Leaderboard
Popular Content
Showing content with the highest reputation since 06/29/2025 in all areas
-
...because cloning git repo, or just clicking on anonfiles.com_d1D7M7q9z4_vmpsrc.zip is so f*ing complicated. You don't need VMProtect sources. What you need is a basic understanding of this magical thing called "the internet".5 points
-
3.9.5 changes the protection against unpacking and has improved anti-debug. From that leak, all unpacking and a critical vulnerability before 3.9.2 allowed changing the serial of a VMP license to the Ultimate version in memory. 3 points
-
On the 000000014000838B 0, 1, 2, 3 8, 9, A, B, C, D, 6, 7 -

0000000140008BD4 | 8B4424 20 | mov eax,dword ptr ss:[rsp+20]
0000000140008BD8 | FFC0 | inc eax
0000000140008BDA | 894424 20 | mov dword ptr ss:[rsp+20],eax
0000000140008BDE | E9 07070000 | jmp crackme123.1400092EA

0000000140008A16 | 8B4424 30 | mov eax,dword ptr ss:[rsp+30]
0000000140008A1A | FFC0 | inc eax
0000000140008A1C | 894424 30 | mov dword ptr ss:[rsp+30],eax
0000000140008A20 | 837C24 30 04 | cmp dword ptr ss:[rsp+30],4
0000000140008A25 | 0F8D A9010000 | jge crackme123.140008BD4
0000000140008A2B | 8B4424 24 | mov eax,dword ptr ss:[rsp+24]
0000000140008A2F | 99 | cdq
0000000140008A30 | 83E2 03 | and edx,3
0000000140008A33 | 03C2 | add eax,edx
0000000140008A35 | 83E0 03 | and eax,3
0000000140008A38 | 2BC2 | sub eax,edx
0000000140008A3A | 898424 80000000 | mov dword ptr ss:[rsp+80],eax
0000000140008A41 | 83BC24 80000000 00 | cmp dword ptr ss:[rsp+80],0
0000000140008A49 | 74 2B | je crackme123.140008A76
0000000140008A4B | 83BC24 80000000 01 | cmp dword ptr ss:[rsp+80],1
0000000140008A53 | 74 60 | je crackme123.140008AB5
0000000140008A55 | 83BC24 80000000 02 | cmp dword ptr ss:[rsp+80],2
0000000140008A5D | 0F84 90000000 | je crackme123.140008AF3
0000000140008A63 | 83BC24 80000000 03 | cmp dword ptr ss:[rsp+80],3
0000000140008A6B | 0F84 C3000000 | je crackme123.140008B34
0000000140008A71 | E9 0B010000 | jmp crackme123.140008B81
0000000140008A76 | 8B4424 30 | mov eax,dword ptr ss:[rsp+30]
0000000140008A7A | D1E0 | shl eax,1
0000000140008A7C | 48:98 | cdqe
0000000140008A7E | 48:898424 E8010000 | mov qword ptr ss:[rsp+1E8],rax
0000000140008A86 | 48:8D8C24 98000000 | lea rcx,qword ptr ss:[rsp+98]
0000000140008A8E | E8 0DEDFFFF | call crackme123.1400077A0

so I don't have any idea where the password test is made... 2 points
-
congrats @CreateAndInject, here is the source incl. refs @ --limited time download, expired-- 2 points
-
They have fixed the source leak in vmp 3.95, so back to the drawing board. Also 3.8 had a memory leaking issue, which I haven't checked to see if it's been fixed. 2 points
-
wow! someone is cheating with us here! (sneaky snitch) 2nd time https://www.sendspace.com/file/51jvil 2 points
-
View File crackme123
A "Crack Me" challenge created by lord "Voksi", a well known person in the "warez" scene. And no, this challenge is not uploaded by "Voksi" himself, it's uploaded via a proxy which is myself, an old friend of "Voksi".
GOAL: Obtain the correct key
Greetings to MasterBootRecord, Voksi, FJLJ, and also a few others, you know who you are ❤️
Submitter casualPerson
Submitted 07/04/2025
Category CrackMe
1 point
-
It is a 64-bit file, so I load the file in x64dbg. The code that prints "Incorrect password:":

000000014000593E | E8 FDBCFFFF | call crackme123.140001640
0000000140005943 | 48:894424 48 | mov qword ptr ss:[rsp+48],rax
0000000140005948 | 48:8D15 81CFF | lea rdx,qword ptr ds:[1400028D0]
000000014000594F | 48:8B4C24 48 | mov rcx,qword ptr ss:[rsp+48]
0000000140005954 | E8 97E4FFFF | call crackme123.140003DF0
0000000140005959 | 48:83C4 78 | add rsp,78
000000014000595D | C3 | ret

called from here:

000000014000838B | 8B4424 20 | mov eax,dword ptr ss:[rsp+20]
000000014000838F | 898424 B80000 | mov dword ptr ss:[rsp+B8],eax
0000000140008396 | 83BC24 B80000 | cmp dword ptr ss:[rsp+B8],31 | 31:'1'
000000014000839E | 0F87 3C0F0000 | ja crackme123.1400092E0
00000001400083A4 | 48:638424 B80 | movsxd rax,dword ptr ss:[rsp+B8]
00000001400083AC | 48:8D0D 4D7CF | lea rcx,qword ptr ds:[140000000]
00000001400083B3 | 8B8481 B09300 | mov eax,dword ptr ds:[rcx+rax*4+93B0]
00000001400083BA | 48:03C1 | add rax,rcx
00000001400083BD | FFE0 | jmp rax

but I don't know which is the proper valid value of dword ptr ss:[rsp+B8]. 1 point
-
Version v0.7 FIXED FINAL
274 downloads
============================
AT4RE Power Loader v0.1 (Release Date: 26/03/2025)
============================
[+] Console interface
[+] Loader coded in C++ with CRT (big size: 85 KB when compressed, about 190 KB uncompressed).
[+] Supports patching single or multiple Relative Virtual Addresses (RVAs).

Root Folder Contents:
[+] ATPL.EXE (AT4RE Power Loader)
[+] Version History.txt

============================
AT4RE Power Loader v0.2 (Release Date: 16/04/2025)
============================
The most powerful loader against strong and hard protectors. It also works with medium-level protectors, packers, compressors, and even unprotected executable files.

Main Features:
[+] GUI coded in Borland Delphi 7
[+] From the GUI, you can browse to select the target file (maximum filename length is 255 characters).
[+] You can also copy and paste the file name into the input field.
[+] Choose between x32 and x64 loader versions.
[+] Loader data can be entered only in the format shown in the field or in the screenshot.
[+] Set a base timeout in milliseconds (Minimum: 00, Maximum: 9999, i.e., 9.99 seconds).
[+] Set 1-byte opcodes in the Opcode field using HEX characters (Opcode is the original first byte of RVA1).
[+] Configure Opcode Timeout in milliseconds (Minimum: 00, Maximum: 9999, i.e., 9.99 seconds).
[+] Set the Loader Timer Delay in microseconds (Min: 00, Max: 9,999,999, i.e., 9.99 seconds).
[+] Configure the loader to start as Administrator.
[+] Directly pack the loader with UPX.
[+] Generate Loader.exe
[+] Save or open projects for future use from the File menu.
[+] Set the GUI to "most on top" from the View menu.
[+] Access the official website, report bugs, and find more information via About in the Help menu.

Loader Details:
[+] Coded in C++ using the pure Windows API.
[+] Loader size is 10 KB uncompressed, and 5 KB when compressed.
[+] Supports Windows 7, 8, 10, and 11 (both x32 and x64).

Features include:
[+] Anti-ASLR
[+] Anti-Anti-Debug
[+] Anti-CRC Check
[+] Automatically detects the base address.
[+] Detects when the protector unpacks code into memory.
[+] Can apply temporary patches after a specified delay in microseconds (patch and restore original bytes).
[+] Can apply permanent patches only with the 00 flag.
[+] Supports patching single or multiple Relative Virtual Addresses (RVAs).
[+] Capable of patching up to 2048 bytes.
[+] Can run as Administrator or in normal user mode.

Root Folder Contents:
[+] Project folder (Save or open projects for future use)
[+] UPX folder (includes upx32.exe and upx64.exe)
[+] ATPL.EXE (AT4RE Power Loader)
[+] Version History.txt

============================
AT4RE Power Loader v0.3 (Release Date: 10/05/2025)
============================
The most powerful loader against strong and hard protectors. It also works with medium-level protectors, packers, compressors, and even unprotected executable files.

Main Features:
[+] Added support for patching DLLs (only DLLs loaded by Target.exe).
[+] Added Drag & Drop feature: for .EXE, .REG, .ICO files.
[+] Added Insert Loader Data feature (to respect the correct format).
[+] Added Registry Keys Manager (max size: 1 KB / 1024 characters).
[+] Added Delete Files feature (max size: 1 KB / 1024 characters).
[+] Added Icon Changer.
[+] Added New Project option from the File menu (clears all fields).
[+] Added command shortcuts Ctrl+N, Ctrl+O, Ctrl+S in the File menu.
[+] Added Contact Us section from the Help menu.
[+] Updated About in the Help menu from a box to a form.
[+] Updated display fonts for Loader Data, Registry, and Files.
[-] Removed "My Target run as admin".

Loader Details:
[+] Size is now 17 KB uncompressed, 7 KB when compressed.
[+] Loader now supports patching DLLs (only DLLs loaded by Target.exe).
[+] Loader can now add or delete registry keys.
[+] Loader can delete files.
[+] Automatically requests Run as Administrator when needed (e.g., the target needs administrator privilege, modifying the registry or deleting files from protected folders).
[+] Icon support added.

Root Folder Contents:
[+] Icons folder (includes 5 icons).
[+] Lib folder (includes bass.dll).
[+] Project folder (Save or open projects for future use).
[+] ResH folder (includes ResHacker.exe).
[+] UPX folder (includes upx32.exe and upx64.exe).
[+] ATPL.EXE (AT4RE Power Loader).
[+] Version History.txt

============================
AT4RE Power Loader v0.4 (Release Date: 16/05/2025)
============================
The most powerful loader against strong and hard protectors. It also works with medium-level protectors, packers, compressors, and even unprotected executable files.

Main Features:
[+] Added Import menu.
[+] Added support for .1337 patch files exported by x64dbg.
[+] Opcode is set automatically when loading a .1337 file.
[+] Added OpenDialog when double-clicking on:
    - Target Name field.
    - Loader Data field.
    - Registry field.
    - Custom icon field.

Loader Details:
[+] Fixed bug with registry feature.
[+] Default icon changed.
[+] Compressed loader with default icon: 8 KB.

Root Folder Contents:
[+] Icons folder (includes 5 icons).
[+] Lib folder (includes bass.dll).
[+] Project folder (Save or open projects for future use).
[+] ResH folder (includes ResHacker.exe).
[+] UPX folder (includes upx32.exe and upx64.exe).
[+] ATPL.EXE (AT4RE Power Loader).
[+] Version History.txt
1 point
-
View File .NET Reactor v7.3 (Embedded DLLs)
File protected by .NET Reactor v7.3 with Code Virtualization enabled. By nature the application uses Dependency Injection (this time heavily developed); the 3rd party files are embedded in the main exe (see shot2), and in addition System.Data.SQLite.dll lies next to the application. Find the registration combination and reply with the success message!
Custom antidebugger
Submitter whoknows
Submitted 06/26/2025
Category UnPackMe (.NET)
1 point
-
17 downloads
A "Crack Me" challenge created by lord "Voksi", a well known person in the "warez" scene. And no, this challenge is not uploaded by "Voksi" himself, it's uploaded via a proxy which is myself, an old friend of "Voksi".
GOAL: Obtain the correct key
Greetings to MasterBootRecord, Voksi, FJLJ, and also a few others, you know who you are ❤️
1 point
-
Which compiler do you use? Can you send it again, but with the original compiler output file? 1 point
-
https://github.com/jmpoep/vmprotect-3.5.1.git - DMCA
https://huihui.cat/mirrors/vmprotect-3.5.1 - There are download options but they all hang
https://git.nadeko.net/Fijxu/vmprotect-source - No options to download
https://pixeldrain.com/u/fKn1dZqK - too many connections. I tried for a few days
1 point
-
there are 3 options above, which one failed for you? how about trying the others.... 1 point
-
This project is mirrored from https://github.com/jmpoep/vmprotect-3.5.1.git.
https://huihui.cat/mirrors/vmprotect-3.5.1
https://git.nadeko.net/Fijxu/vmprotect-source
(someone is fighting and DMCA-ing (removing) all VMP related repos on github!)
and a downloadable copy https://pixeldrain.com/u/fKn1dZqK
1 point
-
Version 0.0.9.1
1,041 downloads
If you need to view information about various EXE files, Exeinfo PE is a small tool that does exactly that. It can analyse EXE files and acquire detailed information about their properties, offering you the possibility to save overlays and create backups. The application is portable, so you don't need to install it, plus your Windows registry will remain unchanged. The simple interface has a plain window where you can drag and drop an EXE or DLL file, or load it via the built-in file browser. Then the application will display the file size, file offset, entry point, linker information, EP section, sub-system and overlay. Furthermore, you can also insert HEX data to analyse BIN information. A section viewer can be opened, where users can see every virtual offset and size, flags, name, RAW data offset and size, first bytes and section status. Header information is also available, such as security, debug, exception, TLS table, size of headers, number of directories and so on. The application can be set to perform a fast scan from the Options menu. Moreover, from the same place, you can configure Exeinfo PE to ignore EXE errors, set it to be always on top, choose the big interface or integrate it into the shell.
Plugins: https://github.com/ExeinfoASL/plugins
Support Topic: https://forum.tuts4you.com/topic/8412-exeinfo-pe/
1 point
-
Among the anti-debug techniques, there's an interesting one worth noting. A dummy thread is created and then it calls Sleep(0x32). (The goal is for the created thread to be detected by tools like x64dbg.) Then, it calls NtQueryObject with the ObjectBasicInformation class using the thread handle. If the returned HandleCount is greater than 1, it determines that debugging is in progress.

#include <windows.h>
#include <winternl.h>   // NtQueryObject, PUBLIC_OBJECT_BASIC_INFORMATION, ObjectBasicInformation
#include <iostream>
#pragma comment(lib, "ntdll.lib")

// Thread body: only needs to stay alive while the handle count is queried.
DWORD WINAPI dummy(LPVOID)
{
    Sleep(8000);
    return 0;
}

bool CheckCreateThreadHandleCount()
{
    HANDLE hThread = CreateThread(NULL, 0, dummy, NULL, 0, NULL);
    if (hThread == NULL) {
        return false;
    }

    // Give an attached debugger time to notice the new thread and open its own handle to it.
    Sleep(0x32);

    PUBLIC_OBJECT_BASIC_INFORMATION objInfo;
    NTSTATUS status = NtQueryObject(hThread, ObjectBasicInformation, &objInfo, sizeof(objInfo), NULL);
    if (!NT_SUCCESS(status)) {
        CloseHandle(hThread);
        return false;
    }

    std::cout << "Handle Count: " << objInfo.HandleCount << std::endl;

    // Only our own handle should exist; an extra one means something else (a debugger) holds the thread open.
    if (objInfo.HandleCount > 1) {
        CloseHandle(hThread);
        return true;
    }

    CloseHandle(hThread);
    return false;
}

1 point
-
I once posted it in a Chinese forum; you can visit it at https://www.52pojie.cn/thread-762832-1-1.html via Google Translate. I try my best to introduce it in English:
1. Download x64dbg and download the symbol file of clr.dll (mscorwks.dll if the runtime is .NET 2.0~3.5).
2. Set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run.
3. Use MegaDumper (I use my ExtremeDumper based on codecracker's MegaDumper, https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program breaks at "SystemDomain::ExecuteMainMethod".
4. Fix the PE header, and maybe you should also fix the .NET header.
This way is more complex than using MegaDumper only and directly dumping the assembly. But if the assembly is packed with a native stub and protected with anti-dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies. If you cannot understand it, you can reply to me. Best wishes. 1 point
-
4n4lDetector 3.0.0
Download: https://github.com/4n0nym0us/4n4lDetector/releases/tag/v3.0

[+] The function search code for "Import Table" and "Call Api By Name" has been optimized.
[+] A general optimization has been performed with one of the largest buffers in memory; this positively affects the stability and speed of the general analysis.
[+] The size of the file to be analyzed has been increased by default to 50MB.
[+] An optimization has been made in the search engine for the "Show Offsets" option and in the handling of buffers.
[+] Searches for generic malware terms, different types of exploitation, APTs and terminologies that may affect the State in "4n4l.Rules" have been included.
[+] A cleaning of null bytes 0x00 is performed in the variable where the report is stored to avoid bugs in the output of the text box of the main form.
[+] The tool interface takes on a darker base tone.
[+] A donation button via (PAYPAL) has been included since I have finally decided to continue with the project publicly for everyone.
[+] A bug was fixed in which false functions could be included in the "Export Table" list by carving.
[+] The Interest's Words module includes new internal words for the tool, for ansi and unicode.
[+] A bug in the web view was fixed that could aesthetically affect the view of the Interest's Words module statement.
[+] Optimizations were made in the Known IP/Domains module for ansi and unicode.
[+] New search syntaxes were included in the "Intelligent Strings" module to increase interesting results.
    -> Internal cleanup syntaxes were added to show more stylized results.
    -> An optimization has been made with a direct impact on the variables used in this module.
[+] A more selective cleaning of the extracted URLs is performed:
    -> URLs with extensions in the context of PKI digital certificates are reconstructed.
    -> Htm extensions are reconstructed.
    -> ".com" domain endings are cleaned.
    -> Possible HTML code cleaning is performed.
[+] A progression system based on medals has been included.
    -> Brown Padawan Medal, Bronze Medal, Silver Medal, Gold Medal and Platinum Medal.
    -> The process can be slow, don't despair... because it's worth it.
    -> These medals will be earned as you use the tool over the course of days, weeks, months and consequently their functionality will also increase progressively.
    -> The medals will only work on the work machine on which they have been earned; if you want to make it work on another machine of yours, try it yourself (You're a hacker, right?).
    -> The features or surprises that come with leveling up are not included in this file, although you can review them in the "Settings" section of the tool.
1 point
-
Correct key is The correct key can be obtained at runtime. It is not necessary to deal with any of the protection features mentioned. It can be found by hooking and monitoring the arguments passed to / return value of any of the push, pop functions defined in guillotine.pyd. These values are all PyObjects, hence interacting with the CPython API is necessary to log them to stdout. Essentially, tracing the operations of the VM will reveal the key when it compares the user input with the correct key. I'll probably do a mini write-up in the future if I get time. 1 point
-
Hi HuD_HuD
ModuleToAssembly 1.0 https://forum.tuts4you.com/topic/30789-moduletoassembly-10
Universal Fixer https://forum.tuts4you.com/topic/25376-universal-fixer
ConfuserEx tools: https://forum.tuts4you.com/topic/37076-confuserexswitchkiller/?do=findComment&comment=187480
1 point
-
@HuD_HuD:
[.NET]实战UnpackMe.mp4: https://mega.nz/file/l9YSXSiI#NEdJ6JAiFPHeQRdUbdemIG78PrIHGTWhr-A5FfYydGo
使用x64dbg暴打非托管强壳.mp4: https://mega.nz/file/tk4EELiK#H0iIReUyl6RWeURvMEOBlzodzJTW7gerao6Ie8ROPWw
Same request as before - please do not abuse those links. It's a free MEGA account and has limited traffic available. 1 point
-
The KeygenMe, or more appropriately a CrackMe (since it accepts just a single key), is protected with virtualization-based obfuscation. This mini writeup describes a way to obtain the correct key without devirtualization.

I - First Steps

There are two files - main.py & LicenseChecker.py, of which the latter is additionally minified. To improve readability we can run the file through a beautifier like black to get the following code.

https://gist.github.com/extremecoders-re/35cb06674676afdcf85bd19d0793d6cc

II - Overview

The list variable C holds the bytecode for the VM.

C=[82,26,95,26,95,26,105, .... snip.... ,571,84,572,84,393,129,3,101,84,103,84,573,76,1,134]

The dictionary variable W near the end contains the mappings from the instruction opcode to the corresponding handlers. There are 70 handlers, which implies there are the same number of instructions.

W = {
    10: A0,
    179: f,
    36: AT,
    168: g,
    # ... snip ...
    162: A9,
    113: A6,
    197: c,
    215: AI,
}

The while loop at the end is the VM fetch-decode-execute loop.

while B.a < L(C):
    try:
        W[C[B.a]]()
    except Z as X:
        A = [X]
        if not G:
            raise X
        P, Ag = G.pop()
        while F:
            Ah, Ai, Aj = F and F[-1] or (0, 0, 0)
            if Ah <= P:
                break
            F.pop()
        B.a = P + Ag
    B.a += 1

There is a similar loop in one of the handlers, AW, which implies this must be implementing function calls.

III - Simplifying the VM

The VM supports 70 instructions, but not all of them are used. Hence we can remove the unused handlers to simplify the code. This can be done manually in a trial-and-error way, or we can automate it by logging which handlers execute and removing the others. Eventually we are left with 18 handlers, which after renaming are as follows.
W = {
    2: h2,
    19: h19,
    26: h26,
    33: h33,
    41: h41,
    76: h76,
    82: h82,
    84: h84,
    88: h88,
    101: h101,
    109: h109,
    112: h112,
    113: h113,
    117: h117,
    129: h129,
    131: h131,
    134: h134,
    139: h139,
}

Full simplified code: https://gist.github.com/extremecoders-re/8962f5faefcd714ce5336461fe670c06

IV - Tracing the VMCALL instruction

With 18 handlers left we can now trace the VM. An important thing to note is that the obfuscator must have a way to call non-obfuscated external functions, such as those from the standard library. If we log the external functions it calls, the logic of the crackme becomes clear. The instruction with opcode 76 implements the VMCALL instruction.

def h76():
    vmctx.pc += 1
    E = G.copy()
    D = bc[vmctx.pc]
    F = A.pop() if D & 1 else ()
    H = A.pop() if D & 2 else {}
    I = A.pop()(*(F), **H)
    J = G.copy()
    E == J and A.append(I)

We can introduce a logging statement just before the call, as shown below.

def h76():
    vmctx.pc += 1
    E = G.copy()
    D = bc[vmctx.pc]
    F = A.pop() if D & 1 else ()
    H = A.pop() if D & 2 else {}
    # Logging the external function name and arguments
    print(A[-1].__name__, F, H)
    I = A.pop()(*(F), **H)
    J = G.copy()
    E == J and A.append(I)

V - Retrieving the correct key

Running with the serial and the VMCALL logging in place

verify("ABCDE-FGHIJ-KLMNO-PQRST-UVWXY")

we get a trace, of which the important parts are shown below.
getitem (['ABCDE', 'FGHIJ', 'KLMNO', 'PQRST', 'UVWXY'], 0) {}
getattr ('ABCDE', 'encode') {}
encode () {}
getattr (<module 'hashlib' from '/usr/lib/python3.10/hashlib.py'>, 'md5') {}
openssl_md5 (b'ABCDE',) {}
getattr (<md5 _hashlib.HASH object @ 0x7f335f0850f0>, 'digest') {}
digest () {}
list ((253, 101, 190, 39, 10, 139, 237, 181, 248, 22, 251, 138, 86, 113, 116, 52),) {}
bytes ([253, 101, 190, 39, 10, 139, 237, 181, 248, 22, 251, 138, 86, 113, 116, 52],) {}
eq (b'.\xcd\xde9Y\x05\x1d\x91?a\xb1Ey\xea\x13m', b"\xfde\xbe'\n\x8b\xed\xb5\xf8\x16\xfb\x8aVqt4") {}
not_ (False,) {}

It calculates the md5 of the first word -> openssl_md5("ABCDE"), which is then compared to b"\xfde\xbe'\n\x8b\xed\xb5\xf8\x16\xfb\x8aVqt4". This can be converted to hex representation.

>>> print(b"\xfde\xbe'\n\x8b\xed\xb5\xf8\x16\xfb\x8aVqt4".hex())
fd65be270a8bedb5f816fb8a56717434

The MD5 hash can be reversed with any online tool such as https://hashes.com/en/decrypt/hash & https://crackstation.net/

The first word is thus CONGR. Re-running with the following key we get another trace.

verify("CONGR-FGHIJ-KLMNO-PQRST-UVWXY")

getitem (['CONGR', 'FGHIJ', 'KLMNO', 'PQRST', 'UVWXY'], 1) {}
getitem ('FGHIJ', 1) {}
eq ('G', 'T') {}

Here we see it taking the second word in the key, viz. FGHIJ, and comparing the second character in the word, G, with T. Thus the correct character at that place is T. Since it stops comparing further letters as soon as a mismatch is found, we can only recover the key character by character. However, there is a quicker way. We can override the result of the comparison to true such that all the checks are revealed at once. This can be done by a slight modification to the logging logic.
def h76():
    vmctx.pc += 1
    E = G.copy()
    D = bc[vmctx.pc]
    F = A.pop() if D & 1 else ()
    H = A.pop() if D & 2 else {}
    # Pop the callable in both branches so the VM stack stays balanced,
    # then log the external function name and arguments
    fn = A.pop()
    if fn.__name__ == "eq":
        print(fn.__name__, F, H)
        I = True
    else:
        I = fn(*(F), **H)
    J = G.copy()
    E == J and A.append(I)

Running once more with the same key as last time, we get the full trace below.

eq (29, 29) {}
eq (5, 5) {}
eq (5, 5) {}
eq (5, 5) {}
eq (5, 5) {}
eq (5, 5) {}
eq (5, 5) {}
eq (b"\xfde\xbe'\n\x8b\xed\xb5\xf8\x16\xfb\x8aVqt4", b"\xfde\xbe'\n\x8b\xed\xb5\xf8\x16\xfb\x8aVqt4") {}
eq ('G', 'T') {}
eq ('O', 'S') {}
eq ('Q', 'O') {}
eq ('J', 'A') {}
eq ('H', 'U') {}
eq ('R', 'H') {}
eq ('K', 'T') {}
eq ('S', 'F') {}
eq ('F', 'A') {}
eq ('L', 'I') {}
eq ('T', 'A') {}
eq ('M', 'O') {}
eq ('I', 'L') {}
eq ('N', 'N') {}
eq ('P', 'Q') {}
eq ('UYXWV', 'BHZQB') {}

From the equality checks we can retrieve the 2nd, 3rd and 4th words in the key. The 1st word has already been retrieved before from the MD5 reversing.

CONGR-ATULA-TIONS-QOHFA-UVWXY

The fifth word is, however, checked in a different way. The fifth word in the entered key was UVWXY. However, it is checking UYXWV against BHZQB.

U -> B
Y -> H
X -> Z
W -> Q
V -> B

UYXWV is a permutation of the original letters UVWXY. Thus we can simply undo the above mapping in the proper order to get the correct word, as shown below.

U -> B
V -> B
W -> Q
X -> Z
Y -> H

The correct last word is BBQZH, and thus the complete key: CONGR-ATULA-TIONS-QOHFA-BBQZH
1 point
-
145 downloads
Code obfuscation techniques are increasingly being used in software for such reasons as protecting trade secret algorithms from competitors and deterring license tampering by those wishing to use the software for free. However, these techniques have also grown in popularity in less legitimate areas, such as protecting malware from detection and reverse engineering. This work examines two such techniques, packing and virtualization-obfuscation, and presents new behavioral approaches to analysis that may be relevant to security analysts whose job it is to defend against malicious code. These approaches are robust against variations in obfuscation algorithms, such as changing encryption keys or virtual instruction byte code.

Packing refers to the process of encrypting or compressing an executable file. This process scrambles the bytes of the executable so that byte-signature matching algorithms commonly used by anti-virus programs are ineffective. Standard static analysis techniques are similarly ineffective, since the actual byte code of the program is hidden until after the program is executed. Dynamic analysis approaches exist, but are vulnerable to dynamic defenses. We detail a static analysis technique that starts by identifying the code used to "unpack" the executable, then uses this unpacker to generate the unpacked code in a form suitable for static analysis. Results show we are able to correctly unpack several encrypted and compressed malware, while still handling several dynamic defenses.

Virtualization-obfuscation is a technique that translates the original program into virtual instructions, then builds a customized virtual machine for these instructions. As with packing, the byte-signature of the original program is destroyed. Furthermore, static analysis of the obfuscated program reveals only the structure of the virtual machine, and dynamic analysis produces a dynamic trace where original program instructions are intermixed with, and often indistinguishable from, virtual machine instructions. We present a dynamic analysis approach whereby all instructions that affect the external behavior of the program are identified, thus building an approximation of the original program that is observationally equivalent. We achieve good results at both identifying instructions from the original program and eliminating instructions known to be part of the virtual machine.
1 point
-
@mdj:
使用x64dbg暴打非托管强壳.mp4 -> https://mega.nz/#!Y5JBTaCS!hJXzN5ssvUyRHW8VgpGxINEVrW1zJ2Up96vqqJVG5co
I can upload the second video tomorrow, if you need that too.
@all: Please be nice and don't abuse the link, it is a free Mega account and has traffic limitations.
使用x64dbg暴打非托管强壳.mp4
1 point
-
There is a script for OLLYDBG made by @GIV that also helps to unpack the anti-dump protected .NET files, and it is newbie friendly too. But this method which you described, I tested and it works well. Very nice explanation too. Thank you!!! 1 point
-
Version 1.12
2,197 downloads
This is a professional PE file explorer that lets you dig into all data directories available in the PE/PE64 file and edit them. Export, Import, Resource, Exception, Certificate (relies on Windows API), Base Relocation, Debug, TLS, Load Config, Bound Import, IAT, Delay Import and CLR are supported. Two companion plugins are also provided: FileInfo, to query the file in the well-known malware repositories and get one-click technical information about the file such as its size, entropy, attributes, hashes, version info and so on; and YaraPlugin, to test Yara rules against the opened file. Puppy is robust against malformed and crafted PE files, which makes it handy for reversers, malware researchers and those who want to inspect PE files in more detail. Puppy is free and tries to be small, fast, nimble and friendly as your puppy!
Website: https://www.mzrst.com/
1 point