Leaderboard

TitanHide has been updated to support the latest VMProtect v3.9.4 changes. The service name is now used as the device name, as well, so the check for \\.\TitanHide will fail if you name the service the differently. Latest version (v0019) download link

Hi all, this is my analysis of GanDiao.sys, an ancient kernel driver based malware. It only works in WinXP as it is unsigned. This driver was used by various malware families and it allowed any userland application to kill other protected processes. This doc also includes a custom userland app source code to use GanDiao and test its capabilities. ENGLiSH VERSiON: http://lucadamico.dev/papers/malware_analysis/GanDiao.pdf iTALiAN VERSiON: https://www.lucadamico.dev/papers/malware_analysis/GanDiao_ITA.pdf As usual, I'm also attaching both PDF files here, just in case. Enjoy. GanDiao.pdf GanDiao_ITA.pdf

It's that time of the year again. It seems we're starting September 26 8PM EST again with a return to Web3 and YARA as well. Four weeks instead of six this year... I wonder what the reason for this is. 🤔 https://flare-on.com/

Reverse Engineering Denuvo in Hogwarts Legacy Slides Sogen Emulator Source Ted.

Your crackme seems to have multiple solutions. Not sure if this was intended: Some example passwords: Approach:

Hello! I am 14yoKID , and i have documented everything tothe best of my ability. If you have any questions, please feel free to reach out or respond to my solution. I appreciate any feedback or discussion. The first step is to look inside the crackme’s binary for any references to “Wrong key!” (the error message). We load the executable into a disassembler or debugger (IDA, x64dbg, or similar). A quick search reveals that “Wrong key! Try again.” is located around the following code: 00408C3E | A1 0CA34000 | mov eax, [0x40A30C] 00408C43 | BA D48C4000 | mov edx, 0x408CD4 ; "Wrong key! Try again." This is where program prints the "Wrong Key! message. Scrolling above that reference,we see : 00408C16 | A1 98B74000 | mov eax, [0x40B798] ; loads the user's computed key 00408C1B | 3B05 ACB74000 | cmp eax, [0x40B7AC] ; compares it to the correct key 00408C21 | 75 1B | jne 0x408C3E ; jump if not equal => "Wrong key!" This shows: The user’s input key is stored at [0x40B798]. The “correct” key resides at [0x40B7AC]. If these two values do not match, we jump to the code that prints “Wrong key! Try again.” If they do match, we take the path that prints “Correct key!, Now Try to Keygen ME !” Finding Where [0x40B7AC] Is Set : Quick look upword in disassembly reveals: 00408BB0 | E8 5BFEFFFF | call 0x408A10 00408BB5 | A3 ACB74000 | mov [0x40B7AC], eax So at address 0x00408BB0, we call a function (which we’ll refer to as sub_408A10). Right after that call, we store EAX into [0x40B7AC]. That means the function at 0x00408A10 produces the correct key in EAX. To finally find a key set a breakpoint at 0x00408BB0 or directly inside sub_408A10 at 0x00408A10. Run the program and break on that address,press F7 ( Step into ) the call to examine how the function computes EAX. Inside sub_408A10, we notice: It reads a hard-coded byte 0x5A from [0x40A298] It loops exactly four times over bytes stored at [0x40A29C..0x40A29F] ( for instance , 0xA5 , 0x3C , 0xD7 , 0x82 ) Each iteration does some arithmetic: XOR , multiply by 12345 , add 0x6789, shift bits, etc. After finishing four iterations, it multiplies EAX by 0xDEADBEEF , does a final XOR and then returns EAX. Stepping through the entire function, we see that every run ends with a single final value: EAX = 0x8981B3E0 Then writes this to [0x40B7AC]. Therefore, the correct key is a constant number: 0x8981B3E0 ( OR IS IT?? ) Even though we know the internal number is 0x8981B3E0 , how do we type it so that crackme accepts it? By stepping into the function that processes (sub_4060A8 or sub_4045D4), or simply by trial and error, we learn: The crackme expects a leading '$' to interpret the rest of the text as hex. Typing XXXX1B3E0 ( dont want to spoil fun for others ) is interpreted as the hex value 0x8981B3E0. This matches the stored correct key, so the crackme prints : Correct key!, Now Try to Keygen ME ! But why $? In this particular crackme, the $ symbol is how the program’s input-parsing routine recognizes the user’s entry as a hexadecimal number. Without the '$' prefix, the code typically treats your input as decimal (or otherwise misreads it). Since the “correct key” is stored internally as the hexadecimal value 0x8981B3E0, the crackme will only accept a matching hex number—and it specifically wants you to indicate “hex mode” with '$'. That’s why typing 0x8981B3E0 or plain 8981B3E0 fails: the program doesn’t parse those formats as the same 32-bit value. Only '$8981B3E0' matches the exact hexadecimal integer 0x8981B3E0 the crackme expects. The final answer of mine and correct/valid key is :

Hey guys! I’m iced, a passionate student from Bosnia who’s really into reverse engineering. I decided to join Tuts4You to expand my knowledge and trade insights with people who are way better than me.Im also a friend of @0xret2win and he suggested me to join site and try to tackle couple of nice crackmes posted here. Also i dont think the guy who made this applied full protection settings. Anyways upon investigating this target i found two interesting calls: ( Not entierly sure if i should do step-by-step since if you follow "MessageBoxA" in ret and stack you will eventually get to same place i got ) "vmp-licensing-test.vmp.exe"+A19CAE - E8 B9CB60FF - call "vmp-licensing-test.vmp.exe"+2686C This is upon hitting "VMProtectGetCurrentHWID". RAX => 29 "vmp-licensing-test.vmp.exe"+A19C9C - E8 2550ABFF - call "vmp-licensing-test.vmp.exe"+4CECC6 This is upon hitting on "VMProtectSetSerialNumber". RAX => 20 Using x64dbg : 00007FF665759CAE | E8 B9CB60FF | call vmp-licensing-test.vmp.7FF664D6686C | -> VMProtectGetCurrentHWID 00007FF665759C9C | E8 2550ABFF | call vmp-licensing-test.vmp.7FF66520ECC6 | -> VMProtectSetSerialNumber

i may banter a lil in the opening, but that is how i was taught when i was in highschool learning ASM from the ukranians and russians, bootkits from the chinese You give a short shoutout or point to be made and ya write and code Here, i use the LCRN (LCG) from the GiantBlack Book of Viruses (Physicist Dr. Mark Ludwig) and his 16-bit many hoops and recreated it for x86 (32 bit) VXWriteUp.pdf

Among the anti-debug techniques, there's an interesting one worth noting. A dummy thread is created and then it calls Sleep(0x32). (The goal is for the created thread to be detected by tools like x64dbg.) Then, it calls NtQueryObject with the ObjectBasicInformation class using the thread handle. If the returned HandleCount is greater than 1, it determines that debugging is in progress. void dummy() { Sleep(8000); } bool CheckCreateThreadHandleCount() { HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)dummy, NULL, 0, NULL); if (hThread == NULL) { return false; } Sleep(0x32); PUBLIC_OBJECT_BASIC_INFORMATION objInfo; NTSTATUS status = NtQueryObject(hThread, ObjectBasicInformation, &objInfo, sizeof(objInfo), NULL); if (!NT_SUCCESS(status)) { CloseHandle(hThread); return false; } std::cout << "Handle Count: " << objInfo.HandleCount << std::endl; if (objInfo.HandleCount > 1) { CloseHandle(hThread); return true; } CloseHandle(hThread); return false; }

Since @Washi provided the solution first, you may mark his answer as solved. However, I’d like to share my approach as well for reference. 1) Polynomial Coefficients and Matrix 1. Username - Polynomial Coeffs The code has a function that folds ASCII values into 8 coefficients ( size = 7 ). For "CHESSKING" , we take each character's ASCII and add it to slot in the array. 2. Matrix Build We then build 5 x 5 integer matrix from these 7 coefficients. Each entry is computed via this formula : mat(r,c) = ( coeffs ( r mod 7 ) x ( c + 1)) + ( r + 1 ) ---> All in paranthesses from start has to be to the power of 2. 3. Determinant ( mod 65521 ) We do a row-reduction to find the matrix's determinant, and then take /bmod 65521. 2) Toy Elliptic-Curve Step The code defines a small curve: y2 ≡ x3 +Ax+B (modp), p=1201, A=1,B =1. ( x3 here is actually x to the power of 3 ) We have a base point G = ( 5,116 ) this goes : finalPoint= ECSM (G,detMod) That is, we "add" G to itself ( detMod ) times in elliptic-curve arithmetic. The result is ( X , Y ) . Then we define it with this formula : curveSecret= X+ (Y≪16) 3) LFSR Shuffle We take 64 bits (lowest bits) from curveSecret and feed them into a Linear Feedback Shift Register for 64 rounds, producing a new 64-bit integer lfsrOutput. This step effectively scrambles the bits further. 4) BFS-Based Knight Path The code starts at square E5 on a 10×10 board labeled A..J (files) and 1..10 (ranks). Internally, E5 is (4,4) in 0-based coordinates. For each character in the username, we do: steps= (ASCII of char) mod 5 , then run a BFS for that many expansions. The BFS uses Knight moves (like (2,1), (1,2), etc.) with wrapping if we go off the board. We capture the last enqueued square after those BFS expansions, add that to our path, and repeat for the next character in the username. 5) “Check to the King” There is a King placed on G10 → (6,9) in 0-based coordinates. We look at the final square in our BFS path. If that final square is one knight’s move away from (6,9), we do an extra step: lfsrOutput  =  lfsrOutput⊕0xA5A5A5A5 For "CHESSKING" , the BFS path’s last square does or does not cause this XOR. In our run, it does cause the XOR (i.e., it’s in position to “check the King”). 6) Nibble → Weird SAN Moves We take the final integer (lfsrOutput) and break it into 12 consecutive 4-bit nibbles. For each nibble, we pick a “weird” standard algebraic notation (SAN) chess move from the code’s move table. This yields moves like e2e4, Na3xb5, Qd1h5, etc. 7) Final Serial Part A: The BFS squares (space-separated). A dash ( - ) Part B: The 12 SAN moves from the nibble-based table. Verifying everythin we gathered so far : For "CHESSKING" : E5 I3 C1 A7 G4 C1 C1 I8 E5 G4 After the code determines the King is in check, it XORs the LFSR output with 0xA5A5A5A5 Extract 12 nibbles → map to the weird SAN table. They all turned out to be mostly e2e4, with a couple of different ones in the middle (Bf1c4, d2d4) My final answer which is my Username and Serial Key is :

-src -ARTeam.esfv -Thumbs.db -Weakness of the Windows API.Part1.pdf WeaknessoftheWindowsAPI.rar

Here is unpacked folder, all tools included. https://limewire.com/d/PWsfv#C32mVemS40 https://fileroy.com/2WVGr1E9zkx7/file https://zippyshare.day/YPGm89uDHMSpeoC/file Final unpacked exe is called drr_msil_Slayed2cleaned_.exe

I commented out that portion of code because transparency works correctly, but if you look closely, it generates artifacts, especially when selecting text. However, I solved the problem just last night by looking at some templates on the forum in asm x86 and making the appropriate changes. Below, I show all the updated code. In attachment you will find image resource and the exe file. #include <windows.h> #include <wingdi.h> #include "ufmod.h" #include "resource.h" #include "song.h" #pragma comment(lib, "Msimg32.lib") #pragma comment(lib, "ufmod.lib") #pragma comment(lib, "winmm.lib") HINSTANCE hInst; HBITMAP hBackground = NULL; HBRUSH hBrushBackground = NULL; HBRUSH hBrush; COLORREF transparentColor = RGB(255, 0, 255); // Magenta color key // Bitmap per il pulsante di chiusura HBITMAP hBtnCloseNormal = NULL; HBITMAP hBtnCloseHover = NULL; // Procedura finestra del dialogo INT_PTR CALLBACK DialogProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam) { switch (uMsg) { case WM_INITDIALOG: { HICON hIcon = LoadIcon(hInst, MAKEINTRESOURCE(IDI_ICON1)); SendMessage(hwndDlg, WM_SETICON, ICON_BIG, (LPARAM)hIcon); SetWindowText(hwndDlg, L"Keygen Template by jNe"); // Imposta il testo predefinito SetDlgItemText(hwndDlg, EDIT_username, L"Enter Username"); // play chip-tune <3 uFMOD_SetVolume(20); uFMOD_PlaySong(songData, (void*)sizeof(songData), XM_MEMORY); // BMP in background hBackground = LoadBitmap(GetModuleHandle(NULL), MAKEINTRESOURCE(BMP_form)); hBrush = CreatePatternBrush(hBackground); // set magenta color key SetLayeredWindowAttributes(hwndDlg, transparentColor, 0, LWA_COLORKEY); // --- FINE --- // BMP close hBtnCloseNormal = LoadBitmap(GetModuleHandle(NULL), MAKEINTRESOURCE(BMP_close)); hBtnCloseHover = LoadBitmap(GetModuleHandle(NULL), MAKEINTRESOURCE(BMP_close_hover)); if (hBtnCloseNormal) { HWND hBtnClose = GetDlgItem(hwndDlg, BTN_CLOSE); if (hBtnClose) { BITMAP bm; GetObject(hBtnCloseNormal, sizeof(bm), &bm); SetWindowPos(hBtnClose, NULL, 0, 0, bm.bmWidth, bm.bmHeight, SWP_NOMOVE | SWP_NOZORDER); } } } return TRUE; case WM_ERASEBKGND: return TRUE; case WM_PAINT: { PAINTSTRUCT ps; HDC hdc = BeginPaint(hwndDlg, &ps); if (hBackground) { HDC hdcMem = CreateCompatibleDC(hdc); HBITMAP hOldBmp = (HBITMAP)SelectObject(hdcMem, hBackground); BITMAP bm; GetObject(hBackground, sizeof(bm), &bm); BitBlt(hdc, 0, 0, bm.bmWidth, bm.bmHeight, hdcMem, 0, 0, SRCCOPY); SelectObject(hdcMem, hOldBmp); DeleteDC(hdcMem); } EndPaint(hwndDlg, &ps); } return TRUE; case WM_DRAWITEM: { LPDRAWITEMSTRUCT lpdis = (LPDRAWITEMSTRUCT)lParam; if (lpdis->CtlID == BTN_CLOSE) { HDC hdcMem = CreateCompatibleDC(lpdis->hDC); HBITMAP hBmpToUse; if (lpdis->itemState & ODS_SELECTED) { hBmpToUse = hBtnCloseHover; // HOVER } else { hBmpToUse = hBtnCloseNormal; // NORMAL } if (hBmpToUse) { HBITMAP hOldBmp = (HBITMAP)SelectObject(hdcMem, hBmpToUse); BitBlt(lpdis->hDC, lpdis->rcItem.left, lpdis->rcItem.top, lpdis->rcItem.right - lpdis->rcItem.left, lpdis->rcItem.bottom - lpdis->rcItem.top, hdcMem, 0, 0, SRCCOPY); SelectObject(hdcMem, hOldBmp); } DeleteDC(hdcMem); } } return TRUE; case WM_CTLCOLORDLG: return (INT_PTR)hBrush; case WM_CTLCOLOREDIT: case WM_CTLCOLORSTATIC: { HDC hdcEdit = (HDC)wParam; int controlId = GetDlgCtrlID((HWND)lParam); if (controlId == ABOUT) { SetBkMode(hdcEdit, TRANSPARENT); SetTextColor(hdcEdit, RGB(255, 255, 255)); SetBkColor(hdcEdit, 0x00000000); SetBrushOrgEx(hdcEdit, -23, -88, NULL); return (INT_PTR)hBrush; } if (controlId == EDIT_username) { SetBkMode(hdcEdit, TRANSPARENT); SetTextColor(hdcEdit, RGB(255, 255, 255)); SetBkColor(hdcEdit, 0x00000000); SetBrushOrgEx(hdcEdit, -23, -88, NULL); return (INT_PTR)hBrush; } if (controlId == EDIT_serial) { SetBkMode(hdcEdit, TRANSPARENT); SetTextColor(hdcEdit, RGB(255, 255, 255)); SetBkColor(hdcEdit, 0x00000000); SetBrushOrgEx(hdcEdit, -23, -151, NULL); return (INT_PTR)hBrush; } break; } case WM_LBUTTONDOWN: SendMessage(hwndDlg, WM_NCLBUTTONDOWN, HTCAPTION, 0); return TRUE; case WM_COMMAND: switch (LOWORD(wParam)) { case EDIT_username: { if (HIWORD(wParam) == EN_CHANGE) { char username[256]; GetDlgItemTextA(hwndDlg, EDIT_username, username, 256); SetDlgItemTextA(hwndDlg, EDIT_serial, "OMFG-THIS-IS-A-DEMO"); } break; } case BTN_CLOSE: SendMessage(hwndDlg, WM_CLOSE, 0, 0); return TRUE; } break; case WM_CLOSE: uFMOD_StopSong(); if (hBrush) DeleteObject(hBrush); if (hBackground) DeleteObject(hBackground); if (hBtnCloseNormal) DeleteObject(hBtnCloseNormal); if (hBtnCloseHover) DeleteObject(hBtnCloseHover); EndDialog(hwndDlg, 0); return FALSE; } return FALSE; } // Entry point int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { hInst = hInstance; DialogBox(hInstance, MAKEINTRESOURCE(IDD_DIALOG1), NULL, DialogProc); return 0; } keygen template - fix.zip

Hi @LCF-AT , DriverMonitor is an old tool that has been released for over 20 years. I am accustomed to using this app to load some Windows drivers. For learning and testing purposes, I used some leaked certificates to sign this driver. Now I will upload the signed driver here. I have set up a callback function (ProcessNotifyExRoutine_call_back) in the driver to filter specific process names in order to prevent their loading. Therefore, before uninstalling the driver, the target process cannot be started. This simple APP can kill some driver-protected antivirus software or system-level processes. For example, antivirus software such as Kaspersky and Symantec. If you terminate the system processes (e.g. winlogon.exe and dwm.exe), it will result in a BSOD. bin_v0.002.zip(Requires: 64-bit OS & >= Windows 7) DriverMonitor_EN.rar Video_2025-09-14_161309.mp4 (4.69 MB)

damn it! this is GENIOUS! (instead of WinAPI old dirty crap!!!) easy! just read the docs :) built a binary using that multi-precision lib: (left vs last build fom @Stuttered ) FileSizeCALC_0.0.11.zip

Here are the steps to get a completely modified version of x64dbg. Go to https://github.com/x64dbg/x64dbg Press this button in the top-right corner of your screen: You can then change the code to your liking (e.g., to bypass the anti-debug problem).

For some reason, when I press VMCode, nothing happens. No badboy or goodboy message. But for now, I’ve managed to get any key to register successfully. I’ll still take a look at the VMCode routine—just out of curiosity—and if I manage to figure it out, I’ll definitely write a tutorial. Btw whats up with your x86 with your anti-anti tricks? It wont even start on my machine for some reason. Could you please take a look at it?

...because cloning git repo, or just clicking on anonfiles.com_d1D7M7q9z4_vmpsrc.zip is so f*ing complicated. You don't need VMProtect sources. What you need is a basic understanding of this magical thing called "the internet".

I can only wish you luck in your search 😄

Hi! I took a look at it and shame that no one tried to solve it,here is my approach. Basic things i pulled: All four keys must differ. If any two keys are the same string, it shows “All keys must be different.” No key can contain "0@0". If you type a key like "0@0@something", it rejects it. “Erjey” can be used at most once, and if it appears, the fourth chunk of that key must be less than 6. That is, if a key has the substring "erjey", its format is X@Y@erjey@W, and W<6W < 6W<6. The third chunk in each key can be one of three strings: erjey kao tuts4you If you use something else, you get badboy error message. 2.2. Internally, a Linear Solver Digging deeper, i discovered a set of classes (d, e, j, etc.) that build a system of linear equations or inequalities. Each key of the form X@Y@{erjey|kao|tuts4you}@W is taken to mean X⋅x+Y⋅yRELWX , where the “relation” REL depends on the keyword: erjey → equality (=). kao → some inequality (≥ or ≤) depending on puzzle logic. tuts4you → the other inequality. From hints in the code and trial tests, we saw that: erjey is effectively “=”. For this puzzle’s code, kao ended up being “≥” and tuts4you was “≤” (the code flips them). Finally, after the solver ensures a feasible solution for (x, y), it calculates an “objective value” from the Name field, which must also be in the format A@B (two doubles). The code uses: objective=A×x+B×y If that objective is exactly 44 000, it shows: MessageBox.Show("Valid combination!"); That is the central condition: Ax+By=44000. 3. Constructing a Solution To guarantee the solver yields 44,000, we needed to pick (x, y) and (A,B) so that: A×x+B×y=44000. Additionally, we had exactly four constraints (the “Keys”) to pin down x and y. 3.1. The Simplest Trick: Set x=y One common approach: force x=y=c for some integer c < 6 (because the puzzle disallows “erjey@W” if W >= 6). Then we just need: (A+B)×c=44000 then this becomes A+B = 44000 / c Hence, pick any c in [1..5], and pick A + B = 44000 / c. 3.3. Example Name Then to satisfy (A+B) c=44000, choose a Name that splits as A@B with A+B=44000/c. For instance: Let c = 4. Then A+B must be 11000. We pick A = 5500 and B = 5500. So Name = "5500@5500". 3.4. Putting It All Together And if im right and if this is the keygen you have asked for : keygen.py

I recommand the people to use this protection because it's very good. The protection is advanced like Pelock but very good. Only a real reserver can do it But it needs much times to be able handle it. UnpackMe.Obsidium.1.69b1.x86_unprotect.rar

Dear friends Berkeley Mono Font face is updated to version2. They included ligatures (nerd glyphs) directly in this build. The font face is 75$ for developer use only (no commercial use.) I have included this fontface so you can try them. Enjoy! Homepage hxxps://usgraphics[.]com/products/berkeley-mono Archive Pass: Download tx-02-berkeley-mono-pass=SCT.7z

Here we go, after the above step with slayer - Decrypt Methods unckecked; // Token: 0x0600081D RID: 2077 RVA: 0x0006E2E8 File Offset: 0x0006C4E8 [MethodImpl(MethodImplOptions.NoInlining)] internal unsafe static void qp1d5IbOJ() { Just fill at 006C4E8 with 062A so will change the body of method qp1d5IbOJ to a simple ret. after that we have a working file and we can deobfuscate with BabelDeobfuscator. Here is working unpacked file: https://workupload.com/file/3JqMck9ZtYR

StrongName tools: - added SamePKT tool - added 64 bits support for all tools StrongName2.rar

I wanted to devirtualize it manually so I made a disassembler for it using the new yara-x to locate the handlers and the bytecode. Probably going to turn it into a full devirtualizer from binaryshield bytecode straight to x86_64. I saw these values(the one in the cmp comment) put them as input since it was valid I didn't go further. You can find my work at https://github.com/xlatbx59/Bshld, the file with the disassembly is at https://github.com/xlatbx59/Bshld/blob/master/binshield.txt. It was fun to reverse

You can look for HydraDragonAntivirus/AutoNuitkaDecompiler: Get malware payload without dynamic analysis with this auto decompiler or my main project. I did with that. If you want dynamic analysis then Is Nuitka No Longer Secure? A Reverse Engineering Tool for Nuitka/Cython-Packed Applications — pymodhook | by qfcy | Medium (There more advanced special python code for pymodhook but it's closed source for vxnet and not made by me so I can't make it public) If you want both dynamic and static: Siradankullanici/nuitka-helper: Symbol Recovery Tool for Nuitka Binaries I did extract with stage1.py or nuitka-extractor extremecoders-re/nuitka-extractor: Tool to extract nuitka compiled executables (or just do dynamic analysis for extract and sometimes it can't extract or Nuitka compiles executable as dll so you need dll loader It seems like it becoming obsolete · Issue #15 · extremecoders-re/nuitka-extractor) my main project not stable but if he is become stable then he can detect is he nuitka and do auto extract with auto decompile and you get source code. Nuitka is actually hiding data in resources section in specia bytecode format. Actual source code starts from (u)python.exe or /python.exe (generally in broken executables) then you need look for <modulecode part for import recovery and Nuitka compiles with everything for obfuscation. So too many comment lines from file exists. You can detect junks by that line contains no u word. Which means this line is junk because u means go to next line in Nuitka bytecode. Nuitka is not obfuscated if he doesn't compile with everything otherwise it's obfuscated. You can improve my script by looking Nuitka bytecode source code. You can post to ay AI to recover code but Gemini is currently best for very long codes. Compared to other obfuscators you need pyarmor with Nuitka to make him more secure (or guardshield with pip install guardshield), otherwise it's easy task if there no too many imports. Rarely user disables compile everything even if the docs then your task much easier but in default Nuitka compiles everything. Nuitka clearly worser than Rust for some reason. 1) Antiviruses flags as malware because malware analysts can't understand Nuitka (even if they are too experinced they really don't know how to solve Nuitka) so you get false positives. 2) It's not good obfuscator and it's not creating millions of line hello world code via normal cython. I don't recommend python to use for avoid reverse engineering but you can still use it. If you want I can give all details which I know with tutorial or I can release my main project for auto Nuitka decomplication. My last words are don't use pyoxidizer, pyinstaller, cx_freeze if you want obfuscate your code because Nuitka is still best open source option for python. Nuitka can't remove python.h so the code must be pseudo python (Cython like style)

Seems like we have a winner! 👍

Update v0.0.10. Thx @jackyjask for pointing to the BigNumber library and assist. See attached. FileSizeCALC_v0.0.10.rar

Why? I don't depend on anyone.

It is not hard to update dnlib, maybe 8/10 fixes on de4dot and it will work. Tomorrow I will share my updated de4dot-cex with you.

Mono still makes sense for environments that cannot work with JIT and require an interpreter (e.g., wasm), and is still the default implementation for legacy .NET Framework in e.g., wine. Also, MonoMod is not affiliated with Mono, nor does it work "just" for Mono. Its name originates from Unity using Mono, but it is built to also work for other versions of .NET, including .NET Framework, .NET Core and .NET. Harmony under the hood also uses MonoMod. If you want to use MonoMod directly instead of Harmony, it should be doable using MonoMod.RuntimeDetour. Example from their docs: // Create a Hook. using (var d = new Hook(methodInfoFrom, methodInfoTo)) { // When the detour goes out-of-scope (and thus has Dispose() called), the detour is undone. // If the object is collected by the garbage collector, the detour is also undone. }

What? No explanation of what he done?

> WindowsFormsApplication37_Slayed.exe!WindowsFormsApplication37.Internal.PolicyFinalizer.VisualContainerPolicy.CombineTransaction(WindowsFormsApplication37.Internal.PolicyFinalizer.ArgumentViewer instance) (IL=0x2260, Native=0x091A0040+0x6B85) case (PolicyFinalizer.NotificationCall)128: if (PolicyFinalizer.m_PolicySenderList.Count == 0) { Module module = typeof(PolicyFinalizer).Module; this.m_ClientEvaluator.IncludeManager(new PolicyFinalizer.PolicyFinder(module.ResolveString((int)this.m_CustomDecryptorPolicyObj | 1879048192))); return; } 70000000 metadataToken 0x7000174A int - metadataToken of good string: 0x700016DE but it is not easy as replacing a string- it is not working after changing string.

.

If you are familiar with the Armadillo program, you will remember that this software had a very interesting feature called "Nanomits", which was created to prevent dumps from being taken from protected processes. The source code below is actually a re-engineered version of the original product's behavior that is available to everyone https://github.com/NIKJOO/Nanomits Give repo a star if you find it useful.

@Noob boy Hi again! I spent some time unpacking this WinLicense v3.2.2 x64 target. unpacked_x64.zip

Time spent: 5 minutes from start to typing this message. It's a great example of how a compromised older version of the software (like your crackme v1.0) leads to a complete compromise of the new and improved protection. I hope to find some time on Sunday or early next week to make a writeup. But my spare time is limited these days, I apologize for that in advance.. If someone else wants to make a tutorial, I'd love to see that!

hi, i am new to devirtualization topic and this challenge was very good for beginners and me. first, my goal was not just obtain the keys but devirtualize whole function automatically and recompile back to be able to patch it. i lifted handlers to LLVM IR and recompiled in a new binary to analyze it this is my final output i know its a little difficult to read, but at least you can see the correct keys clearly if you look at if statements. sadly, code crashes at runtime, i dont know why. it will probably take really long time to identify the problem. i dont think i will do that. maybe i might try VTIL instead of LLVM. i would like to see others approaches on fully devirtualizing this vm. great challange again.

@boot How to bypass the x64 target like you had done? Regards. sean.

@Sh4DoVV How to bypass x64 version of enigma constant used target? Do we have to change CRCs and then change hwid to the given one like changing x86 version of it's hwid using @CodeExplorer's EnigmaHardwareID Tool and scripts for x86 targets? Many thanks in advance. Regards. sean.

Forgive me for speaking frankly. There is no need to use the so-called "KeyGen", and it can be directly forced to bypass this protection. Those who boast about "KeyGen" but do not provide effective solutions are useless besides wasting forum space and questioner's time. Video_2025-01-25_181545.mp4

WindowsFormsApplication4.vmp35.exe: 1. VMUnprotect.Dumper https://github.com/void-stack/VMUnprotect.Dumper/releases/tag/1.1.0.0 2. Unset "IL Only" Flag from .NET Directory with CFF Explorer 3. Demutation Tool https://forum.tuts4you.com/topic/45162-demutation-vmprotect-net https://forum.exetools.com/showthread.php?t=21105 4. de4dot Use --keep-names ntpfg while cleaning the file using de4dot Or use --dont-rename 5. VMP Killer by DarkBullNull Use Option 2 First and Fix CRC and Debug Check https://github.com/DarkBullNull/VMP.NET-Kill https://forum.tuts4you.com/topic/45179-vmpnet-kill/ https://forum.exetools.com/showthread.php?p=131964 6. Unset "IL Only" Flag from .NET Directory with CFF Explorer 7. Use VMProtectNoDelegates to clean delegates https://forum.exetools.com/showthread.php?t=21106 https://forum.tuts4you.com/topic/45163-vmprotectnodelegates-net The only thing left if unvirtualization. WindowsFormsApplication4.vmp35-decrypted-demutate-cleaned.justify_nodel.rar

I have already conducted testing before, and if you compile the 32-bit plugin according to the original source code provided here (https://bbs.kanxue.com/thread-282244.htm). Original 32-bit (Imperfect Version).zip This plugin is effective on Win7 x64 SP1; But it fails in Win10/11 x64. e.g. VMP_3.8.7_x86_32-bit.vmp.exe Win7 x64 SP1 √ Win10 x64 × Win11 x64 × By recompiling the 32-bit plugin according to the modified code provided by karan, the above issue has been resolved. The revised and recompiled complete version is now uploaded as follows, and has been tested to be effective in Win7/10/11 x64. ScyllaHide_2024_x86_x64_v0.002.zip

For this package, I did it. Winlicense 3.1.3 Test x64.zip However, @boot I couldn't do it for this package. give me your hand please. Many thanks in advance. Regards. sean.