Leaderboard

#include <stdint.h> #include <string.h> #include <stdio.h> #ifndef _WIN32 #define __stdcall #endif int __stdcall ted(uint8_t* input_buf, uint8_t* output_buf, uint8_t arg_8) { uint8_t permuted_input[10]; permuted_input[0] = input_buf[6]; // var_10 permuted_input[1] = input_buf[9]; // var_F permuted_input[2] = input_buf[1]; // var_E permuted_input[3] = input_buf[4]; // var_D permuted_input[4] = input_buf[8]; // var_C permuted_input[5] = input_buf[3]; // var_B permuted_input[6] = input_buf[7]; // var_A permuted_input[7] = input_buf[0]; // var_9 permuted_input[8] = input_buf[5]; // var_8 permuted_input[9] = input_buf[2]; // var_7 uint8_t var_24[4] = {0, 0, 0, 0}; uint8_t key_string[] = { 0x6F, 0x6D, 0x65, 0x64, 0x4F, 0x4D, 0x45, 0x44, 0x45, 0x44, 0x4F, 0x4D }; uint8_t var_1D = 0xEA; for (int i = 0; i < 10; i++) { uint8_t val = permuted_input[i]; uint16_t product1 = (i + 1) * val; uint8_t p1_low = (uint8_t)product1; var_24[0] += p1_low; var_24[1] -= p1_low; uint16_t product2 = (i + 0x38) * val; var_24[2] += (uint8_t)product2; } uint8_t al = var_24[0] * permuted_input[0]; uint8_t bl = var_24[1] ^ al; var_24[2] = ((bl + 1) ^ var_24[2]) & 3; uint8_t current_dl = var_1D; for (int i = 0; i < 12; i++) { uint8_t key_char = key_string[i]; - // The original assembly does: mov al, [ebp + key_char + var_10] // This reads outside the 'permuted_input' array. uint8_t magic_byte = *( (&permuted_input[0]) + key_char ); uint8_t calculated = magic_byte ^ current_dl; uint8_t add_val = (uint8_t)(i * 5); calculated += add_val; output_buf[i] = calculated; current_dl = calculated + 0x22; } uint8_t final_byte = ((arg_8 * 4) & 0x0C) | var_24[2]; output_buf[12] = final_byte; return 1; } int main() { uint8_t input[] = {0,1,2,3,4,5,6,7,8,9}; uint8_t output[13]; ted(input, output, 0x10); return 0; }

var_2C= dword ptr -2Ch var_25= byte ptr -25h var_24= dword ptr -24h var_1E= byte ptr -1Eh var_1D= byte ptr -1Dh var_1C= dword ptr -1Ch var_18= dword ptr -18h var_14= dword ptr -14h var_10= byte ptr -10h var_F= byte ptr -0Fh var_E= byte ptr -0Eh var_D= byte ptr -0Dh var_C= byte ptr -0Ch var_B= byte ptr -0Bh var_A= byte ptr -0Ah var_9= byte ptr -9 var_8= byte ptr -8 var_7= byte ptr -7 var_6= byte ptr -6 var_5= byte ptr -5 arg_0= dword ptr 8 arg_4= dword ptr 0Ch arg_8= byte ptr 10h push ebp mov ebp, esp sub esp, 2Ch push ebx push esi push edi mov eax, [ebp+arg_0] movzx ecx, byte ptr [eax] movzx edx, byte ptr [eax+1] mov [ebp+var_9], cl movzx ecx, byte ptr [eax+2] mov [ebp+var_E], dl movzx edx, byte ptr [eax+3] mov [ebp+var_7], cl movzx ecx, byte ptr [eax+4] mov [ebp+var_B], dl movzx edx, byte ptr [eax+5] mov [ebp+var_D], cl movzx ecx, byte ptr [eax+6] mov [ebp+var_8], dl movzx edx, byte ptr [eax+7] mov [ebp+var_10], cl movzx ecx, byte ptr [eax+8] mov [ebp+var_A], dl movzx edx, byte ptr [eax+9] mov al, [ebp+arg_8] mov esi, [ebp+arg_4] add al, al add al, al mov [ebp+var_2C], esi mov [ebp+var_C], cl mov [ebp+var_F], dl mov [ebp+var_25], al mov [ebp+var_1C], 64656D6Fh mov [ebp+var_18], 44454D4Fh mov [ebp+var_14], 4D4F4445h mov [ebp+var_1D], 0EAh mov eax, 0 mov [ebp+var_24], eax xor ecx, ecx lea ecx, [ecx+0] loc_4011D0: mov dl, [ebp+ecx+var_10] mov bl, byte ptr [ebp+var_24+1] lea eax, [ecx+1] imul dl add byte ptr [ebp+var_24], al sub bl, al mov [ebp+var_1E], al lea eax, [ecx+38h] imul dl add byte ptr [ebp+var_24+2], al inc ecx mov byte ptr [ebp+var_24+1], bl cmp ecx, 0Ah jl short loc_4011D0 mov al, byte ptr [ebp+var_24] imul [ebp+var_10] mov dl, [ebp+var_1D] xor bl, al lea edi, [ebp+var_1C] mov [ebp+var_6], al mov [ebp+var_5], bl lea ecx, [ebx+1] xor cl, byte ptr [ebp+var_24+2] and cl, 3 mov byte ptr [ebp+var_24+2], cl xor ecx, ecx sub edi, esi jmp short loc_401223 jmp short loc_401220 align 10h loc_401220: mov esi, [ebp+var_2C] loc_401223: add esi, ecx movzx eax, byte ptr [edi+esi] mov al, [ebp+eax+var_10] xor al, dl mov dl, cl add dl, dl add dl, dl lea ebx, [edx+ecx] add al, bl inc ecx mov [esi], al lea edx, [eax+22h] cmp ecx, 0Ch jl short loc_401220 mov al, [ebp+var_25] mov ecx, [ebp+var_2C] and al, 0Ch or al, byte ptr [ebp+var_24+2] pop edi mov [ecx+0Ch], al pop esi xor ecx, ebp mov eax, 1 pop ebx mov esp, ebp pop ebp retnHi, is it possible this function to be reversed? The function has 2 parameters - (uint8_t* source, uint8_t* output). Would like to convert it to get the source from the output. Thanks in advance.

Just give me the binary

X0rby what ai engine used to get this code? Haven't tried your code yet will try it asap. Looks very clean and simple. Fixed my code from Hex-ray and this is the decompiled working ok code: Obfuscate_Data(uint8_t* input, uint8_t* output) { int v2; uint8_t buffer[12]; uint8_t* output_1; int v5; int i; uint8_t v7; uint8_t v8; uint8_t v9; uint8_t n117_1; int n12; uint8_t* v12; uint8_t v13; uint32_t internal_state; uint8_t state; uint8_t table_var; uint32_t table[11]; buffer[0] = input[1]; HIBYTE(table[4]) = *input; buffer[4] = input[2]; BYTE2(table[3]) = buffer[0]; buffer[0] = input[3]; BYTE1(table[5]) = buffer[4]; buffer[4] = input[4]; BYTE1(table[4]) = buffer[0]; buffer[0] = input[5]; HIBYTE(table[3]) = buffer[4]; buffer[4] = input[6]; LOBYTE(table[5]) = buffer[0]; buffer[0] = input[7]; LOBYTE(table[3]) = buffer[4]; buffer[4] = input[8]; BYTE2(table[4]) = buffer[0]; buffer[0] = input[9]; output_1 = output; LOBYTE(table[4]) = buffer[4]; BYTE1(table[3]) = buffer[0]; table[0] = 0x6F6D6564; table[1] = 0x4F4D4544; table[2] = 0x45444F4D; table_var = 0xEA; internal_state = 0; v2 = 0; for (i = 0; i < 10; ++i) { v7 = *((_BYTE*)&table[3] + i); v8 = v7 * (i + 1); LOBYTE(internal_state) = v8 + internal_state; v9 = BYTE1(internal_state) - v8; BYTE2(internal_state) += v7 * (i + 56); BYTE1(internal_state) -= v8; } n117_1 = table_var; BYTE2(table[5]) = LOBYTE(table[3]) * internal_state; HIBYTE(table[5]) = (LOBYTE(table[3]) * internal_state) ^ v9; state = (BYTE2(internal_state) ^ (HIBYTE(table[5]) + 1)) & 3; n12 = 0; while (1) { v12 = &output_1[n12]; v13 = 5 * n12++ + (n117_1 ^ *((_BYTE*)&table[3] + v12[(char*)table - (char*)output])); *v12 = v13; n117_1 = v13 + 34; if (n12 >= 12) break; output_1 = output; } output[12] = state | (4 * v2) & 0xC; return 1; }But i need function that reverses the output of the function. I mean to get the input if i have the output buffer already. PS. Tried X0rby code but no luck it didn't give good result. Only the first byte is encoded ok with this function.

pay them they will instantly do for you.

@boot please can you again sign your titanhide driver (the certificate is revoked) or if possible can you share the method to load latest vmp in xdbg without titanhide? Thanks in Adv!

Here are the steps to get a completely modified version of x64dbg. Go to https://github.com/x64dbg/x64dbg Press this button in the top-right corner of your screen: You can then change the code to your liking (e.g., to bypass the anti-debug problem).

@fearless Many thanks. I've forgotten the way to use "masm32" assembler. Regards. sean.

Are there anyone who are able to build assembly dll source codes in the SRC folder? I have errors when assembling them. Many thanks in advance. Regards. sean.

@CodeExplorer Can it be feasible to unpack this target with your method? Regards. sean.

@CreateAndInject The same nationalities that you and he is. Oh, coincidence. Thank you @CreateAndInject for notifying the forum of it and him. Regards. sean.

Hello, everyone. Is this enigma x64 one still able to be bypassed? Waiting for your replies as soon as possible. Many thanks in advance. Regards. sean.

In x64 bit OS, the icesword doesn't run. Regards. sean.

Please record the process and post it, so we can get benefit from you. Regards. sean.

I have tried to add Etw Hook's source code to the source code of TitanHide.sys, but it was not effective and I am not considering it for now. I will release newly compiled plugins and drivers, using methods to bypass signatures. They will not need to disable signatures and can be loaded in normal mode.

Refer to this thread. Regards. sean.

After spending three days i m still stuck at 4th challenge now i understand what it mean to be a reverse engineer. May be i will not solve all(or may be even the half of them) the challenge but i still try my best till the last day.

@Rurik: why the kdnet requirement? Why 2 virtual machines? I'm no kernel debugging wizard by any means, but here's a primitive setup that serves me well. WinDbg runs on my main machine, connects to VMWare guest machine via a named pipe. Pretty much everything was taken from this guide: https://www.triplefault.io/2017/07/setting-up-kernel-debugging-using.html 1) Windbg - I have a BAT file with the command-line. It's used only for kernel debugging: windbg -k com:pipe,port=\\.\pipe\com_1,resets=0,reconnect 2) VMWare guest is set up to have virtual com port that uses named pipe: 3) When necessary, I enable kernel debugging in VMWare guest using bcdedit commands from elevated command prompt: bcdedit /debug on bcdedit /dbgsettings serial debugport:1 baudrate:115200 4) Reboot the guest machine, it will freeze for ~30 seconds waiting for WinDbg to attach. 5) Run WinDbg from .BAT file, done. If you insist on running WinDbg in the other VM, you can still link 2 machines via virtual com port and named pipes. I just quickly tried, something like this: 1) set up VMWare with kernel debugging enabled just like before. 2) set up VMWare with Windbg to use com port like this: Notice "this end is the client" setting 3) Start VMWare with WinDbg, run WinDbg like this: windbg -k com:port=COM1,baud=115200 4) (re-)start VMWare with kernel debugging enabled, WinDbg should automagically attach.

char v2; // al char v3; // dl char v4; // cl char v5; // dl char v6; // cl char v7; // dl char v8; // cl char v9; // dl char v10; // cl char v11; // dl int v12; // esi char v13; // al int i; // ecx char v15; // dl char v16; // al char v17; // bl char v18; // dl int v19; // ecx _BYTE *v20; // esi char v21; // al int v23; // [esp+14h] [ebp-24h] char v24; // [esp+16h] [ebp-22h] char v25; // [esp+1Bh] [ebp-1Dh] int v26; // [esp+1Ch] [ebp-1Ch] BYREF int v27; // [esp+20h] [ebp-18h] int v28; // [esp+24h] [ebp-14h] _BYTE v29[11]; // [esp+28h] [ebp-10h] char v30; // [esp+33h] [ebp-5h] v3 = a1[1]; v29[7] = *a1; v4 = a1[2]; v29[2] = v3; v5 = a1[3]; v29[9] = v4; v6 = a1[4]; v29[5] = v5; v7 = a1[5]; v29[3] = v6; v8 = a1[6]; v29[8] = v7; v9 = a1[7]; v29[0] = v8; v10 = a1[8]; v29[6] = v9; v11 = a1[9]; v12 = a2; v13 = 4 * v2; v29[4] = v10; v29[1] = v11; v26 = 1684368751; v27 = 1145392463; v28 = 1297040453; v25 = -22; v23 = 0; for ( i = 0; i < 10; ++i ) { v15 = v29[i]; v16 = v15 * (i + 1); LOBYTE(v23) = v16 + v23; v17 = BYTE1(v23) - v16; BYTE2(v23) += v15 * (i + 56); BYTE1(v23) -= v16; } v18 = v25; v29[10] = v29[0] * v23; v30 = (v29[0] * v23) ^ v17; v24 = (BYTE2(v23) ^ (v30 + 1)) & 3; v19 = 0; while ( 1 ) { v20 = (_BYTE *)(v19 + v12); v21 = 5 * v19++ + (v18 ^ v29[(unsigned __int8)v20[(_DWORD)&v26 - a2]]); *v20 = v21; v18 = v21 + 34; if ( v19 >= 12 ) break; v12 = a2; } *(_BYTE *)(a2 + 12) = v24 | (4 * v2) & 0xC; return 1; }This is what i got from hex-rays but it is very bad and useless decompiled code.

I tried already but hex rays does not produce a usable c code. The problem is that it does not recognize byte arrays but this function uses byte arrays and low byte manipulation.