Flag: Tornado! Hurricane!


Article Abstract This article is about breaking modern executable protectors. The target, a crackme known as HyperUnpackMe2, is modern in the sense that it does not follow the standard packer model of yesteryear wherein the contents of the executable in memory, minus the import information, are eventually restored to their original forms.

Modern protectors mutilate the original code section, use virtual machines operating upon polymorphic bytecode languages to slow reverse engineering, and take active measures to frustrate attempts to dump the process. Meanwhile, the complexity of the import protections and the amount of anti-debugging measures has steadily increased.

This article dissects such a protector and offers a static unpacker through the use of an IDA processor module and a custom plugin. The commented IDB files and the processor module source code are included. In addition, an appendix covers IDA processor module construction. In short, this article is an exercise in overkill.

Full Article ...    Printer Friendly ...

Article Comments
nico Posted: Friday, February 23 2007 13:53.15 CST
Good job Bro, as i told you already when i first read this paper. That was a fun night looking over this Virtual Machine half drunk ;-)

bLaCkeye Posted: Friday, February 23 2007 19:47.13 CST
Impressive display of reverse engineering and coding skills.
Definitely in my favorite tutorials list, hope to see more work from the author in the future.
I had a lot to learn from this.

A request for the admin: anyway you could make the 'Printer Friendly' option to save as pdf for easier transportation?

Thanks

PoincareLei Posted: Wednesday, April 4 2007 06:26.45 CDT
good analysis..

expecting RolfRolles  to write Themida VM analysis!!

:)

h4x0r Posted: Tuesday, May 15 2007 04:15.56 CDT
comprehensive analysis, thanks.

for those not familiar with techniques described, there was a honeypot crackme at http://www.honeynet.org/scans/scan33/ back then, pioneering some of the obfuscation techniques described here (vm architecture..)

eirc Posted: Saturday, October 11 2008 05:00.28 CDT
Wow thanks a lotŁĄ

ndaj3 Posted: Friday, September 4 2009 01:25.09 CDT
RolfRolles: Thank you for Writing an Great tutorial. I appreciate your time & efforts. It's an big learning experience for all of us.

Thank you for your Great tutorial
ndaj3


Add New Comment
Comment:










There are 31,026 total registered users.


Recently Created Topics
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Immunity Debugger Re...
Aug/03


Recent Forum Posts
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack


Recent Blog Entries
crystalwade
Jul/20
test

nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit