Flag: Tornado! Hurricane!

OpenRCE Article Comments: Reversing HDSpoof - A Tutorial

Article Abstract How often have you thought about what is happening under the covers when you launch an executable on your Windows system? In these days of malicious activity, i.e. viruses, worms, spyware, caused by seemingly innocent programs and attachments the question becomes more pressing and important. If you are confident that if needed you could debug (reverse-engineer) a suspicious program, what happens if you encounter a program that was specifically created to frustrate and defeat your analysis attempts? Should you persevere in such a circumstance, you should be aware ahead of time of some tricks and traps that can be employed in an attempt to thwart your best intentions. This article will attempt to introduce you to some of these and, perhaps, fire your own curiosity on topics such as code obfuscation, protection and anti-reverse-engineering.

Full Article ...    Printer Friendly ...

Article Comments
OpsMan Posted: Tuesday, August 2 2005 21:38.41 CDT
  Wow! What a wild ride. Thanks for posting this exciting piece. Has to be a Charles Dickens of RCE tutorials.

nico Posted: Wednesday, August 3 2005 00:09.34 CDT
Hi,

Nice article.
Looks like those people have read my paper: Anti Reverse Engineering Uncovered, i selected some values randomly in the headers, and they picked the EXACT Same ones to mess with Soft ICE (see my vuln report in the article) and ollydbg.

They just copy pasted my work heh:

http://honeynet.org/scans/scan33/
lots of write ups, and my official one:

http://honeynet.org/scans/scan33/nico/index.html

They use my RDTSC trick with the BPM cleaning stuff as well.
The headers thingy are the best proof though, i picked up one of those numbers randomly, and the other one was tied to my binary, to get soft ICE to crash.
Fun :)

Well, i think they took most of my work and used it in their program to me :)

Cheers,

Nico

anonymouse Posted: Wednesday, August 3 2005 09:45.48 CDT
wow pretty excellent write up
pretty exhaustive and informative article

i just would like to point out one little feature of ollydbg which comes in handy for such obfuscated code
its runtrace feature hit ctrl+f11 and the deobfuscated
listing (the actual execution path that was taken)just shows up including register values and you can even navigate the path backwards

i simply ripped the opcodes from your listing 2 and binary pasted it into ollydbg and ran runtrace
and i am pasting the runtrace list here as you could see
one can just see the jbe or sub eax,[esp] and cmp eax,0xfff


Address  Thread   Command           ; Registers and comments
00401007 Main     JMP SHORT 00401003
00401003 Main     JMP SHORT 00401009
00401009 Main     CALL 00401018
00401018 Main     CALL 0040100F
0040100F Main     JMP SHORT 0040101D
0040101D Main     ADD ESP,8
00401020 Main     JE SHORT 00401026
00401022 Main     JNZ SHORT 00401026
00401026 Main     JMP SHORT 00401029
00401029 Main     CALL 00401038
00401038 Main     CALL 0040102F
0040102F Main     JMP SHORT 0040103D
0040103D Main     ADD ESP,8
00401040 Main     JE SHORT 00401046
00401042 Main     JNZ SHORT 00401046
00401046 Main     JMP SHORT 00401049
00401049 Main     PUSH EAX
0040104A Main     CALL 00401051
00401051 Main     POP EAX                 ; EAX=0040104F
00401052 Main     IMUL EAX,EAX,3          ; EAX=00C030ED
00401055 Main     CALL 0040105C
0040105C Main     ADD ESP,4
0040105F Main     POP EAX                 ; EAX=00000000
00401060 Main     JE SHORT 00401066
00401062 Main     JNZ SHORT 00401066
00401066 Main     JMP SHORT 00401069
00401069 Main     RDTSC         ; EAX=8AD0BE24, EDX=000053DA
0040106B Main     PUSH EAX
0040106C Main     RDTSC         ; EAX=8ADA1B18
0040106E Main     CALL 0040107D
0040107D Main     CALL 00401074
00401074 Main     JMP SHORT 00401082
00401082 Main     ADD ESP,8
00401085 Main     SUB EAX,[ESP]        ; EAX=00095CF4
00401088 Main     JE SHORT 0040108E
0040108A Main     JNZ SHORT 0040108E
0040108E Main     JMP SHORT 00401091
00401091 Main     ADD ESP,4
00401094 Main     CALL 004010A3
004010A3 Main     CALL 0040109A
0040109A Main     JMP SHORT 004010A8
004010A8 Main     ADD ESP,8
004010AB Main     CMP EAX,0FFF
004010B0 Main     JMP SHORT 004010B3
004010B3 Main     JMP SHORT 004010B7
004010B7 Main     JMP SHORT 004010BA
004010BA Main     JBE SHORT 004010D7
004010BC Main     JMP SHORT 004010BF
004010BF Main     JMP SHORT 004010C3
004010C3 Main     JMP SHORT 004010C6
004010C6 Main     INT3
    INT3 command at smidge.004010C6
End of session




:thumbsup for taking time to write such clear articles

HiPPiEkiLLeR Posted: Sunday, August 14 2005 17:32.32 CDT
Good article, however this bit:
---------
PID: 0x574 TID: 0x9CC %s%s

Not much interesting happening here except perhaps some leftover debugging code.
--------

OutputDebugStringA("%s%s") is code to crash Ollydbg, not leftover code.. :)



Vex Posted: Wednesday, August 31 2005 21:19.58 CDT
Wicked

GAMerritt Posted: Thursday, November 18 2010 10:34.16 CST
Why hasn't anyone commented on this incredible article for five years?

Donner2011 Posted: Wednesday, December 21 2011 04:12.42 CST
Your posts are so helpful and detailed. The links you feature are also maternity wedding dresses
Pregnancy wedding dresses
maternity dresses for weddings
chiffon maternity wedding dresses
short maternity wedding dresses
plus size maternity wedding dresses
christmas costumes very useful too. Thanks a lot!


Add New Comment
Comment:










There are 31,310 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit