Feedback and Ideas

[Progman]

@Teddy Rogers - okay that sounds fine and reasonable.  I agree there can't be anymore of this he says she says wars of words going on.  But I do not have access to the PM feature anymore.  When post moderation was turned on, for whatever reason I lost access.  But you can check I have never abused the PM feature and hardly used it and now when it would be useful given this moderation - its disappeared altogether.  Kindly let me know if that right can be restored.

[Teddy Rogers]

Should be fixed now. Apologies for that, it was not intended to happen...

Ted.

[LCF-AT]

Hi again,

ah ok now I see that search options. Sorry,my faul.Just wonder why I didnt seen that before.Thank you NOP for the info.About post markings,no I dont wanna use or set browser bookmarks.I would like to have something what keeps here only and without to use any extern handling etc you know.Maybe you can implement such post markings (similar like the like button / as I told before / mark | unmark) and maybe its also possible to set a colored frame around the posts the user did mark for himself to see it quickly if the user X does trace around any topics etc you know.Just only a idea.

greetz

[Teddy Rogers]

Could you make use of Managed Followed Content as a substitute for bookmarking?

Ted.

[LCF-AT]

Hi again,

not sure about that so its not same like making some kind of single reply bookmarks you know.In the profile page for example I can choose "see reputation activity" and get a list of all who pressed a like button etc and something like that I would like to have for single replys I do mark for myself (as I told before already).Maybe its possible to add another button into the like button list..."Thanks,Haha,Confused,Sad,Like,......--> Mark <--"....you know.Just my idea so far.Not sure whether you can do that or whether its possible to make that on this forum but you know what I mean right.I think its a good idea.

About MFC.So in this case I only can follow a topic.If the topic has many sites and tons of replys then I also can not find quickly what I am looking for you know.Its not same like the idea about marking / bookmark single replys.

greetz

[Teddy Rogers]

@LCF-AT I think the closest thing to what you are after is going to be the followed content option for the time being...

Ted.

[root]

I wanted to suggest a section on the new ghadra decompiler (I'm doing the first tests and the results are excellent). a section for tutorials, modified versions, scripts etc ..😀

[Teddy Rogers]

I will wait to see what becomes of Ghidra once the surge of excitement and newness of having an NSA tool at hand all settles down. Most probably it will maintain its own site and community, likely centred around GitHub repository...

Ted.

[RiRye]

Any chance we can get a full sitedump / archive going?

Last file dump was from 2011 and a full forum backup would be cool.

[XenocodeRCE]

Say "A" post a crackme thread

Say "B" reply to that thread with minimal to no information / tutorial

B's reply will only be unlocked /un-hidden once someone reply to the thread.

 

My point is : it makes B's reply useless. What's the point of unhidding non-informative replies if the thread has one answer-dedicated reply ? 
My proposition is : make B's reply not hidden, and let the owner of the thread decide which reply is the best. Maybe make non-tutorial reply not votable for the "best answer of this thread". 

[Teddy Rogers]

23 minutes ago, XenocodeRCE said:

My proposition is : make B's reply not hidden, and let the owner of the thread decide which reply is the best. Maybe make non-tutorial reply not votable for the "best answer of this thread". 

If I understood you correctly this is similar to how it was prior to the change. Many members complained replies to challenges were all becoming an uploaded unpacked file or completed crackme, with no information on how it was achieved stating "unpacked", "done!", etc. This system only fueled the glory seekers. A suggestion was to deter this from happening to encourage the sharing of information on how these are solved. Unfortunately there is no automated system that can determine a genuine reply to one that is a completed solution with no information. All these need to be manually reviewed and approved. Regarding those replies that are hidden, this is a compromise to the glory seekers. To be clear, any replies that are discussing the challenge and not containing the solution are all approved.

It is not a perfect system for managing these forums, I am fully aware of this. It is a compromise between the wishes of other members, capabilities of the forums software and the moderating team. If it was not for the time waiting for review and approval and the lack of understanding why posted solutions have been hidden none of this would be up for discussion...

Ted.

[XenocodeRCE]

On 5/24/2019 at 11:02 PM, Teddy Rogers said:

If I understood you correctly this is similar to how it was prior to the change. Many members complained replies to challenges were all becoming an uploaded unpacked file or completed crackme, with no information on how it was achieved stating "unpacked", "done!", etc. This system only fueled the glory seekers. A suggestion was to deter this from happening to encourage the sharing of information on how these are solved. Unfortunately there is no automated system that can determine a genuine reply to one that is a completed solution with no information. All these need to be manually reviewed and approved. Regarding those replies that are hidden, this is a compromise to the glory seekers. To be clear, any replies that are discussing the challenge and not containing the solution are all approved.

It is not a perfect system for managing these forums, I am fully aware of this. It is a compromise between the wishes of other members, capabilities of the forums software and the moderating team. If it was not for the time waiting for review and approval and the lack of understanding why posted solutions have been hidden none of this would be up for discussion...

Ted.

I think there exists something between "just throw off your unpacked exe" and "write a god damn paper for every confuserex unpackme mod" you see ? 

For me you are slowly killing your board activities by doing that. The less we see our replies, the less we want to engage into this forum, but that's to be expected no ? 

By bluring / making these non-informative reply appears grayed it convey a good message to the poster : his reply is ok but not worth being reviewed as an answer. 

[blank]

On 1/19/2019 at 6:40 AM, Teddy Rogers said:

 there will be no easy way to distinguish whether a reply awaiting to be moderated is a general reply post or an answer awaiting review and moderation.

Wouldn't it be possible to add a button or a checkbox when posting a reply, saying something like "Are you posting an answer, or a general comment?" And then if the reply is an answer, you can moderate it to make sure it is complete. If it's just a general reply or asking for details, allow the system to post it, and review it later. I don't think people would abuse the system just to get their incomplete answers public for a few minutes/hours.

[kao]

4 hours ago, XenocodeRCE said:

"write a god damn paper for every confuserex unpackme mod"

We all know you have the skills to unpack vanilla version and most of the mods out there. You don't need to post 20 unpacked EXEs to show that - that's not the point of unpackmes. The point is to produce something that others can use as a starting point in their learning path.

Also, saying "I used my private unpacker that I'm not gonna share" is equally not helpful for learning.

So, perhaps you could start off by writing ONE paper about unpacking modified confuserex?

[Teddy Rogers]

19 hours ago, XenocodeRCE said:

I think there exists something between "just throw off your unpacked exe" and "write a god damn paper for every confuserex unpackme mod" you see ?

The posts being hidden are the ones only with the solution. As others members here have pointed out - which I agree with - they only show xyz member is uber. These don't benefit anyone else and no one learns from them. All other posts are approved to be viewed and discussed with other members. The only issue here is the delay in the review and approval process.

No one has asked or is saying you need to write a 3000 word essay about how you unpacked each variant of ConfuserEx. We have been very liberal about some of the solutions being given best answer with a small write up - at times a few key dot points is all it needs...

Ted.

[Teddy Rogers]

17 hours ago, blank said:

Wouldn't it be possible to add a button or a checkbox when posting a reply, saying something like "Are you posting an answer, or a general comment?" And then if the reply is an answer, you can moderate it to make sure it is complete. If it's just a general reply or asking for details, allow the system to post it, and review it later. I don't think people would abuse the system just to get their incomplete answers public for a few minutes/hours.

Good suggestion, I will have a think over this and how it could be implemented...

Ted.

[kao]

On 1/19/2019 at 5:14 AM, Teddy Rogers said:

I am open to suggestions on best ways to filter in or out ConfuserEx type challenges. Whether this entails anything from creating a dedicated area or banning them completely. Let me know your thoughts.

I'm afraid we need to reopen this topic again.

In last 2 months moderators have approved 8 (yes, eight!) unpackmes from the user mamo434376. They are all simple modifications of ConfuserEx and KoiVM with very little original work. What exactly is the point of having them here?

[Teddy Rogers]

I read you loud and clear. I don't like it myself either.

My personal opinion (if it even matters). If there was limited interest in .NET I'd probably ban members from posting .NET unpackme's altogether. Let's be honest, if you want your application to be difficult to unpack you don't code it in .NET. When I see any new .NET unpackme/protector I shake my head and wonder as to why. Unfortunately this is the world we live in.

What is a solution or remedy to the problem?

• Restrict members from posting consecutive unpackme's over x period of time?
• Ban all or certain ConfuserEx, KoiVM, etc? If we do this how to quickly determine between a good and a bad ConfuserEx or KoiVM over one worth approving?
• Who determines when a simple modification is a bad modification not to be approved - where is the benchmark?
• Who is interested in becoming a .NET unpackme moderator?

Suggestions and ideas to improve are always welcome...

Ted.

[Kurapica]

17 hours ago, Teddy Rogers said:

• Who is interested in becoming a .NET unpackme moderator?

 

I would take this job but !

Mental and Dental included ?

Kidding

 

[Washi]

On 10/18/2019 at 2:17 AM, Teddy Rogers said:

I read you loud and clear. I don't like it myself either.

My personal opinion (if it even matters). If there was limited interest in .NET I'd probably ban members from posting .NET unpackme's altogether. Let's be honest, if you want your application to be difficult to unpack you don't code it in .NET. When I see any new .NET unpackme/protector I shake my head and wonder as to why. Unfortunately this is the world we live in.

What is a solution or remedy to the problem?

• Restrict members from posting consecutive unpackme's over x period of time?
• Ban all or certain ConfuserEx, KoiVM, etc? If we do this how to quickly determine between a good and a bad ConfuserEx or KoiVM over one worth approving?
• Who determines when a simple modification is a bad modification not to be approved - where is the benchmark?
• Who is interested in becoming a .NET unpackme moderator?

Suggestions and ideas to improve are always welcome...

Ted.

Regardless of the borderline-spam that we have been observing in the challenges sections, I think .NET is still a valid platform to write reverse engineering challenges for. Look how obfuscators like DNGuard still seem to be a challenge for a lot of people. Also, even though KoiVM is more or less defeated nowadays, it used to be a very difficult task as well for the majority of people around here.

There are many tricks one could pull off to make a challenge interesting, and this includes the ones written in .NET. I think the difficulty of a challenge does not always rely on the platform it is running on. For example, some rely on interesting or flawed cryptographic algorithm implementations that the reverse engineer needs to exploit in some way or another. Others might use an uncommon model of a virtualization that people haven't seen before all too often. Furthermore, writing these kinds of challenges in .NET could make the challenge actually more fun, as the reverser doesn't have to worry too much about the imperfect decompiled code of IDA or Ghidra or whatever tool people use. Rather, they can focus more on the actual problem that the challenge is about. Granted, I might be talking a bit more about KeygenMes now rather than "simple" unpackme's, but I think you get my point. Creativity is the key to success in my opinion, but you are right this is hard to benchmark.

Banning challenges that are protected by a specific (potentially modded) obfuscator sounds like a bad idea as well in my opinion, and could hurt the forum more than it would do good. It might be a good idea however to limit the number of challenges per  obfuscator, although I am not entirely sure how to limit this or when to decide when this limit is reached. Perhaps one or two per version/update or maybe per feature that an obfuscator might offer?

Edited October 19, 2019 by Washi

[Teddy Rogers]

That was the point I was trying to make, even though I think .NET unpackme's may not be worthy of attention they still hold value and interest to other members. This is looking at the situation purely from a .NET unpackme perspective.

2 hours ago, Washi said:

I am not entirely sure how to limit this or when to decide when this limit is reached. Perhaps one or two per version/update or maybe per feature that an obfuscator might offer?

This is where I am trying to gain feedback and ideas, how to benchmark and define the cut off point. How will members be able to know in advance of posting, that an unpackme challenge will be approved, over one that will not. To maintain consistency how will moderators be able to determine the good from the bad.

I am open to feedback on this one...

Ted.

[atom0s]

There is definitely room for a good modification of ConfuserEx to eventually happen and be posted here. ConfuserEx itself was the successor/fork of Confuser itself, which has greatly improved the original. ConfuserEx has completely changed how the .NET protection field has worked as well, with it completely influencing every other obfuscator on the market. Especially the ones made from people in the RE scene all using ConfuserEx as a base to work from. (Whether they want to admit to it or not.)

Since ConfuserEx and now KoiVM are open source, they tend to be the most used and modified. No other real protection system for .NET is open source let alone offers the kind of features that they do. While it does mean a lot of terrible rebrands and mods will happen, it doesn't mean every single one is going to be trash in the future. Given that KoiVM is open source, it leaves a lot of room for others to take that concept and run with it to make their own VMs with much more in depth features, better C# language support for newer features, and so on.

I don't think out-right banning it from existing on the site is a good idea either. There shouldn't be a reason to further divide what little of the RE scene is left.

Some thoughts of mine on how to approach this going forward:

1. Make a new section/sub-forum specifically for ConfuserEx mods. This way the general .NET unpack section can focus on other non-ConfuserEx related challenges and not be drowned out with the various customizations/mods people want to post. 

2. In the new section, have some type of guidelines/rules on what is considered a valid challenge. Mods to ConfuserEx that do nothing to the actual core and just add 1-2 new things should be rejected because the base/core has not been touched, therefore all the existing tools will work against said mod. Simply renaming the ConfuserEx attribute is not a valid means to try and deter tools from working etc. Focus on making sure people have actually put time/effort into their mods vs. just renaming the project and adding 1 thing to it.

3. Avoid belittling people that are coming here to learn and making an effort to work on modifications. Rather than people just shitting on someone or leaving a few word replies telling the person they suck, their mod is shit, etc. encourage people responding to the threads to actually give feedback in a friendly manner. Everyone started somewhere, knowing nothing, so putting egos aside and encouraging new comers to go back and learn certain things, showing them why a certain protection/mod doesn't work/help, etc. goes a long way. (Simply put, if your objective is just to be a dick when responding, just don't respond.)

4. If moderators are added, would really suggest making sure that there is some rules/guidelines on how they should moderate the new section/topics. Basically to avoid power-tripping, egos, and other nonsense that doesn't need to exist here. Another thing is to understand everyone has different skill levels when it comes to unpacking/cracking things, and while person A may think a given mod is weak/easy/crap, person B who is just learning may see the given challenge as a great learning experience and a way to enhance their skills. So avoiding skill sets being the end-all judgement of how something is moderated. 

Of course there are situations where things like this will have trolls or people posting challenges that have their own issues with pride/ego as well. Which is something seen already with a few people posting ConfuserEx mods that do not really understand the base project, how .NET operates, etc. For example, there is someone on a specific Discord community that keeps making 1-2 line edits to ConfuserEx and deeming it uncrackable. Every time, someone will use the existing tools, unpack his app and prove him wrong, but he refuses to be wrong and keeps spamming the Discord with modifications constantly. In a case like this I would say preventing them from posting new challenges for a given period of time may be warranted to avoid them from posting 100 different mods in a day. 

All in all though, I wouldn't recommend banning it altogether. The RE scene is so small anymore as it is, banning discussions on given topics at all is just going to further divide things than they already are. As it is, there are people on this site that land up driving new comers away already which most land up joining one of the various Discord communities instead that are focused on RE/.NET RE etc. 

[kao]

+1 to what @Washi and @atom0s said.

To keep the .NET unpackme section in a decent shape we would need a moderator who, well, moderates..  Posting a crackme is not a basic human right - it must be earned. I believe it's a moderators right and duty to say "Sorry, but this thing you made is not a good crackme. May I suggest you to learn a bit more and come back later?" That moderator action would stop floods of ConfuserEx shit-mods once and for all.

Another duty of moderator is to intervene and to keep discussion civilized and to the point. Mamo's responses in his topics fell short of that (for example, the part where users reported broken/nonworking crackme). While I understand that some of members don't speak good english or even use a machine translator, it doesn't give them rights to behave like a dick. 

As for newcomers going away from the forum and joining some Discord channel - there's nothing we can or should do about that. Those Discord channels are full with blinds leading the blind. But that's what modern skids want - feeling important, feeling smart and being able to shout "omg lol i brokz t3h unpacker!!!111", "how i can make this rat fud??", "duuude, I compiled confuserex!" or, better yet, posting an excruciating 30minute video showing that process.. We don't need that here.

[XenocodeRCE]

On 10/18/2019 at 2:17 AM, Teddy Rogers said:

I read you loud and clear. I don't like it myself either.

My personal opinion (if it even matters). If there was limited interest in .NET I'd probably ban members from posting .NET unpackme's altogether. Let's be honest, if you want your application to be difficult to unpack you don't code it in .NET. When I see any new .NET unpackme/protector I shake my head and wonder as to why. Unfortunately this is the world we live in.

What is a solution or remedy to the problem?

• Restrict members from posting consecutive unpackme's over x period of time?
• Ban all or certain ConfuserEx, KoiVM, etc? If we do this how to quickly determine between a good and a bad ConfuserEx or KoiVM over one worth approving?
• Who determines when a simple modification is a bad modification not to be approved - where is the benchmark?
• Who is interested in becoming a .NET unpackme moderator?

Suggestions and ideas to improve are always welcome...

Ted.

 

• It's not about restricting someone from posting a challenge consecutively over x period of time, it's about preventing the board activity to be flooded by non-interesting challenges because the content of the board express the idea of what the board is about. To prevent what Kao, Washi and atom0s spoke about and underlined with lucidity, I would suggest that "reputable members" shall report non-interesting challenges (Mamo's 8 variation of ConfuserEx for instance, nothing ad personam, it's just that the qualitative diference is not that interesting between each challenge he posted) and one of the mod, whoever she/he is, shall hide the topic from the public and take the time to see if it is indeed something to remove or not, of course "reputable members" can explicitely write arguments in the topic's reply section before it get hidden from the public so the mod in charge will know what to do if she/he is clueless.
   
• The problem is the problem of the criterion : you need a good criterion to determine if a challenge is a good or a bad ConfuserEx / KoiVM challenge, but the real issue at stake is that you also need a criterion to decide what is a good criterion to then determine if a challenge is a good or a bad ConfuserEx / KoiVM challenge, you got me. Don't ban in a systematic way X or Y challenges, just let the communoty react and report the one that are not adding any qualitative content to the board. 
• That point is similar to some extent to the former one.
• Washi used to be a mod on another forum and he did a decent job, so I would vote for him, however if it is possible not to elect somebody and rather let the communoty become mature and let it report the posts, aka auto-moderation, that might work great. 

[Washi]

4 hours ago, kao said:

I believe it's a moderators right and duty to say "Sorry, but this thing you made is not a good crackme. ..."

The problem is defining what a good crackme is and where we draw the line. Being able to decide whether an unpackme would be good enough would require for the moderator to essentially solve the challenge themselves as well, which might require too much time for a simple approval, or worse, it might not always be within the skill set of the moderator him-/herself.

A random idea that popped into my mind today: It might be possible to incorporate a system that is similar to how crackmes.de used to do it in the past when it was still online. What they did was only approving challenges that also provided an example solution with a full disclosure on the techniques used to protect the challenge or make it interesting. The example solution would only be visible to the staff and to the original author.

The way I see it, this has a couple of advantages:

• It makes the approval procedure more objective. Staff would judge the actual contents of the challenge, rather than having to guess or solving the challenge themselves first.
• It makes the approval procedure a lot less time consuming.
• It forces the creator of the challenge to actually think of something interesting and not impossible. Effectively, they have to be able to solve their own challenge, and be able to convince one of the staff members the challenge is interesting.

Some downsides would be:

• UnpackMes protected by new (updates of) obfuscators might not be possible anymore this way. The author might not have the skill to reverse the new technique that is applied either and the UnpackMes is more of an incentive for other, more experienced reverse engineers to have a look at it.
• As a consequence of the above, collaborative reversing might also be more discouraged by this methodology, since these UnpackMes without a solution would be denied.
• I also don't know if the current forum software supports any kind of system like this? I can imagine staff not wanting to get spammed with private messages about approval of a challenge either, so it might require a dedicated system, which might require some more coding to get it to work.

 

3 hours ago, XenocodeRCE said:

Washi used to be a mod on another forum and he did a decent job, so I would vote for him,

I don't think I am eligible for a moderator, nor do I think I would be having time for it.

Edited October 20, 2019 by Washi
Grammar