About Articles Store Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

OpenRCE Articles

The Molecular Virology of Lexotan32: Metamorphism Illustrated Created: Thursday, August 16 2007 16:58.00 CDT
Author: orr # Views: 7853

This paper is a direct descendent of my previous one regarding the metamorphic engine of the W32.Evol virus. I advise you to take a look at it before reading this one, or at least be acquainted with the subject of metamorphism. The focus of this paper is the special engine of the Lexotan32 virus.

The virus was released in 29A#6 Virus Magazine in 2002, the Annus Mirabilis of metamorphic viruses. The virus was created by the prolific VX coder, Vecna, and was one of the last complex creations of this kind. I could further elaborate on the genealogy of this virus, but I think it is sufficient to say that this virus is a culmination of many of the techniques developed throughout the author's career.

Full Article ...    Printer Friendly ...    Write Comment    |    View Complete Comments

    Username Comment Excerpt Date
c0ck3dpist0l it's cool! Thanks for sharing! Tuesday, April 29 2008 07:54.10 CDT
adityaks nicely driven , very well Sunday, September 23 2007 23:40.22 CDT
  vecna Congratulations for the article - its exact Thursday, August 23 2007 20:03.45 CDT
baibhav Gud work ! Thanks for sharing ! Friday, August 17 2007 10:48.22 CDT
MohammadHosein alot of details ...great work . Friday, August 17 2007 10:47.15 CDT

Defeating HyperUnpackMe2 With an IDA Processor Module Created: Thursday, February 22 2007 19:21.58 CST
Author: RolfRolles # Views: 15605

This article is about breaking modern executable protectors. The target, a crackme known as HyperUnpackMe2, is modern in the sense that it does not follow the standard packer model of yesteryear wherein the contents of the executable in memory, minus the import information, are eventually restored to their original forms.

Modern protectors mutilate the original code section, use virtual machines operating upon polymorphic bytecode languages to slow reverse engineering, and take active measures to frustrate attempts to dump the process. Meanwhile, the complexity of the import protections and the amount of anti-debugging measures has steadily increased.

This article dissects such a protector and offers a static unpacker through the use of an IDA processor module and a custom plugin. The commented IDB files and the processor module source code are included. In addition, an appendix covers IDA processor module construction. In short, this article is an exercise in overkill.

Full Article ...    Printer Friendly ...    Write Comment    |    View Complete Comments

    Username Comment Excerpt Date
h4x0r comprehensive analysis, thanks. for those no... Tuesday, May 15 2007 04:15.56 CDT
  PoincareLei good analysis.. expecting RolfRolles to wri... Wednesday, April 4 2007 06:26.45 CDT
bLaCkeye Impressive display of reverse engineering and c... Friday, February 23 2007 19:47.13 CST
nico Good job Bro, as i told you already when i firs... Friday, February 23 2007 13:53.15 CST

The Viral Darwinism of W32.Evol Created: Tuesday, February 6 2007 14:26.08 CST
Author: Orr # Views: 16731

The W32.Evol virus was discovered around July 2000. Its name is derived from a string found in the virus, but much more can be implied from the name. Up until then, most of the viruses were using Polymorphic engines in order to hide themselves from Anti-Virus scanners. The engine would encrypt the virus with a different key on every generation, and would generate a small, variant decryptor that would consist of different operations but remain functionally equivalent. This technique was beginning to wear out as AV scanners would trace virus-decryption until it was decrypted in memory, visible and clear.

This article explores the features and functionality of the metamorphic engine of the Evol virus, the first virus to utilize a 'true' metamorphic engine according to Symantec.

Full Article ...    Printer Friendly ...    Write Comment    |    View Complete Comments

    Username Comment Excerpt Date
adityaks nice one man Wednesday, June 20 2007 06:07.58 CDT
Orr The mistake is in the paper and not in the engi... Friday, April 6 2007 16:02.00 CDT
eraser You are right MazeGen. [code] EB cb JMP cb ... Wednesday, April 4 2007 13:33.07 CDT
MazeGen Very interesting article, thanks. There's on... Friday, March 30 2007 02:57.38 CDT
eraser Many thanks for your valuable contribution. Monday, March 12 2007 11:13.59 CDT

Kernel User-Mode Debugging Support (Dbgk) Created: Wednesday, January 31 2007 12:05.10 CST
Author: AlexIonescu # Views: 10809

In part three of this three part article series, the kernel-mode interface to Windows debugging is dissected in detail. The reader is expected to have some basic knowledge of C and general NT Kernel architecture and semantics. Also, this is not an introduction on what debugging is or how to write a debugger. It is meant as a reference for experienced debugger writers, or curious security experts. The reader is expected to have some basic knowledge of C and general NT Kernel architecture and semantics. Also, this is not an introduction on what debugging is or how to write a debugger. It is meant as a reference for experienced debugger writers, or curious security experts.

Full Article ...    Printer Friendly ...    Write Comment    |    View Complete Comments

    Username Comment Excerpt Date
flyingkisser very good,very powerful!So,where is part I and ... Tuesday, January 15 2008 20:17.43 CST
anonymouse so this is how some of the functions in syser o... Thursday, February 1 2007 23:35.29 CST
MohammadHosein thank you for these excellent series of articles Thursday, February 1 2007 15:29.03 CST
JasonGeffner Awesome job! I want a "part four"! :) Thursday, February 1 2007 13:56.34 CST

Windows Native Debugging Internals Created: Monday, November 13 2006 13:14.18 CST
Author: AlexIonescu # Views: 8033

In part two of this three part article series, the native interface to Windows debugging is dissected in detail. The reader is expected to have some basic knowledge of C and general NT Kernel architecture and semantics. Also, this is not an introduction on what debugging is or how to write a debugger. It is meant as a reference for experienced debugger writers, or curious security experts.

Full Article ...    Printer Friendly ...    Write Comment    |    View Complete Comments

    Username Comment Excerpt Date
halsten Thanks for sharing this! Keep it up (Y). -- ... Monday, January 22 2007 01:55.32 CST
msuiche That's a very pretty paper you wrote again ther... Monday, November 13 2006 15:40.46 CST

Windows User Mode Debugging Internals Created: Tuesday, October 31 2006 18:02.31 CST
Author: AlexIonescu # Views: 9700

The internal mechanisms of what allows user-mode debugging to work have rarely ever been fully explained. Even worse, these mechanisms have radically changed in Windows XP, when much of the support was re-written, as well as made more subsystem portable by including most of the routines in ntdll, as part of the Native API. This three part series will explain this functionality, starting from the Win32 (kernel32) viewpoint all the way down (or up) to the NT Kernel (ntoskrnl) component responsible for this support, called Dbgk, while taking a stop to the NT System Library (ntdll) and its DbgUi component.

The reader is expected to have some basic knowledge of C and general NT Kernel architecture and semantics. Also, this is not an introduction on what debugging is or how to write a debugger. It is meant as a reference for experienced debugger writers, or curious security experts.

Full Article ...    Printer Friendly ...    Write Comment    |    View Complete Comments

    Username Comment Excerpt Date
NeOXQuiCk Nice,thx for sharing.. its helped me a lot.. ... Tuesday, April 3 2007 17:55.47 CDT
tinybyte Nice stuff! Waiting for the sequels :) Friday, December 8 2006 15:25.33 CST
chip Thanks, It's great Monday, November 20 2006 01:07.46 CST
mxatone I start making userland tracer using PaiMei fra... Friday, November 10 2006 02:29.04 CST
mugg Thanks for the great article! Wednesday, November 1 2006 10:45.07 CST

Reversing Microsoft Visual C++ Part II: Classes, Methods and RTTI Created: Thursday, September 21 2006 15:56.06 CDT
Author: igorsk # Views: 16840

Microsoft Visual C++ is the most widely used compiler for Win32 so it is important for the Win32 reverser to be familiar with its inner working. Being able to recognize the compiler-generated glue code helps to quickly concentrate on the actual code written by the programmer. It also helps in recovering the high-level structure of the program.

In part II of this 2-part article (see also: Part I: Exception Handling), I will cover how C++ machinery is implemented in MSVC, including classes layout, virtual functions, RTTI. Familiarity with basic C++ and assembly language is assumed.

Full Article ...    Printer Friendly ...    Write Comment    |    View Complete Comments

    Username Comment Excerpt Date
igorsk Well, I was disassembling c1xx to check how it ... Friday, September 22 2006 16:30.48 CDT
MohammadHosein actually didnt read the whole article yet , but... Friday, September 22 2006 15:23.54 CDT
linestyle great work!!:) Thursday, September 21 2006 20:02.11 CDT

Archived Articles

Archived
Title   Author # Views Publish Date
Microsoft Patching Internals EliCZ 10752 April 26 2006
Reversing Microsoft Visual C++ Part I: Exception Handling igorsk 27152 March 6 2006
Technical Analysis of MS06-001 stephanc 6616 February 6 2006
FUTo peter 9797 January 5 2006
Plausible Deniability joestewart 7390 November 17 2005
Reverse Engineering Microsoft OLE joestewart 12360 September 12 2005
File Format Reversing - EverQuest II VPK daeken 15067 September 6 2005
WINLDRA.EXE: Reversing a Basic Encryption Algorithm Gerry 15397 August 23 2005
Reversing HDSpoof - A Tutorial smidgeonsoft 21767 August 2 2005
Creating IDA Plug-ins with C# or VB6 dzzie 14403 July 15 2005
Process Stalker vs. MS05-030 pedram 18121 July 6 2005
Introduction to IDAPython ero 14921 June 24 2005
OpenRCE Site Launch pedram 4378 June 17 2005
Active in Last 5 Minutes
Wannabe
zhzhtst

There are 7,453 total registered users.


Recently Created Topics
IDAPerl version 0.1
May/09
# Syser causes BSOD
May/09
Kraken: Botnet Analysis
May/06
How to avoid getting...
May/05
Problem In Programmi...
May/04
More Info Needed In ...
May/04
creating win32 api == ?
May/04
Implementing Custom...
May/04
Automaticly Generati...
May/01
# solution: how to l...
May/01


Recent Forum Posts
2 Questions
memo5
2 Questions
cseagle
# a new(?) bug in Olly
nezumi
# free IDA Pro training
Externa...
# free IDA Pro training
nezumi
2 Questions
memo5
2 Questions
x0rr0x
# free IDA Pro training
Externa...
How to avoid getting...
igorsk
# free IDA Pro training
abuse007


Recent Blog Entries
PeterFerrie
May/07
anti-unpacking tricks paper...
apridgen
May/06
Basic tutorial about how to...
sp
May/04
Release of Hexer 1.2.0
halvar
Apr/28


EliCZ
Apr/25
Integer overflow
More ...


Recent Blog Comments
RolfRolles on:
May/08
anti-unpacking tricks paper...
smidgeonsoft on:
May/08
anti-unpacking tricks paper...
ero on:
May/08
anti-unpacking tricks paper...
thierryzoller on:
May/07
Build Your Own Botnet with RDP
MazeGen on:
May/07
Opcode execution cost
More ...


Imagery
Immunity Debugger on the Run!
Aug 9, 2007

[+] expand

View Gallery (10) / Submit