Exetools  

#1
10-24-2023, 12:39
Jasi2169 (Family)
Techsmith Products Hook

Techsmith Products

Products: Camtasia/Snagit v2023/v2024

OS: Windows

Site: www.techsmith.com

Techsmith software like Camtasia/Snagit is very good if you want to record the screen/desktop or to make tutorials for reverse engineering or anything else.

Download (HOOK ONLY; no products included, check the website for those):

https://pixeldrain.com/u/6dbfVB5a

Comments: extract the hook DLL into the installation folder.

Happy recording/teaching/tutorial
The Following 6 Users Say Thank You to Jasi2169 For This Useful Post:
Asus (10-26-2023), blue_devil (10-24-2023), mongza (10-26-2023), pnta (10-24-2023), rooster1 (12-11-2023), user_hidden (10-24-2023)
#2
10-24-2023, 17:36
TmC (VIP)
Thanks! What about Audiate?
#3
10-25-2023, 14:07
vetgrapje (Guest)
Other source bundled it with a virus

It took me some time to track down this forum; I would like to thank you for your work. I first downloaded this hook from another source (downloadly.ir). It was working fine, but it seems it has been bundled with a virus and gave me some red flags, so I did some digging and eventually found the source of this hook. Below is some information about the dirty version.dll.

Hybrid Analysis red flags: http://www.hybrid-analysis.com/sample/d6670efa10094a946cba5e9e1b8f585836a8e545f854a0b7dcef475db91ccc6a/6527c6fe8727fe055a050a58
SHA256: d6670efa10094a946cba5e9e1b8f585836a8e545f854a0b7dcef475db91ccc6a

I uploaded this assumed virus here; maybe it is handy for analysis:
https://pixeldrain.com/u/qd61uDj3 (watch out: virus, only download for analysis)

I would like to know what exactly is added, any tips on how to find this out?

Kind regards, T
#4
10-25-2023, 16:11
Jasi2169 (Family)
I usually post on the tsrh team forums and that's the only legitimate site to get my releases; I have no time to check.
#5
10-26-2023, 18:43
CodeCracker (VIP)
https://www.virustotal.com/gui/file/e4f32d000f0d02380aadbf91785650ca8baee1519baf6becc439b7293d7b4f0b

trojan.scarletflash/themida

Alibaba Packed:Win64/Themida.5b4b1a04
ESET-NOD32 A Variant Of Win64/Packed.Themida.L Su

Come on!
From what I could tell the file is protected by Themida, so this is why it is flagged.
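vetgrapje asks above how to find out what was added to the mirror's version.dll, and CodeCracker's point is that a Themida-style packer is by itself enough to trigger the listed detections. The block below is an added example (not Jasi2169's hook, not either file from the thread, and not tooling from this forum) of the static triage a practitioner does before any sandboxing: parse the PE section table with the standard library only, score each section's entropy and writable+executable flags as packer indicators, and diff a suspect copy against a trusted reference copy section by section. The two DLL images it analyses are constructed inside the block; the section name `.pack0` and its contents are hypothetical stand-ins for a packed blob, not anything observed in the real file.

```python
"""Section-level triage of a Windows DLL (added example, stdlib only, no pefile)."""
import hashlib
import math
import random
import struct

# IMAGE_SECTION_HEADER.Characteristics bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Flags
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, _, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
            "sha256": hashlib.sha256(raw).hexdigest(),
            "wx": bool(chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return sections


def packer_indicators(pe: bytes) -> list:
    """(section, reason) pairs that usually mean 'packed/protected'; this is the
    kind of evidence behind a Packed:Win64/Themida verdict, not proof of a payload."""
    hits = []
    for s in parse_sections(pe):
        if s["entropy"] >= HIGH_ENTROPY:
            hits.append((s["name"], "high-entropy"))
        if s["wx"]:
            hits.append((s["name"], "writable+executable"))
    return hits


def diff_sections(reference: bytes, suspect: bytes) -> list:
    """Added, removed or modified sections: the first answer to 'what was added?'."""
    ref = {s["name"]: s for s in parse_sections(reference)}
    sus = {s["name"]: s for s in parse_sections(suspect)}
    out = []
    for name in sorted(set(ref) | set(sus)):
        if name not in ref:
            out.append(f"+ {name}: only in suspect ({sus[name]['raw_size']} bytes)")
        elif name not in sus:
            out.append(f"- {name}: only in reference")
        elif ref[name]["sha256"] != sus[name]["sha256"]:
            out.append(f"~ {name}: raw bytes differ")
    return out


def build_pe(sections) -> bytes:
    """Assemble a minimal, non-loadable PE32+ image from (name, raw, chars) tuples.
    Constructed test input: only the fields parse_sections() reads are meaningful."""
    file_align, opt_size, e_lfanew = 0x200, 0xF0, 0x40
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    data_start = -(-header_len // file_align) * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)  # PE32+ magic, rest zeroed
    headers, blobs, raw_ptr, va = b"", b"", data_start, 0x1000
    for name, raw, chars in sections:
        padded = raw + b"\0" * (-len(raw) % file_align)
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), va,
                               len(padded), raw_ptr, 0, 0, 0, 0, chars)
        blobs, raw_ptr = blobs + padded, raw_ptr + len(padded)
        va += -(-len(padded) // 0x1000) * 0x1000
    image = dos + b"PE\0\0" + coff + opt + headers
    return image + b"\0" * (data_start - len(image)) + blobs


# Constructed samples (hypothetical; not the hook or the mirror's file).
_rng = random.Random(2023)  # deterministic stand-in for a packed/encrypted blob
TEXT = (b"TechsmithHookStub\n" * 60)[:1024]
RDATA = b"version.dll\0GetFileVersionInfoW\0".ljust(512, b"\0")
PACKED = bytes(_rng.getrandbits(8) for _ in range(4096))
CODE_RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_R = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
REFERENCE_DLL = build_pe([(b".text", TEXT, CODE_RX), (b".rdata", RDATA, DATA_R)])
SUSPECT_DLL = build_pe([  # one string patched plus an appended W+X high-entropy section
    (b".text", TEXT, CODE_RX),
    (b".rdata", RDATA.replace(b"GetFileVersionInfoW", b"GetFileVersionInfoA"), DATA_R),
    (b".pack0", PACKED, CODE_RX | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, blob in (("reference", REFERENCE_DLL), ("suspect", SUSPECT_DLL)):
        print(label, hashlib.sha256(blob).hexdigest())
        for s in parse_sections(blob):
            print(f"  {s['name']:8} raw={s['raw_size']:6} H={s['entropy']:.2f} wx={s['wx']}")
        print("  indicators:", packer_indicators(blob))
    print("diff:", *diff_sections(REFERENCE_DLL, SUSPECT_DLL), sep="\n  ")
```

On real files, replace the constructed images with the bytes read from disk and compare the whole-file SHA256 against the one posted in the thread before anything else. A high-entropy or writable+executable section only says "packed", which is consistent with CodeCracker's reading of the VirusTotal result; it does not by itself distinguish a protector from a dropper, so an added section or modified bytes in the diff is what justifies running the file in a sandbox next.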
#6
10-26-2023, 21:04
vetgrapje (Guest)
Quote:
Originally Posted by CodeCracker
https://www.virustotal.com/gui/file/e4f32d000f0d02380aadbf91785650ca8baee1519baf6becc439b7293d7b4f0b

trojan.scarletflash/themida

Alibaba Packed:Win64/Themida.5b4b1a04
ESET-NOD32 A Variant Of Win64/Packed.Themida.L Su

Come on!
From what I could tell the file is protected by Themida, so this is why it is flagged.
Thank you for your reply and for checking out the file. The version I had downloaded before differs from the original version (this topic). I searched whether Jasi2169 had released a different version of this hook before; this does not seem to be the case, so I assume the version I had downloaded before is bundled with something else. I can't think of a good reason to pack a perfectly functioning hook with something other than a virus.

Thanks Jasi2169, I'll have to check out the "tsrh team forums". (I'm not finished reading topics on this forum yet; reverse engineering and patching is very interesting to me, I may have found a new hobby.)
#7
10-27-2023, 00:51
Jasi2169 (Family)
Quote:
Originally Posted by CodeCracker
https://www.virustotal.com/gui/file/e4f32d000f0d02380aadbf91785650ca8baee1519baf6becc439b7293d7b4f0b

trojan.scarletflash/themida

Alibaba Packed:Win64/Themida.5b4b1a04
ESET-NOD32 A Variant Of Win64/Packed.Themida.L Su

Come on!
From what I could tell the file is protected by Themida, so this is why it is flagged.
Plus it's the leaked Themida we all use in the scene, I guess; I never checked, though.
#8
10-27-2023, 08:20
Abdul Moeed (Friend)
Quote:
Originally Posted by Jasi2169
Plus it's the leaked Themida we all use in the scene, I guess; I never checked, though.
"We all"? No... Most crackers do not use such leaked packers, since they get blacklisted on most modern Windows systems. You can check if you don't believe me.
The Following User Says Thank You to Abdul Moeed For This Useful Post:
X0rby (11-28-2023)
#9
10-27-2023, 10:27
Jasi2169 (Family)
Quote:
Originally Posted by Abdul Moeed
"We all"? No... Most crackers do not use such leaked packers, since they get blacklisted on most modern Windows systems. You can check if you don't believe me.
I don't know about your experience, but over the last decade I have seen that releases are packed most of the time, to preserve their integrity; no one will purchase protectors, or use their own purchased copies, on cracks and such.

Some might use open source as well, but once the release is packed most AV companies just mark it as a virus (false positive) when there is no taggant or known-publisher tag.

Even my purchased Eazfuscator was marked as a virus when packing a simple file; it's just signature-based games.
#10
10-30-2023, 19:14
zen (Friend)
> only legitimate site to get my releases
Present company excluded, of course.

It seems likely that @jasi2169 protected the DLL files with Themida to preserve his credits popup and prevent modification of the DLL. I could not access the Iranian site, but I looked at the file posted here and it merely cracked the software. It is likely that, since I was using a virtual machine, the payload, whatever it supposedly is, did not activate. The "dirty" version.dll did not have a popup message from jasi2169, so I'm not sure whether it was meant to impersonate him and abuse his reputation to spread malware or not. Another consideration is that sometimes Themida itself causes detections in virus scanners. I am not saying this other version is clean, but it is an interesting puzzle.

The crack is very simple, forcing a return value of "1" from TSCLicensing::LicenseType (multi-user perpetual license), and could be accomplished in several different ways. It doesn't require a loader. This is true for Camtasia and Snagit, which are native code and use this licensing-DLL method. I understand that the point of the jasi2169 DLL was convenience. Also, for people using this software, you should change these default settings: in the File menu, under Capture Preferences, uncheck "automatically check for updates" and "send anonymous usage data". Still, whether you are using the loader or not, the software sends telemetry to my.nalpeiron.com/shafer2.asmx. This seems to be related to "Zentitle" cloud licensing.

TmC asked about "Audiate", which is another Techsmith product. It is an Electron (NodeJS) application and does not use the same method. It might be that in index.js the variable "activated" needs to be set; I don't actually know, I only looked at it briefly.
#11
10-31-2023, 00:29
Jasi2169 (Family)
Quote:
Originally Posted by zen
TmC asked about "Audiate", which is another Techsmith product. It is an Electron (NodeJS) application and does not use the same method. It might be that in index.js the variable "activated" needs to be set; I don't actually know, I only looked at it briefly.
That's true, it uses the Electron framework for cross-platform Node JavaScript, but the file is a 150+ MB standalone. It doesn't load for me; I waited 15 minutes and it was still loading, and in xdbg too, I don't know why, it freezes, so I closed it. Maybe I have too little patience, and sometimes I think my hardware needs an upgrade :/ . But I don't use Audiate, only Camtasia and Snagit usually. Well, index.js is where everything starts, but unfortunately it's too big, all in one single exe.
All times are GMT +8.

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2023 )