
GCB engine release.


Hi folks..

Post by BanMe »

I partly agree with Indy and (delta/evaluator): a more accurate description of this is in order, but if you know asm you should be able to tell what it does.

It's a length-disassembler engine with code-to-data graphing capabilities.

the way its built is like a service

GCBE:: is the default entry point; it expects eax to hold the index of the service being called, as can be seen here:


GCBE::
; GPE Services
; Service dispatcher. On entry eax holds a zero-based service index; each
; "dec eax / jz" pair tests for the next index, so every handler is entered
; with eax == 0. Index order, as tested below:
;   0 QueryOpcodeSize                 5 GpCheckIpBelongToSnapshot
;   1 QueryPrefixLength               6 GpFindCallerBelongToSnapshot
;   2 GpParse                         7 GpSearchRoutineEntry
;   3 GpTrace                         8 GpQueryRoutineArgsNumber
;   4 GpFastCheckIpBelongToSnapshot   9 GpBuildGraph
; Any other index returns STATUS_INVALID_PARAMETER in eax.
	test eax,eax
	jz QueryOpcodeSize
	dec eax
	jz QueryPrefixLength
	dec eax
	jz GpParse
	dec eax
	jz GpTrace
	dec eax
	jz GpFastCheckIpBelongToSnapshot
	dec eax
	jz GpCheckIpBelongToSnapshot
	dec eax
	jz GpFindCallerBelongToSnapshot
	dec eax
	jz GpSearchRoutineEntry
	dec eax
	jz GpQueryRoutineArgsNumber
	dec eax
; GCBE service.
	jz GpBuildGraph
	mov eax,STATUS_INVALID_PARAMETER
	; NOTE(review): plain ret pops nothing. The test programs push their
	; arguments and never adjust esp after the call, so the handlers
	; presumably pop their own arguments; on this error path whatever the
	; caller pushed stays on the stack - confirm callers never reach it.
	ret
	; Macro defined elsewhere (not shown in this listing).
	%GET_GRAPH_REFERENCE
             assume fs:nothing
the test cases are really what illustrate the usage of this functionality and luckily I've been keeping track of good ol Indy ;)

so I will provide what I have..

Test 1..args count and address


	.686p
	.model flat, stdcall
	option casemap :none
	
	include \masm32\include\ntdll.inc
	includelib \masm32\lib\ntdll.lib

.code

	include Engine.inc

; Status check for the test harness: breaks into the debugger (int 3) when eax
; is nonzero, i.e. when the preceding call did not return 0 (STATUS_SUCCESS).
; There is no cleanup or error return; execution simply continues afterwards.
%NTERR macro
	.if Eax
	Int 3
	.endif
endm

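; 10 args
; Declares the import-table symbol so that Ep can read the routine's resolved
; address with "dword ptr [_imp__RtlCreateUserThread]". The parameter list
; documents the expected argument count (10) that the test should report.
; (Parameter name fixed: "nitialValueInStack" -> "InitialValueInStack".)
_imp__RtlCreateUserThread proto \
	ProcessHandle:HANDLE, \
	SecurityDescriptor:PSECURITY_DESCRIPTOR, \
	CreateSuspended:BOOLEAN, \
	ZeroBits:ULONG, \
	SizeOfStackReserve:ULONG, \
	SizeOfStackCommit:ULONG, \
	InitialEip:ULONG, \
	InitialValueInStack:ULONG, \
	OutThreadHandle:PHANDLE, \
	OutClientId:PCLIENT_ID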

; DbgPrint format string for the result line.
$Msg	CHAR "Address: 0x%p, Args: %u", 13, 10, 0

; Test 1 entry point: parses RtlCreateUserThread into a graph buffer, asks the
; engine for the routine's argument count and prints address and count.
; Each NT/engine call is followed by %NTERR, which breaks on a nonzero status.
Ep proc
Local GpBase:PVOID, GpSize:ULONG
Local GpLimit:PVOID
Local ArgsCount:ULONG
	; Commit a 4-page read/write buffer that will hold the graph.
	mov GpBase,NULL
	mov GpSize,4*X86_PAGE_SIZE
	invoke ZwAllocateVirtualMemory, NtCurrentProcess, addr GpBase, 0, addr GpSize, MEM_COMMIT, PAGE_READWRITE
	%NTERR
	mov ecx,GpBase
	lea edx,GpLimit
	; ebx = address of RtlCreateUserThread, read from its import slot.
	mov ebx,dword ptr [_imp__RtlCreateUserThread]
	; GpLimit starts at the buffer base; its address is passed to the engine.
	mov GpLimit,ecx
	; eax is 0 here (the %NTERR above passed), so these six pushes are zero
	; arguments.
	; NOTE(review): no buffer size is among the pushed arguments and this
	; test places no PAGE_NOACCESS page behind the buffer; whether the
	; engine bounds its output is not visible here - confirm.
	push eax
	push eax
	push eax
	push eax
	push eax
	push eax
	push edx
	push ebx
	mov eax,GP_PARSE;parse the region in question ebx
	Call GP
	%NTERR
	; Query the argument count of the routine described at the graph base.
	lea ecx,ArgsCount
	push ecx
	push GpBase
	mov eax,GP_QUERY_ROUTINE_ARGS_NUMBER
	Call GP
	%NTERR
	; Assumes GP preserved ebx (still the routine address) - TODO confirm.
	invoke DbgPrint, addr $Msg, Ebx, ArgsCount
	ret
Ep endp
end Ep
Test 2:Whats loading?


	.686p
	.model flat, stdcall
	option casemap :none
	
	include \masm32\include\ntdll.inc
	includelib \masm32\lib\ntdll.lib

	include \masm32\include\kernel32.inc
	includelib \masm32\lib\kernel32.lib
	
.code GPECODE
	include ..\Bin\Gpe.inc

; Breaks into the debugger (int 3) when eax is nonzero, i.e. when the preceding
; call did not return 0 (STATUS_SUCCESS). No cleanup or error return.
%NTERR macro
	.if Eax
	Int 3
	.endif
endm

; Breaks into the debugger (int 3) when eax is zero; used after calls whose
; failure value is 0/NULL (here: the LoadLibrary call in Ep).
%APIERR macro
	.if !Eax
	Int 3
	.endif
endm

	Public gChainDispatch
	Public gLoadLibraryArg
.data
; Shared state between Ep, the manifest-prober callback and the dispatch stub.
; These are single global slots written without any visible synchronization,
; so only one pending interception can be tracked at a time.
gSnapshot			GP_SNAPSHOT <>	; graph buffer bounds (GpBase/GpLimit), set up by Ep
gChainDispatch		PVOID ?	; original return address saved by the callback
gLoadLibraryArg	PSTR ?	; argument value captured by the callback

.code
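; Fixed format string for the dispatch stub below. DbgPrint treats its first
; argument as a format string, so the captured name must be passed as data:
; a name containing '%' would otherwise be interpreted as conversion
; specifiers.
$ArgFmt	CHAR "%s", 0

; Stub that runs in place of a return address patched by
; LdrpManifestProberRoutine. Prints the captured argument, then continues at
; the original return address saved in gChainDispatch.
; pushad/popad keep every general register (including the eax return value of
; the function that "returned" here) intact across the DbgPrint call.
LoadLibrary2ndDispatch proc C
	pushad
	invoke DbgPrint, addr $ArgFmt, gLoadLibraryArg
	popad
	jmp gChainDispatch
LoadLibrary2ndDispatch endp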
	
; Callback registered by Ep through LdrSetDllManifestProber. It asks the engine
; to find a stack frame whose caller lies inside the parsed snapshot
; (gSnapshot, built from LoadLibraryA). On success it redirects the saved
; return address one frame further up to LoadLibrary2ndDispatch and records
; the original return address and the first stack argument of that frame.
; Always returns 0 in eax.
; NOTE(review): this rewrites a saved return address on the live stack and
; stores the result in unsynchronized globals; return-address integrity
; mechanisms (e.g. shadow stacks) would be expected to reject it - confirm the
; target environment.
LdrpManifestProberRoutine proc DllBase:PVOID, FullDllPath:PCWSTR, ActivationContext:PVOID
Local Caller:GP_CALLER 
	; Arguments are pushed last-to-first: (gSnapshot, NULL, UserMode, &Caller).
	lea eax,Caller
	push eax
	push UserMode
	push NULL
	push offset gSnapshot
	%GPCALL GP_FIND_CALLER_BELONG_TO_SNAPSHOT
	.if !Eax
	mov edx,Caller.Frame	; ~PspCreateProcess()
	lea ecx,LoadLibrary2ndDispatch
	mov edx,STACK_FRAME.Next[edx]	; step to the next frame in the chain
	xchg STACK_FRAME.Ip[edx],ecx	; install the stub, ecx = original return address
	mov gChainDispatch,ecx
	mov edx,dword ptr [edx + sizeof(STACK_FRAME)]	; Arg.
	mov gLoadLibraryArg,edx
	.endif
	xor eax,eax
	ret
LdrpManifestProberRoutine endp

LdrSetDllManifestProber proto :PVOID

; Import-table symbol, declared so Ep can read LoadLibraryA's resolved address.
_imp__LoadLibraryA proto :PSTR

; Library loaded to trigger the manifest-prober callback.
$Dll	CHAR "psapi.dll",0

; Test 2 entry point: builds a snapshot graph of LoadLibraryA, registers
; LdrpManifestProberRoutine as the loader's manifest prober and loads $Dll so
; that the callback runs during the load.
Ep proc
Local GpSize:ULONG
Local OldProtect:ULONG
	; Commit 0x1000 pages, read/write, for the graph.
	mov gSnapshot.GpBase,NULL
	mov GpSize,1000H * X86_PAGE_SIZE
	invoke ZwAllocateVirtualMemory, NtCurrentProcess, addr gSnapshot.GpBase, 0, addr GpSize, MEM_COMMIT, PAGE_READWRITE
	mov ebx,gSnapshot.GpBase	; keep the real base; mov leaves eax (status) untouched
	%NTERR
	; Turn the last page of the buffer into a PAGE_NOACCESS page so that
	; running off the end faults. GpBase is used as the call's in/out base
	; address and is restored from ebx afterwards.
	add gSnapshot.GpBase,0FFFH * X86_PAGE_SIZE
	mov GpSize,X86_PAGE_SIZE
	invoke ZwProtectVirtualMemory, NtCurrentProcess, addr gSnapshot.GpBase, addr GpSize, PAGE_NOACCESS, addr OldProtect
	%NTERR
	mov gSnapshot.GpLimit,ebx
	mov gSnapshot.GpBase,ebx
	lea ecx,gSnapshot.GpLimit
	; eax is 0 here (the %NTERR above passed): five zero arguments.
	push eax
	push eax
	push eax
	push eax
	push eax
	push 1	; same slot as NestingLevel in the "real function length" test
	push GCBE_PARSE_SEPARATE
	push ecx	; &gSnapshot.GpLimit
	push dword ptr [_imp__LoadLibraryA]	; routine to parse
	%GPCALL GP_PARSE
	%NTERR
	invoke LdrSetDllManifestProber, offset LdrpManifestProberRoutine
	invoke LoadLibrary, addr $Dll
	%APIERR
	ret
Ep endp
end Ep
Test 3: parsing a function to find an undocumented symbol.
It exemplifies parsing, tracing, finding an undocumented entry and its number of args.


	.686p
	.model flat, stdcall
	option casemap :none
	
	include \masm32\include\ntdll.inc
	includelib \masm32\lib\ntdll.lib
	
_imp__LdrLoadDll proto :PWCHAR, :PULONG, :PUNICODE_STRING, :PHANDLE

.code GPECODE
	include ..\Bin\Gpe.inc
	
; Breaks into the debugger (int 3) when eax is nonzero, i.e. when the preceding
; call did not return 0 (STATUS_SUCCESS). No cleanup or error return.
%NTERR macro
	.if Eax
	Int 3
	.endif
endm

; Breaks into the debugger (int 3) when eax is zero; used after calls whose
; failure value is 0/NULL (here: RtlImageNtHeader).
%APIERR macro
	.if !Eax
	Int 3
	.endif
endm

.code
; Passed to GP_PARSE in the nesting-level argument slot (see Ep).
GCBE_PARSE_NL_UNLIMITED	equ -1

; Context handed to TraceCallback through GP_TRACE.
TRACE_DATA struct
ScanBase	PVOID ?	; lowest address a "push imm32" operand may point to
ScanLimit	PVOID ?	; operand must be strictly below this address
Message	PSTR ?	; byte string to look for at the referenced address
MsgLength	ULONG ?	; number of bytes compared
Gp		PVOID ?	; out: graph entry where the reference was found (NULL if none)
TRACE_DATA ends
PTRACE_DATA typedef ptr TRACE_DATA

; GP_TRACE callback. For a linear-block graph entry, decodes the block one
; instruction at a time looking for a 5-byte "push imm32" (opcode 68h) whose
; operand lies in [ScanBase, ScanLimit) and points at bytes equal to
; TraceData.Message. On a match the entry is stored in TraceData.Gp.
; Entries whose type bits are nonzero are skipped. Always returns 0 in eax.
TraceCallback proc uses ebx esi edi GpEntry:PVOID, TraceData:PTRACE_DATA
    mov eax,GpEntry
    test dword ptr [eax + EhEntryType],TYPE_MASK
    mov ebx,TraceData    ; mov leaves the flags from the test intact
    jne Exit    ; !HEADER_TYPE_LINE
    assume eax:PBLOCK_HEADER
    mov esi,[eax].Address    ; esi = current instruction pointer in the block
    mov edi,[eax]._Size      ; edi = bytes left in the block
    assume ebx:PTRACE_DATA
Ip:
    push esi    ; Ip
    %GPCALL GP_LDE    ; LDE()
    cmp al,5
    jne @f
    cmp byte ptr [esi],68H    ; push imm32
    mov edx,dword ptr [esi + 1]    ; ref.
    jne @f
    ; Range check before dereferencing the operand: ScanBase <= edx < ScanLimit.
    cmp [ebx].ScanBase,edx
    ja @f
    cmp [ebx].ScanLimit,edx
    jbe @f
    push esi
    push edi
    mov esi,edx
    mov edi,[ebx].Message
    mov ecx,[ebx].MsgLength
    cld
    repe cmpsb    ; compare MsgLength bytes at the operand with Message
    pop edi
    pop esi
    jne @f
    mov eax,GpEntry
    mov [ebx].Gp,eax
    jmp Exit    
@@:
    ; Advance by the decoded length and loop while bytes remain.
    ; NOTE(review): the full eax is used as the length although only al was
    ; compared above, and a returned length of 0 would never advance this
    ; loop - confirm what GP_LDE returns for undecodable bytes.
    add esi,eax
    sub edi,eax
    ja Ip
Exit:
    xor eax,eax
    ret
TraceCallback endp

; Name string searched for in ntdll's code range by TraceCallback.
$Message	CHAR "LdrpResolveDllName", 0

; DbgPrint format string for the result line.
$Ldrp	CHAR "Def.: LdrpResolveDllName(), Address: 0x%p, Arg's: %x", 13, 10, 0

	assume fs:nothing
; Test 3 entry point: parses LdrLoadDll with unlimited nesting, traces the
; graph for a "push imm32" that references the $Message string, searches from
; that entry for a call entry, and prints the call's target address and
; argument count.
Ep proc
Local GpSize:ULONG
Local Snapshot:GP_SNAPSHOT
Local ArgsCount:ULONG
Local OldProtect:ULONG
Local TraceData:TRACE_DATA
Local Gp:PVOID
	; Commit 0x1000 pages, read/write, for the graph.
	mov Snapshot.GpBase,NULL
	mov GpSize,1000H * X86_PAGE_SIZE
	invoke ZwAllocateVirtualMemory, NtCurrentProcess, addr Snapshot.GpBase, 0, addr GpSize, MEM_COMMIT, PAGE_READWRITE
	mov ebx,Snapshot.GpBase	; keep the real base; eax (status) is untouched
	%NTERR
	; Make the last page PAGE_NOACCESS so overrunning the buffer faults.
	; GpBase serves as the in/out base address and is restored from ebx.
	add Snapshot.GpBase,0FFFH * X86_PAGE_SIZE
	mov GpSize,X86_PAGE_SIZE
	invoke ZwProtectVirtualMemory, NtCurrentProcess, addr Snapshot.GpBase, addr GpSize, PAGE_NOACCESS, addr OldProtect
	%NTERR
	mov Snapshot.GpLimit,ebx
	mov Snapshot.GpBase,ebx
	lea ecx,Snapshot.GpLimit
	; eax is 0 here (the %NTERR above passed): five zero arguments.
	push eax
	push eax
	push eax
	push eax
	push eax
	push GCBE_PARSE_NL_UNLIMITED
	push GCBE_PARSE_DISCLOSURE
	push ecx	; &Snapshot.GpLimit
	push dword ptr [_imp__LdrLoadDll]	; routine to parse
	%GPCALL GP_PARSE
	%NTERR
	; Walk PEB -> Ldr -> load-order list and take the second entry's
	; DllBase. The code relies on that entry being ntdll.dll.
	mov eax,fs:[TEB.Peb]
	mov eax,PEB.Ldr[eax]
	mov eax,PEB_LDR_DATA.InLoadOrderModuleList.Flink[eax]
	mov eax,LDR_DATA_TABLE_ENTRY.InLoadOrderModuleList.Flink[eax]
	mov esi,LDR_DATA_TABLE_ENTRY.DllBase[eax]	; ntdll.dll
	invoke RtlImageNtHeader, Esi
	%APIERR
	; ScanBase  = DllBase + BaseOfCode
	; ScanLimit = DllBase + SizeOfCode - sizeof $Message
	; BaseOfCode is not added to the limit, so the scanned range ends
	; BaseOfCode bytes before the end of the code range (conservative).
	mov ecx,IMAGE_NT_HEADERS.OptionalHeader.BaseOfCode[eax]
	mov edx,IMAGE_NT_HEADERS.OptionalHeader.SizeOfCode[eax]
	mov TraceData.Gp,NULL
	add ecx,esi
	lea edx,[edx + esi - sizeof $Message]
	mov TraceData.Message,offset $Message
	mov TraceData.MsgLength,sizeof $Message
	mov TraceData.ScanBase,ecx
	mov TraceData.ScanLimit,edx
	; GP_TRACE(graph base, callback, callback context).
	lea ecx,TraceData
	lea edx,TraceCallback
	push ecx
	push edx
	push ebx
	%GPCALL GP_TRACE
	%NTERR
	; The callback leaves Gp NULL when no matching reference was found.
	.if TraceData.Gp == NULL
	Int 3
	.endif
	; eax is 0 here as well; the zero slots and the literal 1 are engine
	; parameters whose meaning is not documented in this listing.
	lea ecx,Gp
	lea edx,Snapshot
	push ecx
	push eax
	push eax
	push 1
	push eax
	push TraceData.Gp
	push edx
	%GPCALL GP_SEARCH_ROUTINE_ENTRY
	%NTERR
	mov ebx,Gp	; ref.
	; The entry found must be a call entry.
	mov eax,dword ptr [ebx + EhEntryType]
	and eax,TYPE_MASK
	.if Eax != HEADER_TYPE_CALL
	Int 3
	.endif
	assume ebx:PCALL_HEADER
	
	; BranchLink carries type bits in the TYPE_MASK positions; clear them
	; to get the linked entry, then query its argument count.
	mov ecx,[ebx].BranchLink
	lea eax,ArgsCount
	and ecx,NOT(TYPE_MASK)
	push eax
	push ecx
	%GPCALL GP_QUERY_ROUTINE_ARGS_NUMBER
	%NTERR
	
	invoke DbgPrint, addr $Ldrp, [ebx].BranchAddress, ArgsCount
	ret
Ep endp
end Ep
test 4:real function length


	.686p
	.model flat, stdcall
	option casemap :none
	
	include \masm32\include\ntdll.inc
	includelib \masm32\lib\ntdll.lib
	
.code GPECODE
	include ..\Bin\Gpe.inc

GCBE_PARSE_NL_UNLIMITED	equ -1

; Breaks into the debugger (int 3) when eax is nonzero, i.e. when the preceding
; call did not return 0 (STATUS_SUCCESS). No cleanup or error return.
%NTERR macro
	.if Eax
	Int 3
	.endif
endm

.data
pRoutine		PVOID offset GPE	; Address of the procedure to parse.
NestingLevel	ULONG GCBE_PARSE_NL_UNLIMITED	; Nesting level. For a single procedure, 1.

.code
; DbgPrint format string: the total size in hex.
$Msg	CHAR "0x%X", 13, 10, 0

	assume fs:nothing
; Test 4 entry point: parses the routine at pRoutine into a graph, then walks
; every graph entry and sums the code size it describes: the block size for
; linear entries, the length of one instruction for all other entries.
; Prints the total.
Ep proc
Local GpBase:PVOID, GpLimit:PVOID, GpSize:ULONG
Local OldProtect:ULONG
	; Commit 0x1000 pages, read/write, for the graph.
	mov GpBase,NULL
	mov GpSize,1000H * X86_PAGE_SIZE
	invoke ZwAllocateVirtualMemory, NtCurrentProcess, addr GpBase, 0, addr GpSize, MEM_COMMIT, PAGE_READWRITE
	mov ebx,GpBase	; keep the real base; eax (status) is untouched
	%NTERR
	; Make the last page PAGE_NOACCESS so overrunning the buffer faults.
	; GpBase serves as the in/out base address and is restored from ebx.
	add GpBase,0FFFH * X86_PAGE_SIZE
	mov GpSize,X86_PAGE_SIZE
	invoke ZwProtectVirtualMemory, NtCurrentProcess, addr GpBase, addr GpSize, PAGE_NOACCESS, addr OldProtect
	%NTERR
	mov GpLimit,ebx
	mov GpBase,ebx
	lea ecx,GpLimit
	; eax is 0 here (the %NTERR above passed): five zero arguments.
	push eax
	push eax
	push eax
	push eax
	push eax
	push NestingLevel
	push GCBE_PARSE_DISCLOSURE
	push ecx	; &GpLimit; the walk below treats GpLimit as the end of the entries
	push pRoutine
	%GPCALL GP_PARSE
	%NTERR

	; ebx = running total, esi = current graph entry.
	xor ebx,ebx
	mov esi,GpBase
@@:
	test dword ptr [esi + EhEntryType],TYPE_MASK
	.if Zero?		; Line
	add ebx,dword ptr [esi + EhSize]
	.else
	; Non-line entry: add the length of the instruction at its address.
	push dword ptr [esi + EhAddress]
	%GPCALL GP_LDE
	add ebx,eax
	.endif
	add esi,ENTRY_HEADER_SIZE
	cmp GpLimit,esi
	ja @b
	
	invoke DbgPrint, addr $Msg, Ebx
	ret
Ep endp
end Ep
I do agree with indy that no better example of what something does is illustrated in the source, though 'picking' it out for some is difficult..

regards BanMe

also if you didnt read the code be aware that it is from a older version of GCBE called GPE.. but it looks like all that code migrated so it should work with but a few tweaks.. enjoy..

Post by Indy »

GPE is the engine that creates a basic graph; GCBE is an add-on to it. This part is designed to build the graph. Taken together, the engine allows you to separate the code.

Post by BanMe »

It's funny to see what a 'little' interest does to us.

Auspicious code btw Indy :D love it...I picked up asm again, just to understand its full potentials..and I've been working alot, so its taken quite a while...

Post by Indy »

See this example: http://indy-vx.narod.ru/Bin/Ki.zip
You will understand how powerful this technique is.

Post by BanMe »

also my isp seems to not like that website and denies access maybe a file or direct upload ive had to piece together code and search wasm for this stuff.. :/

a lil help would be great..

Post by Indy »

Оо.. Poor provider, once cut files. Probably because of the signature in the LDE :)

[ATTACH]2367[/ATTACH]
Attachments
Ki.zip
(42.99 KiB) Downloaded 110 times

Post by BanMe »

As dElta mentioned above about 'graph theory'.. This is not something I was familiar with :o ..So I decided to look into to this a little,very interesting subject thanks for the mention of it. :yay:

But I think the mention alone is not enough: saying you know of it is good (especially for me), but it is better to show what it is and how it is described in mathematical terms and graph(s).

http://www.personal.kent.edu/~rmuhamma/ ... Theory.htm
evaluator wrote: problem not in weapon/not-weapon, but will be you sued for that-thing.

btw, for dld your zip, one must turn off AV. can that behavior avoided?
yes it can as indy mentions it is because of VirXAsm.b that ur av go's off..this is simply a viralized length disasm engine.. its not a virus...so this can be avoided by using some other form of Length disasm Engine.

kind regards BanMe

Post by Indy »

BanMe
Тут сказали что этот семпл палится как Win32: DNSChanger-VJ. Так вот эта сигнатура лежит в дизасме длин(VirXasm32b). Для устранения проблемы добавить Nop по метке xa_no16.
Normally, this code should be morphe. This will break all the signature. You can use the generation of Nop-series in the simplest case.

Post by BanMe »

lol I'm not at all worried about it, I know of at least 3 or 4 length disasm engines that could suffice for this purpose.But thats not why Im posting so.. :whoops:

Ive modularized GCBE into a loadable dll and imported its functions into a c++ project, my first step was rewriting the examples and test them..

I started at the Relative Length example in my prior post..


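// C port of the "real function length" test: allocates a graph buffer with a
// PAGE_NOACCESS page at its end, has GpParse() describe the routine at Ip, then
// sums instruction lengths starting at Ip. Returns the summed length.
// Any failing NT/engine call breaks into the debugger (int 3).
// 32-bit x86 only: pointers are cast through ULONG and inline asm is used.
//
// Fixed relative to the posted version (it did not compile): missing ';',
// "Total Size", the MASM literal 0FFFH, arithmetic on a PVOID, and the
// malformed cast "(*ULONG *)Ip".
//
// NOTE(review): the assembly test this was ported from walks the graph
// entries between GpBase and GpLimit and adds each entry's size; this loop
// instead steps through the code at Ip and compares a code address with the
// graph limit, which does not bound the walk in any obvious way. The
// termination condition is kept as posted - confirm against the engine.
// NOTE(review): the assembly test passes NestingLevel
// (GCBE_PARSE_NL_UNLIMITED) in the fourth GpParse argument; 0 is passed here.
// NOTE(review): the graph buffer is never released.
ULONG GpGetRelativeLength(PVOID Ip)
{
	PVOID GpBase = NULL, GpLimit = NULL;
	ULONG GpSize = 0;
	ULONG OldProtect;
	ULONG TotalSize = 0;

	// Create the graph buffer: 0x1000 pages, committed read/write.
	GpSize = 0x1000 * X86_PAGE_SIZE;
	if(NtAllocateVirtualMemory(NtCurrentProcess(),&GpBase, 0,&GpSize, MEM_COMMIT, PAGE_READWRITE) != STATUS_SUCCESS)
	{
		__asm int 3;
	}
	// Make the last page inaccessible so that running off the end faults.
	// GpLimit is only a scratch in/out base address for this call.
	GpLimit = (PVOID)((ULONG)GpBase + 0xFFF * X86_PAGE_SIZE);
	GpSize = X86_PAGE_SIZE;
	if(NtProtectVirtualMemory(NtCurrentProcess(),&GpLimit,&GpSize, PAGE_NOACCESS,&OldProtect) != STATUS_SUCCESS)
	{
		__asm int 3;
	}
	GpLimit = GpBase;
	// Parse the function into our graph.
	if(GpParse(Ip,&GpLimit,GCBE_PARSE_DISCLOSURE,0,0,0,0,0,0) != STATUS_SUCCESS)
	{
		__asm int 3;
	}
	GpSize = QueryOpcodeSize(Ip);
	do
	{
		TotalSize += GpSize;
		Ip = (PVOID)((ULONG)Ip + GpSize);	// advance to the next instruction
		GpSize = QueryOpcodeSize(Ip);
	}while(Ip > GpLimit);
	return TotalSize;
}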
I hope I got it correct ..

regards BanMe

Post by Indy »

BanMe
I used the best of the existing LDE. The signature is not an issue and will be established immediately for any static vx-code. Moreover we can use the system(Shim) LDE.

PAGE_NOACCESS is used to mark the limit of the buffer. When that page is accessed, the buffer is meant to be extended, the same way a stack is. In the examples the extension is not implemented, and a very large buffer is used instead.

Each entry in the graph can describe several instructions. The size of a linear block is defined in its entry.

Post by BanMe »

Maybe a extensible graph is more suitable for some..


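// Extends a graph buffer by one page. Starting from VmAddress, skips past
// read/write regions until a PAGE_NOACCESS page is found, makes that page
// read/write and commits the page after it as the new PAGE_NOACCESS limit.
// Returns the base of the page that was opened, or 0 on any failure.
// 32-bit x86 only: pointers are cast through ULONG.
//
// Changes relative to the posted version:
//  - switches on Mbi.Protect (current protection). AllocationProtect is the
//    protection the region was first allocated with and does not change
//    after NtProtectVirtualMemory, so for a buffer from GpGraphInit() it is
//    PAGE_NOACCESS for every page and the PAGE_READWRITE case never ran.
//  - "next page" addresses no longer add 1 to an already page-aligned end.
//  - the loop back uses goto instead of an inline-asm jmp to a C label.
// NOTE(review): committing the page after the opened one only works if that
// address range is already reserved - confirm against the allocator used.
PVOID GpExtendGraph(PVOID VmAddress)
{
	PVOID GpBase,GpLimit;
	ULONG GpSize = 0,OldProtect = 0;
	MEMORY_BASIC_INFORMATION Mbi = {0};
	GpBase = VmAddress;
	if(NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),GpBase,MemoryBasicInformation,&Mbi,sizeof(MEMORY_BASIC_INFORMATION),&GpSize)))
	{
SwProtect:
		switch(Mbi.Protect)
		{
			case PAGE_NOACCESS:
			{
				// Open the current limit page for writing.
				GpSize = X86_PAGE_SIZE;
				if(NT_SUCCESS(NtProtectVirtualMemory(NtCurrentProcess(),&GpBase,&GpSize,PAGE_READWRITE,&OldProtect)))
				{
					// Commit the following page as the new limit.
					GpLimit = (PVOID)((ULONG)GpBase + GpSize);//next page
					if(NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),&GpLimit,0,&GpSize,MEM_COMMIT,PAGE_NOACCESS)))
					{
						return GpBase;
					}
				}
				break;
			}
			case PAGE_READWRITE:
			{
				// Already writable: move to the region that follows.
				GpBase = (PVOID)((ULONG)Mbi.BaseAddress + (ULONG)Mbi.RegionSize);//next region
				if(NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),GpBase,MemoryBasicInformation,&Mbi,sizeof(MEMORY_BASIC_INFORMATION),&GpSize)))
				{
					goto SwProtect;
				}
				break;
			}
			default:
			{
				break;
			}
		}
	}
	return 0;
}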
// Creates a graph buffer: commits 256 pages as PAGE_NOACCESS, then switches
// the first page to PAGE_READWRITE. Returns the base address of the buffer,
// or 0 if either call fails.
PVOID GpGraphInit(void)
{
	PVOID Base = 0;
	ULONG Size = X86_PAGE_SIZE * 256;
	ULONG PrevProtect = 0;

	// Commit the whole range with no access.
	if(!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),&Base,0,&Size,MEM_COMMIT,PAGE_NOACCESS)))
	{
		return 0;
	}

	// Open only the first page for reading and writing.
	Size = X86_PAGE_SIZE;
	if(!NT_SUCCESS(NtProtectVirtualMemory(NtCurrentProcess(),&Base,&Size,PAGE_READWRITE,&PrevProtect)))
	{
		return 0;
	}
	return Base;
}
Im working on translating the comments in the code to english.

This really is quite the venture Indy, though more documentation of flags and parameters would really be a nice addition to this.

Post by Indy »

BanMe
The memory manager used in IDPE: [ATTACH]2369[/ATTACH]
Attachments
Mm.zip
(14.74 KiB) Downloaded 96 times

Post by Indy »

Generation of Gs-series: [ATTACH]2375[/ATTACH]
Attachments
Gs.zip
(202.23 KiB) Downloaded 107 times

Post by evaluator »

"bravo!"

what will your next step?
freeware-malware-cryptor?

Post by Indy »

evaluator
Has no relation to malware.