eax+4] cinvoke _wtof, dword[ebx] mov eax, [ebx+4] call get_unit fmulp mov eax, [ebx+8] call get_unit fdivp fld qword[one_thou-8] fcomip st, st1 mov eax, fmtf mov ecx, fmtg cmovae eax, ecx sub esp, 8 fstp qword[esp] cinvoke printf, eax invoke ExitProcess, 0 help db "fsize SIZE IN-UNIT OUT-UNIT", 10 db 10 db "Units are B, KB, Ki, MB, Mi, GB, Gi, TB or Ti.",10 db 0 fmtg db "%.3g", 10, 0 fmtf db "%.0f", 10, 0 struct UNITS suffix du 2 dup (?) value dq ? ends align 4 units UNITS "B", 1.0 UNITS "KB", 1000.0 one_thou: UNITS "Ki", 1024.0 UNITS "MB", 1000000.0 UNITS "Mi", 1048576.0 UNITS "GB", 1000000000.0 UNITS "Gi", 1073741824.0 UNITS "TB", 1000000000000.0 UNITS "Ti", 1099511627776.0 units_end: section '.bss' readable writeable args dd ? section '.idata' import data readable writeable library kernel32,'KERNEL32.DLL',\ msvcrt,'MSVCRT.DLL',\ shell32,'SHELL32.DLL' include 'api\kernel32.inc' import shell32,\ CommandLineToArgvW,'CommandLineToArgvW' import msvcrt,\ printf,'printf',\ _wtof,'_wtof' I've chosen to go with decimal and binary units, rather than an additional number. E.g. "64.2 MB Mi" converts decimal to binary and "64.2 Mi MB" converts binary to decimal. If the unit isn't recognised it will be ignored (it's detected, though, so just add your own test). The output is three significant digits for numbers under 1000, no decimals otherwise. fsize.exe

Hello I do not use Windows primarily, but I hope these fits for you: https://pixeldrain.com/u/S8eo5ZBi

I think he may be company side i think so

Well done :) I can create some more challenges for you if you'd like, I also have Intellilock

Does .NET Reactor 7.5.9.1 exist in the world? Seems the latest is 7.5 : https://www.eziriz.com/reactor_download.htm

Can someone upload it to Google drive or good cloud ?

Can someone reupload it please

Thank you for reporting, will have a look later. Damn, password was a bit long too. Now shortened to two letters... 🤫 Ted.

Hi guys, I was looking for an complete file size calculation / info display GUI tool where I could drag & drop any file/s into (and also manually entering values) to get all size information's of it from bites till petabytes etc. I just can find online tools like this nice one... https://www.superfile.ai/productivity-tools/file-size-calculator ...what does display all. Something like this only as tool not online or better some kind of calculation tool what has another more calc features. Is there any you could recommend? Any tool on Github etc or has Windows already some tool what can do that? greetz

We are a company based in the EU looking for a person who will support our main reverse engineer. Our focus is usual on various less common embedded architectures(rarely ARM). The typical goal is to locate and translate one or more algorithms from a complete firmware or main program image into C. If you enjoy reverse engineering, please contact me directly. A full-time position is preferred, but project-based work is also possible.

of more detail of the work and above all the payment

Hello @adoxa, thanks for the code / exe but as always you don't tell very much about it. What is the CL I have to enter? fsize.exe 24MB etc? Just get that Units into to see. Some tiny details would be welcome. greetz

Thanks so much @bluedevil ! Really appreciate it. I confirm like @Raven , .ttf render better for this font on Windows, as the font author suggested. If it's not too much to ask, when you have time, if it would be possible, like your original upload, to have the "semi-condensed" version 🙏. It's because only a single "regular" file on the website is available for trial. Thank you very much again for sharing these. Note: if you're on Windows, download the .ttf files above (there's no optional widths versions right now but it won't be blurry like the .otf)

I would suggest the FPU Library from Raymond: https://masm32.com/masmcode/rayfil/fpu.html The FpuAtoFL function is probably what you want to convert the ascii string to a REAL4 LOCAL rSize:REAL4 Invoke FpuAtoFL, Addr szFloatString, Addr rSize, DEST_MEM4 ; rSize now contains the float such as 64.2you can then load this into the fpu (or keep it on fpu stack with DEST_FPU flag), load some conversion value into the FPU to multiply by and do the multiplication, then convert the result back to ascii with the FpuFLtoA function

It's a pleasure to read you after all these years.

Brute-Force Polynomial for Coefficients. Here is a keygen challenge I got recently. This one requires to find the coefficients of a 26th degree polynomial that sums up to a specific value. A valid serial is also provided. The challenge is to code a keygen with least / reasonable time complexity without patching anything. Update: Added my initial code that barely works. Please let me have your suggestions to improve the code. File Information Submitter Benten Submitted 11/14/2022 Category KeygenMe View File

rtff

.NET Reactor v7.5.9.1 (Aggressive Settings + Custom Anti-Tamper) Hey everyone, I put together a small challenge for anyone interested in reversing .NET protections. This one is packed using .NET Reactor v7.5.9.1 with some pretty aggressive settings, along with a bit of custom anti-tamper logic on top. Your goal is to unpack the application and recover a clean, working assembly. Protections Enabled NecroBit String Encryption Obfuscation Anti ILDASM Hide Method Calls Code Virtualization Anti Tampering Anti Debug Merge Enums Control Flow Obfuscation (Level 9) Additional Protections Custom runtime anti-debug Anti-injection checks Integrity verification A background watchdog thread 🎯 Objectives 1. Primary: Unpack the application and produce a clean assembly that runs without errors 2. Bonus: Recover the correct password (completely optional) File Information Submitter Visual Studio Submitted 04/13/2026 Category UnPackMe (.NET) View File

Level: 6/10 ? Language : MASM Platform : Windows 32 bit OS Version : Tested on Win10 only, Win 7 and 8 also probably work Packer / Protector : None Description : Mostly simple math algorithms; it includes one relatively small hash part that's mostly isolated, so you can choose to ignore that part and focus on the remainder of the serial. I reckon the number of valid serials will be relatively low. Hopefully I made no big mistakes. Provide a valid pair of name and serial, or better yet write a keygen Good luck. Screenshot : KeyGenMe#1.v1.7z Keygenme template by Ziggy.

It does, just not public.

7.5.9.1 NOT EXIST. https://www.eziriz.com/reactor_history.htm

Okey, it would be nice to share more similar challenges, this one was really interesting.

What do you mean? Can you show some screenshot how do you add custom anti-tamper? The difference I can see is: The anti-tamper method is called by EntryPoint in your target, but it's called by <Module>::.cctor in standard .NET Reactor.

If its not on the build you're using, I am assuming its coming in the near future.

@Visual Studio How do you add custom anti-tamper? Can we add custom anti-tamper on .net reactor 7.5?

ok , I am so sorry to bather you. thank you .

Thanks. Your example works, but in my Visual C++ program RtlGetVersion doesn't work, probability I'm missing some config. I was able to fix this by @boot samples; all works fine now.

Apologies for the late response. Let me know if this was not what you wanted... Ted. RtlGetVersion.zip

There might have been a network issue just now, but it's been fixed.

Why is access denied?

the website aint working !

Unpacked CFF Explorer_protected_unp_cl.7z

Here are the steps to get a completely modified version of x64dbg. Go to https://github.com/x64dbg/x64dbg Press this button in the top-right corner of your screen: You can then change the code to your liking (e.g., to bypass the anti-debug problem).

Hi guys. Any tutorial on how to create a working dump of this target? Not interested on unvirtualization at this moment. OEP: 00007FF7920E1878 <unpack | E9 33124100 | jmp unpacked_themida crackme_protected.7FF7924F2AB | 00007FF7920E1DF848:895C24 20mov qword ptr ss:[rsp+20],rbx

Creating a scrolling starfield effect in Delphi. Starfield.rar

I have made my tool works on x64 in my spare time so tried this challenge. Unpacking concerning this challenge ,OEP is virtualized and IAT is obfuscated. obfuscation scheme has been changed totally since 3.x. Devirtualization decryption algorithm were already posted. I analyzed almost code obfuscated from start to end and recovered code flow while keeping original code. but might have overlooked trivial part. code flow(pseudo code) is as follows. char* yes,no,enter_password,gamer_vision,enter_continue,ans; decrypt(entr_password); print(enter_password); std::widen('.'); std::cin>>buff; ans = no; if(buff.length() == 12) { decrypt(gamer_vision); if(memcmp(buff,gamer_vision) == 0){ ans = yes; } } decrypt(no); decrypt(yes); print(ans); decrypt(enter_continue); print(enter_continue); std::cin.ignore(); return Note that this code is written with focus on virtualized part. attached unpacked & devirtualized binary. Unpacked.exe

Hi, I'm beginning not to ask for the program because I will not make it public, I do not want to harm anybody. Instead I will release the source code of the deobfuscator as soon as I have time to fix some points. @miraculix The deobfuser completely rebuilds the CFG (remove fake Jcc, Opaque Predicates etc .. etc ..) apply PeepHole (pattern recognition) remove DeadCode and Constant Folding and call analyzer and more. Thanks to the suggestions of @fvrmatteo I could try different peepHole solutions than the pattern recognition but the result was never as efficient as the use of pattern recognition so I use this solution at the moment (I reverse, not a conference at MIT code needs to work well .. hahahaha). I only use Pascal. As a disassembler engine use Capstone and as Emulator (for small portions of code) use Unicorn Engine.Not use Virtual Machines Symbolic Execution Phyton script etc .. etc .. Place a small video to give an idea. deob.rar

In my spare time I update my program, Analyzing the Devirtualizeme_2.4.6.0_tiger32 file I saw that the Register, in the portion of code that I highlighted(macro start at address:40C89A) , is Edi instead of Eax.In Original code is Edi or Eax (The program works well in both cases) For other procedures (x86-x64), I've scanned ,the code is the same.