All Activity

  1. Yesterday
  2. Last week
  3. freeware tool that captures text that's been copied to the clipboard (60kn zipped) https://cresstone.com/apps/clipLogger/
  4. Microsoft Teams is now available on Linux as a public preview, the first time an Office 365 application has been brought to the open source operating system. https://www.computerworld.com/article/3489079/microsoft-teams-comes-to-linux.html
  5. https://arstechnica.com/information-technology/2019/12/pensacola-city-government-was-hit-by-maze-ransomware-was-data-stolen/
  6. https://www.forbes.com/sites/thomasbrewster/2019/12/09/are-you-one-of-avasts-400-million-users-this-is-why-it-collects-and-sells-your-web-habits/ AVG has been acquired by rival Avast Software for $1.3 billion.
  7. https://erickutcher.github.io/#HTTP_Downloader
  8. https://torrentfreak.com/helix-iptv-hackers-threaten-to-expose-resellers-customers-191210/
  9. https://www.justice.gov/usao-ndia/pr/social-media-influencer-sentenced-14-years-federal-prison-after-plotting-hijack
  10. If you need any further help, don't hesitate; you are welcome.
  11. SiSC0

    Eazfuscator.NET

    Eazfuscator.NET 2019.4 - December 3, 2019

      • Blazor support
      • .NET Core 3.1 support
      • Unity 2019.2 support
      • Out of the box support for System.Text.Json
      • Improved ASP.NET Core support
      • Improved ASP.NET support
      • Improved JSON serialization support
      • Improved XML serialization support
      • Improved compatibility with .NET Framework SDK 4.8
      • Fixed issue that occurred during obfuscation of .NET Standard 2.0 assemblies when only .NET Core SDK 3.0 was installed
      • Fixed VM issue that could lead to InvalidCastException error during runtime
      • Fixed issue with absence of proper code access security attributes in the code injected by Eazfuscator.NET for .NET Standard assemblies
      • Fixed issue in MSBuild interoperability with PostSharp 6.0+
  12. A Sage guides without offense, and teaches without humiliating. Thank you!
  13. https://cairoshell.com https://github.com/cairoshell/cairoshell
  14. Earlier
  15. Start by analyzing the language used to write the application; then you can understand how it communicates with the server. If it runs on your local PC, then you can intercept the traffic and see what it sends and receives. Many tools and tutorials exist for this purpose; you can start playing with Fiddler or HttpDebugger to see if it fits your needs.
  16. Hi, I wonder if there is any way to find the address of a program call to a website, and how to check what returns from that call and if there is any way to counteract? This program in question only makes this call on the server to check if the user exists and receives a return. Your database is all on the PC. Thank you in advance for your help. Victor
  17. https://www.commondreams.org/news/2019/12/04/massive-leak-data-reveals-money-hiding-secrets-superrich-and-only-beginning
  18. Password reset function and emoticons are fixed now
  19. The migration wasn't easy, still fixing some bugs
  20. Good to see it back up. Had a little shock when I visited the last time and was welcomed by a "we are closed" banner.
  21. http://blog.loadzero.com/blog/si78c/
  22. https://coffee-and-dreams.uk/security/2019/10/20/mitigating-a-ddos.html
  23. https://www.city-journal.org/edward-snowden-permanent-record
  24. Oreans UnVirtualizer v1.8 by Deathway

    It is hard to find targets for which this Olly plugin works.

    Orean VM section has empty name "":

        Memory map, item 25
         Address=00EFF000
         Size=00220000 (2228224.)
         Owner=LOTOdemo 00400000
         Section=
         Type=Imag 01001002
         Access=R
         Initial access=RWE

    So the first thing to do is search for VM jumps in the code section:

    In the Olly code section, right click and choose Orean Unvirtualizer -> Find references
    As VM Start enter the previous Orean VM section Address = 00EFF000
    As VM Size enter the Orean VM section Size = 00220000
    After pressing OK it should find Oreans Virtual Machine References

    We have two more options after the "Find references" command:

      1. Unvirtualize No Jmp Alt+U
      2. Unvirtualize With Jmp Alt+I

    Those refer to the way to assemble unvirtualized instructions: the recommended one is 1. Unvirtualize No Jmp Alt+U

    So how we unvirtualize: on the Oreans Virtual Machine References list choose a VM jump, right click on it and choose Follow Enter, and that address should be displayed in the code window. Now we right click the address in the code window and do Orean Unvirtualizer -> Unvirtualize No Jmp Alt+U

    Then a new txt window appears (notepad Cisc_UV_dump.txt) containing the unvirtualized instructions, and it also asks for an Unvirtualized First Memory Address - this is the address of the REAL first instruction in notepad Cisc_UV_dump.txt

        ENTRY POINT:
        00FCD78E PUSH DWORD PTR [ESP]
        00FCD790 MOV EAX,DWORD PTR [ESP]
        00FCD7A7 ADD ESP,0x4
        00FCD7CE ADD ESP,0x4
        00FCD81E PUSH EBP
        00FCD825 MOV EBP,ESP
        00FCD842 MOV ECX,0x6

    Here the Unvirtualized First Memory Address is 00FCD81E, right after the second ADD ESP,0x4

    It must be said that finding the real first address is a bit tricky; if you see a call to the code section we know for sure that this is a good address, called like:

        00FDB9A4 CALL 0x40149c

        00FDB6C9 ADD ESP,0x4
        00FDB6F3 ADD ESP,0x4
        00FDB713 MOV ECX,DWORD PTR [ESP]
        00FDB726 PUSH EDI
        00FDB731 MOV EDI,ESP
        00FDB747 ADD EDI,0x4
        00FDB794 ADD EDI,0x4
        00FDB7CD PUSH DWORD PTR [ESP]
        00FDB7CF MOV DWORD PTR [ESP],EDI
        00FDB818 POP EDI
        00FDB82A MOV ESP,DWORD PTR [ESP]
        00FDB849 MOV EDX,DWORD PTR [ESP]
        00FDB861 PUSH ESI
        00FDB879 MOV ESI,ESP
        00FDB88E ADD ESI,0x4
        00FDB8F2 ADD ESI,0x4
        00FDB939 PUSH DWORD PTR [ESP]
        00FDB93B MOV DWORD PTR [ESP],ESI
        00FDB98E POP ESI
        00FDB992 MOV ESP,DWORD PTR [ESP]
        00FDB9A4 CALL 0x40149c   // This time real address is 00FDB9A4
        @Label_00FDB9D4
        00FDBA04 AND EAX,0x80000000
        00FDBA3F CMP EAX,0x80000000
        00FDBAA4 JMP 0x407ade

        00407AE1   8B0C24          MOV ECX,DWORD PTR SS:[ESP]
        00407AE4   57              PUSH EDI
        00407AE5   89E7            MOV EDI,ESP
        00407AE7   83C7 04         ADD EDI,0x4
        00407AEA   83C7 04         ADD EDI,0x4
        00407AED   FF3424          PUSH DWORD PTR SS:[ESP]
        00407AF0   893C24          MOV DWORD PTR SS:[ESP],EDI
        00407AF3   5F              POP EDI
        00407AF4   8B2424          MOV ESP,DWORD PTR SS:[ESP]
        00407AF7   8B1424          MOV EDX,DWORD PTR SS:[ESP]
        00407AFA   56              PUSH ESI
        00407AFB   89E6            MOV ESI,ESP
        00407AFD   83C6 04         ADD ESI,0x4
        00407B00   83C6 04         ADD ESI,0x4
        00407B03   FF3424          PUSH DWORD PTR SS:[ESP]
        00407B06   893424          MOV DWORD PTR SS:[ESP],ESI
        00407B09   5E              POP ESI
        00407B0A   8B2424          MOV ESP,DWORD PTR SS:[ESP]
        00407B0D   E8 8A99FFFF     CALL 0040149C
        00407B12   25 00000080     AND EAX,0x80000000
        00407B17   3D 00000080     CMP EAX,0x80000000
        00407B1C ^ EB C0           JMP SHORT 00407ADE

    This time real address is 00407B0D

    We can also see if the unvirtualized code is right by placing the unvirtualized code starting from the "VM jump" address, and you should see if it matches until you fill out perfectly where the last jump leads (JMP SHORT 00407ADE). 00407ADE would be the end of restored instructions: but this will only check if the size of instructions matches!

    Unvirtualized code will always end with a jump: a jump back to the code section from the Oreans VM.
  25. https://www.qt.io/blog/qt-marketplace
  26. Nice tool! I think it will be useful for malware analysis!