OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Store Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Article Abstract This article is about breaking modern executable protectors. The target, a crackme known as HyperUnpackMe2, is modern in the sense that it does not follow the standard packer model of yesteryear wherein the contents of the executable in memory, minus the import information, are eventually restored to their original forms.

Modern protectors mutilate the original code section, use virtual machines operating upon polymorphic bytecode languages to slow reverse engineering, and take active measures to frustrate attempts to dump the process. Meanwhile, the complexity of the import protections and the amount of anti-debugging measures has steadily increased.

This article dissects such a protector and offers a static unpacker through the use of an IDA processor module and a custom plugin. The commented IDB files and the processor module source code are included. In addition, an appendix covers IDA processor module construction. In short, this article is an exercise in overkill.

Full Article ...

Printer Friendly ...

Article Comments

nico	Posted: Friday, February 23 2007 13:53.15 CST
Good job Bro, as i told you already when i first read this paper. That was a fun night looking over this Virtual Machine half drunk ;-)

bLaCkeye	Posted: Friday, February 23 2007 19:47.13 CST
Impressive display of reverse engineering and coding skills. Definitely in my favorite tutorials list, hope to see more work from the author in the future. I had a lot to learn from this. A request for the admin: anyway you could make the 'Printer Friendly' option to save as pdf for easier transportation? Thanks

PoincareLei	Posted: Wednesday, April 4 2007 06:26.45 CDT
good analysis.. expecting RolfRolles to write Themida VM analysis!! :)

h4x0r	Posted: Tuesday, May 15 2007 04:15.56 CDT
comprehensive analysis, thanks. for those not familiar with techniques described, there was a honeypot crackme at http://www.honeynet.org/scans/scan33/ back then, pioneering some of the obfuscation techniques described here (vm architecture..)

eirc	Posted: Saturday, October 11 2008 05:00.28 CDT
Wow thanks a lot！

ndaj3	Posted: Friday, September 4 2009 01:25.09 CDT
RolfRolles: Thank you for Writing an Great tutorial. I appreciate your time & efforts. It's an big learning experience for all of us. Thank you for your Great tutorial ndaj3

zhxia	Posted: Tuesday, August 10 2010 01:28.24 CDT
Thank you for Writing an Great tutorial. I appreciate your time & efforts. It's an big learning experience for all of us. url=http://www.eluxurys-store.com/]buy gucci watches[/url] gucci sale louis vuitton

Active in Last 5 Minutes
	j00ru

There are 21,678 total registered users.

Recently Created Topics
PyEmu error when cal...	Sep/02
Restore Themida/Winl...	Sep/02
Anti-olly technique	Aug/30
RAR Password	Aug/29
Heap protection on W...	Aug/23
Why Inline asm in C+...	Aug/20
Bypassing OllyAdvance	Aug/17
Error in logic for g...	Aug/17
Has anyone seen this...	Aug/17
ARM Executable - Pat...	Aug/16

Recent Forum Posts
reverse engineering ...	raiden56
pydbg, memory breakp...	Researc...
RAR Password	Ineedhelp
RAR Password	cod
Heap protection on W...	voila
Heap protection on W...	j00ru
Heap protection on W...	voila
Heap protection on W...	j00ru
Heap protection on W...	psylocn
Why Inline asm in C+...	ronnie2...

Recent Blog Entries
	meshmesh	Sep/01
Is it legal??
	waleedassar	Aug/30
Anti-olly technique
	QvasiModo	Aug/24
WinAppDbg 1.4 is out!
	artemblagodarenko	Aug/18
Dataflow-0.2.0 released. Ne...
	grzonu	Aug/17
Bypassing OllyAdvanced
More ...

Recent Blog Comments
	tosanjay on:	Sep/02
PyEmu 0.0.2
	GynvaelColdwind on:	Sep/01
Is it legal??
	PeterFerrie on:	Aug/31
Anti-olly technique
	dennis on:	Aug/26
Dr. Gadget IDAPython plugin
	halsten on:	Aug/19
Dataflow-0.2.0 released. Ne...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit