Quantcast
Channel: Tuts 4 You : Downloads
Viewing all 327 articles
Browse latest View live

LARP 2.0 Ultimate Bypass Hide + IAT Repair + OEP Finder v1.0

February 11, 2013, 6:12 am
$
0
0
This script was developed to assist in unpacking LARP 2.0 Ultimate UnPackMe by Lena151. The script allows you to bypass hide process driver and VMWare detection. This script also repairs import address table (IAT), repairs JMP's, stolen bytes and used to find OEP.

The script was tested under XP SP2/3 with OllyDbg v1.10 using OllyScript v1.83.1 with StrongOD v.4.8.xxx and above.
Search

LARP 2.0 Ultimate (Unpacking)

February 11, 2013, 6:21 am
$
0
0
This protection is one of the strongest I have ever found, it is LARP 2.0 Ultimate by Lena151. She coded several versions from the easiest to the toughest and this one - the Ultimate - is one of the strongest. At first Lena made this protector for teams that was initially a private version, and not commercial, to avoid code stealing from keygens, patches and so on. She has a x64 bit version of this protector but I think this one is for commercial use only.

In the whole internet there is not an unpacking process documented about this protector although there are dumps of different versions. I think it is a way of being respectful to Lena. I had to guide myself around my unpacking experience and mainly a lot of patience to get a working dump of LARP 2.0 Ultimate. Later we will see we are not alone and I am thankful for that.

I have spent many hours and days in the unpacking process but I will try to make a very detailed and enjoyable tutorial about this protector and as I said before this will be the very first documented unpacking process about LARP 2.0 Ultimate. It is an honor for me since my humility to write about it in this document.

OllyID 0.5.0

February 26, 2013, 5:21 pm
$
0
0
OllyID scans the loaded module using the same signature database as PEiD. OllyID is compatible with the latest versions of OllyDbg 2.

Copy OllyID.dll into the Plugins directory. Note: the userdb.txt must be in the same directory as the plugin unless otherwise specified in ollydbg.ini.

I'd like to hear what the community thinks of this. Ideas and constructive criticism is encourages.

Msieve 1.51 + GUI 1.1

February 26, 2013, 5:22 pm
$
0
0
Factoring is the study (half math, half engineering, half art form) of taking big numbers and expessing them as the product of smaller numbers. If I find out 15 = 3 * 5, I've performed an integer factorization on the number 15. As the number to be factored becomes larger, the difficulty involved in completing its factorization explodes, to the point where you can invent secret codes that depend on the difficulty of factoring and reasonably expect your encrypted data to stay safe.

There are plenty of algorithms for performing integer factorization. Allhave a preferred size of number they are best at factoring, and all of themhave plenty of implementations available. Msieve is no exception: it can with high probability find the complete factorization of any input number up to about 125 digits in size. The actual number of digits supported is much higher (up to 164 digits), but problems larger than 125 digits are likely to fail.

Trial division is used on all inputs; if the result is less than 25 digits in size, tiny custom routines do the factoring. For larger numbers, the code switches to more powerful methods. Prior to version 1.04, those methods were limited to the quadratic sieve. From that point on, however, an implementation of the number field sieve is also available. Information specific to the quadratic sieve implementation is contained in Readme.qs, while the number field sieve variant is described in Readme.nfs

Msieve was written with several goals in mind:

- To be as fast as possible. I claim (without proof) that for completely factoring general inputs between 40 and 100 digits in size, Msieve is faster than any other code implementing any other algorithm. I realize that's a tall order, and that I'll probably have to eat those words, but a *lot* of effort has gone into making Msieve fast.

- To be as portable as possible. The code is written in C and is completely self contained. It has its own basic multiple precision library (which can be used in other applications) and is written in as machine-independent a manner as possible. I've verified that the source code compiles and runs correctly on 32- or 64-bit Intel x86, 32- and 64-bit PowerPC, and 64-bit Alpha platforms. It's reported to work in 32-bit mode on the RS6000. It works in Windows, Linux (several flavors), Mac OS X, and AIX. Pretty much the only requirement for building the code is that your compiler have a native 64-bit data type.

- To be simple to use. The only input is the integer to be factored. Everything else happens automatically.

- To be free (as in beer). The entire code base is released into the public domain. This is hobby stuff for me, and the more it's used the better.

If you choose to use Msieve, please let me know how it goes. I welcome bug reports, suggestions, optimizations, ports to new platforms, complaints, boasts, whatever.

ImportStudio 1.0.1

February 26, 2013, 5:22 pm
$
0
0
ImportStudio is a plugin for OllyDbg to help trace and rebuild imports during the unpacking process using the TitanEngine. Also includes a dump tool for dumping images and processes as well as a PE rebuilder. ImportStudio takes advantage of ImpREC plugins for tracing imports in advanced and custom packer/protectors.

Package contains a tutorials and examples on how to use the plugin.

Enigma Protector 1.90 - 3.xx Alternativ Unpacker v1.0

February 26, 2013, 5:41 pm
$
0
0
This script can unpack almost any protected ENIGMA file and will dump the external Virtual Memory. You can watch my movies on how to use this script here: http://tuts4you.com/download.php?view.3440

Features of the script:

( 1.) Unpacking of ENIGMA 1.90 - 3.130+
( 2.) RegSheme Bypass & HWID Changer
( 3.) Enigma CheckUp Killer
( 4.) VirtualMemory Dumper 1.90 - 3.x+ & SC Fixer M1
( 5.) UIF Tool Necessary Sometimes!
( 6.) Enigma Intern Export & VM Scan + Log
( 7.) Improved Import Emulation Fixer
( 8.) Supports Exe & Dll Files [dll at EP!]

Environment: WinXP, OllyDbg v1.10, OllyScript v1.82.x

Enigma Protector 1.90 - 3.xx Alternativ Unpacker

February 26, 2013, 7:00 pm
$
0
0
Today I release an unpacker script for Enigma Protector. Maybe you know that I created another unpacker script for Enigma in the past which no-longer works for protected Enigma files greater than 3.70+ and this is the reason why I wrote a new script, Enigma Alternativ Unpacker 1.0.

So what is new in this script? This script will unpack your Enigma protected files and dump the used outer virtual machine. This means you do not need to use the DV / Enigma plugin which is used in my other script. Of course the virtual machine will be still virtualized but your unpacked files will work. It is not the best solution but for the moment it is a good "alternativ" and a working solution.

Features of the script:

( 1.) Unpacking of ENIGMA 1.90 - 3.130+
( 2.) RegSheme Bypass & HWID Changer
( 3.) Enigma CheckUp Killer
( 4.) VirtualMemory Dumper 1.90 - 3.x+ & SC Fixer M1
( 5.) UIF Tool Necessary Sometimes!
( 6.) Enigma Intern Export & VM Scan + Log
( 7.) Improved Import Emulation Fixer
( 8.) Supports Exe & Dll Files [dll at EP!]

This new script again covers almost all the protection features of Enigma Protector like my other script but it has been improved and I have added some extra things that you will see when you get to use it.

I have created four video tutorials for you where you can see what you have to do in some of the different situations you may experience. Be sure that you "watch the videos" before you use the script to prevent some unnecessary questions where you can already find the answers if you watch them and then read my added text files. I also made an UnpackMe set with six different protected files (watch videos how to unpack all of them).

If something does not work for you or if you get any trouble or have any questions then just post a reply on the topic (linked above) to get an answer.

PECOFF Revision 8.3

February 27, 2013, 5:43 am
$
0
0
This specification describes the structure of executable (image) files and object files under the Windows family of operating systems. These files are referred to as Portable Executable (PE) and Common Object File Format (COFF) files, respectively.

[bold]Note:[/bold] This document is provided to aid in the development of tools and applications for Windows but is not guaranteed to be a complete specification in all respects. Microsoft reserves the right to alter this document without notice.

This revision of the Microsoft Portable Executable and Common Object File Format Specification replaces Revision 6.0 of this specification.

This information applies for the following operating systems:

Windows 8
Windows 7
Windows Server 2008
Windows Vista
Windows Server 2003
Windows XP
Windows 2000

What's New in Revision 8.3:

Added new ARMv8 (64-bit) definitions for UEFI usage
Search

OllyPath 0.1

March 1, 2013, 5:36 am
$
0
0
When using OllyDbg as a portable version (eg. on an USB stick) there are always problems with the UDD/Plugin path not being set correctly. The 'trick' to use ".\" as path works, but because Olly calls GetCurrentDirectory and not some custom function that retrieves the process directory the shell extension for example would not work.

I'm using this code for quite some time now, but I thought it would be nice to share a little for later users.

The features:

* DLL, which sets Plugins, UDD and win32.hlp paths automatically
* Dummy export so it's easy to add the DLL to your olly mod
* Open source


Attached is DLL + Source, I hope it's useful for somebody. Feel free to modify to your needs, just credit where you think it's needed.

P.S. To add the dll to your mod: Use CFF explorer to add the import "dummy" (which does nothing) to ollydbg.exe, this will execute the DllMain function (which can be considered illegal) and set the paths in the INI file.

IDA Pro Disassembler 6.4 (Windows, Linux, Mac)

March 15, 2013, 4:03 am
$
0
0
IDA Pro is a programmable, interactive, multi-processor disassembler combined with a local and remote debugger and augmented by a complete plugin programming environment.

IDA Pro is in many ways unique. Its interactivity allows you to improve disassemblies in real time. Its multi-processor support is unmatched. Yet, two of our technologies are truly unique, have never been implemented under any form in any real-life disassemblers and, more importantly, are incredible time savers.

IDA Pro is a disassembler.

As a disassembler, IDA Pro explores binary programs, for which source code isn't always available, to create maps of their execution. The real interest of a disassembler is that it shows the instructions that are actually executed by the processor in a symbolic representation called assembly language. If the friendly screen saver you have just installed is spying on your e-banking session or logging your e-mails, a disassembler can reveal it. However, assembly language is hard to make sense of. That's why advanced techniques have been implemented into IDA Pro to make that code more readable, in some cases, quite close to the original source code that produced the binary program. The map of the program's code then be postprocessed for further investigations. Some people have used it as the root of a genomic classification of viruses. (digital genome mapping advanced malware analysis)

IDA Pro is a debugger.

But, in real life, things aren't always simple. Hostile code usually does not cooperate with the analyst. Viruses, worms and trojans are often armoured and obfuscated. More powerful tools are required.

The debugger in IDA Pro complements the static analysis capabilities of the disassembler: by allowing to single step through the code being investigated, the debugger often bypasses the obfuscation and helps obtain data that the more powerful static disassembler will be able to process in depth. IDA Pro can be used as a local and as a remote debugger on the 80x86 (typically Windows/Linux) and the ARM plaform (typically Windows CE PDAs). Remote debuggers are very useful when one wants to safely dissect potentially harmful programs.

IDA Pro is interactive.

Because no computer can currently beat the human brain when it comes to exploring the unknown, IDA Pro is fully interactive. In sharp contrast with its predecessors, IDA always allows the human analyst to override its decisions or to provide hints. Interactivity culminates in a built-in programming language and an open plugin architecture.

IDA Pro is programmable

IDA Pro contains a complete development environment that consists of a very powerful macro-like language that can be used to automate simple to medium complexity tasks. For more advanced tasks, our open plugin architecture puts no limits on what external developers can do to enhance IDA Pro's functionality. One could, for example, extend IDA Pro with a MP3 player and make malware sing. However, we suspect our governmental customers are involved in more serious projects.

Abstract, Safe, Timely, and Efficient Binary Modification

March 16, 2013, 11:38 pm
$
0
0
Program binaries are commonly held to be an execute-only program form: rigid, lacking in clear structure, complex to extend and difficult to modify. However, there are several benefits to be gained from modifying binaries rather than another program form: the effects of the compiler upon the program are clearly present; binary modification does not require access to source code, which may be unavailable; and users may manipulate programs while they execute, which is impossible with other forms of program modification.

In this dissertation, we develop and refine four desired properties of a binary modification toolkit: abstraction, safety, timeliness, and efficiency. By abstraction, we mean that a user should operate in terms of familiar structural representations, such as functions, loops, or basic blocks, instead of directly on instructions. By safety, we mean that modification should preserve the visible behavior of code that was not explicitly modified and the structural validity of the binary as a whole. By timeliness, we mean that a toolkit should allow modification of a binary at any time in its execution continuum, from a file on disk to actively executing code. By efficiency, we mean that modification should impose cost that is both low and proportional to the amount of modified code and the frequency with which it is executed.

We then describe three techniques that allow us to achieve these properties. First, we demonstrate that the CFG, an abstraction that represents the binary program’s structure, can also be used to modify this structure and thus the binary as a whole. By leveraging the CFG, we allow users to operate in terms of familiar and natural constructs rather than requiring them to understand the idiosyncrasies of particular instruction sets. Second, we further refine techniques for code replacement, allowing us to modify a program binary at any time in its execution continuum while preserving proportional cost. Third, we present a technique based on a formal understanding of the characteristics of binary code that allows us to modify the structure of the binary without changing its user-visible behavior, even when the binary attempts to detect such modifications.

Automatic Reverse Engineering of Malware Emulators

March 16, 2013, 11:40 pm
$
0
0
Malware authors have recently begun using emulation technology to obfuscate their code. They convert native malware binaries into bytecode programs written in a randomly generated instruction set and paired with a native binary emulator that interprets the bytecode. No existing malware analysis can reliably reverse this obfuscation technique. In this paper, we present the first work in automatic reverse engineering of malware emulators. Our algorithms are based on dynamic analysis. We execute the emulated malware in a protected environment and record the entire x86 instruction trace generated by the emulator. We then use dynamic dataflow and taint analysis over the trace to identify data buffers containing the bytecode program and extract the syntactic and semantic information about the bytecode instruction set. With these analysis outputs, we are able to generate data structures, such as control flow graphs, that provide the foundation for subsequent malware analysis. We implemented a proof-of-concept system called Rotalum´e and evaluated it using both legitimate programs and malware emulated by VMProtect and Code Virtualizer. The results show that Rotalum´e accurately reveals the syntax and semantics of emulated instruction sets and reconstructs execution paths of original programs from their bytecode representations.

De-obfuscation and Detection of Malicious PDF Files with High Accuracy

March 16, 2013, 11:42 pm
$
0
0
Due to its high popularity and rich functionality, the Portable Document Format (PDF) has become a major vector for malware propagation. To detect malicious PDF files, the first step is to extract and de-obfuscate JavaScript codes from the document, for which an effective technique is yet to be created. However, existing static methods cannot de-obfuscate JavaScript codes, existing dynamic methods bring high overhead, and existing hybrid methods introduce high false negatives.

Therefore, in this paper, we present MPScan, a scanner that combines dynamic JavaScript de-obfuscation and static malware detection. By hooking the Adobe Reader’s native JavaScript engine, JavaScript source code and opcode can be extracted on the fly after the source code is parsed and then executed. We also perform a multilevel analysis on the resulting JavaScript strings and opcode to detect malware. Our evaluation shows that regardless of obfuscation techniques, MPScan can effectively de-obfuscate and detect 98% malicious PDF samples.

PhantOm Plugin 1.79

March 16, 2013, 11:43 pm
$
0
0
Plug-in for concealment of OllyDbg (plugin with the driver). Helps being detected using the following methods of detection:

// driver - extremehide.sys

[+] NtQueryInformationProcess.
[+] SetUnhandledExceptionFilter.
[+] OpenProcess.
[+] Invalid Handle.
[+] NtSetInformationThread.
[+] RDTSC.
[+] NtYieldExecution.
[+] NtQueryObject.
[+] NtQuerySystemInformation.
[+] Windows hide.
[+] GetProcessTimes.
[+] NtSetContextThread.
[+] NtSetDebugFilterState

// plugin - PhantOm.dll

[+] PEB BeingDebugged.
[+] PEB NtGlobalFlag.
[+] GetStartupInfo.
[+] Process Heaps.
[+] GetTickCount.
[+] OutputDebugString
[!] Protect DRx.
[!] Hide DRx.
[!] Fake Windows version.
[!] Custom Handler.
[+] BlockInput.
[+] INT 2d.
[+] Single-step bug.
[+] OutputDebugString.
[+] TraceFlag hide.

BugDbg x64 0.7.5

March 16, 2013, 11:44 pm
$
0
0
BugDbg x64 is a user-land debugger designed to debug native 64-bit applications.

BugDbg is released as Freeware.

BugDbg is owned and copyrighted by C'bob. You must treat the software and its associated documentation like any other copyrighted material.
Search

Dealing with Funny Checksum

March 16, 2013, 11:44 pm
$
0
0
After a while, I’ve decided to write about something interesting which I’ve found while unpacking one protection, and it will be also nice introduction to one of my tools which I have wrote for fun of it.

However, I won’t mention application name here, but to demonstrate checksum check which I have found I will be using one test application, thus you will get idea what happened, and how checksum is defeated. I will also introduce one tool I wrote, which served me well in this particular case. Tool should come with this document, thus I won’t describe tool, and it’s internals as source code should be well commented.

Certified Self-Modifying Code

March 16, 2013, 11:47 pm
$
0
0
Self-modifying code (SMC), in this paper, broadly refers to any program that loads, generates, or mutates code at runtime. It is widely used in many of the world’s critical software systems to support runtime code generation and optimization, dynamic loading and linking, OS boot loader, just-in-time compilation, binary translation, or dynamic code encryption and obfuscation. Unfortunately, SMC is also extremely difficult to reason about: existing formal verification techniques - including Hoare logic and type system — consistently assume that program code stored in memory is fixed and immutable; this severely limits their applicability and power.

This paper presents a simple but novel Hoare-logic-like framework that supports modular verification of general von-Neumann machine code with runtime code manipulation. By dropping the assumption that code memory is fixed and immutable, we are forced to apply local reasoning and separation logic at the very beginning, and treat program code uniformly as regular data structure. We address the interaction between separation and code memory and show how to establish the frame rules for local reasoning even in the presence of SMC. Our framework is realistic, but designed to be highly generic, so that it can support assembly code under all modern CPUs (including both x86 and MIPS). Our system is expressive and fully mechanized. We prove its soundness in the Coq proof assistant and demonstrate its power by certifying a series of realistic examples and applications—all of which can directly run on the SPIM simulator or any stock x86 hardware.

OllyDbg - OllyPortable 0.1

March 17, 2013, 6:00 am
$
0
0
OllyPortable is my portable version of OllyDbg extended with plugins and patches for a good looking and decently working debugger environment.

Main features:
- Good looking buttons (thanks to the author of Olly Shadow)
- Full portability (OllyPath.dll, source is included)
- Tested & working on both XP SP3 and Win7 x64
- Manifest to make olly look less Win98
- Useful plugins, sometimes with custom patches

Plugin descriptions:
- analyzeThis: Analyze code outside the code section of the debugged program.
- Asm2Clipboard: Quickly copy ASM code (with labels) to the clipboard.
- ClearUDD: Plugin to clear the UDD directory from within olly.
- CmdBar: Command bar to quickly set breakpoints/registers etc.
- DataRipper: Rip selected data in various formats.
- HiddenThreads: Plugin that finds hidden threads.
- ICanAttach2: Plugin that fixed anti-attach tricks.
- ida_sigs: Plugin to import IDA signatures to the debugged file.
- IDAFicator: Great plugin with many features, check the manual.
- MnemonicHelp: Simply plugin that loads a help file for the selected mnemonic.
- ModuleBCL: Import&Export labels, comments and breakpoints.
- multiasm_odbg: Extremely useful plugin for writing code caves.
- ODbgScript: Script OllyDbg (Patched by me)
- ODBJscript: Script OllyDbg using javascript
- oDump: Fixed version of OllyDump that bypasses anti-dump techniques.
- OllyCopy: Great plugin to copy addresses, bytes and patterns to the clipboard.
- OllyFlow: Generate an IDA graph from analyzed code.
- OllyWow64_0.2: Compatibility plugin for WOW64
- RemoveCriticality: Plugin that fixes an exploit that could crash the system when debugging.
- SehSpy: Show the SEH context before the reached exception.
- SigMaker: Easily make patterns and signatures.
- StollyStruct: Plugin that allows viewing memory in structure form (Patched by me)
- StrongOD: Hide & Bugfix plugin (Patched by me)
- TLSCatch: Plugin that sets a breakpoint on TLS callbacks (when found)
- X_CRYPTO: Plugin to hash bytes or text inside olly.

I also included the help files for ODbgScript, ODBJScript, Multiasm, Win32 API and x86 opcodes.

OllyGraph 0.1.0

March 18, 2013, 7:03 am
$
0
0
Based off of the original OllyGraph by Joe Stewart, here is the initial release for OllyDbg 2.xx. So far all that is implemented is the function flowchart. I'll start adding more functionality as time/job permits.

Quick Introduction to Reverse Engineering for Beginners 0.6

March 18, 2013, 7:24 am
$
0
0
Here (will be) some of my notes about reverse engineering in English and Russian language for those beginners who like to learn to understand x86 code created by C/C++ compilers (which is a most large mass of all executable software in the world).

There are two most used compilers: MSVC and GCC, these we will use for experiments.

There are two most used x86 assembler syntax: Intel (most used in DOS/Windows) and AT&T (used in *NIX) 1. Here we use Intel syntax. IDA 5 produce Intel syntax listings too.

http://en.wikipedia.org/wiki/X86_assembly_language#Syntax
Viewing all 327 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>