PIN reverseme by muslimcyber

Problem

These days, I am busier with school and other “stuff” and saw this problem. It looked pretty easy, so I decided to give it a go. Let’s start by popping this thing into IDA.

```
.text:00000000004005DE lea rdi, format ; "Masukan PIN = "
.text:00000000004005E5 mov eax, 0
.text:00000000004005EA call _printf
.text:00000000004005EF lea rax, [rbp+var_4]
.text:00000000004005F3 mov rsi, rax
.text:00000000004005F6 lea rdi, aD ; "%d"
.text:00000000004005FD mov eax, 0
.text:0000000000400602 call ___isoc99_scanf
```

[Read More]

GraxCode's CrackMe2

CrackMe URL

Answer: antidote

First, we want to find the entry point. Let’s view META-INF/MANIFEST.MF.

```
Manifest-Version: 1.0
Protected-Notice: AV contact email - [email protected]
JAR-Signature: S94EzrNEa9XPP3HJnTSKTHY7H5pMzIkyOckf2zlblNDR1oPS
Class-Path: .
Protected-By: 3.0.9 Stringer (20170608)
Main-Class: jcc.part2.CrackMe

Name: jcc/part2/v.class
SHA-256-Digest: I+hSWBo3DZwEtTlqVXyzdxRRKW9N/usMoCpOi8gYBUI=

Name: jcc/part2/CrackMe.class
SHA-256-Digest: REigvNjpIrv3Ht4aGavXQ8xVJp1ltZmarAxOg/XYYpY=

Name: hpl/tko/hx.class
SHA-256-Digest: HF4KWRh1bmN6zBzytVHEdImHyNHJEOeOYPxFhOLIRlc=

Name: hpl/tko/bp.class
SHA-256-Digest: CCw/Anec+ntGwgTqnMVgLmA3b09cLlVFMhP5WNnve9Y=

Name: jcc/part2/sv.class
SHA-256-Digest: TCB0kj/YJHSyY9IbGrbjKW//Rj01GT4B3ittqvr6dh8=

Name: hpl/tko/f.class
SHA-256-Digest: k4NdPnwzAWbNoeD7S3NuocywgXEp35iTG9ZbvYn6VnA=

Name: jcc/part2/f.class
SHA-256-Digest: 8BVz0nTL6PWCJTT29yzz2jXhojODAN3MtjZ/XTdqXNM=
```

Oh dear, it’s obfuscated! Sure enough, when we view the main class, there is Zelix exception obfuscation, Zelix flow control obfuscation, Zelix enhanced string encryption, Stringer signing, Stringer string encryption, Stringer hide access obfuscation and who knows what. [Read More]

Is this Prime?

There was an interesting conversation I found on the CodeVision Discord server. Here is a screenshot: $$ 2^{2^{77,232,917}} - 1 $$ Now we have this number, but it’s obviously huge, so we don’t want to calculate all those digits out and figure out if the number is prime. However, it is worth noting that $$ 2^{n} $$ where n is a number greater than or equal to 2 is always a multiple of 4. [Read More]

Unpacking Odin Anticheat

Edit: This JAR was protected with the Paramorphism Java obfuscator by Anthony Som. Edit #2: Removed JAR link at request of the author. While this JAR wasn’t too hard to poke around in and figure out what is going on, I found this one of the more unique obfuscations I have seen in attempting to prevent Java reverse-engineering. In this image, we can see the JAR has duplicated entries. I later found out after attempting to use my own Java obfuscator, Radon, to deobfuscate the JAR using my shrinker transformers, the entry duplication results in the fake classes being written to the JAR instead of the correct ones. [Read More]

Patching Java-AntiDecompiler

Site of Product: Java-AntiDecompiler is an anti-reverse-engineering product by BIS Guard & Co. which encrypts Java classes, decrypts them at runtime, and loads them into memory. This writeup is intended to show how the weak anti-attachment protection mechanism in Java-AntiDecompiler can be easily disabled in under 2 minutes with Krakatau, allowing for easy access to the classes loaded in memory. First, let’s disassemble the entry point method (main) with Krakatau [Read More]