Tuts 4 You

Leaderboard

  1. CodeExplorer (Team Member) - Points: 52, Posts: 4,254
  2. jackyjask (Full Member+) - Points: 20, Posts: 1,506
  3. Washi (Full Member) - Points: 13, Posts: 132
  4. dotdll (Junior+) - Points: 12, Posts: 11

Popular Content

Showing content with the highest reputation since 07/08/2025 in Posts

  1. Your crackme seems to have multiple solutions. Not sure if this was intended: Some example passwords: Approach:
    6 points
  2. I'm trying to learn the bypass technique with shfolder.dll, but I can't find any complete information, can anyone help me?
    2 points
  3. Greetings, if "YOU" are so "PARANOID" , just run it in a "VM" , i can tell you "1" thing , its completely safe. So, i don't know where your getting this garbage | bullshit , from. And there is "virustotal" for a reason ! The only weird things is , you making these stupid remarks about this challenge.... ! Regarding the false accusations thrown about... Nor does this challenge require internet. No HTTP/s communication | In-between, whatsoever. Greetings !
    2 points
  4. https://www.techrepublic.com/forums/discussions/here-are-25-reasons-why-windows-is-not-a-virus/
    1 point
  5. Hi all, this is my analysis of GanDiao.sys, an ancient kernel driver based malware. It only works in WinXP as it is unsigned. This driver was used by various malware families and it allowed any userland application to kill other protected processes. This doc also includes a custom userland app source code to use GanDiao and test its capabilities. ENGLiSH VERSiON: http://lucadamico.dev/papers/malware_analysis/GanDiao.pdf iTALiAN VERSiON: https://www.lucadamico.dev/papers/malware_analysis/GanDiao_ITA.pdf As usual, I'm also attaching both PDF files here, just in case. Enjoy. GanDiao.pdf GanDiao_ITA.pdf
    1 point
  6. Was the driver itself malware? Also, is there a way to disable all protection by default?
    1 point
  7. Resolve field with declaring type containing generic parameter

         FieldDef dnlibfield = instructions[i].Operand as FieldDef;
         if (!dnlibfield.DeclaringType.ContainsGenericParameter)
             field = assembly.ManifestModule.ResolveField(dnlibfield.MDToken.ToInt32());
         else
         {
             // here is the problem:
             Type declType = assembly.ManifestModule.ResolveType(dnlibfield.DeclaringType.MDToken.ToInt32());
         }

     So how do I use dnlib to resolve a declaring type containing a generic parameter???

         public virtual System.Reflection.FieldInfo? ResolveField(int metadataToken, Type[]? genericTypeArguments, Type[]? genericMethodArguments);

     https://learn.microsoft.com/en-us/dotnet/api/system.reflection.module.resolvefield?view=net-9.0#system-reflection-module-resolvefield(system-int32-system-type()-system-type())
    1 point
  8. Just find MrExodia's src he shared some years ago and update it for the new enigma versions.
    1 point
  9. Amazing work @Washi ! Explained it nice and clear (from start to finish), and regarding the multiple "solutions" it is intended, yes Great work , quite impressive to see solutions well "versed" like yours , good job ! Greetings !
    1 point
  10. The answer to my security question is "The Magic Words are Squeamish Ossifrage". Why do you ask?
    1 point
  11. Yeah something aint right about this crackme. Also once you get into here you will find quite more interesting things like hostname checking and so on. Not 100% sure but be aware of where you are executing "new" crackmes by "V0KsISsSs" friend.
    1 point
  12. I didn't run in VM, but on real machine.
    1 point
  13. @CodeExplorer Hey Code,did you run this in VM?
    1 point
  14. Refer to this post. Firstly, search for the "RegQueryValueExA" ASCII string. After that, scroll up a little and set a breakpoint at a "jmp" above it ---> "EB ??". Then run the application. Secondly, you can search for this byte array. It is this: xchg bl, dil. Set a breakpoint at that instruction. Lastly, search for your hardware id string's base64 hex values in memory, then change them to the working hardware id string's base64 hex values. After all that, it will run, bypassing the HWID lock of Safengine Shielden x64 v2.4. Regards. sean.
    1 point
  15. Fully unpacked V3: So I noticed that the dll and the executable are both protected with .NET Reactor. The dll has 5 virtualized methods. The purpose of that is probably to prevent people from cracking the unpackme. Since this is not a crackme, I have decided to fully unpack cuz I have a lot of free time to do it. I just dragged the files to my deobfuscator so I'll just explain the steps of what my deobfuscator did to deobfuscate the contents of the unpackme.

     1. Get rid of the code flow obfuscation. You can use Hussaryn/NET-Reactor-Cflow-Cleaner-6.7.0.0 since this one is updated. I haven't tested this one though so I am not sure.
     2. Detect necrobit and read encrypted method bodies in resources. The method bodies are stored in resources and the decryption routine has a part in the code that has a randomly generated mutation. The trick to that is using a CIL emulator. I use DNEmulator, but the repository is gone. I think the De4dot emulator is good enough for this one.
     3. Do step 1 again since it might have control flow obfuscation applied to some methods. You could also read this blog and use reflection to get the decrypted method bodies. It is explained where .NET Reactor stores its decrypted method bodies. But I am not a fan of using reflection, so I don't want that. I guess this should work on most unpackmes but not all since it is lacking something.
     4. Detect obfuscated ldtokens. The obfuscated token is not really obfuscated. It is just stored as an integer and some function resolves the token and returns the runtimetypehandle of that.
     5. Detect and devirtualize virtualized functions. I learned a lot from @TobitoFatito's explanation. The Instruction Set Architecture of the .NET Reactor VM is almost the same as .NET CIL. So it should be easy to understand the VM if you already understand .NET CIL.
     6. Do step 1 again since it might have control flow obfuscation applied to some devirtualized methods.
     7. Detect and decrypt string encryption. The decryption routine is similar to the necrobit decryption routine and the encrypted string data is stored in resources. Once the resource data is decrypted, you can find the calls that use the decryption method and get the string data by acquiring the first argument and using that to go to the offset of the decrypted data, reading the first 4 bytes and converting them to int32 to get the string length. Then read the string data after the string length data.
     8. Detect and decrypt resource encryption. The resources have more than 1 decryption mode and are also compressed. I think the method that de4dot uses for this one still works. Code: ResourceResolver.cs
     9. Use de4dot to clean the rest and fix names.

     Files: WindowsFormsApplication41-Deobfuscated-cleaned.exe WindowsFormsApplication41yippi-Deobfuscated-cleaned.dll
     1 point
  16. g'Morning all! Is there a tool, or is it generally possible, to rip functions out of a dll and use them separately? Thanx in advance! hmi222
    1 point