Leaderboard

This is a very bad thing to add! Grabbing this personal information from a user without mentioning that is a terrible act to do !! Now you have ip @ of @CodeExplorer did you ask him if he agreed to that or not?? No! So that's why everyone must run any garbage from the internet on an isolated machine!

If you don’t care about “random forum users”, then don’t publish things publicly. You posted it here on purpose, so a public post means public criticism. You don’t get to choose who is allowed to comment... The website example is bullshit. A website logging IPs during an HTTP request is not the same as an executable secretly making outbound connections. The protocol forces one; the other is a decision you coded yourself. Acting like they’re the same is dishonest. Running a program does not mean permission for hidden network activity.

That’s a weak excuse. “Reverse engineering forum” is not a reason to steal personal data. Running unknown binaries in a VM is indeed a good practice, not a license for you to silently collect IPs or any identifying info without disclosure. The problem isn’t whether it’s legal, it’s that you did not inform the user, If your app contacts a license server and logs IPs that must be stated explicitly ! Saying “it only collects minimal data” after the fact doesn’t change anything. Consent is obtained before, not justified after and “statistics” doesn’t magically make undisclosed data collection acceptable. Reverse engineering is about analyzing protections and behavior not normalizing shady practices and then hiding behind assumptions.

We are seeking a skilled reverse engineer for a long-term collaboration with a monthly payment structure. What We're looking for: • Proficiency in C/C++, Delphi, and assembly language • Extensive experience with well-known protectors like VMProtect, Themida, and others • Strong ability to analyze and bypass obfuscation techniques • Determination in problem-solving and the ability to work under pressure Our projects focus on the automotive sector, with a strong emphasis on improving software and firmware. Since we also develop hardware devices, our reverse engineering efforts are solely aimed at gaining a deeper understanding of the underlying systems. Payment is preferred on monthly basis, but per project is also doable. Contact me on telegram: https://t.me/TobeMTV , to get more info about the job.

"automotive" + "VMProtect, Themida" I've been dumping and reverse engineering ECM and BCM firmware since about 2002 and never seen obfuscation. If you need someone to RE challenge/response I probably already have the IDA database and python emulator..

Thanks dude, really appreciate the font but can you tell me where can i get more of these fonts this one doesn't contain the extra light and extra light oblique.

Excuse? I wasn't even going to make excuses, especially to random forum users. I'm not interested in the opinions of random people. It's just amusing how you try to make a problem out of nothing. Every website stores the IP addresses of users who visit it in its access logs without even informing the user about it. Even this forum ;)

This forum is devoted to reverse engineering. This implies by default that all unknown executable files should be run in a virtual environment. Moreover, I clearly positioned the provided sample as an object for researching non-standard Themida settings and in no way encouraged its launch on the host machine. In any case, the application does not do anything illegal, and the license server stores the minimum necessary information, which under no circumstances is transferred to third parties and is not used for anything other than collecting statistics on the use of the application.

Tutorial (Short version): The kgm does the following: 1) Looks for the file "duh!!.syk" in the same directory (folder), if not found, it loads showing one field only (badboy), else: 2) Reads the text line inside the file "duh!!.syk" & by using a simple (xor 0x40) with each character, result should read "TestingOurSync???", else (badboy) 3) Loads the full form showing both text fields (i.e: name & serial) & a check button. Now try: name: Chilling serial: o!h.$kLB[2E{(,YV;+X/]thj}H.(uCFT~1Wx2iWM;4T*)Y$S"1B.$wcS@J Click the check button & the kgm will: 4) Trims both strings, Base91 decodes the serial into: "26734308-=`~<-YAGAIV-2090603021-2C51325133CEA38" Checks to see if it has 5 parts (separated by "-"), else (badboy). More checks follow. 5) part1 must be 8 characters from "0123456789" 6) part2 must be 4 characters from "$+<=>|~" 7) part3 must be 6 characters from "ABCDEFGHIJKLMNOPQRSTUVWXYZ" 8) Build & check part4: a) Uppercase the constant "If I Only Knew" & add a null byte at start then SDBM Hash (Ozan Yigit) it (in reverse order): 0x57454E4B20594C4E4F204920464900 = 0x7D0BFCAF b) math: 0x7D0BFCAF xor 0x46 (a constant) = 0x7D0BFCE9 c) math: 0x7D0BFCE9 xor StrToInt(p1) 0x0197EEE4 = 0x7C9C120D d) IntToStr(0x7C9C120D) = "2090603021" <> p4 = "2090603021" 9) Check if trimmed name is 4 or more characters (kind of late), else bb 10) Let s1 be the result of joining: name + ' ' (space) + constant "Jalolo" ... "Chilling Jalolo" 11) Let s2 be the result of joining: s1 + constant "WhoamI?" ... "Chilling JaloloWhoamI?" 12) Generate a seed by applying same SDBM Hash method on s2 (uppercase, add a null byte at start, ...) to get: 0x3F494D414F48574F4C4F4C414A20474E494C4C49484300 = 0x0BE39B81 ... seed 13) Build & check part5: Using xxHash64 (Yann Collet), perform xxHash64(WideString(s1), Integer(seed)) = "2C51325133CEA38" <> to p5 If all goes well then (goodboy). Let me know if I've missed anything :) Other combinations: name: XorRanger's Go Figure Fixed!!! serial: Rz;aAkGuG3Xtlk>V;+/zV0Tj|H.(~*AShw`EwnLdR2<:9[ZXjDhb|v1X;Lc name: Happy New Year! serial: E2wbCkcMh2E{(v$M)L!cgvY0|HS*SCBSn!IbLm?R$J+BD+gSzwIzml&M7Ia kg.7z

The software performs network time verification by connecting to the internet. It retrieves the time from www.baidu.com and contains no malicious code. Please rest assured. I have no interest in embedding Trojan viruses or backdoors in the software.

Solved it already. Thanks to all for the help.

All protectors can be unpacked, that doesn't means dnguard isn't good.

To avoid blind guessing, I suggest you to get old iLO firmware packages and analyze them. See what conditions must be fulfilled in order to get the "SmartMemory" status. If my google-fu is working, Gen10 servers use iLO5, here is it's general spec: https://www.hpe.com/us/en/collaterals/collateral.c04154343.html, and here are the download links https://support.hpe.com/connect/s/softwaredetails?language=en_US&collectionId=MTX-2dc80c4ae4b943fa. It would appear that older firmware packages didn't use any encryption, just some (trivial) compression, making the job so much easier.

No, the above script won't work due to Themida anti-debug tricks, even if program starts with the debugger. I got to say: Themida is great protector. Too bad about antivirus detections like https://www.malwarebytes.com/blog/detections/riskware-patcher-themida I made some new updates to Unlicense: - fixed winlicense v3 detection for the above https://storage.custos.dev/ResourceCryptor_latest.7z - fixed imports for winlicense v3 x64 OEP still needs to be fixed as currently stops before real OEP; You could try --force_oep: --force_oep=0x0115E 0x0115E = OEP rva; as long as you know OEP rva. unlicenseFixed2.rar

Below are some core code snippets. // process monitoring callback function // disable the creation of specified processes VOID ProcessNotifyExRoutine_call_back( PEPROCESS pEProcess, HANDLE hProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo) { if (NULL == CreateInfo) { return; } PCHAR pszImageFileName = PsGetProcessImageFileName(pEProcess); if (0 == _stricmp(pszImageFileName, "avpui.exe")) // target process name { CreateInfo->CreationStatus = STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY; } }NTSTATUS ZwKillProcess(HANDLE pid)//Kill the process { HANDLE hProcess = NULL; CLIENT_ID ClientId; OBJECT_ATTRIBUTES oa; NTSTATUS status; ClientId.UniqueProcess = pid; ClientId.UniqueThread = 0; oa.Length = sizeof(oa); oa.RootDirectory = 0; oa.ObjectName = 0; oa.Attributes = 0; oa.SecurityDescriptor = 0; oa.SecurityQualityOfService = 0; status = ZwOpenProcess(&hProcess, 1, &oa, &ClientId); if (NT_SUCCESS(status)) { ZwTerminateProcess(hProcess, 0); ZwClose(hProcess); return status; }; return FALSE; }bin.zip e.g. video_2025-09-13_120702.mp4

I do not release the decoder but the code optimizer (not immediately), this is not specific to the oream vm, it is only far more effective than others. What do you say about angr or miasm or optimice or codedoctor ?? do we eliminate them all the tools for binary code analysis ?? I do not issue the decoder code because my hobby is a hobby and I do not want to give anybody a damn but reversing is sharing (I unfortunately belong to the old old reverser school). If I spoke good English I would probably share a lot more info and would not like others who just write for self-celebration. Do you know Scherzo or Softworm ?? I'm an old man who now deals with reversing and my only good luck is that the day they will all program in python or javascript I will not be there anymore..hahahahaha

Hi, I'm beginning not to ask for the program because I will not make it public, I do not want to harm anybody. Instead I will release the source code of the deobfuscator as soon as I have time to fix some points. @miraculix The deobfuser completely rebuilds the CFG (remove fake Jcc, Opaque Predicates etc .. etc ..) apply PeepHole (pattern recognition) remove DeadCode and Constant Folding and call analyzer and more. Thanks to the suggestions of @fvrmatteo I could try different peepHole solutions than the pattern recognition but the result was never as efficient as the use of pattern recognition so I use this solution at the moment (I reverse, not a conference at MIT code needs to work well .. hahahaha). I only use Pascal. As a disassembler engine use Capstone and as Emulator (for small portions of code) use Unicorn Engine.Not use Virtual Machines Symbolic Execution Phyton script etc .. etc .. Place a small video to give an idea. deob.rar

First you say Themida is trashtier, then you pick a far inferior packer and state that it is better..? People need to start realizing, that if you have no clue what you're talking about, you should either start your sentence with "I assume" or you shouldn't say anything at all. Silence is bliss. VMProtect is actually rather bad, as the virtual machine in VMProtect is really easy to crack. If you have to choose between Themida and VMProtect, you should always pick Themida. Why? Because Themidas virtual machines are much more advanced and much harder to crack than VMProtect. Themida was initially known for their CISC VM which was (at the time) very strong. It has since been defeated (by Deathway) and is now considered weak (since it's actually rather simple once you start to understand it). VMProtect's virtual machine is almost an exact replica of the Themida CISC VM featuring stronger obfuscation, and as such it works in the exact same way, which makes it (almost) equally weak. Since then, Themida developed the RISC machine (RISC64 and RISC128), which was against defeated by Deathway. They then proceeded to develop the FISH and TIGER machines, which features very new tricks such as complex combined handlers (FISH) doing multiple operations each instead of a handler for each operation like CISC had, and also internal (yet simple) cryptography. The TIGER VM is very similar to the FISH VM (since it is built on the same engine), but doesn't utilize the cryptographic internal registers, etc. Themida also features hybrid virtual machines, such as SHARK, which is FISH virtualized by TIGER, or PUMA, which is TIGER virtualized by FISH. The newest machine(s) from Themida is the DOLPHIN machine, which is yet another layer of complexity upon the newer FISH/TIGER engine, while also supplying a hybrid VM called EAGLE, which is FISH virtualized by DOLPHIN (if memory serves right). If you want to compare the complexity of the newer Themida VMs (e.g. EAGLE) vs. VMProtect's VM, you're probably looking at a complexity scale saying 15:1 or something like that. TL;DR Don't listen to the guys above, as they are completely clueless on the topic. Pick Themida if you have to choose between the two of them.

Haven't touched this project for a long time. So I worked this weekend on updating the script and catching up with all the changes that they did in the last 1-2 years. Everything works right now except for TIGER. They added a new weird "push" handler, which is very different from any other TIGER handler. (the offset for the push isn't from a parameter, but from a call to another function that return an internal state value, usually that internal state value is used with a parameter to get the wanted real value, but this time it is used just with a constant number... in your binary for example one such handler is at 0x0562AC9). Nothing too bad, but I ran out of time for this weekend. I will do it during this week and update this comment with the devirtualized tiger when it is done. Except for that most of the changes were small. Some of them are fixing bugged handlers, other are adding some small protection templates to the handlers. One change that they did was not reseting the state when re-entering the vm after external instruction execution. (instructions that they don't virtualize). Another change was changing the start of the vm. Until now the start of the vm was something like that: (They push all the registers to the stack before they enter the vm) pop VM_REG_1 pop VM_REG_2 pop VM_REG_3 .. They changed it to: (in a random order) mov VM_REG_1, [esp] mov VM_REG_2, [esp+4] mov VM_REG_3, [esp+8] ... add esp, ... Another change is obfuscating the ending of some of the FISH and TIGER handlers. The FISH(32/64) BLACK is probably the most annoying vm. since the handlers are heavily obfuscated, with fake conditional jumps and all of that shit. One big handler can be 100000+ instructions. So even a small bug when handling it can fornication up everything. It is probably the safest vm because of that but also really really slow. oh, and in 64-bit my compiled devirtualized code isn't the same size as the original code, I am not sure why is that, which of the compiled opcodes take more space than the original . But I still had enough space for the devirtualized code in the original address because of the surrounding macros. devirtualizeme_tmd_2.4.6.0_fish32.devirtualize.clean.exe.7z devirtualizeme_tmd_2.4.6.0_fish64.devirtualize.clean.exe.7z

Chances are that first packet, because your on a TCP/IP network is a broadcast for the MAC address if its not already been found and cached? But you should be able to confirm this by pinging the device and sniffing the packets... Ted.

Well, you found the line where it crashes but the problem is much deeper. It's caused by pointers and memory reallocation. Something like this: Line 117: if FileToBytes(szFilePath, bFile) then // allocates a memory for TByteArray Line 134: IID := @bFile[dwIATPos]; // IID is a pointer into current TByteArray Line 145: SetLength(bFile, Length(bFile) + dwSize); // resizes TByteArray, memory is not reallocated yet Line 148: CopyMemory(@bFile[dwPos], @Imports.szLibName[1], Length(Imports.szLibName)); // first write into resized array, Delphi memory manager reallocates memory. IID is a pointer into garbage now. Line 149: IID.Name := OffsetToRVA(dwPos, ISH.VirtualAddress, ISH.PointerToRawData); // crash! Your code is quite a mess, so it's hard to give a suggestion how to fix it properly. I'd try avoid using pointers into bFile at all costs. Cheers, kao.

The target has a license server that collects minimal, anonymized information about the launch. Information about debugger detections, code integrity violations, launches in virtual environment, etc. is also transmitted to the license server. Most likely, you simply did not reach the point where the application would display a MessageBox with a message about detecting a debugger. The debugger was detected by 3 out of 3 methods, ScyllaHide was unable to deceive any of them. The screenshot shows the log of your last target launch.