The Art of Unpacking
by Mark Vincent Yason
=====================================================

Abstract: Unpacking is an art—it is a mental challenge and is one of the most exciting mind
games in the reverse engineering field. In some cases, the reverser needs to know the
internals of the operating system in order to identify or solve very difficult anti-reversing tricks
employed by packers/protectors; patience and cleverness are also major factors in a
successful unpack. This challenge involves researchers creating the packers and, on the other
side, the researchers who are determined to bypass these protections.

The main purpose of this paper is to present anti-reversing techniques employed by
executable packers/protectors and also to discuss techniques and publicly available tools that
can be used to bypass or disable these protections. This information will allow researchers,
especially malcode analysts, to identify these techniques when utilized by packed malicious
code, and then be able to decide the next move when these anti-reversing techniques impede
successful analysis. As a secondary purpose, the information presented can also be used by
researchers who are planning to add some level of protection to their software by slowing
down reversers from analyzing their protected code, but of course, nothing will stop a skilled,
informed, and determined reverser.


Unpacking a 64-bit EXE with IDA + the Debug plugin

By: obaby

I have been working on 64-bit executables for quite a while now, but have never written anything about it. The previous two articles were purely translations; personally I think that for unpacking, whether 32-bit or 64-bit, it is enough to reach the program's OEP. There do not seem to be many packers that support 64-bit programs yet, so here I give a simple demonstration using the 64-bit notepad from a 64-bit system, compressed with mpress. In "IDA + Bochs debugger plugin for unpacking PE+ format DLLs" I mentioned that the Bochs debugger can be used to unpack DLL files. It cannot, however, debug 64-bit EXE files: after debugging starts the code is completely misidentified, so an exception occurs and debugging is impossible. At present the only way to debug a 64-bit executable is remote debugging; the WinDbg plugin likewise cannot debug it. When debugging with WinDbg, the message shown in Figure 1 is displayed:


Figure 1


Hands-on: unpacking a PE+ DLL with IDA

IDA + Bochs debugger plugin for unpacking PE+ format DLLs

By: obaby

In IDA Pro 6.1 we extended the Bochs debugger plugin, and it can now debug 64-bit code segments. In IDA Pro 6.2 it will likely become possible to dynamically debug PE+ executables. Because the program executes inside the Bochs system, no actual 64-bit operating system is needed during debugging; in practice, 64-bit executables can be debugged with IDA Pro from any 32-bit or 64-bit Linux, Mac OS or Windows operating system.

To confirm this new feature, we will unpack a PE+ format trojan and perform a rough analysis of it; the file is compressed with mpress from MATCODE Software. We will cover unpacking the DLL file, repairing the import table, and finally fixing the database so that it can be analysed.


Unpacking the DLL

Our target file is a trojan DLL, which antivirus software identifies as "Win32/Giku". We start the analysis by loading the DLL with idaq64; once it is loaded, press Ctrl+S to open the segments window:


PECompact 2.x -> Jeremy Collake [Overlay] unpacking

Although overlay data was shown during unpacking, I found that no repair is needed after unpacking.

After loading it in OD (OllyDbg), execution breaks at the entry point below:

00401140 >  B8 D0A19900     mov eax,plistEdi.0099A1D0                ; entry point
00401145    50              push eax
00401146    64:FF35 0000000>push dword ptr fs:[0]
0040114D    64:8925 0000000>mov dword ptr fs:[0],esp
00401154    33C0            xor eax,eax                              ; the SE handler appears after single-stepping to this point
00401156    8908            mov dword ptr ds:[eax],ecx
00401158    50              push eax
00401159    45              inc ebp
0040115A    43              inc ebx

imp64

Here is one tool to fix imports on x64 targets (and to dump them as well). This tool was done almost a year ago. The GUI really sucks, as I'm not very experienced with GUI programming. However, the import fixing code should do just fine, as it uses the 1 API = 1 IID technique which I described in one of my blog entries. The good thing is that the import scanning/fixing code can be extracted from the source without a problem, as it is held in separate files.

Hope that someone will find this tool useful, at least the source code.

Download link 1: http://exelab.ru/download.php?action=get&n=MTAzMA==

Download link 2: http://deroko.phearless.org/imp64.rar