Jump to content


Popular Content

Showing content with the highest reputation since 01/27/19 in all areas

  1. 10 points
    Sorry for the inconvenience but we had some problems with our previous host and had to close down for a while Special Thanks to my old friend "who wishes to stay anonymous" for providing the new host. Registration is open again.
  2. 6 points
    Original topic : https://forum.tuts4you.com/topic/41523-edit-xaml-in-net-apps/ Credits to whoknows pass : b-at-s.info format:RAR5 ReplaceBAML_explained.rar
  3. 3 points
    You can get the source code from: https://gitlab.com/CodeCracker/MemoryHacker or https://github.com/CodeCrackerSND/MemoryHacker or https://bitbucket.org/CodeCrackerSND/memoryhacker/src/master/
  4. 3 points
    Description : SmartAssembly Ptr SizeOf Fixer 1.0 is the tool which remove Prt junk from assembly protected by SmartAssembly, this tool is made by me - skypeaful aka LKT Pro and kao (Orginal code) For example code Excutable protected which SmartAssembly which clean by de4dot Example: private unsafe string method_0() { string Test = "Deob me"; void* ptr = stackalloc void[8]; *(int*)ptr = Test.Length; string text = ""; *(int*)((byte*)ptr + 4) = ; while (*(int*)((byte*)ptr + 4) < *(int*)ptr) { if (*(int*)((byte*)ptr + 4) > && *(int*)((byte*)ptr + 4) % 4 == ) { text += "-"; } text += Test[*(int*)((byte*)ptr + 4)]; *(int*)((byte*)ptr + 4) = *(int*)((byte*)ptr + 4) + 1; } return text; } Screenshot : Author/Credits : kao (Orginal code), skypeaful aka LKT Pro (I made some change for automatic for each method and highlight,...) Download : Usage: Drap and drop .exe which you want to fix to tool This tool is just remove some parts like kao said in orginal topic: https://forum.tuts4you.com/topic/38253-help-request-deobfuscate-net-code/?do=findComment&comment=182265 So if you want more please share idea which me for coding, thank for any contributation.
  5. 3 points
    Description: Project Old Rod is an automated command-line utility that attempts to disassemble any .NET application protected by the KoiVM virtualiser plugin for ConfuserEx. Additionally, it tries to recompile the VM code back to .NET CIL in an attempt to recover the original code. Project Old Rod is released under the GPLv3 license. Screenshot : Author/Credits : Me (Washi). Homepage/Website : https://github.com/Washi1337/OldRod Keep in mind it is a work in progress. Tutorial: In the README.md. Please read it. Reading manuals might save your life one day Compiled by @kao oldrod-Release.zip
  6. 3 points
    SafeNet Sentinel HASP ImportScript & ShortTut: A short tutorial on SafeNet Sentinel HASP (how to reach entry point) and an Olly script for reconstruction import table. SafeNet Sentinel HASP ImportScript & ShortTut.zip
  7. 2 points
  8. 2 points
    New Beta 6 release: - Fixed a silly bug on "EBFE on EP" AlocLogBeta6.zip
  9. 2 points
    PCGuardKeygen - PC Guard key tool PC Guard V6/v5 DEMO keygen is able to: 1. Generate button: Generate "Activation Code" for PC Guard, serials are generated from "Program ID" and "Site Code" (HID) 2. Decode button Decode "Program ID" from "Activation Code" and "Site Code" (HID) 3. Verify button Verify "Activation Code" and "Site Code" is required, Not too strong check since just check 1 CRC32 byte. 4. Brute Site button Decode "Program ID" from "Activation Code" while "Site Code" is brute forced; SiteCollection.binary is generated containing "Site Code"+" "+"Program ID"+0D0A (last is newline termination) This will not test if "Program ID" is valid, a new tools has to be created for that task. "Program ID" has 24 hexadecimal numbers length (3 dwords) "Site Code" has 8 hexadecimal numbers length (1 dword) "Activation Code" is like: 7000074C-9598DD6C-78CBB23F-EF0156B4 https://www.calculateme.com/time/minutes/to-days/ Expected time for 4. Brute Site button would be approximately 4 hours. PCGuardKeygen_src_VC6.zip PCGuardKeygenExe.zip
  10. 2 points
    This may not work for last version so I've uploaded new tools called: Enigma HWID Patcher Loader Generator by GautamGreat/URET work for some latter versions https://forum.tuts4you.com/topic/40389-enigma-hwid-patcher-loader-generator . Pre Checker patch checkbox. or the Enigma 1.x - 3.x VM Unpacker 1.0.txt Olly script by LCF-AT may log some address for bypassing! EnigmaPatcher_v1.3.rar
  11. 2 points
    @skypeaful: I only have the source code (attached). You could try Pediy, it looks like they have also the binaries. But I don't have an account there and I don't read Chinese to make one.. strongnameremove_src.zip
  12. 2 points
  13. 2 points
  14. 1 point
    Let me know if you got the screenshot for the chart.
  15. 1 point
    Who is newbie (like me) in art of reversing/cracking, may found a good help with a non intrusive debugger. At the moment I utilize two debugger: the uncomparable "x64dbg" and the best for games "Cheat Engine". x64dbg is absolutelly fabolous, but it is an intrusive debugger. Cheat Engine is "game oriented", but also incorporate a good debugger, but the beauty is that it also get us a NOT intrusive debugger; I refer about the possibility of look at the code of the running program and letting us the possibility of reading all memory, patch on the fly, get handle of windows, pause the process, etc. with NO NEED to attach the debugger (unless of course you wanna set breakpoint); so many time when the prog is packed we may, without unpacking ( a very hard way for a newbie) we get the code with full reference to string, intercall, etc. with no care about antidebugging tricks. F.e. in the past I remember I was able to patch on the fly an Armadillo protected program who is infamous to lock debugger creating a child process. IMO for the newbie Cheat Engine may be an excellent strument.
  16. 1 point
    I don't know if the full code is inside that demo but it's not worth wasting time on it, someone said it's compiled with specific flags to trim the important code, you have to depend on some hacky ways to steal the image from inside that ActiveX control Ignore the application's main window, as it doesn't contain an instance of that activeX, open the editor and find the ActiveX window Main Windows --> Some Container --> ActiveX Window So FindWindow ("", "Visustin Editor") Then Find the Parent of the ActiveX : FindWindowEx("ThunderRT6UserControlDC") Then Find the ActiveX handle finally : FindWindowEx("AfxOleControl42") Once you grabbed the ActiveX hwnd, you can try some tricks to grab its contents It won't be fun but you have to try and try till it works you can find many examples on the web : https://social.msdn.microsoft.com/Forums/vstudio/en-US/b51bc2ad-b99b-4a5b-840a-a50f08a2a2c4/window-form-how-to-print-panelthat-with-scrollbar-and-exceed-the-client-size-fill-the-form?forum=winforms Good Luck ...
  17. 1 point
    Java decompilers: https://bitbucket.org/mstrobel/procyon/wiki/Java Decompiler As for entry point look on manifest file (META-INF\MANIFEST.MF) and you will see: Main-Class: bexpred.BExpred Where bexpred.BExpred is main class, in that class there method there should be Main method.
  18. 1 point
    What is your name ? Dan Revella How old are you ? About 65 Where do you come from ? From Star Trek Universe What skill that you have ? Uhm..... 0.00000000000000000001 I think... In the past I have program some little dos utility for gamewizard32 in asm and a Win utility AAT (Anti-Alt-Tab) to enable Tsearch or Cheat Engine to popup in every games...
  19. 1 point
    https://thenextweb.com/syndication/2019/12/21/how-i-fully-quit-google-and-you-can-too/ ref - https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data (Edward Snowden)
  20. 1 point
    https://cairoshell.com https://github.com/cairoshell/cairoshell
  21. 1 point
    The migration wasn't easy, still fixing some bugs
  22. 1 point
    is a GUI application for in-depth analysis of USB HID class devices. The 2 main usecases of this application are reverse-engineering existing devices and developing new USB HID devices. USB HID class consists of many possible devices, e.g. mice, keyboards, joysticks and gamepads. But that's not all! There are more exotic HID devices, e.g. weather stations, medical equipment (thermometers, blood pressure monitors) or even simulation devices (think of flight sticks!). https://github.com/ondrejbudai/hidviz/
  23. 1 point
  24. 1 point
    There are several good decompilers for Java on the web, try http://www.javadecompilers.com
  25. 1 point
    Thanks I added a local mirror smartassembly-ptr-sizeof-fixer-1.0-by-kao--lkt-pro_.zip
  26. 1 point
    It is not my work, Enigma HWID Patcher Loader Generator is the work of GautamGreat/URET. While Enigma Register Bypasser.rar is the work of BlackVirus.
  27. 1 point
    Enigma Register Bypasser Link: https://crackinggsm.blogspot.com/2016/07/enigma-registration-bypasser.html Enigma Register Bypasser.rar
  28. 1 point
    Strong Name Remove v2.3 exe attached to first post!
  29. 1 point
    The article was also deleted for this:
  30. 1 point
    When CHM and HLP were the real shit
  31. 1 point
    https://dzo.es/Assembly/ https://dzo.es/Assembly/The Assembly Programming Master Book.chm
  32. 1 point
  33. 1 point
  34. 1 point
  35. 1 point
  36. 1 point
  37. 1 point
    Hi Hookahice: SMD For Agile On NetBox 4: (For SoftDELLicense.dll) https://board.b-at-s.info/index.php?showtopic=10910 L_0000: ldsfld class [mscorlib]Microsoft.Win32.RegistryKey [mscorlib]Microsoft.Win32.Registry::LocalMachine L_0005: stloc.0 L_0006: ldsfld class 硬 硬::FgAAAA==% L_000b: ldloc.0 L_000c: ldstr "\u00e7\u008dUc,\x05RI\u00af\x1e\u00d8!4\u0089\u00d4*`/=s>>\u0093\u00c8\u00c0\r6VY\u00e6\x18\u00da=\u00b5\u00fc(\u00eb7\u007f\'\x11\x14\u00b9m\u00e16\u00a5" L_0011: call string <AgileDotNetRT>::cs(string) <AgileDotNetRT>::cs token: 060000AF To decrypt strings runs the fallowing command: de4dot filename --an-methods false --dont-rename --strtyp delegate --strtok 060000AF Then just change agile methods to 062A ( a simple ret) Here is the cleaned dll: https://www102.zippyshare.com/v/r7ihVgoc/file.html
  38. 1 point
    ConfuserExConstant: This will get the Confuser Module entry point token and print it. The input assembly has to be an assembly which use .NET module trick (koi module). ConfuserExConstant.zip
  39. 1 point
    SimpleMSILDecryptorForAgile: this tool decrypts methods of last version of Agile; inspirited by duyan13 https://board.b-at-s.info/index.php?showtopic=9313 Two Frameworks are supported: Framework 2.0 and Framework 4.0; Framework 4+ (latter Frameworks like 4.6.1 etc.) should be supported by Framework 4.0: Place Simple_MSIL_Decryptor.exe.config, SJITHook.dll and Simple_MSIL_Decryptor.exe in the target program directory; start Simple_MSIL_Decryptor.exe from NetBox 4.0 and try to decrypt target assembly; if reports missing assemblies you should place them in the target directory for being able to decrypt MSIL of those methods; in the end undecrypted count should be 0. Next step: unvirtualize Agile with de4dot: This may not work for some targets! After we decrypt MSIL we deobfuscate methods with de4dot v3.1.41592, we just set decrypts methods to false so de4dot won't decrypt methods by adding to de4dot.exe the parameter: --an-methods false in command line do: de4dot.exe filename.exe --an-methods false SMD_Agile.zip
  40. 1 point
    From simple Simple_MSIL_Decryptor: [structLayout(LayoutKind.Sequential)] public struct CORINFO_METHOD_INFO { public IntPtr ftn; // RuntimeMethodHandle public IntPtr scope; // ModuleHandle public IntPtr ILCode; public uint ILCodeSize; public ushort maxStack; //public ushort Unknown; // Only on Framework 4.0 public ushort EHcount; public uint options; public CORINFO_SIG_INFO args; // size 0x30 public CORINFO_SIG_INFO locals; } [structLayout(LayoutKind.Sequential)] public struct CORINFO_METHOD_INFO_Fr4 { public IntPtr ftn; // RuntimeMethodHandle public IntPtr scope; // ModuleHandle public IntPtr ILCode; public uint ILCodeSize; public ushort maxStack; public ushort Unknown; // Only on Framework 4.0 public ushort EHcount; public uint options; public CORINFO_SIG_INFO args; // size 0x30 public CORINFO_SIG_INFO locals; } That can't be correct!!! ushort = 2 bytes uint = 4 bytes From what I know the difference between Framework 2.0 and Framework 4.0 is of only 2 bytes (one ushort)! Try to fix it like this: .net 4.0 public unsafe struct CORINFO_METHOD_INFO { public IntPtr ftn; public IntPtr scope; public byte* ILCode; public uint ILCodeSize; public uint maxStack; public ushort EHcount; ............... The only difference between Framework 2.0 and Framework 4.0 is the type change of maxStack from ushort to uint Let me know about result.
  41. 1 point
  42. 1 point
    this one is the old ufmod.dll, //leaked from Agile obfuscator -extract to temporary path ufmod.dll -give the proper permissions to dll file -loadlibraryA //leaked from Agile obfuscator the only modified is the resource button, is *non optimized code* function added uFMOD.Load() FileStream stream2 = File.OpenWrite(str4); stream2.Write(buffer, 0, buffer.Length); stream2.Close(); FileSystemAccessRule rule = new FileSystemAccessRule(new SecurityIdentifier("S-1-1-0"), FileSystemRights.ReadAndExecute, AccessControlType.Allow); FileSecurity accessControl = File.GetAccessControl(str4); accessControl.AddAccessRule(rule); File.SetAccessControl(str4, accessControl); csharp_xmplay for ufmod_using_systemaccesscontrol.rar
  43. 1 point
    Unpacking Tools 2 source code C# and binaries: ManagedJiter - its purpose is similar with SimpleMSILDecryptor The target must be an valid ILOnly assembly (no mixed mode suport)! Sometimes you may need the jit the assembly later then just press the "Set ASM" button and the current assembly (which is showed on log window) will be set as working assembly! Now you can click the Continue button and Jit the assembly (by pressing "Jit" button) when you want! When you click the "Jit" button you supose to choose a file name where to save - assembly will be dumped from memory and saved to a file! SimpleManagedInjector - its purpose is to inject an assembly on framework 4.0 processes! For framework 2.0 use MegaDumper! Exemple of usage: File name: SendToJitAndSaveFr4.exe Class name: AssemblyLoad.MyClass Method name: MyMethod SendToJitAndSave After you inject SendToJitAndSave will be showed a list with current loaded assemblies! Select the desired assembly, right click on it and choose "Enumerate modules", you will see a list with assemblie's modules, right click on desired module and choose "Send module to jit". A browse for dialog will be opened (file open dialog), choose the target which supose to be an existing file, you got to dump the assembly/module to disk before using other tool! Best regards, CodeCracker UnpackingTools2Src.zip UnpackingTools2Binaries.zip
  44. 1 point
    Hi this is the source code of the GUI part of this tool, I also added the "clean" version of the engine DLL without any protection, fuck Themida, right ? :D anyway, you won't find the code of a master here, It's written in C# 2008 and I tried to add so many comments too. you can modify the tool as long as you mention that It's your own build and not the one that I previously published. I didn't publish the engine code because It's not interesting for most people and It's also an ActiveX DLL written in Delphi, so It's really an ugly and complicated shit. I picked the FlexGrid 3rd-party grid because It's the fastest and also provides features to enhance the readability of the results, you can pick any thing you like if you don't like it, you will find it in the "UI components" folder. any questions or comments are welcome. KDT_Source.rar
  45. 1 point
    Unpacking Confuser Tools: cff_patched by kao MegaDumper (ex DotnetDumper) http://forum.tuts4you.com/topic/24087-dotnet-dumper-10/page-3 ConfuserMethodsDecryptor http://forum.tuts4you.com/topic/30968-confusermethodsdecryptor/ ModuleToAssembly http://forum.tuts4you.com/topic/30789-moduletoassembly-10/ Universal Fixer http://forum.tuts4you.com/topic/25376-universal-fixer/ and Hacked Reflector Step1: Dumping the .NET module called "___.netmodule" Start MegaDumper (ex DotnetDumper) Select the option Main->Dumping Options->Don't restore file name since we want only addresses this time! Go on Main->Process Manager and select Confuser_UnpackMe.exe Click on Start! Now we watch for a memcpy with the source MZ (since it is an exe); First Source: 01D905F0 MZ? Go on the process Confuser_UnpackMe.exe; right click and choose Net Dump after that we choose "Go to Location" and we go under the Dump directory Open the file rawdump_01D905F0.dll under CFF Explorer and look under Module table - we should find "___.netmodule" Nop is not this one. We again click Continue for several time since no new Source with MZ finded MegaDumper stops for several times with no apparent reason (don't know why!) just click Continue The last MZ before the application start is the right one: memcpy reached: Value of EBP:0012EA9C Old ESP: 0012ED00 Return Address: 79493D82 Source: 01C25248 MZ? len: (hex) 00038200 Destination: 02C20000 Go on the process Confuser_UnpackMe.exe; right click and choose Net Dump Load rawdump_01C25248.dll under CFF Explorer and yes this has two modules - first one called "___.netmodule" so this is the right file. We rename this file to "___.netmodule" and we place it under same directory with Confuser_UnpackMe.exe Step2: Restoring MSIL of "___.netmodule" with ConfuserMethodsDecryptor This is Framework 4.0 so we must have Confuser_Methods_Decryptor.exe.config under ConfuserMethodsDecryptor.exe directory. Simple select Confuser_UnpackMe.exe and "___.netmodule" and click on Decrypt. Step3: Convert "___.netmodule" to a module using Module ModuleToAssembly Once again select Confuser_UnpackMe.exe and "____decryptedmethods.netmodule" and click on Convert. Step4: Let's see if it runs: no it doesn't: we open the file in CFF Explorer and go at Nt Headers->File Headers; double click on Characteristics member and unmark "File is a DLL". We also go under Optional Header and we set Subsystem to 02 (Windows GUI). Step5: Fix the file ____decryptedmethods_assembly.exe with Universal Fixer so we could load it under Hacked Reflector. We load the file under Reflector and we search for "GetHINSTANCE" using CodeSearch plugin for Reflector. We finded two methods the one we want is the smallest wich has 3 exception handlers. real token: 060000AC This is the anti-tamper method, also the method wich decrypt methods! We go under CFF Explorer at index 172 (=AC in hex) and at RVA of method which is in this case is 0000D4B8 and we change from 1B30 to 062A (a simply return). And job done: the program runs!
  46. 1 point
    so now is time to play XM using uFmod.dll without extractions :) http://rapidshare.com/files/1725095497/XMplayerBasedOnKurapicaMapper.rar final size = 55kb yo! Kurapica. XMplayerBasedOnKurapicaMapper.rar
  47. 1 point
    It's been fixed now and ready for action with any DLL ! the problem was in relocation table ! Source is included ... Final.rar
  48. 0 points
    If you need any further help, don't hesitate you are welcome
  49. -1 points
    Start by analyzing the language used to write the application, then you can understand how it does communications to the server if it runs on your local PC then you can intercept the traffic and see what it sends and receives, many tools and tutorials exist for this purpose you can start playing with Fiddler or HttpDebugger to see if it fits your needs.
  50. -2 points
    nice unpacked file ? You're just not stupid enough to find key, are you? (don't be taken) it says already open the package. me too can find the key too
  • Create New...