xSRTsect Posted September 10, 2014

Probably some of you know what I am talking about. I have recently got "PiaoYun_KongDao"'s Hex-Rays decompiler release (allegedly the latest Hex-Rays release). Without further ado, I will let you know what caught my eye and my concern: it seems that, contrary to what is normal, this comes with two plugins: the typical "hexrays.plw" and another one called "PiaoYun_KongDao_F5.plw".

Now, I am not even sure which is called first, but a quick look at "PiaoYun_KongDao_F5.plw" suggests that it is packed with ASPack. After stripping out the packer and looking at the unpacked code, one easily notices some virtualized routines with VMProtect. This is strange, what is he hiding? This doesn't look healthy at all.

If you are not sure about what is happening either, don't use this release and don't execute his code.

Regards.
xSRTsect
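The kind of first-pass triage described in the post (spotting a packer and a virtualizer before ever loading the plugin) can be scripted against the PE section table. The following is an added example written for this page; it is not code from the poster or from any of the tools named. It parses the section headers of a PE file and flags three heuristics: section names that ASPack (".aspack", ".adata") and VMProtect (".vmp0", ".vmp1", ".vmp2") are known to leave behind, sections whose Shannon entropy is near 8 bits per byte (a compressed or encrypted payload), and sections marked both writable and executable (where an unpacking stub typically decompresses into). The sample PE-shaped blob is constructed inline so the script runs offline; it is not a loadable image and not the plugin from the post. The 7.0-bit entropy threshold is an assumed heuristic, and all three signals are trivially evaded by renaming sections, so treat hits as a reason to look closer, not as proof.

```python
import math
import struct
from collections import Counter

# Section names that ASPack and VMProtect are known to write. Heuristic only:
# a packer can be told to use any name, so absence proves nothing.
PACKER_SECTION_NAMES = {
    b".aspack": "ASPack",
    b".adata": "ASPack",
    b".vmp0": "VMProtect",
    b".vmp1": "VMProtect",
    b".vmp2": "VMProtect",
}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes):
    """Yield (name, raw_bytes, characteristics) for each section header."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    sec_table = coff + 20 + opt_size          # section table follows the optional header
    for i in range(num_sections):
        off = sec_table + 40 * i
        name, _vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", blob, off)
        chars = struct.unpack_from("<I", blob, off + 36)[0]
        yield name.rstrip(b"\0"), blob[rptr:rptr + rsize], chars


def triage(blob: bytes, entropy_threshold: float = 7.0) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    for name, data, chars in pe_sections(blob):
        label = name.decode("ascii", "replace")
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{label}: section name associated with {PACKER_SECTION_NAMES[name]}")
        ent = shannon_entropy(data)
        if data and ent >= entropy_threshold:
            findings.append(f"{label}: entropy {ent:.2f} bits/byte (compressed or encrypted payload?)")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{label}: writable+executable (unpacker stub target?)")
    return findings


def build_sample_pe(sections) -> bytes:
    """Constructed sample: a minimal PE-shaped blob with the given (name, data, chars) sections.
    It has valid MZ/PE/COFF/section headers but is NOT a loadable image."""
    opt_size = 224                                   # PE32 optional header size
    header_size = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw = bytearray(header_size)
    raw[0:2] = b"MZ"
    struct.pack_into("<I", raw, 0x3C, 0x40)          # e_lfanew -> PE signature
    raw[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<HHIIIHH", raw, coff, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    struct.pack_into("<H", raw, coff + 20, 0x10B)    # PE32 magic, rest of optional header zeroed
    sec_table = coff + 20 + opt_size
    ptr, body = header_size, bytearray()
    for i, (name, data, chars) in enumerate(sections):
        off = sec_table + 40 * i
        struct.pack_into("<8sIIII", raw, off, name.ljust(8, b"\0"), len(data), 0x1000 * (i + 1), len(data), ptr)
        struct.pack_into("<I", raw, off + 36, chars)
        ptr += len(data)
        body += data
    return bytes(raw) + bytes(body)


# Constructed input: a plain code section, an ASPack-style high-entropy W+X section, and .adata.
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x90" * 512 + b"\xc3", 0x60000020),            # CODE|EXECUTE|READ, low entropy
    (b".aspack", bytes(range(256)) * 4, 0xE0000040),            # EXECUTE|READ|WRITE, entropy 8.0
    (b".adata", b"\0" * 16, 0xC0000040),                        # READ|WRITE data
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_PE):
        print(finding)
```

On a real file, replace `SAMPLE_PE` with `open(path, "rb").read()`; the parser only reads headers and raw section bytes, so it never maps or executes anything. A file that trips the name or entropy checks is exactly the case the post describes: unpack it in an isolated environment and inspect what runs, rather than dropping it into the IDA plugins directory.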