Jump to content

CodeExplorer

B@S Team
  • Content Count

    892
  • Joined

  • Last visited

  • Days Won

    340

Everything posted by CodeExplorer

  1. Oreans UnVirtualizer v1.8 by Deathway It is hard to find targets for which this Olly plugin works Orean VM section has empty name "": Memory map, item 25 Address=00EFF000 Size=00220000 (2228224.) Owner=LOTOdemo 00400000 Section= Type=Imag 01001002 Access=R Initial access=RWE So first thing to do is search for VMs jumps in code section: In Olly Code Section do right click and choose Orean Unvirtualizer -> Find references As VM Start enter the previous Orean VM section Address = 00EFF000 As VM Size enter the Orean VM section Size = 00220000 After pressing OK it should find Oreans Virtual Machine References We have two more options after "Find references" command: 1. Unvirtualize No Jmp Alt+U 2. Unvirtualize With Jmp Alt+I Those refers to the way to assemble unvirtualized instructions: the recommended one is 1. Unvirtualize No Jmp Alt+U So how we unvirtualize: On Oreans Virtual Machine References list choose a VM jump and right click on it and choose Foolow Enter and that address should be displayed on code Windows, now we right click the address from code Windows and we do Orean Unvirtualizer -> Unvirtualize No Jmp Alt+U Then a new txt windows appears (notepad Cisc_UV_dump.txt) containing unvirtualized instructions and also ask for an Unvirtualized First Memory Address - this is the address of REAL first instruction in notepad Cisc_UV_dump.txt ENTRY POINT: 00FCD78E PUSH DWORD PTR [ESP] 00FCD790 MOV EAX,DWORD PTR [ESP] 00FCD7A7 ADD ESP,0x4 00FCD7CE ADD ESP,0x4 00FCD81E PUSH EBP 00FCD825 MOV EBP,ESP 00FCD842 MOV ECX,0x6 Here Unvirtualized First Memory Address is 00FCD81E right after second ADD ESP,0x4 It must say that finding real first address is a bit tricky, if you see call to code section we know for sure that this is good address called like: 00FDB9A4 CALL 0x40149c 00FDB6C9 ADD ESP,0x4 00FDB6F3 ADD ESP,0x4 00FDB713 MOV ECX,DWORD PTR [ESP] 00FDB726 PUSH EDI 00FDB731 MOV EDI,ESP 00FDB747 ADD EDI,0x4 00FDB794 ADD EDI,0x4 00FDB7CD PUSH DWORD PTR [ESP] 00FDB7CF MOV DWORD PTR [ESP],EDI 00FDB818 POP EDI 00FDB82A MOV ESP,DWORD PTR [ESP] 00FDB849 MOV EDX,DWORD PTR [ESP] 00FDB861 PUSH ESI 00FDB879 MOV ESI,ESP 00FDB88E ADD ESI,0x4 00FDB8F2 ADD ESI,0x4 00FDB939 PUSH DWORD PTR [ESP] 00FDB93B MOV DWORD PTR [ESP],ESI 00FDB98E POP ESI 00FDB992 MOV ESP,DWORD PTR [ESP] 00FDB9A4 CALL 0x40149c // This time real address is 00FDB9A4 @Label_00FDB9D4 00FDBA04 AND EAX,0x80000000 00FDBA3F CMP EAX,0x80000000 00FDBAA4 JMP 0x407ade 00407AE1 8B0C24 MOV ECX,DWORD PTR SS:[ESP] 00407AE4 57 PUSH EDI 00407AE5 89E7 MOV EDI,ESP 00407AE7 83C7 04 ADD EDI,0x4 00407AEA 83C7 04 ADD EDI,0x4 00407AED FF3424 PUSH DWORD PTR SS:[ESP] 00407AF0 893C24 MOV DWORD PTR SS:[ESP],EDI 00407AF3 5F POP EDI 00407AF4 8B2424 MOV ESP,DWORD PTR SS:[ESP] 00407AF7 8B1424 MOV EDX,DWORD PTR SS:[ESP] 00407AFA 56 PUSH ESI 00407AFB 89E6 MOV ESI,ESP 00407AFD 83C6 04 ADD ESI,0x4 00407B00 83C6 04 ADD ESI,0x4 00407B03 FF3424 PUSH DWORD PTR SS:[ESP] 00407B06 893424 MOV DWORD PTR SS:[ESP],ESI 00407B09 5E POP ESI 00407B0A 8B2424 MOV ESP,DWORD PTR SS:[ESP] 00407B0D E8 8A99FFFF CALL 0040149C 00407B12 25 00000080 AND EAX,0x80000000 00407B17 3D 00000080 CMP EAX,0x80000000 00407B1C ^ EB C0 JMP SHORT 00407ADE This time real address is 00407B0D We can also see if the unvirtualized code is right by placing unvirtualized code starting from "VM jump" address and you should see if it matches until you fill out perfectly where last jump leads (JMP SHORT 00407ADE) 00407ADE would be the end of restored instructions: but this will only check if size of instructions matches! Unvirtualized code will always end with a jump: jump back to code section from Oreans VM.
  2. New Beta 6 release: - Fixed a silly bug on "EBFE on EP" AlocLogBeta6.zip
  3. When I try to upload files I get this error: /home/kura/htdocs/uploads/monthly_2019_11 could not be created. Please contact us for assistance.
  4. PCGuardKeygen - PC Guard key tool PC Guard V6/v5 DEMO keygen is able to: 1. Generate button: Generate "Activation Code" for PC Guard, serials are generated from "Program ID" and "Site Code" (HID) 2. Decode button Decode "Program ID" from "Activation Code" and "Site Code" (HID) 3. Verify button Verify "Activation Code" and "Site Code" is required, Not too strong check since just check 1 CRC32 byte. 4. Brute Site button Decode "Program ID" from "Activation Code" while "Site Code" is brute forced; SiteCollection.binary is generated containing "Site Code"+" "+"Program ID"+0D0A (last is newline termination) This will not test if "Program ID" is valid, a new tools has to be created for that task. "Program ID" has 24 hexadecimal numbers length (3 dwords) "Site Code" has 8 hexadecimal numbers length (1 dword) "Activation Code" is like: 7000074C-9598DD6C-78CBB23F-EF0156B4 https://www.calculateme.com/time/minutes/to-days/ Expected time for 4. Brute Site button would be approximately 4 hours. PCGuardKeygen_src_VC6.zip PCGuardKeygenExe.zip
  5. It is not my work, Enigma HWID Patcher Loader Generator is the work of GautamGreat/URET. While Enigma Register Bypasser.rar is the work of BlackVirus.
  6. This may not work for last version so I've uploaded new tools called: Enigma HWID Patcher Loader Generator by GautamGreat/URET work for some latter versions https://forum.tuts4you.com/topic/40389-enigma-hwid-patcher-loader-generator . Pre Checker patch checkbox. or the Enigma 1.x - 3.x VM Unpacker 1.0.txt Olly script by LCF-AT may log some address for bypassing! EnigmaPatcher_v1.3.rar
  7. Enigma Register Bypasser Link: https://crackinggsm.blogspot.com/2016/07/enigma-registration-bypasser.html Enigma Register Bypasser.rar
  8. https://forum.tuts4you.com/topic/37779-netbodycloner/?do=findComment&comment=188862 or attached. NetBodyCloner&NetBodyInjector.zip
  9. Strong Name Remove v2.3 exe attached to first post!
  10. SafeNet Sentinel HASP ImportScript & ShortTut: A short tutorial on SafeNet Sentinel HASP (how to reach entry point) and an Olly script for reconstruction import table. SafeNet Sentinel HASP ImportScript & ShortTut.zip
  11. TurboMutipleExes: Turbo Studio doesn't allow for multiple entry points this program will circumvent this limitation. This program will pass command line arguments to the new entry point (new Turbo Studio entry point) and will start specific executables. On first part the Entry Points (output exes) are new exes created by this program; you should specify their full path on ListBox from which their short name is grabbed and also from full name are grabbed resources: icons and version information. So first browse for exe by choosing "..." button and then click Add button to add it to ListBox. You can clear all ListBox items by Clear All button. The process entries button is optional and only needed for custom entry points paths information will be grabbed from full path ListBox to TextBox - it will get short file name of Entry Points from full path. Start-up exe short file name (Virtualized Turbo output exe) is the only file name which can't be renamed afterwards - you need to stick to the Virtualized Turbo output exe - output as an .dat file is a cool thing to do. If you don't specify "Start-up exe icon and information" resources (icons/version) will be missing from NewEntryPoint.exe file generated; NewEntryPoint.exe should be the new Start-up exe specified in Turbo Studio. The final step is pressing the Create Now button and choose an output directory for new files. TurboMutipleExes.zip
  12. I hope this doesn't means the beginning of the end!
  13. @Kurapica: You are doing forum update now? Since I saw OFFLINE writed.
  14. Where and how you find those articles? :P This state something like all programming languages sucks! Then why doing any programming at all? :huh:
  15. What kind of forum upgrades?
  16. Regarding main exe: BOSS.exe I currently have no ideea: SMD wil do eternal loop when sending to jit the method 02, If I ignore that (add exception) SMD will exit - don't have any ideea on why those problem occurs from first place!
  17. The second time I deobfuscated that file everything worked like it should: de4dot filename --keep-types --dont-rename Here is the assembly with Protector types/fields properly removed: https://www49.zippyshare.com/v/80tVw9AB/file.html
  18. Hi again. So the problem is that de4dot removes protectors types/fields. The only thing I could do is force it to protector unknown (-p un): de4dot filename -p un --dont-rename --strtyp delegate --strtok 060000AF Each class constructor methods call those: static LicenseHelper() { <AgileDotNetRT>.Initialize(); <AgileDotNetRT>.PostInitialize(); } This will restore MSIL for each method. So you also got to change this method to a simple return: internal static void Initialize(); Declaring Type: <AgileDotNetRT> Assembly: SoftDELLicense, Version=2.2.1.0 New cleaned dll: https://www65.zippyshare.com/v/jME1QHQA/file.html
  19. Hi Hookahice: SMD For Agile On NetBox 4: (For SoftDELLicense.dll) https://board.b-at-s.info/index.php?showtopic=10910 L_0000: ldsfld class [mscorlib]Microsoft.Win32.RegistryKey [mscorlib]Microsoft.Win32.Registry::LocalMachine L_0005: stloc.0 L_0006: ldsfld class 硬 硬::FgAAAA==% L_000b: ldloc.0 L_000c: ldstr "\u00e7\u008dUc,\x05RI\u00af\x1e\u00d8!4\u0089\u00d4*`/=s>>\u0093\u00c8\u00c0\r6VY\u00e6\x18\u00da=\u00b5\u00fc(\u00eb7\u007f\'\x11\x14\u00b9m\u00e16\u00a5" L_0011: call string <AgileDotNetRT>::cs(string) <AgileDotNetRT>::cs token: 060000AF To decrypt strings runs the fallowing command: de4dot filename --an-methods false --dont-rename --strtyp delegate --strtok 060000AF Then just change agile methods to 062A ( a simple ret) Here is the cleaned dll: https://www102.zippyshare.com/v/r7ihVgoc/file.html
  20. Any x86 (32 bits) version 7.2 leaked somewhere? This is only 64 bits version!
  21. 0X7C9 posted it originaly. The archive require 7-Zip (2019-02-21) for extracting. I welcome everyone who came to wonder. I would like to publish my collection of very interesting source codes here. This is for everyone interested in protecting .NET programs. And its free! For extracting use olny 7ZIP. http://www.eddy420.mzf.cz/268c4176ece76adfc6744a128f598e26 PWD for archive is: 18s17927rq245q9p8o57r651n9729sr00qqp1004nn90snpoqo092062s4s50298p58712q36s66ps6poq052q427318pqp79qr70927034q45723psn1pp067s62n0q
  22. ILProtectorUnpacker v8 Public attached. I know it is far away for being perfect: like the crush after decryption (the assembly is saved) when ExecuteAssembly is unchecked! ILProtectorUnpacker8Public.zip
  23. ConfuserExConstant: This will get the Confuser Module entry point token and print it. The input assembly has to be an assembly which use .NET module trick (koi module). ConfuserExConstant.zip
  24. SimpleMSILDecryptorForAgile: this tool decrypts methods of last version of Agile; inspirited by duyan13 https://board.b-at-s.info/index.php?showtopic=9313 Two Frameworks are supported: Framework 2.0 and Framework 4.0; Framework 4+ (latter Frameworks like 4.6.1 etc.) should be supported by Framework 4.0: Place Simple_MSIL_Decryptor.exe.config, SJITHook.dll and Simple_MSIL_Decryptor.exe in the target program directory; start Simple_MSIL_Decryptor.exe from NetBox 4.0 and try to decrypt target assembly; if reports missing assemblies you should place them in the target directory for being able to decrypt MSIL of those methods; in the end undecrypted count should be 0. Next step: unvirtualize Agile with de4dot: This may not work for some targets! After we decrypt MSIL we deobfuscate methods with de4dot v3.1.41592, we just set decrypts methods to false so de4dot won't decrypt methods by adding to de4dot.exe the parameter: --an-methods false in command line do: de4dot.exe filename.exe --an-methods false SMD_Agile.zip
×
×
  • Create New...