Leaderboard

Uploaded :)

Tutorial (Short version): The kgm does the following: 1) Looks for the file "duh!!.syk" in the same directory (folder), if not found, it loads showing one field only (badboy), else: 2) Reads the text line inside the file "duh!!.syk" & by using a simple (xor 0x40) with each character, result should read "TestingOurSync???", else (badboy) 3) Loads the full form showing both text fields (i.e: name & serial) & a check button. Now try: name: Chilling serial: o!h.$kLB[2E{(,YV;+X/]thj}H.(uCFT~1Wx2iWM;4T*)Y$S"1B.$wcS@J Click the check button & the kgm will: 4) Trims both strings, Base91 decodes the serial into: "26734308-=`~<-YAGAIV-2090603021-2C51325133CEA38" Checks to see if it has 5 parts (separated by "-"), else (badboy). More checks follow. 5) part1 must be 8 characters from "0123456789" 6) part2 must be 4 characters from "$+<=>|~" 7) part3 must be 6 characters from "ABCDEFGHIJKLMNOPQRSTUVWXYZ" 8) Build & check part4: a) Uppercase the constant "If I Only Knew" & add a null byte at start then SDBM Hash (Ozan Yigit) it (in reverse order): 0x57454E4B20594C4E4F204920464900 = 0x7D0BFCAF b) math: 0x7D0BFCAF xor 0x46 (a constant) = 0x7D0BFCE9 c) math: 0x7D0BFCE9 xor StrToInt(p1) 0x0197EEE4 = 0x7C9C120D d) IntToStr(0x7C9C120D) = "2090603021" <> p4 = "2090603021" 9) Check if trimmed name is 4 or more characters (kind of late), else bb 10) Let s1 be the result of joining: name + ' ' (space) + constant "Jalolo" ... "Chilling Jalolo" 11) Let s2 be the result of joining: s1 + constant "WhoamI?" ... "Chilling JaloloWhoamI?" 12) Generate a seed by applying same SDBM Hash method on s2 (uppercase, add a null byte at start, ...) to get: 0x3F494D414F48574F4C4F4C414A20474E494C4C49484300 = 0x0BE39B81 ... seed 13) Build & check part5: Using xxHash64 (Yann Collet), perform xxHash64(WideString(s1), Integer(seed)) = "2C51325133CEA38" <> to p5 If all goes well then (goodboy). Let me know if I've missed anything :) Other combinations: name: XorRanger's Go Figure Fixed!!! serial: Rz;aAkGuG3Xtlk>V;+/zV0Tj|H.(~*AShw`EwnLdR2<:9[ZXjDhb|v1X;Lc name: Happy New Year! serial: E2wbCkcMh2E{(v$M)L!cgvY0|HS*SCBSn!IbLm?R$J+BD+gSzwIzml&M7Ia kg.7z

Solved it already. Thanks to all for the help.

Just give me the binary

X0rby what ai engine used to get this code? Haven't tried your code yet will try it asap. Looks very clean and simple. Fixed my code from Hex-ray and this is the decompiled working ok code: Obfuscate_Data(uint8_t* input, uint8_t* output) { int v2; uint8_t buffer[12]; uint8_t* output_1; int v5; int i; uint8_t v7; uint8_t v8; uint8_t v9; uint8_t n117_1; int n12; uint8_t* v12; uint8_t v13; uint32_t internal_state; uint8_t state; uint8_t table_var; uint32_t table[11]; buffer[0] = input[1]; HIBYTE(table[4]) = *input; buffer[4] = input[2]; BYTE2(table[3]) = buffer[0]; buffer[0] = input[3]; BYTE1(table[5]) = buffer[4]; buffer[4] = input[4]; BYTE1(table[4]) = buffer[0]; buffer[0] = input[5]; HIBYTE(table[3]) = buffer[4]; buffer[4] = input[6]; LOBYTE(table[5]) = buffer[0]; buffer[0] = input[7]; LOBYTE(table[3]) = buffer[4]; buffer[4] = input[8]; BYTE2(table[4]) = buffer[0]; buffer[0] = input[9]; output_1 = output; LOBYTE(table[4]) = buffer[4]; BYTE1(table[3]) = buffer[0]; table[0] = 0x6F6D6564; table[1] = 0x4F4D4544; table[2] = 0x45444F4D; table_var = 0xEA; internal_state = 0; v2 = 0; for (i = 0; i < 10; ++i) { v7 = *((_BYTE*)&table[3] + i); v8 = v7 * (i + 1); LOBYTE(internal_state) = v8 + internal_state; v9 = BYTE1(internal_state) - v8; BYTE2(internal_state) += v7 * (i + 56); BYTE1(internal_state) -= v8; } n117_1 = table_var; BYTE2(table[5]) = LOBYTE(table[3]) * internal_state; HIBYTE(table[5]) = (LOBYTE(table[3]) * internal_state) ^ v9; state = (BYTE2(internal_state) ^ (HIBYTE(table[5]) + 1)) & 3; n12 = 0; while (1) { v12 = &output_1[n12]; v13 = 5 * n12++ + (n117_1 ^ *((_BYTE*)&table[3] + v12[(char*)table - (char*)output])); *v12 = v13; n117_1 = v13 + 34; if (n12 >= 12) break; output_1 = output; } output[12] = state | (4 * v2) & 0xC; return 1; }But i need function that reverses the output of the function. I mean to get the input if i have the output buffer already. PS. Tried X0rby code but no luck it didn't give good result. Only the first byte is encoded ok with this function.

#include <stdint.h> #include <string.h> #include <stdio.h> #ifndef _WIN32 #define __stdcall #endif int __stdcall ted(uint8_t* input_buf, uint8_t* output_buf, uint8_t arg_8) { uint8_t permuted_input[10]; permuted_input[0] = input_buf[6]; // var_10 permuted_input[1] = input_buf[9]; // var_F permuted_input[2] = input_buf[1]; // var_E permuted_input[3] = input_buf[4]; // var_D permuted_input[4] = input_buf[8]; // var_C permuted_input[5] = input_buf[3]; // var_B permuted_input[6] = input_buf[7]; // var_A permuted_input[7] = input_buf[0]; // var_9 permuted_input[8] = input_buf[5]; // var_8 permuted_input[9] = input_buf[2]; // var_7 uint8_t var_24[4] = {0, 0, 0, 0}; uint8_t key_string[] = { 0x6F, 0x6D, 0x65, 0x64, 0x4F, 0x4D, 0x45, 0x44, 0x45, 0x44, 0x4F, 0x4D }; uint8_t var_1D = 0xEA; for (int i = 0; i < 10; i++) { uint8_t val = permuted_input[i]; uint16_t product1 = (i + 1) * val; uint8_t p1_low = (uint8_t)product1; var_24[0] += p1_low; var_24[1] -= p1_low; uint16_t product2 = (i + 0x38) * val; var_24[2] += (uint8_t)product2; } uint8_t al = var_24[0] * permuted_input[0]; uint8_t bl = var_24[1] ^ al; var_24[2] = ((bl + 1) ^ var_24[2]) & 3; uint8_t current_dl = var_1D; for (int i = 0; i < 12; i++) { uint8_t key_char = key_string[i]; - // The original assembly does: mov al, [ebp + key_char + var_10] // This reads outside the 'permuted_input' array. uint8_t magic_byte = *( (&permuted_input[0]) + key_char ); uint8_t calculated = magic_byte ^ current_dl; uint8_t add_val = (uint8_t)(i * 5); calculated += add_val; output_buf[i] = calculated; current_dl = calculated + 0x22; } uint8_t final_byte = ((arg_8 * 4) & 0x0C) | var_24[2]; output_buf[12] = final_byte; return 1; } int main() { uint8_t input[] = {0,1,2,3,4,5,6,7,8,9}; uint8_t output[13]; ted(input, output, 0x10); return 0; }

pay them they will instantly do for you.

Try AI, grok will give you a much better code but you will need several iterations till it gets a working one

My previous video link is dead. Here below you can watch how to use my plugin.

To avoid blind guessing, I suggest you to get old iLO firmware packages and analyze them. See what conditions must be fulfilled in order to get the "SmartMemory" status. If my google-fu is working, Gen10 servers use iLO5, here is it's general spec: https://www.hpe.com/us/en/collaterals/collateral.c04154343.html, and here are the download links https://support.hpe.com/connect/s/softwaredetails?language=en_US&collectionId=MTX-2dc80c4ae4b943fa. It would appear that older firmware packages didn't use any encryption, just some (trivial) compression, making the job so much easier.

My server is working, i just migrated to docker. (Its WebDav , https) https://eddynet.cz:9865 File list is in attached files. content_250414.7z

I admit it, I'm just showing off, you can show off if you have the ability. Unfortunately, apart from jealousy, you are useless. You only fantasize about getting someone else's knowledge without any effort. Anyone with some level of proficiency will think and search for clues based on the documents I provide. Only someone like you who only wants to get something for nothing would make these unreasonable demands? Everyone knows who the joke is. You can you up, No can no BB

😁 I'm not asking you to share your src or tuts/offer a solution. But your reply in my topic are these useful? No - absolutely not. Only one sentence, one picture, and one RAR package. Even more unfortunately, some files in your RAR package are deliberately VM some code snippets. What can the downloaders learn from your RAR package? Besides the analysis reply I provided, which downloader provided an effective analysis reply? In this topic, you're just trying to get attention by showing-off that you can do this with some deliberately modified files that don't have any useful information. We're here to learn and share knowledge. If you don't want to share, that's fine. No need to brag, but if you do, I don't mind. In addition, this topic would like to give special thanks to @TRISTAN Pro for selflessly sharing his tutorials and knowledge.

Please record the process and post it, so we can get benefit from you. Regards. sean.

Refer to this thread. Regards. sean.

After spending three days i m still stuck at 4th challenge now i understand what it mean to be a reverse engineer. May be i will not solve all(or may be even the half of them) the challenge but i still try my best till the last day.

@Rurik: why the kdnet requirement? Why 2 virtual machines? I'm no kernel debugging wizard by any means, but here's a primitive setup that serves me well. WinDbg runs on my main machine, connects to VMWare guest machine via a named pipe. Pretty much everything was taken from this guide: https://www.triplefault.io/2017/07/setting-up-kernel-debugging-using.html 1) Windbg - I have a BAT file with the command-line. It's used only for kernel debugging: windbg -k com:pipe,port=\\.\pipe\com_1,resets=0,reconnect 2) VMWare guest is set up to have virtual com port that uses named pipe: 3) When necessary, I enable kernel debugging in VMWare guest using bcdedit commands from elevated command prompt: bcdedit /debug on bcdedit /dbgsettings serial debugport:1 baudrate:115200 4) Reboot the guest machine, it will freeze for ~30 seconds waiting for WinDbg to attach. 5) Run WinDbg from .BAT file, done. If you insist on running WinDbg in the other VM, you can still link 2 machines via virtual com port and named pipes. I just quickly tried, something like this: 1) set up VMWare with kernel debugging enabled just like before. 2) set up VMWare with Windbg to use com port like this: Notice "this end is the client" setting 3) Start VMWare with WinDbg, run WinDbg like this: windbg -k com:port=COM1,baud=115200 4) (re-)start VMWare with kernel debugging enabled, WinDbg should automagically attach.

char v2; // al char v3; // dl char v4; // cl char v5; // dl char v6; // cl char v7; // dl char v8; // cl char v9; // dl char v10; // cl char v11; // dl int v12; // esi char v13; // al int i; // ecx char v15; // dl char v16; // al char v17; // bl char v18; // dl int v19; // ecx _BYTE *v20; // esi char v21; // al int v23; // [esp+14h] [ebp-24h] char v24; // [esp+16h] [ebp-22h] char v25; // [esp+1Bh] [ebp-1Dh] int v26; // [esp+1Ch] [ebp-1Ch] BYREF int v27; // [esp+20h] [ebp-18h] int v28; // [esp+24h] [ebp-14h] _BYTE v29[11]; // [esp+28h] [ebp-10h] char v30; // [esp+33h] [ebp-5h] v3 = a1[1]; v29[7] = *a1; v4 = a1[2]; v29[2] = v3; v5 = a1[3]; v29[9] = v4; v6 = a1[4]; v29[5] = v5; v7 = a1[5]; v29[3] = v6; v8 = a1[6]; v29[8] = v7; v9 = a1[7]; v29[0] = v8; v10 = a1[8]; v29[6] = v9; v11 = a1[9]; v12 = a2; v13 = 4 * v2; v29[4] = v10; v29[1] = v11; v26 = 1684368751; v27 = 1145392463; v28 = 1297040453; v25 = -22; v23 = 0; for ( i = 0; i < 10; ++i ) { v15 = v29[i]; v16 = v15 * (i + 1); LOBYTE(v23) = v16 + v23; v17 = BYTE1(v23) - v16; BYTE2(v23) += v15 * (i + 56); BYTE1(v23) -= v16; } v18 = v25; v29[10] = v29[0] * v23; v30 = (v29[0] * v23) ^ v17; v24 = (BYTE2(v23) ^ (v30 + 1)) & 3; v19 = 0; while ( 1 ) { v20 = (_BYTE *)(v19 + v12); v21 = 5 * v19++ + (v18 ^ v29[(unsigned __int8)v20[(_DWORD)&v26 - a2]]); *v20 = v21; v18 = v21 + 34; if ( v19 >= 12 ) break; v12 = a2; } *(_BYTE *)(a2 + 12) = v24 | (4 * v2) & 0xC; return 1; }This is what i got from hex-rays but it is very bad and useless decompiled code.

The target has a license server that collects minimal, anonymized information about the launch. Information about debugger detections, code integrity violations, launches in virtual environment, etc. is also transmitted to the license server. Most likely, you simply did not reach the point where the application would display a MessageBox with a message about detecting a debugger. The debugger was detected by 3 out of 3 methods, ScyllaHide was unable to deceive any of them. The screenshot shows the log of your last target launch.