Leaderboard

Hey guys! I’m iced, a passionate student from Bosnia who’s really into reverse engineering. I decided to join Tuts4You to expand my knowledge and trade insights with people who are way better than me.Im also a friend of @0xret2win and he suggested me to join site and try to tackle couple of nice crackmes posted here. Also i dont think the guy who made this applied full protection settings. Anyways upon investigating this target i found two interesting calls: ( Not entierly sure if i should do step-by-step since if you follow "MessageBoxA" in ret and stack you will eventually get to same place i got ) "vmp-licensing-test.vmp.exe"+A19CAE - E8 B9CB60FF - call "vmp-licensing-test.vmp.exe"+2686C This is upon hitting "VMProtectGetCurrentHWID". RAX => 29 "vmp-licensing-test.vmp.exe"+A19C9C - E8 2550ABFF - call "vmp-licensing-test.vmp.exe"+4CECC6 This is upon hitting on "VMProtectSetSerialNumber". RAX => 20 Using x64dbg : 00007FF665759CAE | E8 B9CB60FF | call vmp-licensing-test.vmp.7FF664D6686C | -> VMProtectGetCurrentHWID 00007FF665759C9C | E8 2550ABFF | call vmp-licensing-test.vmp.7FF66520ECC6 | -> VMProtectSetSerialNumber

I'm trying to learn the bypass technique with shfolder.dll, but I can't find any complete information, can anyone help me?

https://www.techrepublic.com/forums/discussions/here-are-25-reasons-why-windows-is-not-a-virus/

Hi all, this is my analysis of GanDiao.sys, an ancient kernel driver based malware. It only works in WinXP as it is unsigned. This driver was used by various malware families and it allowed any userland application to kill other protected processes. This doc also includes a custom userland app source code to use GanDiao and test its capabilities. ENGLiSH VERSiON: http://lucadamico.dev/papers/malware_analysis/GanDiao.pdf iTALiAN VERSiON: https://www.lucadamico.dev/papers/malware_analysis/GanDiao_ITA.pdf As usual, I'm also attaching both PDF files here, just in case. Enjoy. GanDiao.pdf GanDiao_ITA.pdf

Was the driver itself malware? Also, is there a way to disable all protection by default?

Resolve field with declaring type containing generic parameter FieldDef dnlibfield = instructions[i].Operand as FieldDef; if (!dnlibfield.DeclaringType.ContainsGenericParameter) field = assembly.ManifestModule.ResolveField(dnlibfield.MDToken.ToInt32()); else { // here is the problem: Type declType = assembly.ManifestModule.ResolveType(dnlibfield.DeclaringType.MDToken.ToInt32()); } So how do use dnlib to resolve declaring type containing generic parameter ??? public virtual System.Reflection.FieldInfo? ResolveField(int metadataToken, Type[]? genericTypeArguments, Type[]? genericMethodArguments); https://learn.microsoft.com/en-us/dotnet/api/system.reflection.module.resolvefield?view=net-9.0#system-reflection-module-resolvefield(system-int32-system-type()-system-type())

Just find MrExodia's src he shared some years ago and update it for the new enigma versions.

Fully unpacked V3: So I noticed that the dll and the executable are both protected with .NET Reactor. The dll has 5 virtualized methods. The purpose of that is probably to prevent people from cracking the unpackme. Since this is not a crackme, I have decided to fully unpack cuz I have a lot of free time to do it. I just dragged the files to my deobfuscator so I'll just explain the steps of what my deobfuscator did to deobfuscate the contents of the unpackme. 1. Get rid of the code flow obfuscation. You can use Hussaryn/NET-Reactor-Cflow-Cleaner-6.7.0.0 since this one is updated. I haven't tested this one though so I am not sure. 2. Detect necrobit and read encrypted method bodies in resources. The method bodies are stored in resources and the decryption routine has a part in the code that has a random generated mutation. The trick to that is using a CIL emulator. I use DNEmulator, but the repository is gone. I think De4dot emulator is good enough for this one. 3. Do step 1 again since it might have control flow obfuscation applied to some methods. You could also read this blog and use reflection to get the decrypted method bodies. It is explained where .NET Reactor stores its decrypted method bodies. But I am not a fan of using reflection, so I don't want that. I guess this should work on most unpackmes but not all since it is lacking something. 4. Detect obfuscated ldtokens. The obfuscated token is not really obfuscated. It is just stored as an integer and some function resolves the token and returns the runtimetypehandle of that. 5. Detect and devirtualize virtualized functions. I learned a lot from @TobitoFatito's explanation. The Instruction Set Architecture of .NET Reactor VM is almost the same as .NET CIL. So it should be easy to understand the VM if you already understand .NET CIL. 6. Do step 1 again since it might have control flow obfuscation applied to some devirtualized methods. 7. Detect and decrypt string encryption. The decryption routine is similar to necrobit decryption routine and the encrypted string data is stored in resources. Once the resources data is decrypted, you can find the calls that's using the decryption method and get the string data by acquiring the first argument and using that to go to the offset of the decrypted data and read the first 4 bytes and convert it to int32 to get the string length. Then read string data after the string length data. 8. Detect and decrypt resource encryption. The resources has more than 1 decryption mode and it is also compressed. I think the method that de4dot uses for this one still works. Code: ResourceResolver.cs 9. Use de4dot to clean the rest and fix names. Files: WindowsFormsApplication41-Deobfuscated-cleaned.exe WindowsFormsApplication41yippi-Deobfuscated-cleaned.dll

[unpackme] Agile.NET unpack me Agile.NET 6.2.0.16 AgileNETUnpackMe.zip

It works with the following code, thanks! static int GetRVA(MethodBase mb) { var mdInfo = MetadataInfo.GetMetadataInfo(mb.Module); int table = mb.MetadataToken >> 24; int rid = mb.MetadataToken & 0xffffff; mdInfo.MetaDataTables.GetRow((uint)table, (uint)rid, out var ppRow); return *(int*)ppRow; }