Tuts 4 You

Packers & Protectors

21 files

  1. Unpacking with Anthracene

    Anthracene 01 - UPX 2.01w
    - What is a packer and what does it do?
    - How can we identify a packer?
    - How we can unpack a simple packer like UPX
    - Why the dumped file will crash when we run it
    - What we can do to fix this problem by using ImpRec

    Anthracene 02 - AsPack 2.12
    - How to unpack packers by using the ESP trick (theory)

    Anthracene 03 - ASProtect 1.20
    - Another example of how to unpack using the ESP trick
    - How and why to set Olly's exception passing options in order to unpack
    - Unpacking a program using the 'exception counting trick'
    - Tracing through the SEH of a protector in order to find the OEP
    - How to use some of the more advanced ImpRec features in order to rebuild imports that aren't fixed straight away

    Anthracene 04 - PolyEnE 0.01
    - No ESP trick, no exception counting: straightforward logical thinking!

    200 downloads

  2. Themida + WinLicense 1.x - 2.x CRC Fixer

    I created a video tutorial where you can see how to use my script. I also added some UnpackMes which you can test as well. If something does not work, post a reply in my topic.

    195 downloads

  3. VMProtect CRC Bypass Methods

    Today I want to show you two ways to bypass the CRC checks in VMProtected targets easily. I found two different methods which you can use for this. You can also use these methods for some other protections like Themida and WinLicense too. I created a large tutorial package for you with three video tutorials and one text tutorial, and I have also noted all the important steps in different text files which you can read and follow so that nothing can go wrong if you try these ways yourself. I created two different MultiASM [M1 & M2] templates which you can use with the plugin [see tools folder] to write my dynamic patch into your added section. You just need to fill in some RVA values.

    180 downloads

  4. VMProtect Defeating the CRC

    A tutorial showing a method of defeating VMProtect's checksum scheme.

    144 downloads

  5. VMProtect Simple Virtual Machine Overview

    A video showing how VMProtect's virtual machine operates and how to understand it.

    150 downloads

  6. Make Your Own Packer

    You probably all know what a packer is; there are already many of them, ranging from simple ones such as UPX or FSG to more complex ones such as Themida, Armadillo and many others.
    The purpose of a packer is primarily to compress an executable (which is what UPX and FSG do), but also to protect it from any person, ill-intentioned or not, who wants to crack your program.
    As for the question of why I would make my own packer when there are many others, probably more advanced than mine: I would simply say that this project is very interesting because it requires a good knowledge of the mechanisms the system provides to perform a task. I learned a great deal in making it, and my goal now is to share that with you.

    84 downloads

  7. Armadillo - ECDSA Patching

    I had a lot of free time to spend and therefore I created a full tutorial about replacing Armadillo's ECDSA public parameters. I will start from the beginning and set hardware breakpoints and so on to show you how time-consuming a process reversing can be.

    The tutorial includes an UnPackMe, the text file so you can try things yourself, and a few useful tools (source available on request).

    42 downloads

  8. Debugging and Unpacking NsPack 3.4 - 3.7

    This document provides instructions on how to unpack NsPack 3.4 and 3.7 using the OllyDbg debugger. The OllyScripts used in this process are included in the appendices. The custom plug-ins that are used to automate the procedure are provided with their source code. This paper also includes instructions on how to fully restore the import table so the file can be restored to its original state and executed. This is continued further with instructions on how to convert the machine code (assembly language) into a higher-level language (in this paper we will use C) so that an analyst can better understand the workings and purpose of the packer.

    Unfortunately, many commercial antivirus vendors have not adequately analyzed the NsPack binary and compression routine. This has led to the unfortunate situation where major anti-malware vendors are misclassifying NsPack (and other PE Packers) as Trojans (figure 3.1). In section 6 we will show through both static analysis and dynamic execution that NsPack is not a Trojan but a simple PE compression utility.

    NsPack remains one of the most common PE packers, with high rates of reported use and discovery. Oberheide, Bailey, & Jahanian (2009) used Arbor Networks' Arbor Malware Library (AML) to analyze the distribution of PE packers. The results are displayed in figure 3.2. In these tables we see that NsPack is in the top 10 list of PE packers used on malware samples stored in the AML database.

    While this paper focuses on NsPack, the general principles are designed to enable the reader to learn how to apply the process to other PE packers. NsPack 3.x is a simple compressor. It does not support anti-debug or anti-disassembly features. It uses configurable section names (defaulting to .nsp). In this document we will walk through both the NsPack 3.4 and 3.7 versions.

    54 downloads

  9. How To Write Your Own Packer

    Why write your own packer when there are so many existing ones to choose from? Well, aside from making your executables smaller, packing is a good way to quickly and easily obfuscate your work. Existing well-known packers either have an explicit 'unpack' function, or there are readily available procdump scripts for generating an unpacked version.

    54 downloads

  10. Writing Dynamic Unpackers for Fun with TitanEngine

    This tutorial will try to cover some of the functions included in the TitanEngine SDK, dynamic unpacker programming using the TitanEngine SDK, and FUU ([F]aster [U]niversal [U]npacker).

    First of all I would like to mention that this tutorial is going to be about a tool that I came across a few years ago through a presentation at BlackHat 2009. Unfortunately I was not lucky enough to go to that conference, but I could read the papers that were presented there, and one of them in particular caught my attention. It was about an SDK designed for file analysis and unpacking, called TitanEngine, from the people at ReversingLabs, among them aP0x (a well-known reverser and author of the famous tool RLPack).

    After we take a look at the framework, we are going to see a little tool that I made whose core is based on this framework. I use it to develop unpackers in an easy and quick way without worrying too much about implementing functions like dumping, adding a section to the binary, etc.; these are the things the framework does for us.

    28 downloads

  11. Deep Packer Inspection - A Longitudinal Study of the Complexity of Run-Time Packers

    Run-time packers are often used by malware-writers to obfuscate their code and hinder static analysis. The packer problem has been widely studied, and several solutions have been proposed in order to generically unpack protected binaries. Nevertheless, these solutions commonly rely on a number of assumptions that may not necessarily reflect the reality of the packers used in the wild. Moreover, previous solutions fail to provide useful information about the structure of the packer or its complexity. In this paper, we describe a framework for packer analysis and we propose a taxonomy to measure the runtime complexity of packers.

    We evaluated our dynamic analysis system on two datasets, composed of both off-the-shelf packers and custom packed binaries. Based on the results of our experiments, we present several statistics about the packers' complexity and their evolution over time.

    29 downloads

  12. Armadillo - Understanding Environment Variables

    In this tutorial I take the viewer on a small trip through Armadillo's environment variables. What they are and how to patch them is the general question. The target is a self-compiled unpackme.

    52 downloads

  13. An Analysis of Modern Security Software Protections

    Billions of dollars are lost to software piracy each year, a figure proportional to the state of our security software. This essay will focus on and analyze the current protection methods of security software, ranging from anti-dump and anti-trace to virtual machines. It will analyze each protection feature for strengths and weaknesses and present a holistic analysis of modern security protection mechanisms. These protection methods will be tested against modern live analysis tools actively used by the reverse engineering community today. Unorthodox methods may be used, as reverse engineers have a variety of options since they are the end-users. The protection schemes will be compared relative to their difficulty of implementation, run-time deficiencies (only applies to virtual machines), and their ability to hinder or stop reverse engineering processes, each scheme analyzed on an implementation and execution basis. The findings are shocking but in line with our modern markets and community today; it is shown that current software defense methodologies are not up to standard, their protection can be easily circumvented, and the exorbitant price tag of software piracy is to be expected.

    37 downloads

  14. x86 Code Compression in kkrunchy

    This is about the "secret ingredient" in my EXE packer kkrunchy, which was used in our (Farbrausch) 64k intros starting from "fr-030: Candytron", and also in a lot of other 64k intros or similarly size-limited productions by other groups, including several well-known 64ks from Conspiracy, Equinox and Fairlight, I'm happy to add.

    21 downloads

  15. Realizing Import Redirection

    Before I start I would like to say thanks to all the great reversers writing tutorials and explaining the whens and whys; it seems that this way of writing got lost somewhere during RE evolution... There will also be a dedicated section on techniques for hindering import reconstruction.

    So, here is a list of how to do import redirection in your programs. Enjoy.

    29 downloads

  16. PE Packers Opcodes Graphics

    Three info-graphic projects showing the structure of portable executables, packers and opcodes.

    28 downloads

  17. A Study of the Packer Problem and Its Solutions

    An increasing percentage of malware programs distributed in the wild are packed by packers, which are programs that transform an input binary's appearance without affecting its execution semantics, to create new malware variants that can evade signature-based malware detection tools. This paper reports the results of a comprehensive study of the extent of the packer problem, based on data collected at Symantec, and of the effectiveness of existing solutions to this problem. Then the paper presents a generic unpacking solution called Justin (Just-In-Time AV scanning), which is designed to detect the end of unpacking of a packed binary's run and invoke AV scanning against the process image at that time. For accurate end-of-unpacking detection, Justin incorporates the following heuristics: Dirty Page Execution, Unpacker Memory Avoidance, Stack Pointer Check and Command-Line Argument Access. Empirical testing shows that when compared with SymPack, which contains a set of manually created unpackers for a collection of selected packers, Justin's effectiveness is comparable to SymPack for binaries packed by these supported packers, and is much better than SymPack for binaries packed by those that SymPack does not support.

    29 downloads

  18. Armadillo - Patching Environment Variables at Runtime

    Yesterday evening I was busy with that ArmLvl0.dll (Level 0 unsigned keys brute forcer) and I discovered that you need to know the EXTRAINFO parameter if you want to properly brute-force a key... Therefore I decided to take a look in Armadillo's security.dll and I discovered that you can see ALL the environment variables and values (including the custom ones) in the currently used certificate. Because I don't want to post a video on this (no time) I decided to write a small essay. Just to describe what I did:

    01. Detach the debug blocker (OpenMutexA or WriteProcessMemory method)
    02. Breakpoint on VirtualProtect
    03. Run
    04. Go to the address that is protected (always quite high). Check my HWID tuts for this
    05. Search for all referenced text strings while you are at that address in the CPU window
    06. Go to the referenced address of ALTUSERNAME (for example; others can be used too)
    07. Search down for the first call after the reference (PUSH (UNICODE)"ALTUSERNAME")
    08. Follow that call and put a HWBP on the entry of the function the call leads to
    09. Run
    10. ESP+4 is the variable name (including the custom ones)
    11. ESP+8 is the value for that variable in the currently used certificate

    This info is nice... BUT the question is: how to modify a variable? Answer: just change ESP+8 every time the variable you want to change pops up... (EVERY TIME).

    31 downloads

  19. Standards and Policies on Packer Use

    Packers, whether third-party or bespoke, are still widely used by malware authors in an attempt to evade detection. Conficker, FakeAV, Bredolab and TDSS are but a few examples of malware which make extensive use of packers. The wide variety of packers used for both legitimate and malicious purposes poses a challenge for the anti-virus industry. The anti-virus community has decided, within the framework of the Malware Working Group (MWG) within the Industry Connections Security Group (IEEE ICSG http://standards.ieee.org/prod-serv/indconn/icsg), to address the issue of packers with a common voice.

    In addition, the stigma and the anti-virus detections associated with the use of legitimate packers by malware, along with the performance impact related to scanning benign packed files, are likely to lead to an impact on both the reputation and revenue of the packer vendors involved. Therefore it is in the best interests of both parties to work together to identify and implement solutions to the core issues associated with packers.

    One of the fruits of the collaborative IEEE ICSG sessions, involving representatives from across the anti-virus industry, is a document describing various packer properties and standards for their use. This document is intended to provide a yardstick for the formulation of policy on how to treat different packers and a potential set of best practice guidelines for packer vendors. The specific contents of the document are subject to the outcome of negotiations with packer vendors.

    It is hoped that the guidelines can be used to improve end-user security through the concerted efforts of the anti-virus industry when dealing with packers, and via cooperation and information exchange with packer vendors. Thus it is expected to facilitate a more robust approach to the generic static flagging of suspicious packed files for the benefit of all (other than the malware authors, of course).

    19 downloads

  20. Collective Classification for Packed Executable Identification

    Malware is any software designed to harm computers. Commercial antivirus products are based on signature scanning, a technique that is effective only when the malicious executables have been previously analysed and identified. Malware writers employ several techniques in order to hide their actual behaviour. Executable packing consists in encrypting or hiding the real payload of the executable. Generic unpacking techniques do not depend on the packer used, as they execute the binary within an isolated environment (namely a "sandbox") to gather the real code of the packed executable. However, this approach is slow and, therefore, a filter step is required to determine whether an executable has been packed. To this end, supervised machine learning approaches trained with static features from the executables have been proposed. Notwithstanding, supervised learning methods need the identification and labelling of a high number of packed and not packed executables. In this paper, we propose a new method for packed executable detection that adopts a collective learning approach to reduce the labelling requirements of completely supervised approaches. We performed an empirical validation demonstrating that the system maintains a high accuracy rate while the labelling effort is lower than when using supervised learning.
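    As an added worked example (Python, not code from any tutorial or paper listed here), the static-feature side of the packed-executable identification described above, which is also the "how can we identify a packer?" question from the Anthracene tutorials at the top of this list: a small PE section-table parser that scores three cheap static signals (well-known packer section names such as UPX0/UPX1 or NsPack's .nsp*, per-section Shannon entropy, and an entry point outside the first section or in a section that is empty on disk) and runs them over three constructed in-memory images. The section-name table and the sample images are assumptions built for this example; the name table is partial, and the 7.0 bits/byte threshold is a common rule of thumb rather than a value from any of these papers.

```python
# Added example (not from the listed tutorials): static packer triage of a PE image.
import math
import random
import struct
from collections import Counter

# Default section names of a few well-known packers (constructed, partial table).
# NsPack and others let the user rename these, so a name hit is only a weak signal.
PACKER_SECTION_NAMES = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".nsp0": "NsPack", ".nsp1": "NsPack", ".nsp2": "NsPack",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".vmp0": "VMProtect", ".vmp1": "VMProtect", ".vmp2": "VMProtect",
}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """DOS -> PE signature -> COFF -> optional header -> section table; returns (entry RVA, sections)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                         "vsize": vsize, "rawsize": rawsize,
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
    return entry_rva, sections


def assess(image: bytes) -> dict:
    """Combine name, entropy, on-disk size and entry-point placement into a triage verdict."""
    entry_rva, sections = parse_sections(image)
    signals, guesses = [], set()
    for s in sections:
        packer = PACKER_SECTION_NAMES.get(s["name"])
        if packer:
            guesses.add(packer)
            signals.append(f"section {s['name']} is a {packer} default name")
        if s["rawsize"] >= 256 and s["entropy"] >= HIGH_ENTROPY:
            signals.append(f"section {s['name']} has entropy {s['entropy']:.2f}")
        if s["rawsize"] == 0 and s["vsize"] > 0:  # room for the stub to unpack into
            signals.append(f"section {s['name']} is empty on disk but {s['vsize']:#x} bytes in memory")
    entry = next((s for s in sections
                  if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if entry is None:
        signals.append(f"entry point {entry_rva:#x} lies outside every section")
    elif entry is not sections[0]:  # compilers normally start execution in the first section
        signals.append(f"entry point is in {entry['name']}, not the first section")
    return {"entry_section": entry["name"] if entry else None, "packer_guess": sorted(guesses),
            "signals": signals, "likely_packed": len(signals) >= 2}


def build_pe(sections, entry_rva: int) -> bytes:
    """Minimal PE32 image (constructed test input); sections = [(name, vaddr, vsize, raw_bytes)]."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    raw_base = (64 + len(coff) + len(opt) + 40 * len(sections) + 0x1FF) & ~0x1FF  # 0x200-aligned
    table, body = bytearray(), bytearray()
    for name, vaddr, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, len(raw),
                             raw_base + len(body) if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
    image = bytes(dos) + coff + bytes(opt) + bytes(table)
    return image + b"\0" * (raw_base - len(image)) + bytes(body)


# Constructed samples: a plain build, a UPX-style layout, and that layout with the
# tell-tale names removed (only entropy and entry-point placement give it away).
_rng = random.Random(1)
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for compressed code
PLAIN_CODE = b"\x55\x8b\xec\x83\xc4\x10\x5d\xc3" * 512  # repetitive x86 filler, entropy 3.0
SAMPLES = {
    "plain": build_pe([(b".text", 0x1000, 0x1000, PLAIN_CODE), (b".data", 0x2000, 0x1000, b"\0" * 512)], 0x1000),
    "upx_like": build_pe([(b"UPX0", 0x1000, 0x10000, b""), (b"UPX1", 0x11000, 0x2000, PACKED_BLOB)], 0x11000),
    "renamed": build_pe([(b".text", 0x1000, 0x10000, b""), (b".data", 0x11000, 0x2000, PACKED_BLOB)], 0x11000),
}

if __name__ == "__main__":
    for label, image in SAMPLES.items():
        print(label, assess(image))
```

    The third sample is the one that matters: with the packer's default section names replaced by .text/.data the name lookup yields nothing, yet the empty-on-disk first section, the near-8.0 entropy of the second and the entry point sitting in it still flag the file, which is why a feature-based classifier like the one in the paper leans on more than strings. A real triage would also read the import table size and section permissions, which this parser deliberately leaves out.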

    17 downloads

  21. Compressing Encrypted Data

    The classical way of transmitting redundant data over a bandwidth-constrained insecure channel is to first compress it and then encrypt it. This report investigates the novelty of reversing the order of compression and encryption, without compromising either the compression efficiency or the information secrecy. Although counter-intuitive, principles from source coding with side information can be used to make this reversal possible. In certain scenarios, no more randomness in the key is required than in the traditional system.

    23 downloads
