OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Store Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Error: Authentication required to access requested resource.

Article Abstract This article is about breaking modern executable protectors. The target, a crackme known as HyperUnpackMe2, is modern in the sense that it does not follow the standard packer model of yesteryear wherein the contents of the executable in memory, minus the import information, are eventually restored to their original forms.

Modern protectors mutilate the original code section, use virtual machines operating upon polymorphic bytecode languages to slow reverse engineering, and take active measures to frustrate attempts to dump the process. Meanwhile, the complexity of the import protections and the amount of anti-debugging measures has steadily increased.

This article dissects such a protector and offers a static unpacker through the use of an IDA processor module and a custom plugin. The commented IDB files and the processor module source code are included. In addition, an appendix covers IDA processor module construction. In short, this article is an exercise in overkill.

Full Article ...

Printer Friendly ...

Article Comments

nico	Posted: Friday, February 23 2007 13:53.15 CST
Good job Bro, as i told you already when i first read this paper. That was a fun night looking over this Virtual Machine half drunk ;-)

bLaCkeye	Posted: Friday, February 23 2007 19:47.13 CST
Impressive display of reverse engineering and coding skills. Definitely in my favorite tutorials list, hope to see more work from the author in the future. I had a lot to learn from this. A request for the admin: anyway you could make the 'Printer Friendly' option to save as pdf for easier transportation? Thanks

PoincareLei	Posted: Wednesday, April 4 2007 06:26.45 CDT
good analysis.. expecting RolfRolles to write Themida VM analysis!! :)

h4x0r	Posted: Tuesday, May 15 2007 04:15.56 CDT
comprehensive analysis, thanks. for those not familiar with techniques described, there was a honeypot crackme at http://www.honeynet.org/scans/scan33/ back then, pioneering some of the obfuscation techniques described here (vm architecture..)

eirc	Posted: Saturday, October 11 2008 05:00.28 CDT
Wow thanks a lot！

ndaj3	Posted: Friday, September 4 2009 01:25.09 CDT
RolfRolles: Thank you for Writing an Great tutorial. I appreciate your time & efforts. It's an big learning experience for all of us. Thank you for your Great tutorial ndaj3

Active in Last 5 Minutes
	elreport

There are 16,656 total registered users.

Recently Created Topics
SSL keyfindert plugi...	Mar/15
ApiHooks.com down	Mar/15
how to crate a PATC...	Mar/10
wsnpoem audio.dll	Mar/09
suggestions - RE tra...	Mar/09
Requesting Suggestio...	Mar/06
Force enable debug p...	Mar/05
upgrading new image ...	Mar/03
upgrading new image ...	Mar/03
upgrading new image ...	Mar/03

Recent Forum Posts
how to crate a PATC...	comrade
ApiHooks.com down	comrade
suggestions - RE tra...	enm16
wsnpoem audio.dll	zhane
suggestions - RE tra...	Silkut
how to crate a PATC...	Silkut
suggestions - RE tra...	RolfRolles
wsnpoem audio.dll	debbie
Requesting Suggestio...	secursig
Requesting Suggestio...	phn1x

Recent Blog Entries
	RolfRolles	Mar/08
Compiler Optimizations for ...
	ReWolf	Mar/04
When memory management goes...
	thesprawler	Feb/20
log1949.txt -- Wondering ho...
	thesprawler	Feb/20
log1949.log -- created on C...
	thesprawler	Feb/17
Trying to reverse the firmw...
More ...

Recent Blog Comments
	Boken on:	Mar/12
Compiler Optimizations for ...
	wildinto on:	Mar/10
Compiler Optimizations for ...
	Orr on:	Mar/10
Compiler Optimizations for ...
	bughoho on:	Mar/09
Compiler Optimizations for ...
	cliffwolf on:	Mar/08
Compiler Optimizations for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit