Leaderboard

It's that time of the year again. It seems we're starting September 26 8PM EST again with a return to Web3 and YARA as well. Four weeks instead of six this year... I wonder what the reason for this is. 🤔 https://flare-on.com/

just DO it :) © any action

The tool was designed for obfuscated code, not for handling standard code with external calls (iat, etc.). So, when splitting blocks, an address will likely be invalid. There's nothing stopping you from implementing and adding new features to the code. procedure TCFG_Analysis.SplitBlock( split_addr: UInt64); (* Split basic block @ split_addr and create a new basic_blocks[] entry. *) var bb_head,orig_head : UInt64; instr : TCfGIns; tmpIns : TIns; begin OutDbg( Format('>Function:SplitBlock - Entry splitting @ [%08x] ',[split_addr])); if Fbasic_blocks.ContainsKey(split_addr) then Exit; bb_head := split_addr; orig_head := DFSBBSearchHead(split_addr); if orig_head = 0 then begin OutDbg(Format('>Function:SplitBlock - Failed @ [%08x]: orig_head=None ',[split_addr])); // raise Exception.Create('SplitBlock: orig_head not found'); end; OutDbg(Format('>Function:SplitBlock - Got orig_head [%08x] ',[orig_head])); // Create new BBlock Fbasic_blocks.Add(bb_head,[]) ; if Length(Fbasic_blocks[orig_head]) > 0 then begin tmpIns:= Fbasic_blocks[orig_head]; instr := tmpIns[ High(Fbasic_blocks[orig_head]) ]; SetLength(tmpIns, Length(Fbasic_blocks[orig_head])-1); Fbasic_blocks[orig_head] := tmpIns; end else Exit; while True do begin tmpIns:= Fbasic_blocks[orig_head]; Insert(instr,tmpIns,0 ); Fbasic_blocks[orig_head] := tmpIns; if instr.OriginEA = bb_head then break ; tmpIns:= Fbasic_blocks[orig_head]; instr := tmpIns[ High(Fbasic_blocks[orig_head]) ]; SetLength(tmpIns, Length(Fbasic_blocks[orig_head])-1); Fbasic_blocks[orig_head] := tmpIns; end; OutDbg(Format('>>Function:SplitBlock - Split @ [%08x]; original @ [%08x]',[split_addr,orig_head])); end;

Source code https://github.com/HFAsif/DiskInfoArtificial

if anyone has access to the courses, please upload!!

.

just DO it :) © any action @Nooboy my methode = noob methode😅 unpackin-fujifuscater_VGNDlJbp.mp4

just dump it & fix dump.

@root you have lots of sample *.asm files inside the "\D_CodeGen\Test file" are those the sample obfuscated pieces that noe has to compile/build into PE binary so that the tool/lib could gracefully "eat" it or there is another way to feed .asm files directly into the lib?

There is no gchandle.free in the Confuser.Core 1.6.0+447341964f module. How to deal with it?

I fully agree but the question was about this - why? >EListError: Item not found

there is nothing to deobfuscate in that code, the list remains empty text:0000000000400250 .text:0000000000400250 ; =============== S U B R O U T I N E ======================================= .text:0000000000400250 .text:0000000000400250 ; Attributes: bp-based frame .text:0000000000400250 .text:0000000000400250 public start .text:0000000000400250 start proc near ; DATA XREF: HEADER:00000000004000B0↑o .text:0000000000400250 .text:0000000000400250 var_20 = qword ptr -20h .text:0000000000400250 .text:0000000000400250 enter 40h, 0 .text:0000000000400254 and [rsp+40h+var_20], 0 .text:000000000040025A mov ecx, offset __ImageBase ; hInstance .text:000000000040025F mov edx, 64h ; 'd' ; lpTemplateName .text:0000000000400264 xor r8d, r8d ; hWndParent .text:0000000000400267 lea r9, DialogFunc ; lpDialogFunc .text:000000000040026E call cs:DialogBoxParamA .text:0000000000400274 xor ecx, ecx .text:0000000000400276 call cs:RtlExitUserProcess .text:0000000000400276 start endp ; sp-analysis failed .text:0000000000400276 .text:000000000040027C .text:000000000040027C ; =============== S U B R O U T I N E ======================================= .text:000000000040027C .text:000000000040027C ; Attributes: bp-based frame .text:000000000040027C .text:000000000040027C ; INT_PTR __stdcall DialogFunc(HWND, UINT, WPARAM, LPARAM) .text:000000000040027C DialogFunc proc near ; DATA XREF: start+17↑o .text:000000000040027C .text:000000000040027C format = dword ptr -80h .text:000000000040027C h = qword ptr -5Ch .text:000000000040027C ho = qword ptr -54h .text:000000000040027C Paint = tagPAINTSTRUCT ptr -48h .text:000000000040027C hWnd = qword ptr 10h .text:000000000040027C .text:000000000040027C enter 0A0h, 0 .text:0000000000400280 mov [rbp+hWnd], rcx .text:0000000000400284 cmp edx, 110h .text:000000000040028A jz short loc_4002E5 .text:000000000040028C cmp edx, 111h .text:0000000000400292 jz loc_400654 .text:0000000000400298 cmp edx, 10h .text:000000000040029B jz loc_40065A .text:00000000004002A1 cmp edx, 113h .text:00000000004002A7 jz loc_4003C2 .text:00000000004002AD cmp edx, 0Fh .text:00000000004002B0 jz loc_4004BC .text:00000000004002B6 cmp edx, 201h .text:00000000004002BC jnz loc_40067C .text:00000000004002C2 call cs:ReleaseCapture .text:00000000004002C8 mov rcx, [rbp+hWnd] ; hWnd .text:00000000004002CC mov edx, 112h ; Msg .text:00000000004002D1 mov r8d, 0F012h ; wParam .text:00000000004002D7 xor r9d, r9d ; lParam .text:00000000004002DA call cs:SendMessageA .text:00000000004002E0 jmp loc_40067C .text:00000000004002E5 ; --------------------------------------------------------------------------- .text:00000000004002E5 .text:00000000004002E5 loc_4002E5: ; CODE XREF: DialogFunc+E↑j .text:00000000004002E5 call cs:GetTickCount .text:00000000004002EB mov cs:dword_400800, eax .text:00000000004002F1 push offset pszFaceName ; pszFaceName .text:00000000004002F6 push 1 ; iPitchAndFamily .text:00000000004002F8 push 2 ; iQuality .text:00000000004002FA push 0 ; iClipPrecision .text:00000000004002FC push 6 ; iOutPrecision .text:00000000004002FE push 0 ; iCharSet .text:0000000000400300 push 0 ; bStrikeOut .text:0000000000400302 push 0 ; bUnderline .text:0000000000400304 push 0 ; bItalic .text:0000000000400306 push 2BCh ; cWeight .text:000000000040030B sub esp, 20h .text:000000000040030E mov ecx, 50h ; 'P' ; cHeight .text:0000000000400313 mov edx, 19h ; cWidth .text:0000000000400318 xor r8d, r8d ; cEscapement .text:000000000040031B xor r9d, r9d ; cOrientation .text:000000000040031E call cs:CreateFontA .text:0000000000400324 mov cs:h, rax .text:000000000040032B mov ecx, 40h ; '@' ; uFlags .text:0000000000400330 mov edx, 400h ; dwBytes .text:0000000000400335 call cs:GlobalAlloc .text:000000000040033B mov cs:qword_4007F8, rax .text:0000000000400342 mov edi, eax .text:0000000000400344 mov ecx, 40h ; '@'

1st issue on sample masm binary - (400250 = EP VA) c:\CodeDeob-main\Win32\Debug\123>Deob1.exe fire.exe $400250 CodeDeob cli demo util v0.1 (c) 2025 by jj EListError: Item not found fire.zip

btw any documentation for the lib ?

The project DiskInfoArtificial was designed with .NET Framework 4.0 in mind, as the author notes in the README.

is it OK to test on a simple (eg masm binaries) or it needs only sophisticated mutatied/vm-ed opcodes

It's a project I worked on years ago, I don't remember everything exactly but it seems to be correct. I need to understand what errors it gives and on which target it was tested.

@root thanks! this is my sample POC based on your lib: begin try Writeln('CodeDeob cli demo util v0.1 (c) 2025 by jj'); if (ParamCount > 1) then begin deo := TDeobFuscate.Create(CP_MODE_32, ParamStr(1)); insList := TLinkedList<TCpuIstruz>.Create; deo.DeobfuscateAT(StrToInt(ParamStr(2)), insList); end else Writeln('Usage: tool pe-file VA'); except on E: Exception do Writeln(E.ClassName, ': ', E.Message); end; end. but it fails due to diff reasons... is it correct usage?

It's a project for enthusiasts who love to learn and understand; it's not a ready-to-use tool. To use it, you need to study the code, otherwise it won't do anything. typically: procedure TfrmMain.testPeepHole2(fFile : string); var ins1 : TArray<TIstruzione> ; Deobf : TDeobFuscate; i, nNumStartL : Integer; LWatch : TStopwatch; modo : Byte; linea : string; procedure printInstrs(const instrs : TArray<TIstruzione>); var instr : TIstruzione; begin for instr in instrs do mmo1.Lines.Add(instr.ToString); mmo1.Lines.Add(''); end; begin LWatch := TStopwatch.StartNew; if fFile = '' then fFile := 'Code.txt'; ins1 := FileToSimbolicI(fFile,modo); nNumStartL := High(ins1); Deobf := TDeobFuscate.Create(modo); try mmo1.Lines.Add(sLineBreak +'Input Code:'); mmo1.Lines.BeginUpdate; try printInstrs(ins1); Deobf.UsaDeadC_Sp := chkDeadSper_0.Checked; Deobf.DeobfuscateList(ins1); mmo1.Lines.Add('---- Deobfuscate Code : -------'); printInstrs(ins1); finally mmo1.Lines.EndUpdate; end; frmMain.mmo1.Lines.Add(sLineBreak + Format('-->Funzione testPeephole<-- Totale Linee: %d/%d operazione eseguita in: %d ms', [High(ins1),nNumStartL,LWatch.ElapsedMilliseconds]) ); mmoCodeOri.Lines.LoadFromFile(fFile); for i := 0 to mmoCodeOri.Lines.Count - 1 do begin linea := mmoCodeOri.Lines[i]; if Pos('Codice Orig.:',Linea) <> 0 then begin mmoCodeOri.Clear; mmoCodeOri.Lines.Add(linea) ; pnl1.Visible := True; Break; end; pnl1.Visible := False; end; finally Deobf.Free; end; end;

This file has not been set up to detect virtual machines, so you can try unpacking it in a virtual machine instead of on a real machine... :)

For this package, I did it. Winlicense 3.1.3 Test x64.zip However, @boot I couldn't do it for this package. give me your hand please. Many thanks in advance. Regards. sean.

Dunno, check your system - works well here in a freshly installed Windows 10.

Best days of programming before all this Java and Android chaos

Hi all, we can change the image base of executable file while linking with /BASE option. i.e. Link /BASE:0x600000 but is there any way to change the image base after linking? we may use PE editor to change the ImageBase value! but the problem raises when building import table! 00601060 FF25 08104000 JMP DWORD PTR DS:[401008] 00601066 FF25 00104000 JMP DWORD PTR DS:[401000] jump addresses must change to their appropriate values! any idea? Regards.