Tuesday, September 19, 2017

PE Appended Data Viewer 1.02



PE Appended Data Viewer is a tool designed to view and save the overlay of a PE file, that is, the data appended after the end of the last section.

Features:
  • x86 and x64 support
  • Save Data or Data Selection
  • Xor Decryption
  • Begin and End Selection
  • Data Interpreter

New in 1.02:
  • Added Entropy Testing
  • Added Hashing/CRC-32
  • Added Ability to Register Shell Extension
  • Added Hex Values to Data Interpreter
  • Added Select Range Form
  • Added Ability to Load Appended Data Using Virtual Size
  • Fixed Memory Leak on Drag and Drop of New File
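As an added example (not the PE Appended Data Viewer's own code, whose source is not on this page), the following Python walks the section table of a PE image to find where the overlay begins, extracts it, and applies the 1.02 feature set to it: Shannon entropy, CRC-32 and single-byte XOR decryption. It also shows what the "Load Appended Data Using Virtual Size" option changes. The PE image it analyses is constructed inline from raw header fields so the script runs offline; the section layout, XOR key and payload text are invented for the demonstration and the image is not a runnable executable.

```python
"""Locate, extract and characterise the overlay (appended data) of a PE file.

Added example, not the viewer's code. SAMPLE_PE is a constructed PE32 skeleton
(DOS header, PE signature, file header, zeroed optional header, one section,
appended bytes); it is not a real executable.
"""
import math
import struct
import zlib

PE32_OPT_HDR_SIZE = 0xE0            # SizeOfOptionalHeader of a PE32 image
SECTION_HDR_FMT = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes


def section_headers(data):
    """Parse the section table; returns [(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)]."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(SECTION_HDR_FMT, data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rawsize, rawptr))
    return sections


def overlay_offset(data, use_virtual_size=False):
    """File offset of the first byte no section accounts for; everything past it is overlay.

    use_virtual_size=True mirrors the viewer's "Load Appended Data Using Virtual Size"
    option: each section is measured by VirtualSize instead of SizeOfRawData.
    """
    end = 0
    for _, vsize, _, rawsize, rawptr in section_headers(data):
        end = max(end, rawptr + (vsize if use_virtual_size else rawsize))
    return min(end, len(data))


def shannon_entropy(buf):
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def crc32_hex(buf):
    """CRC-32 as an 8-digit upper-case hex string, the form a hashing tab would show."""
    return format(zlib.crc32(buf) & 0xFFFFFFFF, "08X")


def xor_decrypt(buf, key):
    """Single-byte XOR; XOR is its own inverse, so this also encrypts."""
    return bytes(b ^ key for b in buf)


def overlay_report(data, use_virtual_size=False, xor_key=0):
    start = overlay_offset(data, use_virtual_size)
    raw = data[start:]
    return {
        "offset": start,
        "size": len(raw),
        "entropy": round(shannon_entropy(raw), 3),
        "crc32": crc32_hex(raw),
        "data": xor_decrypt(raw, xor_key) if xor_key else raw,
    }


def build_sample_pe(overlay):
    """Constructed image: headers padded to 0x200, one .text section (raw 0x200 bytes at
    0x200, VirtualSize 0x180), then `overlay` appended at 0x400."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, PE32_OPT_HDR_SIZE, 0x102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (PE32_OPT_HDR_SIZE - 2)  # PE32 magic only
    text = struct.pack(SECTION_HDR_FMT, b".text", 0x180, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + text
    headers += b"\0" * (0x200 - len(headers))                             # pad to FileAlignment
    section_data = b"\xCC" * 0x180 + b"\0" * 0x80                          # code plus alignment slack
    return headers + section_data + overlay


XOR_KEY = 0x5A                                                     # made-up key
PAYLOAD = b"CONSTRUCTED SAMPLE OVERLAY: not taken from any real binary"
SAMPLE_PE = build_sample_pe(xor_decrypt(PAYLOAD, XOR_KEY))        # store it XOR-encrypted

if __name__ == "__main__":
    rep = overlay_report(SAMPLE_PE, xor_key=XOR_KEY)
    print(f"overlay at 0x{rep['offset']:X}, {rep['size']} bytes, entropy {rep['entropy']}, CRC-32 {rep['crc32']}")
    print("decrypted:", rep["data"].decode())
    vs = overlay_offset(SAMPLE_PE, use_virtual_size=True)
    print(f"measured by VirtualSize the overlay would start at 0x{vs:X}, {0x400 - vs:#x} bytes of section slack earlier")
```

Measuring by SizeOfRawData is the normal case; measuring by VirtualSize pulls in the alignment slack of the last section (0x80 bytes in the constructed image), which matters when a packer has zeroed or padded SizeOfRawData and the real appended data starts inside that slack.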

Downloads:

v1.01:

Monday, July 31, 2017

JexePack Unpacker


JexePack Unpacker is a freeware utility that unpacks JexePack-wrapped Java applications.


Download:

exe4j Unpacker


exe4j Unpacker is a freeware utility that unpacks exe4j-wrapped Java applications.


Download:
Please consider making a donation if used within a commercial environment.

Thursday, July 13, 2017

Launch4J Unpacker: Updated 07/26/2017

Launch4J Unpacker is a free utility to extract the embedded jar archive from a Launch4J-wrapped Java program.


07/26/2017: Version 1.01 Released:
  • Added Support for Launch4j applications signed with sign4j.

Download:
Version 1.01:
http://j.gs/9gSN

Version: 1.0:

Clicklocker Unpacker/Removal Tool

Clicklocker Unpacker is a free DRM removal utility that automatically extracts the original unprotected file from a Clicklocker-protected application, ebook, image, or video.


Download:

Wednesday, July 12, 2017

Base64 Tool


Base64 Tool is a simple freeware utility that base64-encodes AnsiStrings, WideStrings, and hexadecimal values, and decodes base64 back to those original formats.

Features:
  • Encode ASCII/AnsiStrings to Base64
  • Encode Unicode/WideStrings to Base64
  • Decode Base64 to Hex, Unicode, or Ansistring
  • Decode Base64 to a file
  • Download and Decode or Encode a URL
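The AnsiString/WideString distinction in the feature list is the one that trips people up when decoding: a WideString is UTF-16LE, so every ASCII character carries a trailing zero byte and produces a different base64 string than the same text as an 8-bit AnsiString. The following Python is an added example, not the Base64 Tool's code, and shows the three encode paths plus a decoder that classifies its output as Unicode, Ansi or hex; the UTF-16LE check is a simple heuristic (odd bytes all zero) that I chose for the example, and the sample inputs are constructed.

```python
"""Base64 encode/decode for AnsiString, WideString and hex input. Added example,
not the Base64 Tool's code; the UTF-16LE detection is a deliberately simple heuristic."""
import base64
import binascii


def encode_ansi(text):
    """AnsiString case: one byte per character (Latin-1)."""
    return base64.b64encode(text.encode("latin-1")).decode("ascii")


def encode_wide(text):
    """WideString case: UTF-16LE, two bytes per character."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def encode_hex(hexstr):
    """Hex case: the string is raw bytes written as hex, e.g. '4D 5A 90 00'."""
    return base64.b64encode(binascii.unhexlify(hexstr.replace(" ", ""))).decode("ascii")


def decode_guess(b64):
    """Decode and classify the result.

    ('unicode', str) if every odd byte is zero (ASCII-range UTF-16LE text),
    ('ansi', str)    if every byte is printable 7-bit text,
    ('hex', str)     otherwise, as upper-case hex of the raw bytes.
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(raw[i] == 0 for i in range(1, len(raw), 2)):
        return "unicode", raw.decode("utf-16-le")
    if all(0x20 <= b < 0x7F or b in (9, 10, 13) for b in raw):
        return "ansi", raw.decode("latin-1")
    return "hex", raw.hex().upper()


if __name__ == "__main__":
    for label, value in (("ansi", encode_ansi("Hi")), ("wide", encode_wide("Hi")), ("hex", encode_hex("4D 5A 90 00"))):
        print(f"{label:5} -> {value:12} -> {decode_guess(value)}")
```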


Download:

Inline Patching: Get the Image Base of the Main Module Without Calling GetModuleHandle

When doing an inline patch, whether from a DLL or inside the main module itself, getting the image base of the main module can be tricky in some circumstances. It usually means obtaining the address of GetModuleHandle so you can call it with a NULL parameter to get the base of the main module. With a simple trick, however, you can read it directly from the Process Environment Block (PEB) using the following ASM instructions:

x32:
MOV EAX,DWORD PTR FS:[0x30]       ; FS:[0x30] is TEB.ProcessEnvironmentBlock, the PEB pointer
MOV EAX,DWORD PTR DS:[EAX+0x8]    ; PEB.ImageBaseAddress is at offset 0x8 in the 32-bit PEB

x64:
MOV RAX,QWORD PTR GS:[0x60]       ; GS:[0x60] is TEB.ProcessEnvironmentBlock, the PEB pointer
MOV RAX,QWORD PTR DS:[RAX+0x10]   ; PEB.ImageBaseAddress is at offset 0x10 in the 64-bit PEB


Here, we can see the 32-bit version in action:

After executing the two instructions in this example, you can see that the image base is contained in ECX (the debugger session uses ECX as the destination register in place of EAX). This has saved me significant headache and code space when working on complicated inline patches.

While this technique works on every current version of Windows, it is important to note that, according to the Microsoft documentation on the PEB structure, the layout of this structure may change in future versions of the operating system. However, because so many debugging tools rely on it, I have significant doubt that Microsoft will change this structure anytime soon.
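The same two instructions are what a defender looks for when triaging a binary, because direct PEB reads through FS:[0x30] or GS:[0x60] are also how shellcode and anti-debugging code avoid imported APIs. As an added example (not the post's code), the following Python scans a byte blob for the standard encodings of the MOV forms shown above and, where the next instruction is a `MOV reg,[reg+disp8]`, names the PEB field being fetched. It generalises the post's snippet slightly: the x86 pattern covers `MOV r32,FS:[0x30]` for any of the eight 32-bit registers (the A1 short form for EAX plus the 8B /r form), and the x64 pattern covers RAX..RDI (R8..R15 would need REX.R and are not matched). The CODE_BLOB is constructed for the demonstration; the field offsets for ImageBaseAddress (0x8 / 0x10) and Ldr (0xC / 0x18) are the documented 32-/64-bit PEB offsets.

```python
"""Find direct PEB reads (mov reg, fs:[0x30] / mov reg, gs:[0x60]) in raw code bytes.

Added example, not the post's code. The regexes encode the post's two instruction
sequences in their standard x86/x64 machine-code forms; CODE_BLOB is constructed.
"""
import re

# x86: 64 A1 30 00 00 00 (mov eax, fs:[0x30]) or 64 8B /r 30 00 00 00 with
# ModRM 05,0D,...,3D (mod=00, rm=101 -> disp32; reg field selects eax..edi).
X86_PEB = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")
# x64: 65 48 8B /r 25 60 00 00 00 with ModRM 04,0C,...,3C (mod=00, rm=100 -> SIB)
# and SIB 25 (no base, no index, disp32); reg field selects rax..rdi.
X64_PEB = re.compile(rb"\x65\x48\x8B[\x04\x0C\x14\x1C\x24\x2C\x34\x3C]\x25\x60\x00\x00\x00")

# PEB fields at the disp8 offsets a follow-on "mov reg,[reg+disp8]" commonly uses.
PEB_FIELDS = {
    "x86": {0x08: "ImageBaseAddress", 0x0C: "Ldr"},
    "x64": {0x10: "ImageBaseAddress", 0x18: "Ldr"},
}


def follow_on_field(code, pos, arch):
    """If code[pos:] is 'mov r32,[r32+disp8]' (x64: with a 48 REX.W prefix), name the PEB field read."""
    if arch == "x64":
        if code[pos:pos + 1] != b"\x48":
            return None
        pos += 1
    if len(code) < pos + 3 or code[pos] != 0x8B:
        return None
    modrm, disp = code[pos + 1], code[pos + 2]
    # mod=01 means an 8-bit displacement; rm=100 would mean a SIB byte, which we skip.
    if not (0x40 <= modrm <= 0x7F) or (modrm & 7) == 4:
        return None
    return PEB_FIELDS[arch].get(disp, f"PEB+0x{disp:X}")


def find_peb_reads(code):
    """Return sorted (offset, arch, field_or_None) for every PEB pointer fetch in `code`."""
    hits = []
    for arch, pattern in (("x86", X86_PEB), ("x64", X64_PEB)):
        for m in pattern.finditer(code):
            hits.append((m.start(), arch, follow_on_field(code, m.end(), arch)))
    return sorted(hits)


# Constructed blob: some filler, the post's x86 snippet, a variant that walks to
# PEB.Ldr through ECX, a RET, then the post's x64 snippet.
CODE_BLOB = (
    b"\x55\x8B\xEC"                                        # push ebp; mov ebp,esp
    + b"\x64\xA1\x30\x00\x00\x00" + b"\x8B\x40\x08"          # mov eax,fs:[0x30]; mov eax,[eax+8]
    + b"\x90" * 4                                          # nops
    + b"\x64\x8B\x0D\x30\x00\x00\x00" + b"\x8B\x49\x0C"      # mov ecx,fs:[0x30]; mov ecx,[ecx+0xC]
    + b"\xC3"                                              # ret
    + b"\x65\x48\x8B\x04\x25\x60\x00\x00\x00" + b"\x48\x8B\x40\x10"  # mov rax,gs:[0x60]; mov rax,[rax+0x10]
)

if __name__ == "__main__":
    for offset, arch, field in find_peb_reads(CODE_BLOB):
        print(f"0x{offset:04X}  {arch}  PEB read" + (f" -> {field}" if field else ""))
```

Hits that resolve to ImageBaseAddress are the inline-patching idiom from this post; the same scan flags the Ldr walk that position-independent code uses to find loaded modules, so treat the field name, not just the presence of a PEB read, as the triage signal.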