
Playing with VMProtect - Sample devirtualizeme32_vmp_3.0.9_v2

Update: this blog post has an error: I mistakenly labeled the NOR instruction as NAND, fornication with a broken condom ...

Proof courtesy of wolframalpha:
http://www.wolframalpha.com/input/?i=not+a+and+not+b
http://www.wolframalpha.com/input/?i=a+nor+b
They represent the same thing; stay tuned for an update.

In this blog post, I'm going to show you the manual approach I used to generate a text-based representation of the executed instructions of VMProtect (I've only studied devirtualizeme32_vmp_3.0.9_v2) for a specific function (or code portion?).
The first step was to manually create a file containing YARA rules for all handlers; this allows us to automatically detect and classify a specific handler. The automatic handler detection step is essential because it saves time when you are dealing with targets, but that approach is not guaranteed to work for every target, because of the (unique?) algorithm used to decrypt the bytecode (that …

CTF.ma - Interesting CTF Challenges

A few days ago I noticed that some people had created a platform for CTF challenges that turned out to be very interesting. It looks like the author is attracted to the kernel ring rather than user land, and I took that opportunity to learn more about Windows drivers, which you could say I was doing for the first time.
I suggest you try those challenges and solve them; I hope you will enjoy them, specifically the RE challenges.

CTF website: http://www.ctf.ma

rtcore is now on the leaderboard; I would be very excited to see more people enjoying those challenges.

Ahead PDF Password Remover Keygen

A simple keygen for Ahead PDF Password Remover, written in JavaScript (even paranoids can use it).

Update: fixed a hidden check triggered after clicking the Add Files button; the application was closing quickly.

Download

Download (non stable)

PS: It did not take much time to crack the first hash; there are many other hashes, but cracking just one is enough.


PPS: A good audio to listen to :D.

Received the Labyrenth 2017 prize

This was the first CTF challenge I ever tried, so these things mean a lot to me.
Thanks to those mp3, mp3; playing them in loop mode kept me from getting tired of stepping.



Why should I play Subway Surfers using a mouse? Isn't the keyboard cool!

Let's assume that someone is forced to work under circumstances where no internet access is available to him (not forever, just for a duration like one week). He will probably press Ctrl+F, type "subway"... Great, he found a game where he can burn his time.

Let's play for 30 min - 1 hour; that person will probably not be able to reach a higher score, his hand will hurt.

I want to make this person's life easier and better by adding keyboard support to that game (whether the game is for children or not is another story, and not important to me).

I want this feature to be built-in, so the end user doesn't have to do anything other than double-click the exe.

Great, it looks like I'm lucky: UnityEngine is used along with Mono, which is .NET Framework-compatible.

Found something interesting in Assembly-CSharp.dll, the Game.HandleControls method; we must add arrow key support there.


So I modified the IL to get something like this:


Great, but unfortunately after runn…

Flare-On 2017

On 08-09-2017 at night I found out that Flare-On had started, solved two challenges and fell asleep.

1 - The first challenge is quite easy to solve since the rotate is symmetric:

2 - This one is a little bit tricky since you have to reproduce a small decryption algorithm to reverse the encryption:

09-09-2017 afternoon, started solving challenge 3.

3 - This challenge requires you to find a byte value that is the key to decrypt some x86 code, given a simple hash function. Once this code is decrypted and begins running, it will put the Flare-On flag on the stack, so we must do 2 things:


Find the byte key:

Send that byte to the local server at 127.0.0.1:2222 and debug
09-09-2017 - 10-09-2017,

4 - It took me more time to figure out that the challenge uses PE files from last year's Flare-On challenge (2016). Generally, every PE file contains 8 bytes forming part of the key; each file has those bytes at offset 0x400, 0x410, 0x420 or 0x430.

The files should be put in the following folder:


Once the files …

010 Editor v7.0.2 (x64) Crack

It's been a long time since I wrote a blog post, but now I'm releasing a crack for 010 Editor v7.0.2 (x64). I mainly used WinDbg for this operation because it is a stable debugger, even if using it is a pain in the ass.

Please make sure that the original assembly without the patch (010Editor.exe) has SHA1: aacac5f44623b1ae676757dda2fc38bfa54fc795


Download Crack and RegKey here.

Let me know if you have any problem using this.