xSRTsect Posted September 10, 2014

Probably some of you know what I am talking about. I have recently got "PiaoYun_KongDao"'s hex rayz code decompiler release (allegedly the latest hex rayz release). Without further ado, I will let you know what caught my eye and my concern: it seems that, contrary to what is normal, this comes with two plugins: the typical "hexrays.plw" and another one called "PiaoYun_KongDao_F5.plw". Now, I am not even sure which is called first, but from a quick look at "PiaoYun_KongDao_F5.plw" it seems that it is packed with ASPack. After stripping out the packer and looking at the unpacked code, one easily notices some routines virtualized with vmprotect. This is strange, what is he hiding? This doesn't look healthy at all. If you are not sure about what is happening either, don't use this release and don't execute his code.

Regards.
xSRTsect
zadow Posted September 10, 2014

I agree, there wouldn't be any good reason why such a file would be packed. I didn't notice this release. Have you checked if the packed area concerns the license area? It would be right after the non-crypted license name. There should be a SHA1 hash that can't be hex-edited.
xSRTsect (Author) Posted September 10, 2014

I hardly think that is the case. https://www.sendspace.com/file/matan9
zadow Posted September 11, 2014 (edited)

What is the password for the original package? Never mind, it's just esets 1.5 decompiler.

Edited September 11, 2014 by zadow