Channel: Tuts 4 You : Downloads

Oreans UnVirtualizer 1.8

This tool helps convert virtual opcodes back into assembly instructions, restoring the original code of your virtualized application. The basic engine comes from CodeUnvirtualizer, my other tool.

[Features]

- Supports WinLicense/Themida/CodeVirtualizer CISC/RISC machines
- Supports almost all common opcodes
- Supports CHECK_MACRO_PROTECTION on CISC machines
- Supports the multi-branch technique

[Use]

- Right-click on the jump leading to the Virtual Machine area and press Unvirtualize. If the machine isn't found, click again after checking that the full machine has been correctly deobfuscated.

OllyExt 1.7

The main intention of this plugin is to provide the most complete set of anti-anti-debugging features and bug fixes for OllyDbg 2.xx. Updates will come...

VMProtect support!

The currently available commands are the following:
- Code Rip to Clipboard
- Code Rip to Clipboard Recursive
- Data Rip to Clipboard

The currently supported protections are the following:
- IsDebuggerPresent
- NtGlobalFlag
- HeapFlag
- ForceFlag
- CheckRemoteDebuggerPresent
- OutputDebugString
- CloseHandle
- SeDebugPrivilege
- BlockInput
- ProcessDebugFlags
- ProcessDebugObjectHandle
- TerminateProcess
- NtSetInformationThread
- NtQueryObject
- FindWindow
- NtOpenProcess
- Process32First
- Process32Next
- ParentProcess
- GetTickCount
- timeGetTime
- QueryPerformanceCounter
- ZwGetContextThread
- NtSetContextThread
- KdDebuggerNotPresent
- KdDebuggerEnabled
- NtSetDebugFilterState
- ProtectDRX
- HideDRX
- DbgPrompt
- CreateThread

The currently supported bugfixes are the following:
- Caption change
- Kill Anti-Attach ( dll integrity check )

Requirements:
- Microsoft Visual C++ 2010 Redistributable Package (x86)

OS support:
- WinXP x32
- WinXP WoW64
- Win7 x32
- Win7 WoW64

Limitations:
- Because of a missing PDK function, data ripping is supported ONLY on 2.01 (latest).

If you have any problem just notify me.

MIPS ROP Plugin 0.1

IDA plugin for identifying ROP gadgets in Linux MIPS binaries. Allows you to search for suitable ROP gadgets in MIPS executable code. Built-in methods to search for common ROP gadgets.

Just copy mipsrop.py into your IDA plugins directory.
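
As an added example (not code from the mipsrop plugin, and independent of IDA), the Python below shows the core of what a MIPS gadget search has to do differently from an x86 one: instructions are fixed-width and aligned, so there are no unintended gadgets from mis-aligned decoding, but the instruction in the delay slot after `jr`/`jalr` executes as part of the gadget, and a gadget is only useful when the jump register (typically `$t9` or `$ra`) is loaded from the stack inside it. The sample code buffer, the address layout and the small decoder are constructed for this example.

```python
import struct

# MIPS32 register names, indexed by register number
REG = ["zero", "at", "v0", "v1", "a0", "a1", "a2", "a3", "t0", "t1", "t2", "t3",
       "t4", "t5", "t6", "t7", "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
       "t8", "t9", "k0", "k1", "gp", "sp", "fp", "ra"]
SP = 29


def decode(word):
    """Decode the few MIPS32 encodings the scanner needs; anything else is reported as raw data."""
    op, funct = word >> 26, word & 0x3F
    rs, rt, rd = (word >> 21) & 0x1F, (word >> 16) & 0x1F, (word >> 11) & 0x1F
    imm = word & 0xFFFF
    if imm & 0x8000:                       # sign-extend the 16-bit immediate
        imm -= 0x10000
    if word == 0:
        return ("nop", ())
    if op == 0 and funct == 0x08:
        return ("jr", (rs,))
    if op == 0 and funct == 0x09:
        return ("jalr", (rs,))
    if op == 0 and funct == 0x21:          # addu; with $zero as rt it is the 'move' pseudo-op
        return ("move", (rd, rs)) if rt == 0 else ("addu", (rd, rs, rt))
    if op == 0x23:
        return ("lw", (rt, imm, rs))
    if op == 0x2B:
        return ("sw", (rt, imm, rs))
    if op == 0x09:
        return ("addiu", (rt, rs, imm))
    return ("unk", (word,))


def fmt(ins):
    """Render a decoded instruction in GNU-style syntax."""
    m, a = ins
    if m == "nop":
        return "nop"
    if m in ("jr", "jalr"):
        return f"{m} ${REG[a[0]]}"
    if m == "move":
        return f"move ${REG[a[0]]}, ${REG[a[1]]}"
    if m == "addu":
        return f"addu ${REG[a[0]]}, ${REG[a[1]]}, ${REG[a[2]]}"
    if m in ("lw", "sw"):
        return f"{m} ${REG[a[0]]}, {a[1]:#x}(${REG[a[2]]})"
    if m == "addiu":
        return f"addiu ${REG[a[0]]}, ${REG[a[1]]}, {a[2]:#x}"
    return f".word {a[0]:#010x}"


def find_gadgets(code, base=0, depth=3):
    """Return every gadget ending in jr/jalr: up to `depth` preceding instructions, the jump and
    its delay slot. A gadget is 'controlled' when the jump register is loaded from the stack
    inside the gadget, which is what a ROP chain on MIPS relies on."""
    words = [struct.unpack_from(">I", code, i)[0] for i in range(0, len(code) - 3, 4)]
    insns = [decode(w) for w in words]
    gadgets = []
    for i, (mnem, args) in enumerate(insns):
        if mnem not in ("jr", "jalr") or i + 1 >= len(insns):
            continue
        start = i
        for _ in range(depth):             # extend backwards, but never across another jump or its delay slot
            j = start - 1
            if j < 0 or insns[j][0] in ("jr", "jalr") or (j > 0 and insns[j - 1][0] in ("jr", "jalr")):
                break
            start = j
        body = insns[start:i + 2]          # includes the delay slot, which executes before the jump takes effect
        target = args[0]
        controlled = any(m == "lw" and a[0] == target and a[2] == SP for m, a in body)
        gadgets.append({"addr": base + start * 4, "jump": mnem, "reg": REG[target],
                        "controlled": controlled, "text": "; ".join(fmt(x) for x in body)})
    return gadgets


# Constructed big-endian MIPS code: a typical call-through-$t9 sequence and a function epilogue.
SAMPLE = bytes.fromhex(
    "8fb90024"   # lw    $t9, 0x24($sp)
    "27a40018"   # addiu $a0, $sp, 0x18
    "0320f809"   # jalr  $t9
    "02002821"   # move  $a1, $s0          (delay slot)
    "8fbf002c"   # lw    $ra, 0x2c($sp)
    "8fb00020"   # lw    $s0, 0x20($sp)
    "03e00008"   # jr    $ra
    "27bd0030"   # addiu $sp, $sp, 0x30    (delay slot)
)

if __name__ == "__main__":
    for g in find_gadgets(SAMPLE, base=0x400000):
        flag = "controlled" if g["controlled"] else "uncontrolled"
        print(f"{g['addr']:#010x}  [{flag}]  {g['text']}")
```

The scanner reports two gadgets here: the `lw $t9 ... jalr $t9` sequence, whose delay slot also sets `$a1`, and the epilogue that reloads `$ra` from the stack and adjusts `$sp` in the delay slot. The `controlled` flag is the filter a chain builder cares about; a `jr $t9` whose `$t9` was computed rather than loaded from the stack is only usable once you already control that register.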

Introduction to Modern Code Virtualization

This paper describes how code protection is done via “virtual machines” and techniques used in popular virtual machines, giving a considerable level of understanding of such virtual machines for readers from beginners to professionals.

IDACompare 0.1

IDACompare is a plugin for IDA which is designed to help you line up functions across two separate disassemblies. IDACompare also contains a signature scanner, where you can save known functions and then scan new disassemblies against them looking for key functions.

It has tools for sequentially renaming matched functions, as well as porting user specified names across disassemblies.

This plugin has been designed with Malcode analysis in mind. It should work equally well for patch analysis.

See readme.chm for more details.

Scylla - x64/x86 Imports Reconstruction 0.9.4 (Final)

ImpREC, CHimpREC, Imports Fixer... these are all great tools for rebuilding an import table, but they all have some major disadvantages, so I decided to create my own tool for the job.

Scylla's key benefits are:

- x64 and x86 support
- full unicode support (probably some Russian or Chinese will like this :-) )
- written in C/C++
- plugin support
- works great with Windows 7

This tool was designed to be used with Windows 7 x64, so that operating system is recommended. It may work with XP and Vista, too.

Source code is licensed under GNU GENERAL PUBLIC LICENSE v3.0


Known Bugs
----------

### Only Windows XP x64:

Windows XP x64 has some API bugs, so 100% correct import reconstruction is impossible there. If you still want to use XP x64, here are some hints:

* EncodePointer/DecodePointer exported by kernel32.dll have both the same VA.
Scylla, CHimpREC and other tools cannot know which API is correct. You need to fix this manually.
Your fixed dump will probably run fine on XP but crash on Vista/7.

### ImpREC plugin support:

Some ImpREC Plugins don't work with Windows Vista/7 because they don't "return 1" in the DllMain function.
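
As an added example (not Scylla's code), the Python below shows the two steps every import reconstructor performs on a dumped image, and where the XP x64 EncodePointer/DecodePointer problem from the "Known Bugs" section surfaces: first find the IAT as the longest run of consecutive pointers into loaded modules, then resolve each thunk against the modules' export tables. The module address ranges, export tables and the dumped bytes are constructed for this example; on a live target the resolver would read them from the debuggee. A thunk whose address is shared by two exports is reported as ambiguous rather than silently picking one, which is exactly the case the text says you must fix by hand.

```python
import struct

# Constructed module layout and export tables (assumed addresses, not from any real system).
MODULE_RANGES = {"kernel32.dll": (0x7C800000, 0x7C900000), "user32.dll": (0x7E410000, 0x7E4A0000)}
EXPORTS = {
    "kernel32.dll": {
        0x7C801D7B: ["LoadLibraryA"],
        0x7C80AE40: ["GetProcAddress"],
        0x7C80B1C0: ["EncodePointer", "DecodePointer"],   # two names, one VA: the XP x64 case from the text
    },
    "user32.dll": {0x7E42B3E0: ["MessageBoxA"]},
}


def in_module(va):
    return any(lo <= va < hi for lo, hi in MODULE_RANGES.values())


def resolve(va):
    """Map an absolute address back to (module, exported names); None if no export lives there."""
    for mod, table in EXPORTS.items():
        if va in table:
            return mod, table[va]
    return None


def find_iat(dump, ptr_size=4, min_run=3):
    """IAT autosearch heuristic: the longest run of consecutive pointers into loaded modules.
    Returns (offset, count) or None."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    best, start = (0, 0), None
    for off in range(0, len(dump) - ptr_size + 1, ptr_size):
        if in_module(struct.unpack_from(fmt, dump, off)[0]):
            start = off if start is None else start
            continue
        if start is not None and (off - start) // ptr_size > best[1]:
            best = (start, (off - start) // ptr_size)
        start = None
    if start is not None and (len(dump) - start) // ptr_size > best[1]:
        best = (start, (len(dump) - start) // ptr_size)
    return best if best[1] >= min_run else None


def scan_iat(dump, iat_off, count, ptr_size=4):
    """Resolve `count` thunks; each entry is ok, ambiguous (several exports share the VA) or invalid."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    entries = []
    for i in range(count):
        off = iat_off + i * ptr_size
        va = struct.unpack_from(fmt, dump, off)[0]
        hit = resolve(va)
        entry = {"off": off, "va": va}
        if hit is None:
            entry["status"] = "invalid"                  # needs a manual fix or a redirection-resolving plugin
        elif len(hit[1]) > 1:
            entry.update(status="ambiguous", module=hit[0], candidates=hit[1])
        else:
            entry.update(status="ok", module=hit[0], name=hit[1][0])
        entries.append(entry)
    return entries


def build_import_list(entries):
    """Group the resolved thunks by module, the shape a new import directory is written from."""
    by_mod = {}
    for e in entries:
        if e["status"] == "ok":
            by_mod.setdefault(e["module"], []).append(e["name"])
    return by_mod


# Constructed dump: two non-pointer words, four thunks (one ambiguous), one bogus value, a terminator.
DUMP = struct.pack("<8I", 0, 0x00401000, 0x7C801D7B, 0x7C80AE40, 0x7C80B1C0, 0x7E42B3E0, 0xDEADBEEF, 0)

if __name__ == "__main__":
    off, n = find_iat(DUMP)
    for e in scan_iat(DUMP, off, n + 1):
        print(f"{e['off']:#06x} {e['va']:#010x} {e['status']:9} {e.get('name') or e.get('candidates') or ''}")
    print(build_import_list(scan_iat(DUMP, off, n)))
```

Two points carry over to real dumps: the autosearch only finds a run of pointers, so a protector that scatters the IAT or redirects thunks through stubs outside any module defeats the heuristic and leaves "invalid" entries, and an ambiguous entry is a decision the tool cannot make for you, since picking the wrong name produces a dump that runs on the machine you fixed it on and crashes elsewhere.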

Detect It Easy 0.81

Detect It Easy, abbreviated "DIE", is a program for determining file types.

"DIE" is a cross-platform application; apart from the Windows version, there are also versions for Linux and Mac OS.

Many programs of this kind (PEiD, PE Tools) allow the use of third-party signatures. Unfortunately, those signatures only scan bytes against a preset mask, and it is not possible to specify additional parameters. As a result, false positives occur often. More complicated algorithms are usually hard-coded in the program itself, so adding a new complex detect means recompiling the entire project, and no one but the authors can change the algorithm of a detect. Without constant support, such programs lose relevance over time.

Detect It Easy has a fully open signature architecture. You can easily add your own detection algorithms or modify the existing ones, because detects are written as scripts. The script language is very similar to JavaScript, and anyone who understands the basics of programming will quickly see how it works. Some may worry that scripts are slow. Scripts do run slower than compiled code, but thanks to the optimization of the script engine this causes no real inconvenience, and the flexibility of the open architecture outweighs the cost.

DIE comes in three versions: the basic version ("DIE"), the Lite version ("DIEL") and the console version ("DIEC"). All three use the same signatures, located in the "db" folder. Inside it are sub-folders ("Binary", "PE" and others) whose names correspond to file types. DIE first determines the type of a file, then sequentially loads all the signatures in the corresponding folder. Currently the program distinguishes the following types:

• MSDOS: MS-DOS executable files
• PE: Windows executable files
• ELF: Linux executable files
• Binary: all other files
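
To make the mask-versus-script distinction concrete, here is an added example in Python (not DIE's own script language or its signature database). It builds two minimal PE32 images in memory, one laid out the way UPX lays out a packed file and one plain binary whose entry point merely copies the UPX stub bytes, and runs both kinds of detect over them: a PEiD-style byte mask applied at the entry point, and a "scripted" detect that adds the parameters a mask cannot express (section names, which section holds the entry point, whether the first section has raw data). The PE builder, the simplified UPX entry-point mask and the section checks are constructed for illustration.

```python
import struct

SECTION_ALIGN, FILE_ALIGN, OPT_SIZE = 0x1000, 0x200, 0xE0


def build_pe(names, ep_index, ep_code):
    """Construct a minimal PE32 image in memory (test input for this example, not a real binary).
    Section i is mapped at RVA 0x1000*(i+1); only section `ep_index` carries raw data, and the
    entry point is placed at its first byte."""
    nsec = len(names)
    hdr_end = 0x40 + 4 + 20 + OPT_SIZE + 40 * nsec
    raw_off = (hdr_end + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, OPT_SIZE, 0x102)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, SECTION_ALIGN * (ep_index + 1))   # AddressOfEntryPoint
    secs = b""
    for i, name in enumerate(names):
        raw = len(ep_code) if i == ep_index else 0
        secs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), SECTION_ALIGN,
                            SECTION_ALIGN * (i + 1), raw, raw_off if raw else 0, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + bytes(opt) + secs
    return image + bytes(raw_off - len(image)) + ep_code


def parse_pe(buf):
    """Read the fields a detector needs: entry point RVA and the section table."""
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[:2] != b"MZ" or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    ep = struct.unpack_from("<I", buf, opt + 16)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"ep": ep, "sections": sections}


def section_of(pe, rva):
    return next((s for s in pe["sections"] if s["va"] <= rva < s["va"] + s["vsize"]), None)


def bytes_at(buf, pe, rva, n):
    """Map an RVA to a file offset through the section table and read n bytes (empty if unmapped)."""
    s = section_of(pe, rva)
    if s is None or rva - s["va"] >= s["rawsize"]:
        return b""
    off = s["rawptr"] + (rva - s["va"])
    return buf[off:off + n]


def mask_match(data, sig):
    """PEiD-style signature: hex bytes with '??' wildcards, matched at a fixed position."""
    toks = sig.split()
    return len(data) >= len(toks) and all(t == "??" or data[i] == int(t, 16) for i, t in enumerate(toks))


# Entry-point bytes of the classic UPX x86 stub (pushad / mov esi / lea edi / push edi / or ebp,-1),
# simplified here for illustration.
UPX_EP_SIG = "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF"


def detect_mask_only(buf):
    """What a mask-only signature engine can do: look at the entry-point bytes and nothing else."""
    pe = parse_pe(buf)
    return mask_match(bytes_at(buf, pe, pe["ep"], 32), UPX_EP_SIG)


def detect_scripted(buf):
    """What a script can add: the same mask plus the section layout UPX actually produces
    (UPX0 with no raw data, entry point inside UPX1). Returns a name or None."""
    pe = parse_pe(buf)
    if not mask_match(bytes_at(buf, pe, pe["ep"], 32), UPX_EP_SIG):
        return None
    names = [s["name"] for s in pe["sections"]]
    ep_sec = section_of(pe, pe["ep"])
    if names[:2] == ["UPX0", "UPX1"] and ep_sec["name"] == "UPX1" and pe["sections"][0]["rawsize"] == 0:
        return "UPX"
    return None


# Constructed inputs: a UPX-style layout, and a plain binary whose entry point merely copies the stub bytes.
UPX_STUB = bytes.fromhex("60BE00904000" "8DBE0080FFFF" "5783CDFF" "EB10")
PACKED = build_pe(["UPX0", "UPX1", ".rsrc"], 1, UPX_STUB)
DECOY = build_pe([".text", ".data"], 0, UPX_STUB)

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("decoy", DECOY)):
        print(label, "mask-only:", detect_mask_only(img), "scripted:", detect_scripted(img))
```

The mask-only detect fires on both images; the scripted detect fires only on the UPX-style layout. That is the whole argument for scriptable signatures: the extra checks are cheap, they live beside the mask in the same signature file, and anyone can adjust them without rebuilding the scanner.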

WinLicense x64 2.2.7.0 (Unpacking)

A quick tutorial showing a method of unpacking WinLicense x64 2.2.7.0, protected using the lowest protection options, and unpacked using IDA 6.1 and Scylla.

Multiline Ultimate Assembler 2.2.1 (2)

Multiline Ultimate Assembler (formerly MUltimate Assembler) is a multiline (and ultimate) assembler (and disassembler) plugin for OllyDbg. It's a perfect tool for modifying and extending the functionality of a compiled executable, writing code caves, etc.

General:

- MUltimate Assembler is a multiline (and ultimate) assembler (and disassembler)
- To disassemble code, select it, and choose "MUltimate Assembler" from the right click menu
- To assemble code, click the Assemble button in the assembler window

Rules:

- You must define the address your code should be assembled at, like this: <00401000>
- You can use any asm commands that OllyDbg can assemble
- You can use RVA (relative virtual address) addresses with a module name, like this: $module.1000 or $"module".1000, or $$1000 to use the module of the address definition (e.g. <$m.1000>PUSH $$3 is the same as <$m.1000>PUSH $m.3)
- You can use labels, that must begin with a '@', and contain only letters, numbers, and _
- You can use anonymous labels, which are defined as '@@' and are referenced to as @b (or @r) for the preceding label and @f for the following label
- You can use C-style strings for text and binary data (use the L prefix for unicode)

Example:

<00401000>    NOP ; This is a nop
    JMP SHORT @f

@str:
    "Hello World!\0"
    ; L"Hello World!\0" ; for unicode

@@:
    PUSH @str
    CALL @print_str
    RET

<00401030>@print_str:
    RET 4 ; TODO: Write the function

OllyDeobfuscator 1.0

I want to share a plugin I've written for OllyDbg 1.10, OllyDeobfuscator.

Features:

1. Move NOPs in selected code to bottom.
- Select the code and start the operation to move NOPs to the bottom of the code.

2. Deobfuscate selected code.
- Select the code you want to deobfuscate and it will try to remove unnecessary instructions.

3. Smart deobfuscation.
- This is useful if you want to grab code with jumps to different locations.

You need to provide the start address and a stop condition. Also you can get the code from the run trace or the selected code. Once the code is grabbed, you can deobfuscate it and write it to a location.

A problem is that not many instructions are supported yet.

OllyPlgn 1.2

OllyPlgn is a plugin for OllyDbg 2.xx

+ Menu:

1. Copy to Clipboard:
- Code (Masm syntax)
- Code (Nasm syntax)
- ASCII string
- Unicode string
- Asm array
- C/C++ array
- Pascal array
- BYTE
- WORD
- DWORD
- VA
- RVA
- Offset

2. Tools:
- Notepad
- Calculator
- Hash Tool
- Import Reconstructor

3. Set Hardware Breakpoint [ESP]

IDA Patcher 0.1

IDA Patcher is a plugin for Hex-Rays' IDA Pro disassembler designed to enhance IDA's ability to patch binary files and memory. The plugin is useful for tasks related to malware analysis, exploit development and bug patching. IDA Patcher blends into the standard IDA user interface through the addition of a subview and several menu items.

Simply copy idapatcher.py into IDA's plugins folder. The plugin will be automatically loaded the next time you start IDA Pro.

The plugin uses pure IDA Python API, so it should be compatible with all versions of IDA on different platforms. However, it was only extensively tested on IDA Pro 6.5 for Windows with x86, x86-64 and ARM binaries.

Thwarting Virtual Machine Detection

Hello, and welcome to our presentation on virtual machine detection, and some possible methods for thwarting the types of detection currently in use by malware in the wild.

We’ll start with an overview of some of the methods being used to detect virtual machine environments, how they work and what exactly they detect. Then we’ll pass along some tips for making a virtualized environment more difficult for the bad guys to detect.

R4ndom’s Beginning Reverse Engineering Tutorials

R4ndom’s Beginning Reverse Engineering Tutorials - the complete collection all in one handy archive!

Tutorial #1 - What is reverse engineering?
Tutorial #2 - Introducing OllyDBG
Tutorial #3 - Using OllyDBG, Part 1
Tutorial #4 - Using OllyDBG, Part 2
Tutorial #5 - Our First (Sort Of) Crack
Tutorial #6 - Our First (True) Crack
Tutorial #7 - More Crackmes
Tutorial #8 - Frame Of Reference
Tutorial #9 - No Strings Attached
Tutorial #10 - The Levels of Patching
Tutorial #11 - Breaking In Our Noob Skills
Tutorial #12 - A Tougher NOOBy Example
Tutorial #13 - Cracking a Real Program
Tutorial #14 - How to remove nag screens
Tutorial #15 - Using the Call Stack.
Tutorial #16A - Dealing with Windows Messages.
Tutorial #16B - Self Modifying Code.
Tutorial #16C - Bruteforcing.
Tutorial #17 - Working with Delphi Binaries.
Tutorial #18 - Time Trials and Hardware Breakpoints.
Tutorial #19 - Creating patchers.
Tutorial #20A - Dealing with Visual Basic Binaries, Part 1.
Tutorial #20B - Dealing with Visual Basic Binaries, Part 2.
Tutorial #21 - Anti-Debugging Techniques.
Tutorial #22 - Code Caves and PE Sections.
Tutorial #23 - TLS Callbacks.

Modifying Binaries For Fun And Profit

Adding a Splash Screen - Creating a code cave to show a custom splash on an application
Adding a Menu Item - Adding a menu item to an existing binary.
Making a Window Non-Closeable - Making a Window Non-Closeable.
The Never Ending Program - Opening message boxes every time a user tries to close a program.
DLL Injection 1 - Adding an opening message box through DLL injection.
DLL Injection 2 - Adding a splash bitmap through DLL injection.

R4ndom’s Guide to RadASM

Installing and setting up - Installing RadASM and configuring the environment.
Creating our first project - Creating our first project.
Adding an Icon and Menu - Adding an Icon and Menu.

Miscellaneous

The Reverse Engineer’s Toolkit - Tools every reverse engineer should know about.
Shrinking C++ Binaries - Shrinking binaries through Visual Studio.

Other Tutorials

Author - Tutorial
XOR06 - Cracking DriverFinder
nwokiller - Unpacking PELock v1.06
XOR06 - Bypassing a keyfile
XOR06 - Bypassing a Serial and server Check
XOR06 - Bypassing a Serial in a Delphi Binary
XOR06 - Finding a serial using bitmaps.
XOR06 - Easy unpacking.
XOR06 - Where and How to patch a serial routine.
XOR06 - Patching a server check, 30 day time trial, and a nag.
XOR06 - Serialfishing a correct serial.
XOR06 - Another way of finding the patch.
XOR06 - Why it’s so important to search for pointers.
XOR06 - .NET Crackme with tutorial
XOR06 - .NET Crackme (no tutorial)

The Impossibility of Obfuscation with a Universal Simulator

We show that indistinguishability obfuscation implies that all functions with sufficient “pseudo-entropy” cannot be obfuscated under a virtual black box definition with a universal simulator. Let F = {fs} be a circuit family with super-polynomial pseudo-entropy, and suppose O is a candidate obfuscator with universal simulator S. We demonstrate the existence of an adversary A that, given the obfuscation O(fs), learns a predicate the simulator S cannot learn from the code of A and black-box access to fs. Furthermore, this is true in a strong sense: for any secret predicate P that is not learnable from black-box access to fs, there exists an adversary that given O(fs) efficiently recovers P(s), whereas given oracle access to fs and given the code of the adversary, it is computationally hard to recover P(s).

We obtain this result by exploiting a connection between obfuscation with a universal simulator and obfuscation with auxiliary inputs, and by showing new impossibility results for obfuscation with auxiliary inputs.

Sequential Dumper

It’s really annoying when you have to deal with the initialization part of a piece of malware; most of the time a malicious executable follows the same alloc/decrypt/jump_to_decrypted_code scheme. So I decided to write something to ease and automate the initial investigation of a malware process.

The idea behind the plugin is simple: Sequential Dumper is conceptually able to dump blocks of memory in sequence. It monitors the flow of the malware code, trying to dump all the newly allocated/decrypted parts in the different memory areas that contain the malware’s own code.

The real malware is obtained after some tedious steps: a runtime-allocated buffer is used like a bridge between the original and the real malware. The original malicious file is just used to decrypt a piece of code, and then this particular code will create the real malware, replacing the old original file.

Can I use Sequential Dumper with this kind of malware? Yes you can!

Usage:

Sequential Dumper is a two-state plugin: enabled or disabled. In this first release the menu has only two items, the ‘About’ item and the one used to activate the plugin. It’s not necessary to enable the plugin at the first instruction of the malware; you can activate it whenever you want.

As you might guess, everything relies on OllyDbg’s trace system: you have to run the debuggee in trace mode, otherwise it fails to catch a memory switch.

OllyDbg is not allowed to trace system DLL code by default, but I would suggest that you change this setting.

The malware uses CallWindowProc to run a snippet from somewhere else; in this specific case the new code resides at 0x3900060. The address is outside the original exe, and if you don’t allow OllyDbg to trace into system DLLs the plugin won’t catch anything from the *hidden* snippet. I think you can understand why you might need to allow OllyDbg to trace system DLLs. It’s not a rule, but it might help.

Final notes:

Sequential Dumper produces a sort of chronicle of the malware’s execution. It comes from a simple idea and was born in a few hours, so don’t expect too much. Keep in mind that it’s the very first release and it may have bugs. Just in case, don’t hesitate to send a mail with detailed information about the bug.

The plugin has some limitations but it could be helpful for someone, what do you think?

Plugin tested on Ollydbg v2.01
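
The "memory switch" logic the description relies on, as an added example in Python that is not the plugin's code: a small model of the debuggee's address space is replayed against a trace of executed addresses and memory writes, and whenever execution crosses into a region other than the one it came from, that region is dumped, unless it is the main image or its bytes are identical to the last dump taken of it. The region layout, the stage payloads and the trace events are constructed; the alloc/decrypt/jump/re-decrypt pattern they follow is the one the text describes, with the stage-1 code landing at 0x3900060 as in the CallWindowProc case.

```python
import hashlib


class Memory:
    """Constructed model of the debuggee's address space: region start -> [end, name, content]."""

    def __init__(self):
        self.regions = {}

    def add(self, start, size, name):
        self.regions[start] = [start + size, name, bytearray(size)]

    def region_of(self, addr):
        return next((s for s, (end, _, _) in self.regions.items() if s <= addr < end), None)

    def write(self, addr, payload):
        start = self.region_of(addr)
        if start is None:
            raise ValueError(f"write outside any region: {addr:#x}")
        rel = addr - start
        self.regions[start][2][rel:rel + len(payload)] = payload


def sequential_dump(mem, events, main_image):
    """Replay a trace of ('exec', eip) and ('write', addr, data) events. Every time execution
    crosses into a region other than the one it came from (a 'memory switch'), that region is
    dumped, unless it is the main image, or its content is identical to what was already dumped."""
    dumps, seen, current = [], {}, None
    for ev in events:
        if ev[0] == "write":
            mem.write(ev[1], ev[2])
            continue
        eip = ev[1]
        region = mem.region_of(eip)
        if region is None or region == current:
            continue
        current = region
        if region == main_image:
            continue
        end, name, content = mem.regions[region]
        digest = hashlib.sha256(content).hexdigest()
        if seen.get(region) == digest:
            continue                                   # same bytes as last time: nothing new to dump
        seen[region] = digest
        dumps.append({"entry": eip, "start": region, "size": end - region,
                      "name": name, "sha256": digest[:16], "image": bytes(content)})
    return dumps


# Constructed trace: the main image decrypts stage 1 into a heap buffer and jumps there, returns,
# overwrites the buffer with stage 2, jumps again, and later re-enters the unchanged stage 2.
EVENTS = [
    ("exec", 0x401000), ("exec", 0x401005),
    ("write", 0x3900060, bytes.fromhex("e800000000c3")),       # stage 1 lands at 0x3900060
    ("exec", 0x3900060), ("exec", 0x3900065),
    ("exec", 0x401010),
    ("write", 0x3900060, bytes.fromhex("9090ebfe")),           # stage 2 overwrites the same buffer
    ("exec", 0x3900060), ("exec", 0x3900062),
    ("exec", 0x401020),
    ("exec", 0x3900062),
]


def demo():
    mem = Memory()
    mem.add(0x400000, 0x10000, "malware.exe")
    mem.add(0x3900000, 0x1000, "heap buffer")
    return sequential_dump(mem, EVENTS, main_image=0x400000)


if __name__ == "__main__":
    for d in demo():
        print(f"dump {d['name']} {d['start']:#x}+{d['size']:#x} entered at {d['entry']:#x} sha256={d['sha256']}")
```

The replay yields two dumps of the same buffer with different hashes, one per decryption stage, and no third one for the re-entry into unchanged code; hashing the region content is what keeps the chronicle from filling up with identical dumps each time the malware bounces back and forth. It also shows why the trace must cover every instruction: if the jump into the buffer is executed inside a system DLL that is not being traced, the transition is never observed and the region is never dumped.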

OllyGraph 0.2.0

Based off of the original OllyGraph by Joe Stewart, here is the initial release for OllyDbg 2.xx. So far all that is implemented is the function flowchart. I'll start adding more functionality as time/job permits.

OllyDBG Backup 0.1

This simple plugin allows saving the loaded executable labels and comments to a CSV file and later loading them back in. You can store, share, modify and merge your notes with ease and never lose your notes because OllyDbg flipped and threw them all out (it can happen).

The CSV file structure is as follows:

RVA,label,comment

Output files are compatible with the more feature-rich *pyudd*, which was the inspiration for this plugin. Kudos to *libcsv* for an easy-to-use CSV library for the C programming language.