Leaderboard
Popular Content
Showing content with the highest reputation since 07/12/2025 in all areas
-
Hey guys! I'm iced, a passionate student from Bosnia who's really into reverse engineering. I decided to join Tuts4You to expand my knowledge and trade insights with people who are way better than me. I'm also a friend of @0xret2win and he suggested I join the site and try to tackle a couple of the nice crackmes posted here. Also I don't think the guy who made this applied full protection settings. Anyways, upon investigating this target I found two interesting calls (not entirely sure if I should do step-by-step, since if you follow "MessageBoxA" in ret and stack you will eventually get to the same place I got):

"vmp-licensing-test.vmp.exe"+A19CAE - E8 B9CB60FF - call "vmp-licensing-test.vmp.exe"+2686C
This is upon hitting "VMProtectGetCurrentHWID". RAX => 29

"vmp-licensing-test.vmp.exe"+A19C9C - E8 2550ABFF - call "vmp-licensing-test.vmp.exe"+4CECC6
This is upon hitting "VMProtectSetSerialNumber". RAX => 20

Using x64dbg:
00007FF665759CAE | E8 B9CB60FF | call vmp-licensing-test.vmp.7FF664D6686C | -> VMProtectGetCurrentHWID
00007FF665759C9C | E8 2550ABFF | call vmp-licensing-test.vmp.7FF66520ECC6 | -> VMProtectSetSerialNumber
5 points
-
I'm trying to learn the bypass technique with shfolder.dll, but I can't find any complete information. Can anyone help me?
2 points
-
83,475 downloads
A collection of tutorials aimed particularly at newbie reverse engineers.
01. Olly + assembler + patching a basic reverseme
02. Keyfiling the reverseme + assembler
03. Basic nag removal + header problems
04. Basic + aesthetic patching
05. Comparing on changes in cond jumps, animate over/in, breakpoints
06. "The plain stupid patching method", searching for textstrings
07. Intermediate level patching, Kanal in PEiD
08. Debugging with W32Dasm, RVA, VA and offset, using LordPE as a hexeditor
09. Explaining the Visual Basic concept, introduction to SmartCheck and configuration
10. Continued reversing techniques in VB, use of decompilers and a basic anti-anti-trick
11. Intermediate patching using Olly's "pane window"
12. Guiding a program by multiple patching
13. The use of APIs in software, avoiding doublechecking tricks
14. More difficult schemes and an introduction to inline patching
15. How to study behaviour in the code, continued inlining using a pointer
16. Reversing using resources
17. Insights and practice in basic (self)keygenning
18. Diversion code, encryption/decryption, selfmodifying code and polymorphism
19. Debugger detected and anti-anti-techniques
20. Packers and protectors: an introduction
21. Imports rebuilding
22. API Redirection
23. Stolen bytes
24. Patching at runtime using loaders from lena151 original
25. Continued patching at runtime & unpacking armadillo standard protection
26. Machine specific loaders, unpacking & debugging armadillo
27. tElock + advanced patching
28. Bypassing & killing server checks
29. Killing & inlining a more difficult server check
30. SFX, Run Trace & more advanced string searching
31. Delphi in Olly & DeDe
32. Author tricks, HIEW & approaches in inline patching
33. The FPU, integrity checks & loader versus patcher
34. Reversing techniques in packed software & a S&R loader for ASProtect
35. Inlining inside polymorphic code
36. Keygenning
37. In-depth unpacking & anti-anti-debugging a combination packer / protector
38. Unpacking continued & debugger detection by DLLs and TLS
39. Inlining a blowfish scheme in a packed & CRC protected dll + unpacking Asprotect SKE 2.2
40. Obfuscation and algorithm hiding
2 points
-
https://www.techrepublic.com/forums/discussions/here-are-25-reasons-why-windows-is-not-a-virus/
1 point
-
Hi all, this is my analysis of GanDiao.sys, an ancient kernel driver based malware. It only works in WinXP as it is unsigned. This driver was used by various malware families and it allowed any userland application to kill other protected processes. This doc also includes a custom userland app source code to use GanDiao and test its capabilities.
ENGLiSH VERSiON: http://lucadamico.dev/papers/malware_analysis/GanDiao.pdf
iTALiAN VERSiON: https://www.lucadamico.dev/papers/malware_analysis/GanDiao_ITA.pdf
As usual, I'm also attaching both PDF files here, just in case. Enjoy.
GanDiao.pdf
GanDiao_ITA.pdf
1 point
-
Was the driver itself malware? Also, is there a way to disable all protection by default?
1 point
-
Resolve field with declaring type containing generic parameter

FieldDef dnlibfield = instructions[i].Operand as FieldDef;
if (!dnlibfield.DeclaringType.ContainsGenericParameter)
    field = assembly.ManifestModule.ResolveField(dnlibfield.MDToken.ToInt32());
else
{
    // here is the problem:
    Type declType = assembly.ManifestModule.ResolveType(dnlibfield.DeclaringType.MDToken.ToInt32());
}

So how do I use dnlib to resolve a declaring type containing a generic parameter???

public virtual System.Reflection.FieldInfo? ResolveField(int metadataToken, Type[]? genericTypeArguments, Type[]? genericMethodArguments);
https://learn.microsoft.com/en-us/dotnet/api/system.reflection.module.resolvefield?view=net-9.0#system-reflection-module-resolvefield(system-int32-system-type()-system-type())
1 point
-
Just find MrExodia's src he shared some years ago and update it for the new enigma versions.
1 point
-
Fully unpacked V3:
So I noticed that the dll and the executable are both protected with .NET Reactor. The dll has 5 virtualized methods. The purpose of that is probably to prevent people from cracking the unpackme. Since this is not a crackme, I have decided to fully unpack it because I have a lot of free time to do it. I just dragged the files to my deobfuscator, so I'll just explain the steps of what my deobfuscator did to deobfuscate the contents of the unpackme.

1. Get rid of the code flow obfuscation. You can use Hussaryn/NET-Reactor-Cflow-Cleaner-6.7.0.0 since this one is updated. I haven't tested this one though, so I am not sure.
2. Detect necrobit and read encrypted method bodies in resources. The method bodies are stored in resources and the decryption routine has a part in the code that has a randomly generated mutation. The trick to that is using a CIL emulator. I use DNEmulator, but the repository is gone. I think the de4dot emulator is good enough for this one.
3. Do step 1 again since it might have control flow obfuscation applied to some methods. You could also read this blog and use reflection to get the decrypted method bodies. It is explained where .NET Reactor stores its decrypted method bodies. But I am not a fan of using reflection, so I don't want that. I guess this should work on most unpackmes but not all since it is lacking something.
4. Detect obfuscated ldtokens. The obfuscated token is not really obfuscated. It is just stored as an integer and some function resolves the token and returns the runtimetypehandle of that.
5. Detect and devirtualize virtualized functions. I learned a lot from @TobitoFatito's explanation. The Instruction Set Architecture of the .NET Reactor VM is almost the same as .NET CIL. So it should be easy to understand the VM if you already understand .NET CIL.
6. Do step 1 again since it might have control flow obfuscation applied to some devirtualized methods.
7. Detect and decrypt string encryption. The decryption routine is similar to the necrobit decryption routine and the encrypted string data is stored in resources. Once the resource data is decrypted, you can find the calls that are using the decryption method and get the string data by acquiring the first argument and using that to go to the offset of the decrypted data, then read the first 4 bytes and convert them to int32 to get the string length. Then read the string data after the string length data.
8. Detect and decrypt resource encryption. The resources have more than one decryption mode and are also compressed. I think the method that de4dot uses for this one still works. Code: ResourceResolver.cs
9. Use de4dot to clean the rest and fix names.

Files:
WindowsFormsApplication41-Deobfuscated-cleaned.exe
WindowsFormsApplication41yippi-Deobfuscated-cleaned.dll
1 point
-
230 downloads
Hooking is the practice of redirecting the flow of a program, causing it to execute a code cave or a function in an injected module in place of another piece of code. In this tutorial, I will cover a method of hooking known as IAT (Import Address Table) Hooking. IAT Hooking is a 4 step process (I assume you are able to inject the attacking DLL on your own).
1 point
-
[unpackme] Agile.NET unpack me
Agile.NET 6.2.0.16
AgileNETUnpackMe.zip
1 point
-
It works with the following code, thanks!

// Reads the method body RVA straight from the MethodDef row of the metadata tables;
// the pointer dereference requires an unsafe context.
static unsafe int GetRVA(MethodBase mb)
{
    var mdInfo = MetadataInfo.GetMetadataInfo(mb.Module);
    int table = mb.MetadataToken >> 24;       // table index is the top byte of the token
    int rid = mb.MetadataToken & 0xffffff;    // row id is the low 24 bits
    mdInfo.MetaDataTables.GetRow((uint)table, (uint)rid, out var ppRow);
    return *(int*)ppRow;                      // RVA is the first column of a MethodDef row
}
1 point