
Password:

Youdidit!

(screenshot attachment: Capture 2.PNG)

  • 3 weeks later...


CCtor => 0x06000034 => Clean the antitamper => Clean cflow => clean string encryption and that's it

Most cleans are done by tweaking some public cleaners.

The right key is "Youdidit!"

Edited by ForlaxPy

Unpacked file????

  • Author
On 5/8/2020 at 5:09 AM, ForlaxPy said:


CCtor => 0x06000034 => Clean the antitamper => Clean cflow => clean string encryption and that's it

Most cleans are done by tweaking some public cleaners.

The right key is "Youdidit!"

How do you remove the anti-tamper without breaking the file?

  • 3 weeks later...

Unpacked! So here's what I did.
 

Removing the antitamper is really difficult if you're going to decrypt the methods by executing the method decrypt call in <module>.cctor. I think this is caused by the function that modifies some parts of the metadata. That function is placed before the method decrypt function and after the PE section finding part.

So what I did was modify abugger's antitamper remover, and it pretty much worked.
After the antitamper was removed, it somehow created an error when decompressing the constant data.

Anyway, I'm too lazy to find out how removing the antitamper was causing that.

I just executed the original file, grabbed the decompressed byte array value for the constants and moved the initializer into <module>.cctor.

After that, I resolved the values of the mutations. If I remember, there were sizeof, Convert.ToInt32, Math.(function) and int/short.Parse.
After the mutations, all you need to do is convert the fields to locals, calli to call, resolve the delegates, and resolve and remove the proxy call delegates.
You have to make your own approach to removing the proxy call delegates on this one. The values of the delegates are initialized in <module>.cctor.

Here's the result of what I did (manually cleaned the junk types).

Unpackme_cleaned.exe

screenshot: (attachment image.png)
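An added example of the mutation-resolving step described in the post above (this is not code from the thread or from any cleaner it mentions): a peephole constant folder in Python over a constructed, simplified IL model. The instruction tuples, the dnlib-style method names and the sizeof table are all assumptions made for the illustration; a real cleaner would walk dnlib `Instruction` objects instead.

```python
import operator

# Constructed: sizes the JIT substitutes for `sizeof` on primitive types.
SIZEOF = {"System.Int16": 2, "System.Int32": 4, "System.Int64": 8}
# Constructed: pure calls named in the post, keyed by an assumed dnlib-style
# full name -> (expected operand kinds, evaluator over those constants).
PURE_CALLS = {
    "System.Convert::ToInt32(System.String)": (("ldstr",), lambda s: int(s, 10)),
    "System.Int32::Parse(System.String)": (("ldstr",), lambda s: int(s, 10)),
    "System.Math::Max(System.Int32,System.Int32)": (("ldc.i4", "ldc.i4"), max),
}
BINOPS = {"add": operator.add, "sub": operator.sub, "mul": operator.mul, "xor": operator.xor}

def to_i32(v):
    v &= 0xFFFFFFFF  # ldc.i4 holds a signed 32-bit value; mimic the wrap-around
    return v - 0x100000000 if v >= 0x80000000 else v

def fold_once(il):
    """Rewrite the first foldable pattern; None when nothing is left to fold."""
    for i, (op, arg) in enumerate(il):
        if op == "sizeof" and arg in SIZEOF:
            return il[:i] + [("ldc.i4", SIZEOF[arg])] + il[i + 1:]
        if op in BINOPS and i >= 2 and il[i - 1][0] == il[i - 2][0] == "ldc.i4":
            val = to_i32(BINOPS[op](il[i - 2][1], il[i - 1][1]))
            return il[:i - 2] + [("ldc.i4", val)] + il[i + 1:]
        if op == "call" and arg in PURE_CALLS:
            kinds, fn = PURE_CALLS[arg]
            n = len(kinds)
            args = il[max(i - n, 0):i]
            if [a[0] for a in args] == list(kinds):  # only fold on constant inputs
                return il[:i - n] + [("ldc.i4", to_i32(fn(*(a[1] for a in args))))] + il[i + 1:]
    return None

def resolve_mutations(il):
    """Fold to a fixed point; ldarg, fields and unknown calls stay untouched."""
    il = list(il)
    while (nxt := fold_once(il)) is not None:
        il = nxt
    return il

# Constructed sample: (sizeof(int) * Convert.ToInt32("7")) ^ Math.Max(3, int.Parse("9")),
# as a mutation would emit it, followed by a proxy call that must survive untouched.
SAMPLE = [
    ("sizeof", "System.Int32"), ("ldstr", "7"),
    ("call", "System.Convert::ToInt32(System.String)"), ("mul", None),
    ("ldc.i4", 3), ("ldstr", "9"), ("call", "System.Int32::Parse(System.String)"),
    ("call", "System.Math::Max(System.Int32,System.Int32)"), ("xor", None),
    ("ldarg", 0), ("call", "Proxy::Invoke(System.Int32,System.Object)"),
]
```

Running `resolve_mutations(SAMPLE)` collapses the whole arithmetic prefix into a single `ldc.i4 21` while leaving the `ldarg`/proxy `call` pair for the later delegate-resolving step.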

  • 3 years later...
On 5/8/2020 at 1:09 AM, ForlaxPy said:

0x06000034

Edited by andrus_777123
error messaging
