Archive for February, 2009

ARTeam: A Tales of Reversing & Keygenning Two MD5 Registration Schemas

Hi all,
this is a nice release, a twofold tutorial about reversing and keygenning an MD5-based registration schema. The tutorial, as I said, is twofold because it is the union of two tutorials written by 2KAD and Nieylana.

The result is quite interesting because tutorials describing the complete process of reversing and keygenning an MD5-based registration schema are not so common, or are rather old.

Last but not least, the sources (Delphi and ASM) of the keygens are included in the distribution, so you will be able to look at them as well. What more do you want?

Another fine release from ARTeam!

ExeCryptor Internals : Tutorials + Tools
Author : Zool@nder of AT4RE
This package is intended to fill the vacuum that surrounds the great ExeCryptor.
It was born as an essay to understand EC internals and how well it does its job.
This whole project was initiated by a dummy-extremely important article about PRN generation and tool coding. (I won't get in anyone's way with my chitchat, so just forget this.)

OK, now for the interesting things. The whole thing will be a series, divided into 3 or 4 parts due to time constraints, and in each part I'll publish what I have accomplished, with comments.

You will find in this package the following files:
+ EC LDE : EC length disasm internal engine.
+ EC_LIB_API_PROCS : Various procedures used by EC to protect API and LIB use. It contains:
  – EC_GETKERNEL32HANDLE -> The way it grabs the kernel32 lib image.
  – EC_GETPROCADDRESS -> The way it gets API addresses.
  – EC_REDIR_BP_CHECKER -> The technique it uses to check API BPs and redirection.
+ EC_VIRTUAL_MACHINE : The MUST, it's the EC Virtual Machine Engine and some tools to reverse it.
+ STRINGS DECRYP-RECRYPTER : EC's method of not leaving string traces in code.

With every project you will find a tutorial, source code, and tools so you can study what you want.


Author : Jason Raber + Brian Krumheuer

For a Reverse Engineer, rebuilding a large Import Address Table (IAT) can be a very time-consuming and tedious process. When the IAT has been sufficiently hashed or munged and current IAT rebuilders fail to resolve any of the calls, there is little other choice than to rebuild it by hand. Depending on the size, it can take days or even weeks. Also, doing anything by hand is prone to mistakes. QuietRIATT is an IDA Pro plug-in which automates the process of rebuilding the IAT when it can’t be done by current IAT tools. Not only can it greatly reduce the amount of time spent rebuilding by hand, it also removes the element of human error.


Decompilers and Beyond

Author : Ilfak Guilfanov

Disassemblers and debuggers are the two tools that allow reverse engineers to examine binary applications. Without them, binary code is just a sequence of hexadecimal numbers. Since humans are notoriously bad with digits, only superficial analysis can be done without these tools.

Basically, the job of a disassembler is very simple: it just maps hexadecimal numbers to instruction mnemonics. The output of such a basic disassembler is a listing with instructions. While this mapping is a big step forward and allows the user to decipher the logic of simple programs, it does not scale well. Analysis of any file bigger than a few kilobytes is problematic because instruction mnemonics are not enough to hold higher level information: labels and comments are needed, as well as facilities to change the representation on the fly.


Best Regards

Once again, it’s that time of the year… The Remote Exploit Dev team are working hard on BackTrack 4 … and it will be released in the very near future…

We have taken huge conceptual leaps with BackTrack 4, and have some new and exciting features. The most significant of these changes is our expansion from the realm of a Pentesting LiveCD to a full blown “Distribution”. Now based on Debian core packages and utilizing the Ubuntu software repositories, BackTrack 4 can be used both as a Live CD, or installed on hard disk as a full distribution. By syncing with our BackTrack repositories, you will regularly get security tool updates soon after they are released.


The BackTrack kernel is now in sync with upstream kernels – so you always get the latest hardware support. Kernel upgrades including the latest hardware support will be periodically available.

Working out of the box:

* Native support for Pico e12 and e16 cards is now fully functional, making BackTrack the first pentesting distro to fully utilize these awesome tiny machines.

* Support for PXE Boot – Boot BackTrack over the network with PXE supported cards!

* SAINT EXPLOIT – kindly provided by SAINT corporation for our users with a limited number of free IPs.

* MALTEGO – The guys over at Paterva did outstanding work with Maltego 2.0.2 – which is featured in BackTrack as a community edition.

* The latest mac80211 wireless injection patches are applied, with several custom patches for rtl8187 injection speed enhancements. Wireless injection support has never been so broad and functional.

* Unicornscan – Fully functional with Postgres logging support and a web front end.

* RFID support (thanks to Adam Laurie)

* Possibly CUDA support…

* New and updated tools – the list is endless!


With all these changes, PLUS the usual goodies and surprises we have in BackTrack, we are truly excited about this new release.

More screenshots: Maltego, Unicornscan FE, W3af.


PatchDiff2 – A patch analysis plugin for IDA

News :
02/12/2009: PatchDiff 2.0.6 released:

* Switches to the call graph for the checksum instead of instruction frequency
* Removes invalid C++ classes/structs flagged as functions

08/19/2008: PatchDiff 2.0.5 released:

* Adds string references to the signature
* Fixes IPC close when option is disabled

07/22/2008: PatchDiff 2.0.4 released:

* Requires at least IDA 5.2
* Adds save backup results to IDB
* Adds Unmatch/Set match/Switch match submenus
* Adds “pipe” support to keep second IDA instance open
  o menu Options/PatchDiff2 to disable/enable it per IDB
  o registry HKLM\SOFTWARE\Tenable\PatchDiff2 IPC (DWORD) for the default setting
* Uses demangled function names
* Ignores duplicated names

07/07/2008: PatchDiff 2.0.3 released:

* Adds support for C++ classes in the signature engine (improves results against c++ targets)
* No longer relies on IDA code refs (due to bad references)
* x86: merges inc reg and dec reg to one instruction
* x86: handles jmp $2/$5
* x86: stops block tracing on int3
* Bugfix: Does not try to display graphs that IDA can’t handle

07/02/2008: PatchDiff 2.0.2 released – now supports IDA 5.1 and 5.2
06/27/2008: PatchDiff 2.0.1 released

PatchDiff2 is a plugin for the Windows version of the IDA disassembler that can analyze two IDB files and find the differences between them. PatchDiff2 is free and fully integrates with the latest version of IDA (5.2).
The plugin can perform the following tasks:

* Display the list of identical functions
* Display the list of matched functions
* Display the list of unmatched functions (with the CRC)
* Display a flow graph for identical and matched functions

The main purpose of this plugin is to be fast and give accurate results when working on a security patch or a hotfix. Therefore this tool is not made to find similar functions between two different programs.
PatchDiff2 supports all processors that IDA can handle and is available in two versions: 32-bit and 64-bit.

PatchDiff2 is freely distributed to the community by Tenable Network Security in the hope that it will be useful to you and will help research engineers analyze patches better. However, Tenable does not provide support for this tool and offers no guarantee regarding its use or output. Please read the end-user license agreement before using this program.



How to use it
PatchDiff2 can be launched through the plugins menu or by the keyboard shortcut ‘CTRL+8’. When the analysis is done, identical, unmatched and matched functions are displayed in separate lists.
Flow graphs of matched and identical functions can be displayed by right-clicking on the given functions and clicking ‘Display graphs’.
Graph nodes can be synchronized by double-clicking on a given node. Graphs use the following colors:

* white: identical nodes
* grey: unmatched nodes
* red: matched nodes
* tan: identical nodes (different crc)
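To make the identical/matched/unmatched split concrete, here is an added Python sketch of the matching step as the changelog above describes it (this is not Tenable's code and is far simpler than the real plugin): a signature built from string references and callees, a checksum over a normalised instruction stream (inc/dec merged, block tracing stopped at int3), and pairing only on signatures that are unique within each IDB. The function names, mnemonic sequences and string references are constructed sample data.

```python
import zlib
from collections import Counter, namedtuple
# What an IDB gives a PatchDiff2-style engine per function (constructed model).
Func = namedtuple("Func", "name mnemonics callees strings")

def normalize(mnemonics):
    # As PatchDiff 2.0.3 does on x86: merge inc/dec into one instruction class
    # and stop block tracing at int3, so neither perturbs the checksum.
    out = []
    for m in mnemonics:
        if m == "int3":
            break
        out.append("incdec" if m in ("inc", "dec") else m)
    return out

def crc(f):
    # Checksum of the normalised instruction stream; equal CRC means identical.
    return zlib.crc32(" ".join(normalize(f.mnemonics)).encode()) & 0xFFFFFFFF

def signature(f):
    # Signature = referenced strings plus callees (the 2.0.5/2.0.6 additions):
    # it must survive a patch so a function with a changed body is still paired.
    return (tuple(sorted(f.strings)), tuple(sorted(f.callees)))

def unique_index(funcs):
    # Only signatures that are unique within one IDB are safe to pair on.
    counts = Counter(signature(f) for f in funcs)
    return {signature(f): f for f in funcs if counts[signature(f)] == 1}

def patchdiff(old, new):
    # The three lists PatchDiff2 displays: identical, matched, unmatched.
    old_idx, new_idx = unique_index(old), unique_index(new)
    identical, matched, unmatched = [], [], []
    for sig, f in old_idx.items():
        g = new_idx.get(sig)
        if g is None:
            unmatched.append(f.name)
        elif crc(f) == crc(g):
            identical.append((f.name, g.name))
        else:
            matched.append((f.name, g.name))     # same role, patched body
    unmatched += [g.name for sig, g in new_idx.items() if sig not in old_idx]
    return identical, matched, unmatched

# Constructed sample: two functions before the patch, three after it.
OLD = [Func("parse_hdr", ["push", "mov", "call", "inc", "ret"], ["memcpy"], ["MZ"]),
       Func("check_key", ["push", "mov", "call", "test", "jz", "ret"], ["strcmp"], ["KEY"])]
NEW = [Func("parse_hdr", ["push", "mov", "call", "dec", "ret", "int3"], ["memcpy"], ["MZ"]),
       Func("check_key", ["push", "mov", "cmp", "jbe", "call", "test", "jz", "ret"], ["strcmp"], ["KEY"]),
       Func("log_err", ["push", "call", "ret"], ["printf"], ["error"])]
```

Running `patchdiff(OLD, NEW)` reports parse_hdr as identical (the inc/dec swap and int3 padding are normalised away), check_key as matched with a different CRC (the added bounds check), and log_err as unmatched.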

Copy the files “patchdiff2.plw” and “patchdiff2.p64” into the IDA plugins directory (usually C:\Program Files\IDA\plugins) and restart IDA.

You can download PatchDiff2 2.0.6 :

Universal Import Fixer (UIF) v1.2 (FINAL)

Use this tool for fixing Import Elimination, Directly Imports and Shuffled, Disordered, Scattered Imports.

So you can also use this tool to change the IAT base address and to sort the IAT at a new (other) address.

Tested on:

Armadillo : Import Elimination
ASProtect : Directly Imports
Enigma : Shuffled, Disordered, Scattered Imports
ExeCryptor : Scattered Imports in Protector Stub
eXPressor : Directly Imports
PeSpin : Directly, Shuffled, Disordered, Scattered Imports
RlPack : Shuffled, Disordered, Scattered Imports
VMProtect : Directly Imports
TheMida : Directly Imports
WinLicense : Directly Imports

and any protector with Import Elimination, Directly Imports and Shuffled, Disordered, Scattered Imports.

This tool is an Import Fixer (not an Import Rebuilder like ImpRec etc.) and works only in the memory of the target process (32-bit processes only).
Always use UIF first, then dump the target process.

UIF can fix actual APIs only; don't use it to fix Emulated/Redirected APIs that point into the protector's stub. You must use UIF after fixing the Magic IAT jump (or using any other method) to convert Emulated/Redirected APIs to actual APIs.

For Fast Speed:
- After you click, you can minimize UIF to the taskbar.
- Just enter the code section start and end (.text section etc.).
- Don't check “Fix Directly Imports” if you don't need it.
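As an added illustration of what the import fixers on this page (QuietRIATT above, UIF here) do for shuffled, disordered and scattered imports, this Python model (not either tool's code) scans a constructed 32-bit image for `call`/`jmp dword ptr [abs]` references whose pointer slots hold known API addresses, lays out a fresh contiguous IAT at a chosen base, grouped by module and sorted by name, and redirects every reference to it, which is what lets a subsequent dump be rebuilt by an ordinary import rebuilder. It covers only the scattered-slot case, not directly imported calls; the image, addresses and export map are all constructed.

```python
import struct
# Constructed 32-bit image (base 0x400000, 0x8000 bytes) standing in for the
# target process; EXPORTS stands in for the loaded DLLs' export tables.
BASE = 0x00400000
MEM = bytearray(0x8000)
EXPORTS = {0x7C801D7B: ("kernel32.dll", "LoadLibraryA"),
           0x7C80AE40: ("kernel32.dll", "GetProcAddress"),
           0x77D5050B: ("user32.dll", "MessageBoxA")}
ADDR_OF = {api: addr for addr, api in EXPORTS.items()}

def rd32(va): return struct.unpack_from("<I", MEM, va - BASE)[0]
def wr32(va, v): struct.pack_into("<I", MEM, va - BASE, v)

def build_sample():
    # Pointer slots left scattered and out of order by the protector.
    for slot, api in {0x403010: 0x77D5050B, 0x405F8C: 0x7C801D7B,
                      0x402004: 0x7C80AE40}.items():
        wr32(slot, api)
    code = b"".join(op + struct.pack("<I", s) for op, s in
                    [(b"\xFF\x15", 0x403010),    # call dword ptr [MessageBoxA slot]
                     (b"\xFF\x25", 0x405F8C),    # jmp  dword ptr [LoadLibraryA slot]
                     (b"\xFF\x15", 0x402004),    # call dword ptr [GetProcAddress slot]
                     (b"\xFF\x15", 0x403010)])   # same slot referenced twice
    MEM[0x1000:0x1000 + len(code)] = code
    return 0x401000, 0x401000 + len(code)        # code section start, end

def fix_imports(code_start, code_end, new_iat):
    # Pass 1: find call/jmp dword ptr [abs] whose slot holds a known API.
    refs, pos = [], code_start
    while pos + 6 <= code_end:
        if MEM[pos - BASE:pos - BASE + 2] in (b"\xFF\x15", b"\xFF\x25"):
            slot = rd32(pos + 2)
            if BASE <= slot < BASE + len(MEM) - 4 and rd32(slot) in EXPORTS:
                refs.append((pos, slot))
                pos += 6
                continue
        pos += 1                                 # not an import thunk, step on
    # Pass 2: lay out a new contiguous IAT at new_iat, grouped by module and
    # sorted by name; the untouched (zero) dword ends each module's run.
    layout, va, prev = {}, new_iat, None
    for mod, name in sorted({EXPORTS[rd32(s)] for _, s in refs}):
        if prev and mod != prev:
            va += 4
        layout[(mod, name)] = va
        wr32(va, ADDR_OF[(mod, name)])
        prev, va = mod, va + 4
    # Pass 3: point every reference at its new slot so a dump + rebuilder works.
    for pos, slot in refs:
        wr32(pos + 2, layout[EXPORTS[rd32(slot)]])
    return layout
```

Calling `build_sample()` and then `fix_imports(start, end, 0x407000)` returns the new slot for each API and leaves the four references pointing into the sorted table at 0x407000.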


Update (2008.12.31):
+Code improved for better processing of invalid ImageBase, ImageSize and invalid PE.
+Some small changes for more compatibility/stability.
-PSAPI library removed from the UIF engine (shit library with many bugs).

v1.2 FINAL update (2008.06.15):
+Code optimized again for better results.
+UIF.dll released (for using UIF in other applications).
Coded with pure API, very fast and small.

v1.2 FINAL update (2008.04.24):
+Fast Speed option added.

v1.2 FINAL (2008.04.19):
+Now UIF can process Ring0 hooked APIs (KAV, ZoneAlarm, etc.).
-Minor Bugs fixed.

v1.2 Stable (2008.04.04):
+Algorithm improved for Fast Speed.
-Option ‘Main exe Exports’ removed (now UIF can detect it automatically)
-Option ‘Fix NtDll to Kernel32’ removed (now UIF can detect it automatically)
-Minor Bugs fixed.

v1.0 Final+ (2008.03.21):
+Code Optimized for Fast Speed.
+Always OnTop Added.
+Tested again on many targets.
-Bug fixed in fixing Directly Imports in Delphi, BCB, VC (MFC) applications.

v1.0 Final update (2008.02.23):
+Algorithm improved for better fixing Directly imports.
+Show modules count and progress in StatusBar.
-GUI bug fixed on large fonts (>=120 dpi).

v1.0 Final update (2008.01.15):
-Some small bugs fixed.
+Algorithm improved for very big IAT sizes.
+Auto fill improved for detecting DLLs correctly.

v1.0 Public (2008.01.12):
First public release…

v1.0 Private (2005.02.23):
For personal use…

download (~190 kb) :