OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Article Abstract This article is about breaking modern executable protectors. The target, a crackme known as HyperUnpackMe2, is modern in the sense that it does not follow the standard packer model of yesteryear wherein the contents of the executable in memory, minus the import information, are eventually restored to their original forms.

Modern protectors mutilate the original code section, use virtual machines operating upon polymorphic bytecode languages to slow reverse engineering, and take active measures to frustrate attempts to dump the process. Meanwhile, the complexity of the import protections and the amount of anti-debugging measures has steadily increased.

This article dissects such a protector and offers a static unpacker through the use of an IDA processor module and a custom plugin. The commented IDB files and the processor module source code are included. In addition, an appendix covers IDA processor module construction. In short, this article is an exercise in overkill.

Full Article ...

Printer Friendly ...

Article Comments

nico	Posted: Friday, February 23 2007 13:53.15 CST
Good job Bro, as i told you already when i first read this paper. That was a fun night looking over this Virtual Machine half drunk ;-)

bLaCkeye	Posted: Friday, February 23 2007 19:47.13 CST
Impressive display of reverse engineering and coding skills. Definitely in my favorite tutorials list, hope to see more work from the author in the future. I had a lot to learn from this. A request for the admin: anyway you could make the 'Printer Friendly' option to save as pdf for easier transportation? Thanks

PoincareLei	Posted: Wednesday, April 4 2007 06:26.45 CDT
good analysis.. expecting RolfRolles to write Themida VM analysis!! :)

h4x0r	Posted: Tuesday, May 15 2007 04:15.56 CDT
comprehensive analysis, thanks. for those not familiar with techniques described, there was a honeypot crackme at http://www.honeynet.org/scans/scan33/ back then, pioneering some of the obfuscation techniques described here (vm architecture..)

eirc	Posted: Saturday, October 11 2008 05:00.28 CDT
Wow thanks a lot！

ndaj3	Posted: Friday, September 4 2009 01:25.09 CDT
RolfRolles: Thank you for Writing an Great tutorial. I appreciate your time & efforts. It's an big learning experience for all of us. Thank you for your Great tutorial ndaj3

There are 28,212 total registered users.

Recently Created Topics
Reverse Engineering ...	Jan/23
Career: DoD Agency I...	Jan/22
"Disappearing&q...	Jan/17
Career: Software Sec...	Jan/11
Where is the call st...	Jan/07
IDA Pro 6.1 Breakpoi...	Jan/01
How to create data s...	Dec/30
can i search all mod...	Dec/23
IDA symbol table exp...	Dec/20
An anti-attach trick	Dec/17

Recent Forum Posts
Reverse Engineering ...	NirIzr
"Disappearing&q...	NirIzr
Reverse Engineering ...	charlie
"Disappearing&q...	charlie
An anti-attach trick	Bass
An anti-attach trick	waleeda...
An anti-attach trick	Bass
An anti-attach trick	waleeda...
An anti-attach trick	Bass
Looking for value in...	NirIzr

Recent Blog Entries
	Ludwig	Feb/04
chi on sale
	Ludwig	Feb/04
Monster In The Vicinity Of ...
	Ludwig	Feb/04
Supra footwear Online
	waleedassar	Jan/31
Yet Another Anti-Debug Trick
	RolfRolles	Jan/22
Finding Bugs in VMs with a ...
More ...

Recent Blog Comments
	waleedassar on:	Feb/01
Yet Another Anti-Debug Trick
	NirIzr on:	Jan/31
Yet Another Anti-Debug Trick
	jackchen on:	Jan/10
nike mercurial vapor iii
	waleedassar on:	Dec/27
A new Anti-Olly trick.
	PeterFerrie on:	Dec/27
A new Anti-Olly trick.
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit