CodeExplorer

B@S Team
Everything posted by CodeExplorer

  1. It is a bit hard, and is not patching, mainly you will have to implement save as image from scratch.
  2. The problems got solved in my case. What about yours kao?
  3. LOL, now it doesn't work for me either:
  4. You can get the source code from: https://gitlab.com/CodeCracker/MemoryHacker or https://github.com/CodeCrackerSND/MemoryHacker or https://bitbucket.org/CodeCrackerSND/memoryhacker/src/master/
  5. Java decompilers: https://bitbucket.org/mstrobel/procyon/wiki/Java Decompiler
     As for the entry point, look in the manifest file (META-INF\MANIFEST.MF) and you will see:
       Main-Class: bexpred.BExpred
     where bexpred.BExpred is the main class; in that class there should be a Main method.
  6. It is fixed, thanks. Binary (exe) attached to topic start.
  7. Once again I can't upload files. So here is the uploaded binary (exe): https://www68.zippyshare.com/v/Z1qTF0fg/file.html
  8. Oreans UnVirtualizer v1.8 by Deathway

     It is hard to find targets for which this Olly plugin works.

     The Orean VM section has an empty name "":

       Memory map, item 25
        Address=00EFF000
        Size=00220000 (2228224.)
        Owner=LOTOdemo 00400000
        Section=
        Type=Imag 01001002
        Access=R
        Initial access=RWE

     So the first thing to do is search for VM jumps in the code section:
     In the Olly code section, right click and choose Orean Unvirtualizer -> Find references
     As VM Start enter the previous Orean VM section Address = 00EFF000
     As VM Size enter the Orean VM section Size = 00220000
     After pressing OK it should find Oreans Virtual Machine References.

     We have two more options after the "Find references" command:
       1. Unvirtualize No Jmp Alt+U
       2. Unvirtualize With Jmp Alt+I
     Those refer to the way to assemble unvirtualized instructions: the recommended one is 1. Unvirtualize No Jmp Alt+U

     So how do we unvirtualize:
     On the Oreans Virtual Machine References list choose a VM jump, right click on it and choose Follow Enter, and that address should be displayed in the code window. Now we right click the address in the code window and do Orean Unvirtualizer -> Unvirtualize No Jmp Alt+U
     Then a new txt window appears (notepad Cisc_UV_dump.txt) containing the unvirtualized instructions, and it also asks for an Unvirtualized First Memory Address - this is the address of the REAL first instruction in notepad Cisc_UV_dump.txt

       ENTRY POINT:
       00FCD78E PUSH DWORD PTR [ESP]
       00FCD790 MOV EAX,DWORD PTR [ESP]
       00FCD7A7 ADD ESP,0x4
       00FCD7CE ADD ESP,0x4
       00FCD81E PUSH EBP
       00FCD825 MOV EBP,ESP
       00FCD842 MOV ECX,0x6

     Here the Unvirtualized First Memory Address is 00FCD81E, right after the second ADD ESP,0x4

     I must say that finding the real first address is a bit tricky; if you see a call to the code section we know for sure that this is a good address, called like:
     00FDB9A4 CALL 0x40149c

       00FDB6C9 ADD ESP,0x4
       00FDB6F3 ADD ESP,0x4
       00FDB713 MOV ECX,DWORD PTR [ESP]
       00FDB726 PUSH EDI
       00FDB731 MOV EDI,ESP
       00FDB747 ADD EDI,0x4
       00FDB794 ADD EDI,0x4
       00FDB7CD PUSH DWORD PTR [ESP]
       00FDB7CF MOV DWORD PTR [ESP],EDI
       00FDB818 POP EDI
       00FDB82A MOV ESP,DWORD PTR [ESP]
       00FDB849 MOV EDX,DWORD PTR [ESP]
       00FDB861 PUSH ESI
       00FDB879 MOV ESI,ESP
       00FDB88E ADD ESI,0x4
       00FDB8F2 ADD ESI,0x4
       00FDB939 PUSH DWORD PTR [ESP]
       00FDB93B MOV DWORD PTR [ESP],ESI
       00FDB98E POP ESI
       00FDB992 MOV ESP,DWORD PTR [ESP]
       00FDB9A4 CALL 0x40149c // This time real address is 00FDB9A4
       @Label_00FDB9D4
       00FDBA04 AND EAX,0x80000000
       00FDBA3F CMP EAX,0x80000000
       00FDBAA4 JMP 0x407ade

       00407AE1 8B0C24 MOV ECX,DWORD PTR SS:[ESP]
       00407AE4 57 PUSH EDI
       00407AE5 89E7 MOV EDI,ESP
       00407AE7 83C7 04 ADD EDI,0x4
       00407AEA 83C7 04 ADD EDI,0x4
       00407AED FF3424 PUSH DWORD PTR SS:[ESP]
       00407AF0 893C24 MOV DWORD PTR SS:[ESP],EDI
       00407AF3 5F POP EDI
       00407AF4 8B2424 MOV ESP,DWORD PTR SS:[ESP]
       00407AF7 8B1424 MOV EDX,DWORD PTR SS:[ESP]
       00407AFA 56 PUSH ESI
       00407AFB 89E6 MOV ESI,ESP
       00407AFD 83C6 04 ADD ESI,0x4
       00407B00 83C6 04 ADD ESI,0x4
       00407B03 FF3424 PUSH DWORD PTR SS:[ESP]
       00407B06 893424 MOV DWORD PTR SS:[ESP],ESI
       00407B09 5E POP ESI
       00407B0A 8B2424 MOV ESP,DWORD PTR SS:[ESP]
       00407B0D E8 8A99FFFF CALL 0040149C
       00407B12 25 00000080 AND EAX,0x80000000
       00407B17 3D 00000080 CMP EAX,0x80000000
       00407B1C ^ EB C0 JMP SHORT 00407ADE

     This time the real address is 00407B0D

     We can also see if the unvirtualized code is right by placing the unvirtualized code starting from the "VM jump" address, and you should see if it matches until you fill out perfectly where the last jump leads (JMP SHORT 00407ADE). 00407ADE would be the end of the restored instructions: but this will only check if the size of the instructions matches!
     Unvirtualized code will always end with a jump: the jump back to the code section from the Oreans VM.
  9. New Beta 6 release: - Fixed a silly bug on "EBFE on EP" AlocLogBeta6.zip
  10. When I try to upload files I get this error: /home/kura/htdocs/uploads/monthly_2019_11 could not be created. Please contact us for assistance.
  11. PCGuardKeygen - PC Guard key tool

      PC Guard V6/v5 DEMO keygen is able to:
      1. Generate button: Generate "Activation Code" for PC Guard; serials are generated from "Program ID" and "Site Code" (HID)
      2. Decode button: Decode "Program ID" from "Activation Code" and "Site Code" (HID)
      3. Verify button: Verify "Activation Code" and "Site Code" is required; not too strong a check since it just checks 1 CRC32 byte.
      4. Brute Site button: Decode "Program ID" from "Activation Code" while "Site Code" is brute forced; SiteCollection.binary is generated containing "Site Code"+" "+"Program ID"+0D0A (last is newline termination). This will not test if "Program ID" is valid; a new tool has to be created for that task.

      "Program ID" has 24 hexadecimal numbers length (3 dwords)
      "Site Code" has 8 hexadecimal numbers length (1 dword)
      "Activation Code" is like: 7000074C-9598DD6C-78CBB23F-EF0156B4

      https://www.calculateme.com/time/minutes/to-days/
      Expected time for 4. Brute Site button would be approximately 4 hours.

      PCGuardKeygen_src_VC6.zip PCGuardKeygenExe.zip
  12. It is not my work, Enigma HWID Patcher Loader Generator is the work of GautamGreat/URET. While Enigma Register Bypasser.rar is the work of BlackVirus.
  13. This may not work for the last version, so I've uploaded a new tool called Enigma HWID Patcher Loader Generator by GautamGreat/URET, which works for some later versions: https://forum.tuts4you.com/topic/40389-enigma-hwid-patcher-loader-generator . Pre Checker patch checkbox. Or the Enigma 1.x - 3.x VM Unpacker 1.0.txt Olly script by LCF-AT may log some addresses for bypassing! EnigmaPatcher_v1.3.rar
  14. Enigma Register Bypasser Link: https://crackinggsm.blogspot.com/2016/07/enigma-registration-bypasser.html Enigma Register Bypasser.rar
  15. https://forum.tuts4you.com/topic/37779-netbodycloner/?do=findComment&comment=188862 or attached. NetBodyCloner&NetBodyInjector.zip
  16. Strong Name Remove v2.3 exe attached to first post!
  17. SafeNet Sentinel HASP ImportScript & ShortTut: A short tutorial on SafeNet Sentinel HASP (how to reach entry point) and an Olly script for reconstruction import table. SafeNet Sentinel HASP ImportScript & ShortTut.zip
  18. TurboMutipleExes: Turbo Studio doesn't allow for multiple entry points; this program will circumvent this limitation. This program will pass command line arguments to the new entry point (new Turbo Studio entry point) and will start specific executables.

      In the first part, the Entry Points (output exes) are new exes created by this program; you should specify their full path in the ListBox, from which their short name is grabbed, and from the full name are also grabbed the resources: icons and version information. So first browse for the exe by choosing the "..." button and then click the Add button to add it to the ListBox. You can clear all ListBox items with the Clear All button.

      The process entries button is optional and only needed for custom entry points; path information will be grabbed from the full path ListBox to the TextBox - it will get the short file name of the Entry Points from the full path.

      The Start-up exe short file name (Virtualized Turbo output exe) is the only file name which can't be renamed afterwards - you need to stick to the Virtualized Turbo output exe - output as a .dat file is a cool thing to do. If you don't specify "Start-up exe icon and information", resources (icons/version) will be missing from the generated NewEntryPoint.exe file; NewEntryPoint.exe should be the new Start-up exe specified in Turbo Studio.

      The final step is pressing the Create Now button and choosing an output directory for the new files.

      TurboMutipleExes.zip
  19. I hope this doesn't mean the beginning of the end!
  20. @Kurapica: Are you doing a forum update now? Since I saw OFFLINE written.
  21. Where and how do you find those articles? :P This states something like all programming languages suck! Then why do any programming at all? :huh:
  22. What kind of forum upgrades?
  23. Regarding the main exe, BOSS.exe, I currently have no idea: SMD will do an eternal loop when sending method 02 to the jit. If I ignore that (add exception) SMD will exit - I don't have any idea why those problems occur in the first place!