Popular Content
Showing content with the highest reputation since 09/07/2025 in Posts
-
Nuitka 2.1.5 (Python 3.11)
3 points

You can look for HydraDragonAntivirus/AutoNuitkaDecompiler: Get malware payload without dynamic analysis with this auto decompiler, or my main project. I did it with that. If you want dynamic analysis, then: Is Nuitka No Longer Secure? A Reverse Engineering Tool for Nuitka/Cython-Packed Applications — pymodhook | by qfcy | Medium (there is more advanced special Python code for pymodhook, but it's closed source for vxnet and not made by me, so I can't make it public). If you want both dynamic and static: Siradankullanici/nuitka-helper: Symbol Recovery Tool for Nuitka Binaries.

I did the extraction with stage1.py or nuitka-extractor, extremecoders-re/nuitka-extractor: Tool to extract nuitka compiled executables (or just do dynamic analysis to extract; sometimes it can't extract, or Nuitka compiles the executable as a DLL so you need a DLL loader: It seems like it becoming obsolete · Issue #15 · extremecoders-re/nuitka-extractor). My main project is not stable, but if it becomes stable then it can detect whether it is Nuitka and do auto extract with auto decompile, and you get the source code.

Nuitka is actually hiding data in the resources section in a special bytecode format. The actual source code starts from (u)python.exe or /python.exe (generally in broken executables); then you need to look for the <modulecode part for import recovery. Nuitka compiles with everything for obfuscation, so too many comment lines from the files exist. You can detect junk by checking whether the line contains no u word, which means this line is junk, because u means go to the next line in Nuitka bytecode. Nuitka is not obfuscated if it doesn't compile with everything; otherwise it's obfuscated. You can improve my script by looking at the Nuitka bytecode source code. You can post it to any AI to recover the code, but Gemini is currently best for very long code. Compared to other obfuscators, you need pyarmor with Nuitka to make it more secure (or guardshield with pip install guardshield); otherwise it's an easy task if there are not too many imports.

Rarely the user disables compile everything even if the docs then your task is much easier, but by default Nuitka compiles everything. Nuitka is clearly worse than Rust for some reasons.

1) Antiviruses flag it as malware because malware analysts can't understand Nuitka (even if they are too experienced, they really don't know how to solve Nuitka), so you get false positives.
2) It's not a good obfuscator and it's not creating millions of lines of hello world code via normal Cython.

I don't recommend using Python to avoid reverse engineering, but you can still use it. If you want, I can give all the details I know with a tutorial, or I can release my main project for auto Nuitka decompilation. My last words are: don't use pyoxidizer, pyinstaller, cx_freeze if you want to obfuscate your code, because Nuitka is still the best open source option for Python. Nuitka can't remove python.h, so the code must be pseudo Python (Cython-like style).
-
kill a process and prevent it from being created again
Below are some core code snippets.

```c
// process monitoring callback function
// disable the creation of specified processes
VOID ProcessNotifyExRoutine_call_back(
    PEPROCESS pEProcess,
    HANDLE hProcessId,
    PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    // CreateInfo is NULL when the process is exiting; nothing to do
    if (NULL == CreateInfo)
    {
        return;
    }
    PCHAR pszImageFileName = PsGetProcessImageFileName(pEProcess);
    if (0 == _stricmp(pszImageFileName, "avpui.exe")) // target process name
    {
        CreateInfo->CreationStatus = STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY;
    }
}

NTSTATUS ZwKillProcess(HANDLE pid) // Kill the process
{
    HANDLE hProcess = NULL;
    CLIENT_ID ClientId;
    OBJECT_ATTRIBUTES oa;
    NTSTATUS status;

    ClientId.UniqueProcess = pid;
    ClientId.UniqueThread = 0;
    oa.Length = sizeof(oa);
    oa.RootDirectory = 0;
    oa.ObjectName = 0;
    oa.Attributes = 0;
    oa.SecurityDescriptor = 0;
    oa.SecurityQualityOfService = 0;

    status = ZwOpenProcess(&hProcess, 1, &oa, &ClientId);
    if (NT_SUCCESS(status))
    {
        ZwTerminateProcess(hProcess, 0);
        ZwClose(hProcess);
        return status;
    }
    // return the failure code; FALSE is 0, which equals STATUS_SUCCESS
    return status;
}
```

bin.zip e.g. video_2025-09-13_120702.mp4

2 points
-
Nuitka 2.1.5 (Python 3.11)
2 points

Nuitka can be easily unpacked and reversed. It doesn't obfuscate your code well. I'm surprised nobody solved this very easily. Also your executable is broken. Here is the full source code:

```python
def check_password():
    """Check password function"""
    user_password = input("Enter the password: ")
    specific_password = "secret110"
    if user_password == specific_password:
        print("Good boy!")
    else:
        print("Bad boy!")

if __name__ == "__main__":
    check_password()
```
-
NSF player DLL for NES music files.
cheers man you made my day now! now i know how to call from DLL's whenever i want to use different chiptunes in other various formats such as YM or FC14 :) thanks a bunch :D i will be using NSF in my future cracks from now on :)

p.s.: in case you were wondering, the nsf is from this video converted by me from Famistudio to Famitracker:

1 point
-
NSF player DLL for NES music files.
here we go - had some fun of doing low lvl stuff inside masm32 :)

note: got rid of relocs/debug inside pe binary just for fun

NSF-fixed-jj-v1.ZIP

1 point
-
Nuitka 2.1.5 (Python 3.11)
1 point

Awesome job! A tutorial would really help us understand it better.
-
Code Blocks Formatting
1 point

@Teddy Rogers

```c
#include <stdio.h>

int main()
{
    puts("Seems to work fine now, thanks!");
    return 0;
}
```
-
Nuitka 2.1.5 (Python 3.11)
1 point

Can you tell me how you did it? Because from what I know, Nuitka transpiles Python bytecode to C, and the compiled program contains very little Python bytecode embedded into it, and there's nothing else related other than native assembly code. That's where disassemblers come into play, but everything disassembled will become pseudo C code instead of Python.
-
Code Blocks Formatting
1 point

@jackyjask I was meant to post this a few days ago, if you have not already noticed, IPS moved the "Code Block", to menu...

Ted.
-
ConfuserEx 1.6.0
1 point

1. dump
2. fix dump
3. ConfuserEx-Unpacker-v2.0 & Constants Decrypter
4. de4dot

ConfuserEx-Unpacker-v2.0 prompts an error:

```
[$] Loading Module...
[$] Loading References...
[$] Detected: Confuser.Core 1.6.0+447341964f
[$] Anti Tamper Detected
[$] Anti Tamper Removed Successfully
[$] Cleaned Control Flow on 272 Methods
[$] Fixed proxy calls: 6749
[$] Removed proxy methods: 944
[$] Cleaned Control Flow on 2 Methods
[$] Cleaned Control Flow on 2 Methods
[$] Patched 5 Anti Invokes
[$] Cleaned Control Flow on 2 Methods
Error: Could not load file or assembly 'DEMO123456, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'. This assembly was compiled for a different processor.
   at System.Reflection.RuntimeAssembly.nLoadImage(Byte[] rawAssembly, Byte[] rawSymbolStore, Evidence evidence, StackCrawlMark& stackMark, Boolean fIntrospection, Boolean fSkipIntegrityCheck, SecurityContextSource securityContextSource)
   at System.Reflection.Assembly.Load(Byte[] rawAssembly)
   at Unpacker.Core.Deobfuscators.Resource.ResourceDeobfuscator.Deobfuscate(UnpackerContext context) in D:\Documents\Visual Studio 2017\Projects\GitHub\ConfuserEx-Unpacker\Unpacker.Core\Deobfuscators\Resource\ResourceDeobfuscator.cs:line 40
   at Unpacker.Core.UnpackerEngine.Run(UnpackerParameters parameters) in D:\Documents\Visual Studio 2017\Projects\GitHub\ConfuserEx-Unpacker\Unpacker.Core\UnpackerEngine.cs:line 38
Error: Object reference not set to an instance of an object.
   at Unpacker.Core.Utils.FindInstructionsNumber(MethodDef method, OpCode opCode, Object operand) in D:\Documents\Visual Studio 2017\Projects\GitHub\ConfuserEx-Unpacker\Unpacker.Core\Helpers\Utils.cs:line 33
   at Unpacker.Core.Deobfuscators.AntiDebugDeobfuscator.Deobfuscate(UnpackerContext context) in D:\Documents\Visual Studio 2017\Projects\GitHub\ConfuserEx-Unpacker\Unpacker.Core\Deobfuscators\AntiDebugDeobfuscator.cs:line 18
   at Unpacker.Core.UnpackerEngine.Run(UnpackerParameters parameters) in D:\Documents\Visual Studio 2017\Projects\GitHub\ConfuserEx-Unpacker\Unpacker.Core\UnpackerEngine.cs:line 38
[$] Removed 1 Attributes
[$] Cleaning unused methods...
[$] Writing Module...
[$] Saving Module...
```
-
BinaryShield (Custom VM)
1 point

hi, i am new to devirtualization topic and this challenge was very good for beginners and me. first, my goal was not just obtain the keys but devirtualize whole function automatically and recompile back to be able to patch it. i lifted handlers to LLVM IR and recompiled in a new binary to analyze it.

this is my final output

i know its a little difficult to read, but at least you can see the correct keys clearly if you look at if statements. sadly, code crashes at runtime, i dont know why. it will probably take really long time to identify the problem. i dont think i will do that. maybe i might try VTIL instead of LLVM. i would like to see others' approaches on fully devirtualizing this vm. great challenge again.
-
VMProtect v3.5.1
1 point

WindowsFormsApplication4.vmp35.exe:

1. VMUnprotect.Dumper
   https://github.com/void-stack/VMUnprotect.Dumper/releases/tag/1.1.0.0
2. Unset "IL Only" Flag from .NET Directory with CFF Explorer
3. Demutation Tool
   https://forum.tuts4you.com/topic/45162-demutation-vmprotect-net
   https://forum.exetools.com/showthread.php?t=21105
4. de4dot
   Use --keep-names ntpfg while cleaning the file using de4dot
   Or use --dont-rename
5. VMP Killer by DarkBullNull
   Use Option 2 First and Fix CRC and Debug Check
   https://github.com/DarkBullNull/VMP.NET-Kill
   https://forum.tuts4you.com/topic/45179-vmpnet-kill/
   https://forum.exetools.com/showthread.php?p=131964
6. Unset "IL Only" Flag from .NET Directory with CFF Explorer
7. Use VMProtectNoDelegates to clean delegates
   https://forum.exetools.com/showthread.php?t=21106
   https://forum.tuts4you.com/topic/45163-vmprotectnodelegates-net

The only thing left is unvirtualization.

WindowsFormsApplication4.vmp35-decrypted-demutate-cleaned.justify_nodel.rar
-
Paul Chin Reverse Engineering 4: Software Protection
The course is free until end of July 4, 2024.

https://www.udemy.com/course/reversing-software-protection/?couponCode=JULY2_FREE

Personally, I think Paul Chin courses are total crap, but apparently some people still want to watch them. So...

1 point
-
Eazfuscator v2021.1
1 point

Eazfuscator v2021.1

Unpack and/or provide a valid serial.

Archive password: superfrog

File Information
Submitter: whoknows
Submitted: 07/14/2021
Category: UnPackMe (.NET)
-
[unpackme] WinLicense v2.0.1.0
1 point