Peter Ferrie (PeterFerrie) <peter_ferrie hotmail com>
Wednesday, May 7 2008 11:54.28 CDT
From the CARO Workshop 2008.
Examples of anti-dumping, anti-debugging, anti-emulator, anti-interceptor.
Paper and slides at pferrie.tripod.com
Thanks!
The rest of the workshop's presentations/papers can be downloaded from their website.
A few more papers have been published since the first batch from last week, so if you're interested check the CARO site again (and perhaps periodically in the near future).
My favorite is Boris Lau's paper. Deobfuscation of x86 and/or VM bytecode based on a combination of a run trace and a compiler optimizer is a very useful idea, not just for VM handlers but for obfuscated code in general. Using a run trace eliminates the major weakness in my previously-presented idea, in that my approach fails if the code cannot be disassembled statically (e.g. being unable to determine instruction boundaries due to them jumping into one another). Another good idea he presents is automated identification of opcode handlers based on their effects on the context structure. Both ideas had occurred to me, but implementing them would have been a major task. Excellent work, Boris!
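The comment above describes identifying VM opcode handlers by their observed effect on the context structure, with the observations coming from a run trace rather than static disassembly. The following is an added toy illustration of that idea, not code from Boris Lau's paper or from any project discussed on this page. The VM, its register names (r0..r3), its opcode numbers and the sample program are all constructed for the example; the point is that each handler is classified only from before/after snapshots of the context, and that a single observation can be ambiguous (a `mov` into a zero slot looks like an `add` or `xor`) until more trace entries narrow the candidate set.

```python
"""Classify toy VM handlers from a run trace of context snapshots.

Constructed example: a tiny register VM whose opcode-to-handler mapping
is unknown to the analyst. We instrument the interpreter to record the
context before and after each handler, then keep, per opcode, only the
semantic models consistent with every observed invocation.
"""

MASK = 0xFFFFFFFF

# Constructed toy handlers; in a real protector these would be obfuscated native code.
def h_mov(ctx, a, b): ctx[a] = ctx[b]
def h_add(ctx, a, b): ctx[a] = (ctx[a] + ctx[b]) & MASK
def h_xor(ctx, a, b): ctx[a] = ctx[a] ^ ctx[b]
def h_sub(ctx, a, b): ctx[a] = (ctx[a] - ctx[b]) & MASK
def h_nop(ctx, a, b): pass

# Arbitrary (constructed) opcode numbers; the analyst does not know this table.
HANDLERS = {0x13: h_mov, 0x2A: h_add, 0x07: h_xor, 0x5C: h_sub, 0x91: h_nop}

# Candidate models for a handler writing slot a from slots a and b.
HYPOTHESES = {
    "mov": lambda x, y: y,
    "add": lambda x, y: (x + y) & MASK,
    "sub": lambda x, y: (x - y) & MASK,
    "xor": lambda x, y: x ^ y,
}


def run_traced(program, ctx):
    """Execute the program, recording (opcode, a, b, before, after) per step."""
    trace = []
    for op, a, b in program:
        before = dict(ctx)
        HANDLERS[op](ctx, a, b)
        trace.append((op, a, b, before, dict(ctx)))
    return trace


def consistent_hypotheses(a, b, before, after):
    """Return the set of model names consistent with one observed invocation."""
    changed = {r for r in before if before[r] != after[r]}
    x, y = before[a], before[b]
    if not changed:
        # No effect: a true nop, or any model whose result equals the old value.
        return {"nop"} | {n for n, f in HYPOTHESES.items() if f(x, y) == x}
    if changed != {a}:
        return set()  # wrote somewhere other than the destination slot: no model fits
    return {n for n, f in HYPOTHESES.items() if f(x, y) == after[a]}


def identify_handlers(trace):
    """Intersect per-opcode candidate sets across the whole trace."""
    cands = {}
    for op, a, b, before, after in trace:
        h = consistent_hypotheses(a, b, before, after)
        cands[op] = h if op not in cands else cands[op] & h
    return {op: sorted(h) for op, h in cands.items()}


def demo():
    """Constructed sample program and initial context; returns the identification result."""
    ctx = {"r0": 5, "r1": 3, "r2": 0, "r3": 10}
    program = [
        (0x13, "r2", "r0"),  # mov r2, r0  (ambiguous on its own: r2 was 0)
        (0x2A, "r0", "r1"),  # add r0, r1
        (0x07, "r1", "r3"),  # xor r1, r3
        (0x13, "r3", "r0"),  # mov r3, r0  (second observation disambiguates 0x13)
        (0x5C, "r2", "r1"),  # sub r2, r1
        (0x91, "r0", "r0"),  # nop (looks like mov r0, r0 on its own)
        (0x91, "r1", "r3"),  # nop again with unequal operands: only "nop" survives
    ]
    return identify_handlers(run_traced(program, ctx))


if __name__ == "__main__":
    for op, names in sorted(demo().items()):
        print(f"opcode 0x{op:02x}: {names}")
```

An empty candidate list means none of the modelled effects fit, which is what you would see for a handler that writes several slots or touches something outside the context; a list with more than one entry means the trace has not yet exercised the handler on inputs that separate the models.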
Thank you for sharing. I'm writing a protector engine and want to learn about it. Could I contact you by your ymess?