Archive for December, 2008

PROTECTiON iD v6.1.3

Posted: December 27, 2008 in PROTECTiON iD v6.1.3, RE Tools


faster, more accurate, still better and no more beta – xmas release #2

Core Code changes:

– new: width-RESIZEABLE main window
– new: user can now choose what protection scans to skip
– new: added in new configuration item allowing the user to specify if iso, ccd, mds
etc modules are to be treated as discs (and therby subject to a sector scan)
– new: ability to scan inside microsoft cab files has been implimented

– update: we are now v0.6.1.3
– update: faster scanning core 🙂
– update: configuration window has a new look
– update: better 64 bit file handling support added
– update: appended data detection tweaked a little
– update: now if pid is running and an exe is scanned from the context menu, the main
window will change to the log window (looks better.. suggested by loki)
– update: lnk file resolving is now complete, if user has selected to resolve links,
the system handles this all automatically
– update: window position is now centred if a previous window location was not recorded
– update: adjusted ia64/x64 vs. machine check portion of code (thx to teddy rogers)
– update: configuration – windows product key showing is now a configuration item
– update: configuration – now ‘themes’ and ‘flat mode’ can not be selected at the same time,
this is how it should be as themes override flatmode etc… so now only one can
be selected, and the other is ‘auto unselected’ (suggested by syk0)
– update: configuration – addedin code to enable/disable the ‘protection report bubble’ after a scan is completed
– update: Memory Optimiser – the progress bar should get to the start again when user
clicked on Optimize and Purge was successful
– update: Memory Optimiser – code heavily updated, to work in chunks (if largest size requested is not available),
so, end result – more reliable, faster and optimised
– update: misc tools – added in quick uninstall tab
– update: misc tools – added in CD/DVD Filter Driver scanner tab
– update: misc tools – added in Windows Error Code Resolver tab
– update: misc tools – added in CPU Info tab
– update: misc tools – added in windows directory in the system info output
– update: misc tools – added in Folder Locations scanner
– update: misc tools – system information window now reports graphic device names (geforce, etc),
username & computername and terminal services availability also reported
– update: misc tools – windows install date (from registry) is now reported in the misc tools ‘system info part’,
windows install date (from folder) is now also reported.
– update: misc tools – tweaked x64 os detection code, so its a lot more reliable
– update: misc tools – windows product key reporting now also handles x64 systems
– update: nfo viewer – extra checking now added – zip, rar and mz executables will NOT be displayed,
instead, a warning message is displayed
– update: process view – added in check for terminate, dump, priority change..
if selected process is pid, the menu items are disabled (for safety and security)
– update: svf checking now reports current offset on the line when processing
– update: sfv processing now works with quoted filenames
– update: winspy – process name is now also reported (if we could obtain it.. )
– update: log window in cd/dvd operations now has a context menu, allowing for…
clear log
copy selection to clipboard
copy log to clipboard
save selection (txt)
save selection (csv)
save log (txt)
save log (csv) – bugfix: admin reflection / reporting was incorrect on 9x/ME systems
– bugfix: ‘admin shield’ icon is now moved, it looked out of place if the other progress bars
showing cpu usage etc were turned off.. (reported by loki)
– bugfix: Export as .txt doesn’t work properly, only the first file does get saved
– bugfix: event bug fixed, which sometimes resulted in pid sticking at about 35% cpu
– bugfix: pause/resume in the queue window was sometimes wrong for the text (reported by r!co)
– bugfix: Fixed SFV bug – Click on make, don’t select any files and press abort.
You can’t use the complete SFV feature as it’s all greyed out (reported by Blazkowicz)
– bugfix: sfv output for large files (mb, gb etc) was VERY wrong, its since corrected
– bugfix: fixed ‘disappearing window’ problem
– bugfix: ‘large icons’ issue fixed in 9x
– bugfix: sfv – abort now works
– bugfix: sfv – output issue should be 110% fixed now (new buffering system used)
– bugfix: task manager -> potential stack bug fixed
– bugfix: configuration – shortcut creation was broken
– bugfix: nfo viewer – fixed potential memory leak on drag/drop
– bugfix: bug in the code checking for digital signatures (found by blazi)
code now performs a sanity check on accessed memory areas

detection additions / changes

– new: check_activemark.asm – added version detection for v6.3.562
– new: check_alawar.asm – added Alawar Try & Buy Activation detection
– new: check_hexalock.asm – added HexaLock Copy Protection detection
– new: check_protectdisc.asm – added more Protect DiSC v8 subversions
– new: check_securom.asm – added in detection for sll modules + SecuROM Matroschka Package
– new: check_acprotect.asm – added ACProtect v2.1, v2.1.1 and v2.1.2 detection
– new: check_angelscrypter.asm – added Angel’s Crypteur v0.2 detection
– new: check_antidote.asm – added AntiDote v1.4 SE detection
– new: check_armadillo.asm – added version detection v6.00 or newer
– new: check_atreprotector.asm – added AT4RE Protector v1.0 detection
– new: check_avlock.asm – added AVLock detection
– new: check_budcrypter.asm – added BUD Crypter detection
– new: check_coolcrypt.asm – added COOLcryptor 0.9 detection
– new: check_cryptwoz.asm – added CryptWOZ v1.0 detection
– new: check_darkcrypt.asm – added DarkCrypt v1.2 (Private Version) detection
– new: check_dcrypt.asm – added DCrypt Private v0.9b detection
– new: check_dotfixniceprotect.asm – added DotFix NiceProtect v1.0 detection
– new: check_dotnetreactor.asm – added dotNet Reactor v3.3 (or newer) detection
– new: check_enigmaprotector.asm – added version grabber for Enigma Protector
– new: check_execrypt.asm – added ExeCRyPT v1.0 [ReBirth] detection
– new: check_exefog.asm – added EXEFog v1.1 detection
– new: check_exewrapper.asm – added ExeWrapper v3.0 (533Soft) detection
– new: check_expressor.asm – added ExPressor v1.6 detection
– new: check_fakuscrypter.asm – added Fakus Crypter detection
– new: check_fastfilecrypt.asm – added FastFileCrypt v1.6 Public detection
– new: check_fatalzcrypt.asm – added Fatalz Crypt v2.14a detection
– new: check_flashbackprot.asm – added Flashback Protector v1.0 detection
– new: check_gieprotector.asm – added Gie Protector v0.2 detection
– new: check_imppacker.asm – added IMP-Packer v1.0 detection
– new: check_kcryptor.asm – added K!Cryptor v0.11 detection
– new: check_kgbcrypter.asm – added KGB Cypter v1.0a detection
– new: check_leetcryptor.asm – added 1337 Cryptor v2 detection
– new: check_lilithcrypter.asm – added Lilith Crypter detection
– new: check_maxtocode.asm – added MaxtoCode .Net Encryption detection
– new: check_minke.asm – added Minke v1.0.1 Executable Crypter detection
– new: check_moneycrypter.asm – added Money Crypter detection
– new: check_morphna.asm – added Morphna Beta 2 detection
– new: check_mortalteamcrypter.asm – added Mortal Team Crypter v2 detection
– new: check_mpress.asm – added MPRESS NET compressor detection
– new: check_mushroomcrypter.asm – added Mu$hr00M CryPtOR v1.0 detection
– new: check_nme.asm – added NME Executable Crypter v1.1 detection
– new: check_npack.asm – added nPack v1.1.500.2008 Beta detections
– new: check_obfuscatornet.asm – added Macrobject Obfuscator.NET detection
– new: check_privateexe.asm – added version detection for v2.00 – v2.25 and v2.30 – v2.70
– new: check_puricrypt.asm – added Puri Crypt v1.2 detection
– new: check_quickpacknt.asm – added QuickPack NT v0.1 detection
– new: check_rcryptor.asm – added RCryptor v1.6d detection
– new: check_rdgpack.asm – added RDG Pack Lite Edition v0.2 detection
– new: check_rdgtejoncrypter.asm – added RDG Tejon Crypter v0.3 detection
– new: check_rlp.asm – added ReversingLabs Protector v0.7.4 beta detection
– new: check_rlpack.asm – added RLPack v1.20 detection
– new: check_roguepack.asm – added RoguePack v3.3 detection
– new: check_russiancryptor.asm – added Russian Cryptor v1.0 detection
– new: check_securepe.asm – added SecurePE v1.5 detection
– new: check_secureshade.asm – added Secure Shade v1.8 detection
– new: check_snoopcrypt.asm – added SnoopCrypt detection
– new: check_thinstall.asm – added THInstall detection
– new: check_tstcrypter.asm – added TsT Crypter detection
– new: check_undergroundcrypter.asm – added UndergroundCrypter v1.0 detection
– new: check_unlimitedcrypter.asm – added UnLimited Crypter v1.0 detection
– new: check_unopix.asm – added UnoPiX v0.94 detection
– new: check_upxlock.asm – added UPX Lock v1.01 – v1.02 detection
– new: check_weruscrypter.asm – added Werus Crypter v1.0 detection
– new: check_wildtangent.asm – added Wild Tangent v2.1 Activation detection
– new: check_windofcrypt.asm – added WindOfCrypt detection
– new: check_wingscrypt.asm – added Wingscrypt v2.0 detection
– new: check_winutilitiesexeprot.asm – added WinUtilities EXE Protector v2.1 detection
– new: check_wlcrypt.asm – added WL-Crypt v1.0 detection
– new: check_xenocode.asm – added XenoCode .NET protector detection
– new: check_xenocode.asm – added XenoCode Postbuild 2007 + 2008 for .NET detection
– new: check_xhackercryptor.asm – added xHacker Cryptor detection
– new: check_xshell.asm – added XShell v1.5 detection
– new: check_zprotect.asm – added ZProtect v1.4.3 detection
– new: check_zylomwrapper.asm – added Zylom Wrapper Crypted Game.exe detection
– new: license_nalpeiron_scan.asm – added Nalpeiron Licensing Service detection
– new: installer_install4y.asm – added Install4j Wizard Module detection
– new: installer_installshield.asm – added InstallShield v12 BETA Version detection
– new: installer_squeezesfx.asm – added Squeeze Self Extractor Module detection
– new: installer_trymediadownload.asm – added Trymedia Systems Download Manager detection
– new: msi and 7zip file type reporting is now done to the log window (similar to the .rar, zip etc reporting)
– new: added in quick detection for starforce protected pdf file
– update: check_aspack.asm – added additional check for ASPack 2.x to avoid a false positive
when scanning a file wrapped by FlashBack with ASPack entrypoint signature
– update: check_codelok.asm – improved detection
– update: check_dotnetreactor.asm – some parts recoded to be more generic & faster
– update: check_execryptor2.asm – improved detection with heuristic checks
– update: check_laserlok.asm – updated to handle older (v3) versions of laserlok
– update: check_passlock2000.asm – improved detection
– update: check_reflexivearcade.asm – executables builds are now reported (if found)
– update: check_safedisc.asm – updated to detect safedisc lite
– update: check_securom.asm – updated to handle VERY old versions & updated to detect a modified paul.dll
– update: check_solidshield.asm – minor modifications, but results in better reporting
– update: check_starforce.asm – updated to handle the new variant (v5.5) and also report bitness of the exe
– update: check_sysiphus.asm – optimized detection
– update: check_themida.asm – updated to handle dll protected Themida files
– update: check_vmprotect.asm – added new generic detection code (catches now dlls we missed before)
– update: check_upx.asm – improved to be ‘more generic’
– update: check_vob.asm.asm – updated to handle older version (4 or less)
– update: dongle_guardant.asm – added reporting of old Guardant Dongle Protections
– update: dongle_hasphlenvelope.asm – improved detection
– update: license_sentinellm – improved for better detection
– update: installer_7zip.asm – improved detection
– bugfix: check_telock.asm – fixed v1.0 detection
– bugfix: check_yzpack.asm – fixed bug resulting in non detections
– bugfix: installer_installshield.asm – fixed possible non detections

CD/DVD/Image file/sector scan

– new: b6i image added into the supported file list
– new: added in ‘Extract Boot Sector’, now the boot sector from the cd/dvd can
be ‘extracted’ to a file.. for use with something else maybe 🙂
– new: cddvd_cactus.scan.asm – Cactus Audio detection added to file scan in cddvd module
– new: cddvd_protectdisc.scan.asm – added in sector scan module for protectdisc / protectcd

– update: if a disk is detected as being protected when making the iso, the user will be prompted to continue or not
– update: sector stuff – updated handler to handle udf format disks (BEA01 header instead of CD001)
– update: sector scan – tweaked sector scan for tages a little
– update: sector scan – tweaked the safedisc detection code
– update: sector scan – updated to now NOT stop if a sector 16 read failure happened
– update: sector scan – securom scan updated to handle version 4.x (and probably lower),
which used a different ‘fingerprint’ and some minor tweaks / fixes
– update: sector scan – starforce + starforce keyless scan was heavily updated..
reducing probability of false positives as well as catching some we missed before
– bugfix: sector scan – codelok scan fixed

Download here:


Posted: December 24, 2008 in OllyDbg Tutorials, OllyDbg tut_14

Một cái đầu lạnh để vững vàng, một trái tim đỏ lửa để yêu và làm việc hết mình!

I. Giới thiệu chung

Khà khà, Giáng sinh rồi … có được chút thời gian rảnh rỗi tôi lại bắt tay vào viết tiếp bộ tutor này. Hi vọng các bạn vẫn còn hứng thú để đọc những gì tôi viết 🙂. Ở phần 13 của loạt tuts về Ollydbg, tôi đã hướng dẫn các bạn cách kiểm tra xem file có bị pack hay không, cách tìm các điểm quan trọng để tiếp cận mục tiêu, phân tích chi tiết hoạt động của Crackme CrueHead thông qua việc trace và analyze code để từ đó tìm ra một real serial cho chuỗi Name nhập vào. Như vậy, qua bài viết đó tôi đã truyền tải tới các bạn những kinh nghiệm thực tế khi làm việc với một crackme đơn giản nhưng cũng sẽ là tiền đề cho các bạn khi gặp các crackme hoặc các chương trình khác sau này….Ở phần 14 này chúng ta sẽ quay lại làm việc với các target do lão Rincardo đưa ra, cụ thể hơn là tập trung vào chủ đề Fishing Serial 😀. N0w….L3t’s G0 !!!!

II. Fishing Serial J

Chà Fishing Serial tức là gì nhỉ? Nghe như kiểu chúng ta đang đi câu cá, giữa một hồ cá rộng và sâu, làm sao ta câu được một con cá ưng ý J… trong ngữ cảnh của Cracking thì ý nghĩa cũng gần như vậy. Fishing Serial ở đây có nghĩa là chúng ta đi câu Serial, mà phải là valid Serial nhé chứ câu lung tung là mệt và dễ stress. Đối với những bạn mới vào nghề thì việc tìm được một valid Serial luôn mang lại một cảm giác lâng lâng khó tả như tìm được một “kho báu” giữa lòng đại dương J. Hồi tôi chập chững lọ mọ đọc tutor và cặm cụi mò theo, cho đến khi tìm được serial hợp lệ tự nhiên cảm thấy sướng khó tả, lúc đó nếu có ai ở bên cạnh chắc tôi sẽ kéo vào và chỉ trỏ để khoe những gì mình đã làm, dù chắc gì người đó đã hiểu mình đang làm gì, có khi lại cho mình đang bị chập lolz.

Trong phần 14 này tôi sẽ hướng dẫn các bạn làm việc với dạng Hardcoded Serial (đây là một dạng cơ bản và đơn giản), có nghĩa là dạng Serial cố định không được tính toán dựa trên Name nhập vào, cũng không thay đổi khi bạn chạy trên bất kì máy nào (tức là Serial đó valid trên mọi máy). Có bạn sẽ cho rằng vậy thì dễ quá, viết làm gì? Nhưng xin thưa, phải có dễ thì mới có khó, phải đi từ basic rồi mới tới advanced. Quan điểm của tôi là cứ từ từ mà tiến, không đi đâu mà phải vội vàng. Ok giờ chúng ta vào thực hành luôn nhé, trong bài này ta sẽ làm việc với hai Crackme của lão RedH@wk (lão này cũng là một thành viên trụ cột trong CrackLatinos).

Download toàn bộ bài viết :


Các target dùng trong bài viết (đổi đuôi pdf thành rar) :


Best Regards


ODBGScript 1.66.3

Posted: December 22, 2008 in OllyDbg Tutorials

Author : SHaG & Epsylon3

Description :

ODbgScript is a plugin for OllyDbg, which is, in our opinion, the best application-mode debugger out there. One of the best features of this debugger is the plugin architecture which allows users to extend its functionality. ODbgScript is a plugin meant to let you automate OllyDbg by writing scripts in an assembly-like language. Many tasks involve a lot of repetitive work just to get to some point in the debugged application. By using my plugin you can write a script once and for all.

Download here: ODBGScript 1.66.3


Msieve 1.39 + GUI 1.1

Posted: December 22, 2008 in Msieve 1.39 + GUI 1.1, RE Tools

Author : Jason Papadopoulos + Anogrganix
Author website:

Factoring is the study (half math, half engineering, half art form) of taking big numbers and expessing them as the product of smaller numbers. If I find out 15 = 3 * 5, I’ve performed an integer factorization on the number 15. As the number to be factored becomes larger, the difficulty involved in completing its factorization explodes, to the point where you can invent secret codes that depend on the difficulty of factoring and reasonably expect your encrypted data to stay safe.

There are plenty of algorithms for performing integer factorization. Allhave a preferred size of number they are best at factoring, and all of themhave plenty of implementations available. Msieve is no exception: it can with high probability find the complete factorization of any input number up to about 125 digits in size. The actual number of digits supported is much higher (up to 164 digits), but problems larger than 125 digits are likely to fail.

Trial division is used on all inputs; if the result is less than 25 digits in size, tiny custom routines do the factoring. For larger numbers, the code switches to more powerful methods. Prior to version 1.04, those methods were limited to the quadratic sieve. From that point on, however, an implementation of the number field sieve is also available. Information specific to the quadratic sieve implementation is contained in Readme.qs, while the number field sieve variant is described in Readme.nfs

Msieve was written with several goals in mind:

– To be as fast as possible. I claim (without proof) that for
completely factoring general inputs between 40 and 100 digits
in size, Msieve is faster than any other code implementing any
other algorithm. I realize that’s a tall order, and that I’ll
probably have to eat those words, but a *lot* of effort has gone
into making Msieve fast.

– To be as portable as possible. The code is written in C and is
completely self contained. It has its own basic multiple precision
library (which can be used in other applications) and is written
in as machine-independent a manner as possible. I’ve verified that
the source code compiles and runs correctly on 32- or 64-bit Intel
x86, 32- and 64-bit PowerPC, and 64-bit Alpha platforms. It’s
reported to work in 32-bit mode on the RS6000. It works in Windows,
Linux (several flavors), Mac OS X, and AIX. Pretty much the only
requirement for building the code is that your compiler have a
native 64-bit data type.

– To be simple to use. The only input is the integer to be factored.
Everything else happens automatically.

– To be free (as in beer). The entire code base is released into the
public domain. This is hobby stuff for me, and the more it’s used
the better.

If you choose to use Msieve, please let me know how it goes. I welcome bug reports, suggestions, optimizations, ports to new platforms, complaints, boasts, whatever.

Download here: Msieve 1.39 + GUI 1.1


Overaly type detector/Extractor/Viewer (PEiD Plugin)

-View Overaly in hex mode.
-Detect Overaly type
-Extract overaly
-4 all program that support PEiD Plugin:)



Download here:

or here: