Understanding what API-functions are used in EXECryptor October 31, 2007
Posted by reversengineering in OTHER, TOOLS.
FROM:
http://kioresk.wordpress.com/2007/10/20/execryptor_api_hashs/#more-9
Here you will find how a list of API functions and their hashes can be useful in researching EXECryptor.
As you may know, StrongBit recently released a new version of EXECryptor – 2.4.1, with improved antidebug and antitrace features. While unpacking the console part of it, I’ve noticed that it detects my debugger (patched OllyDbg with the PhantOm plugin).
So let’s imagine that we are trying to understand this new antidebug trick. We’ll unpack the console part (EXECrypt.exe) or just dump it while running, and then start to analyze it in IDA.
PhantOm consists of 2 drivers named FRDTSC and EXTREMEHIDE, which are loaded and used to hide OllyDbg. So, first of all we’ll try to search for these strings in IDA, and of course we will find them. OK, then we will look where these strings are used and find an interesting procedure that is used with the PhantOm drivers’ names…….
Download it from http://www.box.net/shared/pnqxu5nvq6 (7-Zip, 50 kB).
Hope it will be useful for you.
Modified PhantOm 1.0.4 plugin for EXECryptor 2.4.1 October 31, 2007
Posted by reversengineering in OLLY'S PLUGINS, TOOLS.
FROM: http://kioresk.wordpress.com/
“While Hellspawn is working on a new version of the PhantOm plugin, you can use a modified one to debug applications protected with EXECryptor 2.4.1.
There is nothing extraordinary in it; I’ve changed the names of both drivers and their checksums.
Currently, I’m using the previous version of the PhantOm plugin – 1.0.4 instead of the last one (1.1.5), so if you need the last version – modify it yourself (don’t forget to change both the ASCII and Unicode names).
Download modified version of PhantOm 1.0.4 plugin from http://www.box.net/shared/8eabhv5sre (7-Zip, 42 kB)”
RACEVB6 v 4.0 October 31, 2007
Posted by reversengineering in OTHER, TOOLS.
RACEVB6(©) is designed to analyze a VB6 program and extract the graphic information it contains. This includes not only the various graphic images, but, since FORMs and CONTROLs are graphic entities in VB6, their properties are extracted as well.
10/07 RACE 4.0
Updated many opcodes
Added new opcodes
Includes bug fix of 3.9
Added FormMenu to intrinsic control method naming (forgot it in 3.7!)
Added improved error handling for invalid opcodes occurring in unused/incomplete/non-functioning procedures
Trial Reset 3.2 October 30, 2007
Posted by reversengineering in OTHER, TOOLS.
What’s new v3.2 (Public):
-Updated support for PCGuard 5.02
-Added autocleaning at startup
-Fixed ExeCryptor 2.x bug
-Minor bug fixes
http://letitbit.net/download/879a63351440/Trial-Reset-32.rar.html
Unpacker ExeCryptor 2.x.x. beta 2 October 30, 2007
Posted by reversengineering in TOOLS, UNPACKERS.
updated
http://letitbit.net/download/b056cc127114/unpacker-execryptor-2xx-beta-2.rar.html
RDG Packer Detector v0.6.5 Beta October 30, 2007
Posted by reversengineering in DETECTOR, TOOLS.
Hi,
Another detector tool; it is stronger than PEiD, especially against fake signatures….
http://rapidshare.com/files/66345625/RDG_Packer_Detector_v0.6.5_Beta.rar
2 new modified olly added to page of debugger October 30, 2007
Posted by reversengineering in DEBUGGER, TOOLS.
Fast links:
1 – for EXECryptor
http://rapidshare.com/files/66345462/OllyDbg_v1.10_Bronco.rar
2 – YPOGEiOS DOX DiViSiON (no other info about this one)
http://rapidshare.com/files/66345700/YGS-DOX_OllyDBG.v1.10.Mod-YPOGEiOS.rar
ANTY TRIAL ! October 29, 2007
Posted by reversengineering in OTHER, TOOLS.
Hi,
Site:
http://free.of.pl/n/neokwinto/
Download link:
http://rapidshare.com/files/65963726/ANTY_TRIAL_neokwinto_2007-10_.exe
ASProtect version detector V0.15 by PE_Kill October 29, 2007
Posted by reversengineering in DETECTOR, OTHER, TOOLS.
ASProtect 1.1
ASProtect 1.1b
ASProtect 1.11c
ASProtect 1.2
ASProtect 1.23 Beta 18
ASProtect 1.23 RC1
ASProtect 1.23 RC4 build 08.07 Release
ASProtect 1.30 build 08.24 beta
ASProtect 1.31 build 04.19 Beta
ASProtect 1.31 build 04.27 Beta
ASProtect 1.31 build 05.18 RC
ASProtect 1.31 build 6.14 Release
ASProtect 1.32 build 10.04 Beta
ASProtect 1.32 build 10.20 Beta
ASProtect 1.33 build 03.07 Release
ASProtect 1.35 build 01.06 Release
ASProtect 1.35 build 01.14 Release
ASProtect 1.35 build 01.26 Release
ASProtect 1.35 build 04.25 Release
ASProtect 1.35 build 06.26 Release
ASProtect 1.4 build 01.14 Beta
ASProtect 1.4 build 01.26 Beta
ASProtect 2.00 build 01.13 Release
ASProtect 2.00 build 06.23 Alpha
ASProtect 2.00 build 10.04 Beta
ASProtect 2.00 build 10.20 Beta
AsProtect 2.1 build 02.19 Release
ASProtect 2.11 SKE build 03.13 Release
ASProtect 2.11 SKE build 04.27 Trial
ASProtect 2.2 SKE build 01.06 Release
ASProtect 2.2 SKE build 01.14 Release
ASProtect 2.2 SKE build 03.05 Release
ASProtect 2.2 SKE build 06.05 Release
ASProtect 2.2 SKE build 04.25 Release
ASProtect 2.3 SKE build 03.05 Beta
ASProtect 2.3 SKE build 03.19 Beta
ASProtect 2.3 SKE build 04.23 Beta
ASProtect 2.3 SKE build 04.25 Beta
ASProtect 2.3 SKE build 04.26 Beta
ASProtect 2.3 SKE build 05.14 Beta
ASProtect 2.3 SKE build 06.26 Beta
PlugIn for DiE and PEiD
WCRPatcher v 1.2 RC5 October 29, 2007
Posted by reversengineering in OTHER, TOOLS.
What’s new in 1.2 RC5
Added support for an external, user-supplied main patch window (see “Options”). A .res file with the standard dialog resource is included in the archive.
OllyCallTrace October 29, 2007
Posted by reversengineering in OLLY'S PLUGINS, TOOLS.
From: http://www.harmonysecurity.com/OllyCallTrace.html
About
OllyCallTrace is a plugin for OllyDbg (version 1.10) to trace the call chain of a thread allowing you to monitor it for irregularities to aid in the debugging of stack based buffer overflows as well as to quickly plot the execution flow of a program you are reversing.
Usage
Simply install the plugin and set a breakpoint on a location you want to trace from, e.g. ReadFile() or WSARecv(). When this breakpoint is hit, activate OllyCallTrace and press F7 to begin the automated single stepping and recording of the call chain. When you are finished tracing the code, pause execution or disable OllyCallTrace and view the OllyCallTrace Log to see the recorded call chain.
Double clicking on any Call/Return instruction in the OllyCallTrace Log window will bring you to that location in the OllyDbg disassembly window. The recorded call chain is highlighted with blue being for the main module, yellow for system modules and green for all other modules. The call chain is also displayed in a nested format to make it easier to read. All irregularities are marked in red.
Example
This example shows how OllyCallTrace handles the recording of a stack based buffer overflow. In the screenshot below we can see where an overflow occurred when returning from the function at 0x00401198 and an attempt was made to return to 0x41414141. We can see that the return address should have been 0x0040120E which was originally called from 0x00401209. We can also note that the memset operation before the stack smash is suspicious and probably the cause of the vulnerability. This information would not have been available without OllyCallTrace recording the call chain as the stack is destroyed after the overflow.
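The return-address check described above, as an added example that is not part of OllyCallTrace or the original post: a shadow-stack replay of a recorded CALL/RET trace that flags the RET whose destination does not match the address after its CALL and reports the expected return and call site, reproducing the 0x41414141 case from the post. The trace events, their tuple layout and the memset address are constructed assumptions.

```python
# Constructed trace: (kind, instruction address, destination, CALL length).
# For a CALL, destination is the callee and length lets us derive the return
# address; for a RET, destination is where execution actually went. The
# addresses reuse the values quoted in the post; memset's address is assumed.
SAMPLE_TRACE = [
    ("call", 0x00401000, 0x00401209, 5),  # main -> handler
    ("call", 0x00401209, 0x00401198, 5),  # handler -> vulnerable function
    ("call", 0x004011A0, 0x7C9A1234, 6),  # vulnerable fn -> memset (assumed address)
    ("ret",  0x7C9A1260, 0x004011A6, 0),  # memset returns where it should
    ("ret",  0x004011C0, 0x41414141, 0),  # return address overwritten with "AAAA"
]

def trace_calls(events):
    """Replay CALL/RET events against a shadow stack; one record per event."""
    shadow = []   # pending frames: (call_site, expected_return, callee)
    records = []
    for kind, addr, dest, length in events:
        if kind == "call":
            records.append({"kind": "call", "depth": len(shadow),
                            "addr": addr, "dest": dest, "ok": True})
            shadow.append((addr, addr + length, dest))   # return lands after the CALL
            continue
        rec = {"kind": "ret", "addr": addr, "dest": dest}
        if shadow:
            call_site, expected, callee = shadow.pop()
            rec.update(depth=len(shadow), ok=(dest == expected),
                       expected=expected, call_site=call_site, callee=callee)
        else:   # RET with no recorded CALL: nothing to check against, so flag it
            rec.update(depth=0, ok=False, expected=None, call_site=None, callee=None)
        records.append(rec)
    return records

def irregularities(records):
    """The entries a front-end would paint red: returns that did not go home."""
    return [r for r in records if not r["ok"]]

def render(records):
    """Nested, OllyCallTrace-style listing; '!!' marks an irregular return."""
    lines = []
    for r in records:
        pad = "  " * r["depth"]
        op = "CALL" if r["kind"] == "call" else "RET "
        line = f"{pad}{op} {r['addr']:08X} -> {r['dest']:08X}"
        if not r["ok"]:
            exp = "unknown" if r["expected"] is None else f"{r['expected']:08X}"
            site = "unknown" if r["call_site"] is None else f"{r['call_site']:08X}"
            line += f" !! expected {exp} (called from {site})"
        lines.append(line)
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(trace_calls(SAMPLE_TRACE)))
```

The memset call is recorded one level deeper than the vulnerable function, so the listing shows it immediately before the flagged return, which is the visual cue the post relies on.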
Sysinternals Suite October 28, 2007
Posted by reversengineering in MONITORING, OTHER, TOOLS.
Sysinternals Suite
By Mark Russinovich
Published: October 26, 2007
Introduction
The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools. This file contains the individual troubleshooting tools and help files. It does not contain non-troubleshooting tools like the BSOD Screen Saver or NotMyFault.
The Suite is a bundling of the following selected Sysinternals Utilities:
AccessChk
AccessEnum
AdExplorer
AdRestore
Autologon
Autoruns
BgInfo
CacheSet
ClockRes
Contig
Ctrl2Cap
DebugView
DiskExt
Diskmon
DiskView
DU
EFSDump
Filemon
Handle
Hex2dec
Junction
LdmDump
ListDlls
LiveKd
LoadOrder
LogonSessions
NewSid
NtfsInfo
PageDefrag
PendMoves
Portmon
ProcessExplorer
ProcessMonitor
ProcFeatures
PsExec
PsFile
PsGetSid
PsInfo
PsKill
PsList
PsLoggedOn
PsLogList
PsPasswd
PsService
PsShutdown
PsSuspend
RegDelNull
RegJump
RegMon
RootkitRevealer
SDelete
ShareEnum
SigCheck
Streams
Strings
Sync
TcpView
VolumeId
WhoIs
WinObj
ZoomIt
link:
http://rapidshare.com/files/65722157/SysinternalsSuite.zip
new olly added October 28, 2007
Posted by reversengineering in DEBUGGER, TOOLS.
Hi,
This is a new OllyDbg build modified for Themida 1.9.5.
link:
http://rapidshare.com/files/65716863/O_ll_y_Dbg_modify_for_themida1.9.5.EXE
Hidedbg For themida1.9.5 October 28, 2007
Posted by reversengineering in OLLY'S PLUGINS, TOOLS.
Hide OllyDBG Plugin V1.02
Functions:
1. Hide IsDebuggerPresent
2. Hide NtGlobalFlag
3. Hide ProcessHeapFlag
4. Patch ZwQueryInformationProcess (== patch UnhandledExceptionFilter)
5. Patch ZwSetInformationThread
6. Patch CheckRemoteDebuggerPresent
7. Patch OutputDebugStringA
8. Anti heap-checking (for Themida 1.9.5.0)
V1.02:
! Fixed the bug in patching ZwSetInformationThread (for Themida 1.9.5.0)
+ Added heap-checking.
Debugging Themida 1.9.5:
1. Modify the window captions in the file ollydbg.exe (CPU, OLLYDBG…)
2. Click “Hide ALL” (choose the HideDBG plugin)
Download this!!
Registry Workshop version 3.1.0 October 28, 2007
Posted by reversengineering in OTHER, TOOLS.
Registry Workshop version 3.1.0
- Added support for opening registry URLs using the reg: URL protocol.
- Added support for synchronized scrolling of the compare result lists when one of them is scrolled horizontally.
- Added support for using key name as default file name when exporting a registry key.
- Added Windows XP/Vista visual styles support.
- Fixed a bug in importing .reg file into another .reg file.
- Fixed a bug when searching registry on 64-bit Windows.
DILE v0.2.6 October 28, 2007
Posted by reversengineering in .NET, NEWS, TOOLS.
Hi,
Source: http://pzsolt.blogspot.com/
I have uploaded a new version of DILE onto SourceForge.
zip file (x86): dile_v0_2_6_x86.zip
zip file (x64): dile_v0_2_6_x64.zip
readme.txt: readme.txt
license.txt: license.txt
change_log.txt: change_log.txt
There are four main improvements besides several small ones and bug fixes (see the change_log.txt for more details):
- Generics (type parameters) are now completely supported, which means that the Object Viewer window can inspect and display such types perfectly and expressions that contain type parameters can be evaluated during debugging as well.
- .NET 2.0 permission sets are now displayed correctly. Earlier I could not find the specification of these; and thus I just displayed the binary content which often resulted in ugly unicode characters. Eventually, I could find the specification and this problem is fixed now.
- Events are disassembled. This was my mistake, I simply forgot about events… In the Project Explorer the tree now contains an “Events” node where a class’ events are collected.
- Enums are also parsed now and can be used in expressions. However, my implementation differs from Visual Studio’s. Mine is not so strict, which means that enum values don’t have to be converted to int or their other underlying type. E.g.: TestApplication.TestClass.TestMethod(TestApplication.TestEnum.TestField) is accepted by DILE; it’s not necessary to cast TestApplication.TestEnum.TestField to int.
NetDasm October 28, 2007
Posted by reversengineering in .NET, TOOLS.
NetDasm – a tool to disassemble and patch .NET assemblies
only for test ! October 28, 2007
Posted by reversengineering in TOOLS.
Hi,
I found these links and put them here for testing only.
If you like it, buy it.
http://rapidshare.com/files/60917995/WinLicense-1.8.5.5.rar
http://rapidshare.com/files/22279402/Themida_1.8.5.5.rar
YOU SHOULD NOT USE THEM TO MAKE MONEY OR FOR COMMERCIAL PURPOSES. I WILL NOT BE HELD RESPONSIBLE FOR THESE. THIS IS NOT A WAREZ BLOG.
THNX
The Reverse Code Engineering Video (ida) October 28, 2007
Posted by reversengineering in NEWS, RCE.
Hi,
1-Visual Debugging with IDA – The Interactive Disassembler
2-Remote Debugging with IDA Pro
3-Debugging a buggy Application with IDA Pro
4-How to solve Crackmes for Dummies in Video
Author: TiGa [+Sign Student]
link:
http://rapidshare.com/files/65528665/TiGa-vid1.zip
http://rapidshare.com/files/65528639/TiGa-vid2.zip
http://rapidshare.com/files/65528629/TiGa-vid3.zip
http://rapidshare.com/files/65528612/TiGa-vid4.zip
DE Decompiler Lite Beta October 26, 2007
Posted by reversengineering in Decompilers, NEWS, TOOLS.
Another tool for decompiling Delphi, but I think it needs more development time; I hope the author keeps working on it.
Good luck, Gpch.
DE Decompiler Lite Beta URL: http://www.de-decompiler.com/files/de_decompiler_lite.zip
Features:
1. All versions of Delphi…
2. Automatic unpacking if the target is packed (thanks to Archer);
Code emulation is cut from the LITE version.
C++ Builder is not supported (meaning: supported, but with some bugs).
FULL costs $99 (single) / $199 (company).
Gpch says that you can get FULL if you write plugins.
2 mp3′s (chiptone) for dup October 26, 2007
Posted by reversengineering in www.fun.here!.
Hi,
I created these files for dUP (only for fun ;) ).
These files are large because they are like MP3 files,
with a singer and….
test it:
http://rapidshare.com/files/61820471/Stoned__Deep_Dish_Mix__by_jik_sanieh.it
http://rapidshare.com/files/61819892/Ian_van_Dahl_-_Reason_by_jik_sanieh.it
Do you like it?
A step-by-step guide to unlocking the iPhone October 26, 2007
Posted by reversengineering in www.fun.here!.
http://rapidshare.com/files/62137261/i_P_h_o_n_e.Hardware.Unlock.Guide.rar
ArtMoney.Pro.v.7.2.7 October 26, 2007
Posted by reversengineering in OTHER, TOOLS.
• New transfer protocol with the program “Spyware Process Detector” version 3.03 or higher. You can open any hidden process and any process that blocks opening. We recommend using “Spyware Process Detector” instead of the standard Windows Task Manager, together with your anti-virus. You can download and install it from our site http://www.systemsoftlab.com.
• New option “ArtMoney Asks you to save the table with unsaved changes when you exit”.
• Updated emulators options. New emulators options for MSX.
• Fixed bug with detection of process filename.
• Fixed bug when running ArtMoney for the first time on Windows Vista.
• [PRO] Fixed bug when ArtMoney saves table and stealth mode is enabled.
• [PRO] Fixed bug with blue screen when you run two different versions of ArtMoney Pro.
all tuts by sina_dir (my friend in UnReal-rce Team) October 26, 2007
Posted by reversengineering in MUPS, other protectors and packers, RCE.
| Tutorial Name | Language | Size |
| --- | --- | --- |
| How To Make a Trainer For Resident Evil 3 (New) | Farsi-Persian | 582.1 KB |
| Manual Unpacking WinUpack 0.3x | English | 675.9 KB |
| Manual Unpacking ExeShield 3.8.5.2 | English | 1.47 MB |
| Removing Yahoo! Games NagScreen & TimeTrial | Farsi-Persian | 297.8 KB |
| Manual Unpacking ACProtector 1.41 | English | 561.4 KB |
| Manual Unpacking AntiCrack Protector 1.0 | English | 457.1 KB |
| Manual Unpacking SLVc0deProtector 1.12 | English | 577.8 KB |
| Manual Unpacking SLVc0deProtector 1.12 | Farsi-Persian | 544.4 KB |
| Manual Unpacking MEW11 SE 1.2 | Farsi-Persian | 925.9 KB |
| Manual UnPacking SPLayer 0.08 | Farsi-Persian | 670.9 KB |
dup 2.17 beta 5 October 26, 2007
Posted by reversengineering in NEWS.
diablo2oo2′s Universal Patcher [dUP]
************************************
Version: 2.17
Features:
-multiple file patcher
-create Offset and Search&Replace patch/loader
-compare files (RawOffset and VirtualAddress) with different filesize
-registry patcher, also for loaders
-attach files to patcher
-get filepaths from registry
-usage of CRC32 and filesize checks
-patching packed files
-compress patcher with your favorite packer
-saving projects
-use custom skin in your patcher
-add music (Tracker Modules: xm,mod,it,s3m,mtm,umx,v2m,ahx) to patcher
-and many more…
Homepage
——–
http://navig8.to/diablo2oo2
http://diablo2oo2.cjb.net
http://kickme.to/diablo2oo2
http://zor.org/d2k2
2 new olly October 22, 2007
Posted by reversengineering in NEWS.
2 new OllyDbg builds have been added to the debuggers page; check it out.
Trial Reset V3.0.1 Final October 22, 2007
Posted by reversengineering in OTHER, TOOLS.
Hi,
New version updated.
link:
http://rapidshare.com/files/64344221/Trial_Reset_V3.0.1_Final.rar
TRIAL RESET 3.0 FINAL October 14, 2007
Posted by reversengineering in OTHER, TOOLS.
What’s new v3.0 Final (Public):
-Updated Backup command
-Updated support for Obsidium 1.3x
-Minor bug fixes
LINK:
http://letitbit.net/download/1b8398148323/Trial-Reset-V3.0-Final.By.theboss.rar.html
Exeinfo PE 0.0.1.7 B October 11, 2007
Posted by reversengineering in DETECTOR, TOOLS.
04.10.2007 – Corrected and optimized a few procedures, removed bugs, added new signatures.
Protected: IDA.P.A.v5.1.0.899.FIX – UNiQUE October 11, 2007
Posted by reversengineering in NEWS, TOOLS.