Leaderboard
Popular Content
Showing content with the highest reputation since 06/19/2025 in Posts
-
Hey guys! I'm iced, a passionate student from Bosnia who's really into reverse engineering. I decided to join Tuts4You to expand my knowledge and trade insights with people who are way better than me. I'm also a friend of @0xret2win and he suggested I join the site and try to tackle a couple of the nice crackmes posted here. Also, I don't think the guy who made this applied full protection settings. Anyway, upon investigating this target I found two interesting calls (not entirely sure if I should do step-by-step, since if you follow "MessageBoxA" in ret and stack you will eventually get to the same place I got):

```
"vmp-licensing-test.vmp.exe"+A19CAE - E8 B9CB60FF - call "vmp-licensing-test.vmp.exe"+2686C
```

This is upon hitting "VMProtectGetCurrentHWID". RAX => 29

```
"vmp-licensing-test.vmp.exe"+A19C9C - E8 2550ABFF - call "vmp-licensing-test.vmp.exe"+4CECC6
```

This is upon hitting "VMProtectSetSerialNumber". RAX => 20

Using x64dbg:

```
00007FF665759CAE | E8 B9CB60FF | call vmp-licensing-test.vmp.7FF664D6686C | -> VMProtectGetCurrentHWID
00007FF665759C9C | E8 2550ABFF | call vmp-licensing-test.vmp.7FF66520ECC6 | -> VMProtectSetSerialNumber
```
5 points
-
...because cloning a git repo, or just clicking on anonfiles.com_d1D7M7q9z4_vmpsrc.zip, is so f*ing complicated. You don't need VMProtect sources. What you need is a basic understanding of this magical thing called "the internet".
5 points
-
> WindowsFormsApplication37_Slayed.exe!WindowsFormsApplication37.Internal.PolicyFinalizer.VisualContainerPolicy.CombineTransaction(WindowsFormsApplication37.Internal.PolicyFinalizer.ArgumentViewer instance) (IL=0x2260, Native=0x091A0040+0x6B85)

```csharp
case (PolicyFinalizer.NotificationCall)128:
    if (PolicyFinalizer.m_PolicySenderList.Count == 0)
    {
        Module module = typeof(PolicyFinalizer).Module;
        // 1879048192 == 0x70000000, the #US (user string) token table prefix:
        // the OR turns the stored index into a string metadata token
        this.m_ClientEvaluator.IncludeManager(new PolicyFinalizer.PolicyFinder(
            module.ResolveString((int)this.m_CustomDecryptorPolicyObj | 1879048192)));
        return;
    }
```

metadataToken 0x7000174A (int); the metadataToken of the good string is 0x700016DE, but it is not as easy as replacing a string: it does not work after changing the string.
4 points
-
3.9.5 changes the protection against unpacking and improved the anti-debug. From that leak, all the unpacking and the critical vulnerability before 3.9.2 allowed changing the serial of a VMP license (Ultimate version) in memory.
3 points
-
This project is mirrored from https://github.com/jmpoep/vmprotect-3.5.1.git.
https://huihui.cat/mirrors/vmprotect-3.5.1
https://git.nadeko.net/Fijxu/vmprotect-source
(someone is fighting and DMCA-ing (removing) all VMP-related repos on github!)
and a downloadable copy: https://pixeldrain.com/u/fKn1dZqK
3 points
-
I'm trying to learn the bypass technique with shfolder.dll, but I can't find any complete information. Can anyone help me?
2 points
-
Greetings. If "YOU" are so "PARANOID", just run it in a "VM". I can tell you "1" thing: it's completely safe. So I don't know where you're getting this garbage | bullshit from. And there is "virustotal" for a reason! The only weird thing is you making these stupid remarks about this challenge...! Regarding the false accusations thrown about: nor does this challenge require internet. No HTTP/s communication | in-between, whatsoever. Greetings!
2 points
-
On the 000000014000838B: 0, 1, 2, 3 8, 9, A, B, C, D, 6, 7 -

```
0000000140008BD4 | 8B4424 20          | mov eax,dword ptr ss:[rsp+20]
0000000140008BD8 | FFC0               | inc eax
0000000140008BDA | 894424 20          | mov dword ptr ss:[rsp+20],eax
0000000140008BDE | E9 07070000        | jmp crackme123.1400092EA
0000000140008A16 | 8B4424 30          | mov eax,dword ptr ss:[rsp+30]
0000000140008A1A | FFC0               | inc eax
0000000140008A1C | 894424 30          | mov dword ptr ss:[rsp+30],eax
0000000140008A20 | 837C24 30 04       | cmp dword ptr ss:[rsp+30],4
0000000140008A25 | 0F8D A9010000      | jge crackme123.140008BD4
0000000140008A2B | 8B4424 24          | mov eax,dword ptr ss:[rsp+24]
0000000140008A2F | 99                 | cdq
0000000140008A30 | 83E2 03            | and edx,3
0000000140008A33 | 03C2               | add eax,edx
0000000140008A35 | 83E0 03            | and eax,3
0000000140008A38 | 2BC2               | sub eax,edx
0000000140008A3A | 898424 80000000    | mov dword ptr ss:[rsp+80],eax
0000000140008A41 | 83BC24 80000000 00 | cmp dword ptr ss:[rsp+80],0
0000000140008A49 | 74 2B              | je crackme123.140008A76
0000000140008A4B | 83BC24 80000000 01 | cmp dword ptr ss:[rsp+80],1
0000000140008A53 | 74 60              | je crackme123.140008AB5
0000000140008A55 | 83BC24 80000000 02 | cmp dword ptr ss:[rsp+80],2
0000000140008A5D | 0F84 90000000      | je crackme123.140008AF3
0000000140008A63 | 83BC24 80000000 03 | cmp dword ptr ss:[rsp+80],3
0000000140008A6B | 0F84 C3000000      | je crackme123.140008B34
0000000140008A71 | E9 0B010000        | jmp crackme123.140008B81
0000000140008A76 | 8B4424 30          | mov eax,dword ptr ss:[rsp+30]
0000000140008A7A | D1E0               | shl eax,1
0000000140008A7C | 48:98              | cdqe
0000000140008A7E | 48:898424 E8010000 | mov qword ptr ss:[rsp+1E8],rax
0000000140008A86 | 48:8D8C24 98000000 | lea rcx,qword ptr ss:[rsp+98]
0000000140008A8E | E8 0DEDFFFF        | call crackme123.1400077A0
```

so I don't have any idea where the password test is made...
2 points
-
.NET Reactor v7.3 (Embedded DLL's)
File protected by .NET Reactor v7.3 having Code Virtualization enabled. By nature the application uses Dependency Injection (this time heavily developed); the 3rd-party files are embedded in the main exe (see shot2); in addition, System.Data.SQLite.dll lies next to the application. Find the registration combination and reply with the success message! Custom anti-debugger.
Submitter: whoknows
Submitted: 06/26/2025
Category: UnPackMe (.NET)
2 points
-
Congrats @CreateAndInject, here is the source incl. refs @ --limited time download, expired--
2 points
-
They have fixed the source leak in vmp 3.95, so back to the drawing board. Also 3.8 had a memory leaking issue, which I haven't checked to see if it's been fixed.
2 points
-
wow! someone is cheating with us here! (sneaky snitch) 2nd time: https://www.sendspace.com/file/51jvil
2 points
-
crackme123
A "Crack Me" challenge created by lord "Voksi", a well-known person in the "warez" scene. And no, this challenge is not uploaded by "Voksi" himself; it's uploaded via a proxy, which is myself, an old friend of "Voksi". GOAL: Obtain the correct key. Greetings to MasterBootRecord, Voksi, FJLJ, and also a few others, you know who you are ❤️
Submitter: casualPerson
Submitted: 07/04/2025
Category: CrackMe
1 point
-
It is a 64-bit file, so I load the file in x64dbg. Print "Incorrect password":

```
000000014000593E | E8 FDBCFFFF      | call crackme123.140001640
0000000140005943 | 48:894424 48     | mov qword ptr ss:[rsp+48],rax
0000000140005948 | 48:8D15 81CFF    | lea rdx,qword ptr ds:[1400028D0]
000000014000594F | 48:8B4C24 48     | mov rcx,qword ptr ss:[rsp+48]
0000000140005954 | E8 97E4FFFF      | call crackme123.140003DF0
0000000140005959 | 48:83C4 78       | add rsp,78
000000014000595D | C3               | ret
```

called from here:

```
000000014000838B | 8B4424 20        | mov eax,dword ptr ss:[rsp+20]
000000014000838F | 898424 B80000    | mov dword ptr ss:[rsp+B8],eax
0000000140008396 | 83BC24 B80000    | cmp dword ptr ss:[rsp+B8],31            | 31:'1'
000000014000839E | 0F87 3C0F0000    | ja crackme123.1400092E0
00000001400083A4 | 48:638424 B80    | movsxd rax,dword ptr ss:[rsp+B8]
00000001400083AC | 48:8D0D 4D7CF    | lea rcx,qword ptr ds:[140000000]
00000001400083B3 | 8B8481 B09300    | mov eax,dword ptr ds:[rcx+rax*4+93B0]
00000001400083BA | 48:03C1          | add rax,rcx
00000001400083BD | FFE0             | jmp rax
```

but I don't know which is the proper valid value of dword ptr ss:[rsp+B8]
1 point
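The `cmp [rsp+B8],31 / ja / movsxd / mov eax,[rcx+rax*4+93B0] / add rax,rcx / jmp rax` sequence in the post above (and the smaller `x & 3` dispatcher in the earlier crackme123 post) is a compiler-generated switch: [rsp+B8] is the case index, the table at RVA 0x93B0 holds 0x32 32-bit RVAs, and any index above 0x31 (the compare is unsigned, so negative values too) falls through the `ja` to 1400092E0. Rather than guessing values one at a time, decode the whole table and see which indices reach a handler other than the default. The script below is an added example of mine, not code from the post or from the crackme. It assumes a flat memory dump of the module (x64dbg Memory Map, "Dump Memory to File" over the module's range, so file offset == VA minus the 140000000 image base); the table RVA, image base and case count come from the post, while every handler RVA in the built-in sample image is made up for illustration.

```python
"""Decode the 0x32-entry jump table behind `jmp rax` at crackme123+0x83BD.

Added example, not from the original post or the crackme. Models the
dispatcher shown in the post:

    cmp    dword ptr [rsp+B8], 31          ; unsigned: index > 0x31 -> default
    ja     crackme123.1400092E0
    movsxd rax, dword ptr [rsp+B8]
    lea    rcx, [140000000]                ; image base
    mov    eax, dword ptr [rcx+rax*4+93B0] ; one 32-bit RVA per case
    add    rax, rcx
    jmp    rax
"""
import struct

IMAGE_BASE = 0x140000000
TABLE_RVA = 0x93B0
CASE_COUNT = 0x32              # `ja` defaults for index > 0x31, so 0..0x31 are table cases
DEFAULT_TARGET = 0x1400092E0   # the `ja` fall-through target from the post


def decode_jump_table(image, table_rva=TABLE_RVA, case_count=CASE_COUNT, image_base=IMAGE_BASE):
    """Return the absolute handler VA for every case index 0..case_count-1.

    `image` is a flat dump of the module, so byte offset i holds RVA i.
    """
    if table_rva + 4 * case_count > len(image):
        raise ValueError("jump table runs past the end of the image")
    rvas = struct.unpack_from("<%dI" % case_count, image, table_rva)
    return [image_base + rva for rva in rvas]


def resolve_case(image, value):
    """Emulate the dispatcher for one value of [rsp+B8], including the unsigned
    `cmp/ja` range check (negative values also take the default)."""
    if (value & 0xFFFFFFFF) > CASE_COUNT - 1:
        return DEFAULT_TARGET
    return decode_jump_table(image)[value]


def group_cases_by_target(targets):
    """Map each distinct handler VA to the case indices that reach it. In a switch
    over an input character most values collapse onto one (reject) handler, so the
    interesting inputs are the indices of the other groups."""
    groups = {}
    for idx, va in enumerate(targets):
        groups.setdefault(va, []).append(idx)
    return groups


def build_sample_image():
    """Constructed sample, not the real crackme: a zeroed flat image whose table
    sends '0' (0x30) and '1' (0x31) to two hypothetical handlers and everything
    else to the default block at RVA 0x92E0."""
    image = bytearray(0x10000)
    rvas = [DEFAULT_TARGET - IMAGE_BASE] * CASE_COUNT
    rvas[0x30] = 0x83C0   # hypothetical handler RVA for '0'
    rvas[0x31] = 0x8470   # hypothetical handler RVA for '1'
    struct.pack_into("<%dI" % CASE_COUNT, image, TABLE_RVA, *rvas)
    return bytes(image)


if __name__ == "__main__":
    import sys
    img = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for va, idxs in sorted(group_cases_by_target(decode_jump_table(img)).items()):
        print("%016X <- cases %s" % (va, " ".join("%02X" % i for i in idxs)))
```

Run it against a real dump with the file name as the first argument; the group whose member list is not the bulk of 0x00..0x31 is the set of index values worth feeding the program. If the dump is a raw PE file rather than a memory image, translate the table RVA to a file offset through the section table first, since the RVA-equals-offset assumption only holds for memory dumps.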
-
Which compiler do you use? Can you send it again but with the original compiler output file?
1 point
-
https://github.com/jmpoep/vmprotect-3.5.1.git - DMCA
https://huihui.cat/mirrors/vmprotect-3.5.1 - there are download options but they all hang
https://git.nadeko.net/Fijxu/vmprotect-source - no options to download
https://pixeldrain.com/u/fKn1dZqK - too many connections. I tried for a few days
1 point
-
There are 3 options above; which one failed for you? How about trying the others....
1 point
-
Eazfuscator.NET v2025.1
File protected by Eazfuscator.NET v2025.1 having Code Virtualization enabled. By nature the application uses Dependency Injection; the 3rd-party files are embedded in the main exe. Find the registration combination and reply with the success message! Codebase improved a little bit versus the reactor73 target.
Submitter: whoknows
Submitted: 06/24/2025
Category: UnPackMe (.NET)
1 point
-
.NET Reactor v7.3
File protected by .NET Reactor v7.3 having /Code Virtualization/ enabled. By nature the application uses /Dependency Injection/; the 3rd-party files are embedded in the main exe (see shot2). Find the registration combination and reply with the success message!
Submitter: whoknows
Submitted: 06/22/2025
Category: UnPackMe (.NET)
1 point
-
Link is down again, please update :'(
1 point
-
Sorry for the double post, but sadly this website doesn't allow editing after some time ☹️ I don't know if I'm allowed to post a video or not, but here's the stupid video I made for the brand, and you can see the crap software. It has poor quality and I translated it to Spanish because they are Spanish, and I even gave them good advice for improvement, which is to allow changing all key colors. There's no option, which is stupid; it only allows choosing their own pre-defined colors, and to give all keys the same custom color we need to go to a custom profile and manually select every single key and apply. It's stupid having to click 104 times to have all the keys in our own color, and if we don't like the result we have to click 104 times to disable and another 104 times with a new color 🤣 (they should simply have had custom color choosing in the always-light option lol). The keyboard has my favorite design, the Gateron opto-mechanical switches are soft and pretty fine, but the software and firmware really kill everything 🤬 (especially on a ~110€ keyboard). PS: I'm not self-promoting; the video is also hidden from the YouTube public and I'm not a YouTuber at all, have 0 advertising active or any affiliations with Google...
1 point
-
Among the anti-debug techniques, there's an interesting one worth noting. A dummy thread is created and then it calls Sleep(0x32). (The goal is for the created thread to be detected by tools like x64dbg.) Then, it calls NtQueryObject with the ObjectBasicInformation class using the thread handle. If the returned HandleCount is greater than 1, it determines that debugging is in progress.

```cpp
#include <windows.h>
#include <winternl.h>   // NtQueryObject, PUBLIC_OBJECT_BASIC_INFORMATION, ObjectBasicInformation
#include <iostream>
#pragma comment(lib, "ntdll.lib")

// Keeps the dummy thread alive long enough for an attached debugger to notice it.
static DWORD WINAPI dummy(LPVOID)
{
    Sleep(8000);
    return 0;
}

bool CheckCreateThreadHandleCount()
{
    HANDLE hThread = CreateThread(NULL, 0, dummy, NULL, 0, NULL);
    if (hThread == NULL)
    {
        return false;
    }
    Sleep(0x32);   // give the debugger time to open its own handle to the new thread

    PUBLIC_OBJECT_BASIC_INFORMATION objInfo;
    NTSTATUS status = NtQueryObject(hThread, ObjectBasicInformation, &objInfo, sizeof(objInfo), NULL);
    if (!NT_SUCCESS(status))
    {
        CloseHandle(hThread);
        return false;
    }
    std::cout << "Handle Count: " << objInfo.HandleCount << std::endl;

    // Only this process should hold a handle to the thread object; a second
    // handle means something else (a debugger) opened the thread.
    if (objInfo.HandleCount > 1)
    {
        CloseHandle(hThread);
        return true;
    }
    CloseHandle(hThread);
    return false;
}
```
1 point
-
I once posted it on a Chinese forum; you can read it at https://www.52pojie.cn/thread-762832-1-1.html via Google Translate. I'll try my best to introduce it in English:

1. Download x64dbg and download the symbol file of clr.dll (mscorwks.dll if the runtime is .NET 2.0~.NET 3.5).
2. Set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run.
3. Use MegaDumper (I use my ExtremeDumper, based on codecracker's MegaDumper: https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program breaks at "SystemDomain::ExecuteMainMethod".
4. Fix the PE header, and maybe you should also fix the .NET header.

This way is more complex than using MegaDumper only and directly dumping the assembly. But if the assembly is packed with a native stub and protected with anti-dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies. If you cannot understand it, you can reply to me. Best wishes.
1 point
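Step 4 of the procedure above, fixing the PE header of the dump, as an added example of mine; it is not the poster's code and not part of ExtremeDumper or MegaDumper. A module dumped from memory has its section contents at their virtual addresses, but the section headers still carry the on-disk PointerToRawData/SizeOfRawData, so anything that opens the dump as a file reads the wrong offsets. The usual repair is to make the raw layout equal the virtual one (PointerToRawData = VirtualAddress, SizeOfRawData = VirtualSize rounded up to SectionAlignment, and FileAlignment set to SectionAlignment so the two layouts agree); that rule, and the PE32+ sample image the script builds for itself, are my assumptions for illustration, not anything from the post.

```python
"""Make a memory dump's section table consistent with where the bytes actually are.

Added example, not from the original post and not ExtremeDumper/MegaDumper code.
The sample PE built by build_sample_dump() is constructed for illustration.
"""
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"                       # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)
SECTION_FIELDS = ("Name", "VirtualSize", "VirtualAddress", "SizeOfRawData",
                  "PointerToRawData", "PointerToRelocations", "PointerToLinenumbers",
                  "NumberOfRelocations", "NumberOfLinenumbers", "Characteristics")


def _layout(data):
    """Return (optional_header_off, section_table_off, number_of_sections)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]      # FileHeader.NumberOfSections
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]      # FileHeader.SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    return opt_off, opt_off + size_of_opt, num_sections


def parse_sections(data):
    """Section headers as dicts, in table order."""
    _, sec_off, n = _layout(data)
    return [dict(zip(SECTION_FIELDS,
                     struct.unpack_from(SECTION_HEADER_FMT, data, sec_off + i * SECTION_HEADER_SIZE)))
            for i in range(n)]


def get_alignments(data):
    """(SectionAlignment, FileAlignment); the offsets are the same for PE32 and PE32+."""
    opt_off, _, _ = _layout(data)
    return struct.unpack_from("<II", data, opt_off + 32)


def _align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def fix_dumped_pe(dump):
    """Return a copy of `dump` whose raw section layout equals its virtual layout."""
    out = bytearray(dump)
    opt_off, sec_off, n = _layout(out)
    section_align, _ = get_alignments(out)
    struct.pack_into("<I", out, opt_off + 36, section_align)      # FileAlignment := SectionAlignment
    for i in range(n):
        hdr = sec_off + i * SECTION_HEADER_SIZE
        vsize, va = struct.unpack_from("<II", out, hdr + 8)        # VirtualSize, VirtualAddress
        raw_size = _align_up(vsize, section_align)
        raw_size = min(raw_size, max(len(out) - va, 0))           # never claim bytes the dump lacks
        struct.pack_into("<II", out, hdr + 16, raw_size, va)      # SizeOfRawData, PointerToRawData
    return bytes(out)


def build_sample_dump():
    """Constructed PE32+ image as it looks when dumped from memory: section bodies at
    their VAs, headers still describing the on-disk layout (raw offsets 0x400/0xC00)."""
    img = bytearray(0x3000)                                       # SizeOfImage
    e_lfanew = 0x80
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: AMD64, 2 sections, SizeOfOptionalHeader 0xF0 (PE32+)
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x8664, 2, 0, 0, 0, 0xF0, 0x22)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x20B)                       # PE32+ magic
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)         # SectionAlignment, FileAlignment
    struct.pack_into("<I", img, opt + 56, len(img))               # SizeOfImage
    sec = opt + 0xF0
    struct.pack_into(SECTION_HEADER_FMT, img, sec,
                     b".text\0\0\0", 0x800, 0x1000, 0x800, 0x400, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_HEADER_FMT, img, sec + SECTION_HEADER_SIZE,
                     b".data\0\0\0", 0x100, 0x2000, 0x200, 0xC00, 0, 0, 0, 0, 0xC0000040)
    img[0x1000:0x1004] = b"\xC3\x90\x90\x90"                      # bodies sit at their VAs
    img[0x2000:0x2004] = b"DATA"
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for s in parse_sections(fix_dumped_pe(data)):
        print(s["Name"].rstrip(b"\0").decode(), hex(s["VirtualAddress"]),
              hex(s["PointerToRawData"]), hex(s["SizeOfRawData"]))
```

Because RVAs are unchanged and now equal file offsets, data directories such as the CLR header and its metadata RVA resolve correctly in the fixed file without further edits; what this does not do is anything the post's "maybe fix the .NET header" hint may require beyond that (a native stub or a replaced entry point still has to be dealt with by hand).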
-
Correct key is
The correct key can be obtained at runtime. Not necessary to deal with any of the protection features mentioned. It can be found by hooking and monitoring the arguments passed/return value of any of the push, pop functions defined in guillotine.pyd. These values are all PyObject's, hence interacting with the CPython API is necessary to log these to stdout. Essentially tracing the operations of the VM will reveal the key when it compares the user input with the correct key. Probably will do a mini write-up in the future if I get time.
1 point
-
Hi HuD_HuD
ModuleToAssembly 1.0: https://forum.tuts4you.com/topic/30789-moduletoassembly-10
Universal Fixer: https://forum.tuts4you.com/topic/25376-universal-fixer
ConfuserEx tools: https://forum.tuts4you.com/topic/37076-confuserexswitchkiller/?do=findComment&comment=187480
1 point
-
@HuD_HuD:
[.NET]实战UnpackMe.mp4 ([.NET] hands-on UnpackMe): https://mega.nz/file/l9YSXSiI#NEdJ6JAiFPHeQRdUbdemIG78PrIHGTWhr-A5FfYydGo
使用x64dbg暴打非托管强壳.mp4 (Beating a strong unmanaged packer with x64dbg): https://mega.nz/file/tk4EELiK#H0iIReUyl6RWeURvMEOBlzodzJTW7gerao6Ie8ROPWw
Same request as before: please do not abuse those links. It's a free MEGA account and has limited traffic available.
1 point
-
@mdj: 使用x64dbg暴打非托管强壳.mp4 (Beating a strong unmanaged packer with x64dbg) -> https://mega.nz/#!Y5JBTaCS!hJXzN5ssvUyRHW8VgpGxINEVrW1zJ2Up96vqqJVG5co
I can upload the second video tomorrow, if you need that too.
@all: Please be nice and don't abuse the link; it is a free Mega account and has traffic limitations.
1 point
-
There is an OllyDbg script made by @GIV that also helps to unpack the anti-dump protected .NET files, and it is newbie-friendly too. But this method which you described I tested and it works well. Very nice explanation too. Thank you!!!
1 point