Tuts 4 You

PiaoYun_KongDao friend or foe?



Probably some of you know what I am talking about. I have recently got "PiaoYun_KongDao"'s hex rayz code decompiler release (allegedly the latest hex rayz release). Without further ado, I will let you know what caught my eye and my concern: it seems that, contrary to what is normal, this comes with two plugins: the typical "hexrays.plw" and another one called "PiaoYun_KongDao_F5.plw". Now, I am not even sure which is called first, but from a quick look at "PiaoYun_KongDao_F5.plw" it seems that it is packed with ASPack. After stripping out the packer and looking at the unpacked code, one easily notices some routines virtualized with VMProtect. This is strange, what is he hiding? This doesn't look healthy at all. If you are not sure about what is happening either, don't use this release and don't execute his code.
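A static first-pass check for the markers the post above describes, as an added example that is not part of the original thread: it reads a plugin's PE section table without loading the file, flags default ASPack and VMProtect section names, and lists high-entropy sections. The section-name list, the 7.0 entropy threshold and the sample bytes are assumptions constructed here, not taken from the release.

```python
import math
import struct
from collections import Counter

# Default section names of the two protectors named in the post; renameable, so a miss proves nothing.
PACKER_SECTIONS = {".aspack": "ASPack", ".adata": "ASPack",
                   ".vmp0": "VMProtect", ".vmp1": "VMProtect"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data approaches 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe: bytes):
    """Return [(name, raw_bytes)] from the section table; nothing is executed."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections at +6 and SizeOfOptionalHeader at +20 from the signature.
    nsect, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    out = []
    for off in range(table, table + 40 * nsect, 40):
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        out.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return out

def triage(pe: bytes, high_entropy: float = 7.0):
    """Return (sorted protector hints, names of high-entropy sections)."""
    hints, dense = set(), []
    for name, raw in parse_sections(pe):
        if name.lower() in PACKER_SECTIONS:
            hints.add(PACKER_SECTIONS[name.lower()])
        if entropy(raw) >= high_entropy:
            dense.append(name)
    return sorted(hints), dense

def build_sample() -> bytes:
    """Constructed PE skeleton (headers plus filler), not a real plugin."""
    names = [b".text", b".aspack", b".vmp0"]
    head = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0)
    body_off, table, body = len(head) + 40 * len(names), b"", b""
    for n in names:
        table += n.ljust(8, b"\0") + struct.pack("<IIII", 256, 0, 256, body_off + len(body)) + b"\0" * 16
        body += bytes(range(256)) if n == b".vmp0" else b"\x90" * 256
    return head + table + body
```

On a real file, pass the bytes read from disk to `triage()`; a hit only says the file deserves analysis in an isolated environment before anything loads it.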

I agree there wouldn't be any good reason why such a file would be packed.

I didn't notice this release. Have you checked if the packed area concerns the license area? It would be right after the non-crypted license name. There should be a SHA1 hash that can't be hex-edited.
