From Collaborative RCE Knowledge Library

Jump to: navigation, search

Unpacking


Item name: Silver Needle in the Skype
Rating: 4.0 (1 vote)
Author: Philippe Biondi, Fabrice Desclaux                        
Home URL: http://www.secdev.org
Last updated: March 2, 2006
Version (if appl.):
Direct D/L link: http://www.secdev.org/conf/skype_BHEU06.pdf
Description: Phillipe Biondi and Patrice Desclaux from EADS completely reversed Skype.
In 3 steps (binary analysis, network analysis, advanced skype manipulation) they show you the beast and how clever it was designed. But it also shows negative points: a security policy with skype is nearly impossible, it can be exploited as a botnet, it is very difficult to monitor its traffic to prevent the bad from the rest. A must read.
Also listed in: Generic Anti Reversing Articles, Generic Protection Technique Articles, Generic Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Alien Autopsy rev. 2008
Rating: 0.0 (0 votes)
Author: TiGa                        
Home URL: http://www.woodmann.com/TiGa/
Last updated:
Version (if appl.):
Direct D/L link: http://www.woodmann.com/TiGa/videos/TiGa-vid9.htm
Description: This video tutorial will teach you how to reverse a Windows crackme under Linux with IDA Pro.
Also listed in: Linux Tool Tutorials, Linux Unpacking Tutorials, Windows Tool Tutorials, Windows Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Anti-Anti Dump and Nonintrusive Tracers
Rating: 0.0 (0 votes)
Author: deroko                        
Home URL: http://www.accessroot.com/
Last updated:
Version (if appl.):
Direct D/L link: http://185.62.190.110/accessroot/arteam/site/download.php?view.10
Description: "A novel method to manage new anti-dump buffer-based protections used by latest protectors as AsProtect SKE, Armadillo etc (sources included)"
Also listed in: Windows Anti Reversing Articles, Windows Internals Articles, Windows Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Beginners Guide to Basic Linux Anti Anti Debugging Techniques
Rating: 0.0 (0 votes)
Author: M. Schallner                        
Home URL: http://home.pages.at/f001/
Last updated: May 2006
Version (if appl.):
Direct D/L link: http://www.codebreakers-journal.com/downloads/cbj/2006/CBM_3_1_2006_Schallner_Beginners_Guide_to_Basic_Linux_Anti_Anti_Debugging_Techniques.pdf
Description: This article from CodeBreaker's Journal is inspired from _mammon's tales and Silvio Cesare's work.

"Anti-debugging techniques are a common method for protecting software applications. Meanwhile such kind of protection tricks are often used, several approaches work against such kind of protection. One known method are anti-anti tricks which circumvent the mentioned protection schemes. This paper confines to techniques and methods used for Linux platform applications, especially dealing with the operation platforms specific tools."
Also listed in: Linux Anti Reversing Articles, Linux Protection Technique Articles, Linux Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Creating Keygens for Cocoa Applications
Rating: 0.0 (0 votes)
Author: whimsy                        
Home URL: N/A
Last updated: 2006
Version (if appl.):
Direct D/L link: Locally archived copy
Description: "This document is an attempt at giving the reader an overview of basic keygen
techniques as they apply to Cocoa applications on the Macintosh. To accomplish
this, we will go through the steps necessary to create a keygen for the
"Pixadex" application, version 1.5.5, which is like iPhoto for icons."
Also listed in: Mac OS Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: How to Solve Crackmes for Dummies in Video
Rating: 0.0 (0 votes)
Author: TiGa                        
Home URL: http://www.woodmann.com/TiGa/
Last updated:
Version (if appl.):
Direct D/L link: http://www.woodmann.com/TiGa/videos/TiGa-vid4_part1.htm
Description: This video tutorial will teach you how to solve crackmes with IDA Pro in a first part, and keygenning in a second part (the secon part video is linked below).
Also listed in: Windows Tool Tutorials, Windows Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Linux anti-debugging techniques (fooling the debugger)
Rating: 0.0 (0 votes)
Author: Silvio Cesare                        
Home URL: http://virus.beergrave.net
Last updated: January 1999
Version (if appl.):
Direct D/L link: http://www.phiral.net/other/linux-anti-debugging.txt
Description: TABLE OF CONTENTS
-----------------

INTRODUCTION
FALSE DISASSEMBLY
DETECTING BREAKPOINTS
SETTING UP FALSE BREAKPOINTS
DETECTING DEBUGGING


"This article describes anti debugger techniques for x86/Linux (though some of
these techniques are not x86 specific). That is techniques to either fool,
stop, or modify the process of debugging the target program. This can be
useful to the development of viruses and also to those implementing software
protection."
Also listed in: Linux Anti Reversing Articles, Linux Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: OSX Cracking 101
Rating: 0.0 (0 votes)
Author: Corsec                        
Home URL: www.corruptfire.com
Last updated:
Version (if appl.):
Direct D/L link: Locally archived copy
Description: "There are a few ways to crack apps. One of them we will be doing in this app, but other should be covered in the future. This process can be used on some shareware apps, but most shareware developers are smarter then
this one, and dont code a serial generating function right into the app. This is rare, and for any of you developers out there, DONT DO THIS! Its VERY VERY BAD!"
Also listed in: Mac OS Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: OSX cracking 102
Rating: 0.0 (0 votes)
Author: Corsec                        
Home URL: www.corruptfire.com
Last updated:
Version (if appl.):
Direct D/L link: Locally archived copy
Description: "This document will cover simple Nop (No operation) cracks and is slightly more practical in the real world. Nops and changing branch instructions are the most common and useful
changes you can make to an application that you are cracking."
Also listed in: Mac OS Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: OSX cracking 103
Rating: 0.0 (0 votes)
Author: Corsec                        
Home URL: www.corruptfire.com
Last updated:
Version (if appl.):
Direct D/L link: Locally archived copy
Description: "Lets start off with a little disclaimer. Please note that this is for educational purposes only. It will teach someone how to remove protections from programs, but not encourage it for
illegal purposes. The idea, in the guide is to show how people add protections onto software, and how you can use your skills as a computer expert to undo those protections, etc... I am
not responsible for how you use this information. Once you know this stuff, its out of my hands and i have no control what you do, weather it be to use it for illegal activities or go
masturbate. Don't Crack Software, Stealing is Wrong! With that said, lets get Started :D"
Also listed in: Mac OS Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Process Dump and Binary Reconstruction
Rating: 0.0 (0 votes)
Author: ilo                        
Home URL: http://www.phrack.com
Last updated:
Version (if appl.):
Direct D/L link: http://www.phrack.com/issues.html?issue=63&id=12&mode=txt
Description: This article describes process dumping and binary reconstruction, through the coding of a tool called PD.

"PD is a proof of concept tool being released to help rebuilding
or recovering a binary file from a running process, even if the file never
existed in the disk. Computer Forensics, reverse engineering, intruders,
administrators, software protection, all share the same piece of the puzzle
in a computer."
Also listed in: Linux Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Resolving ELF Relocation Name / Symbols
Rating: 0.0 (0 votes)
Author: Chris Rohlf                        
Home URL: http://em386.blogspot.com
Last updated: October 7, 2007
Version (if appl.):
Direct D/L link: http://em386.blogspot.com/2006/10/resolving-elf-relocation-name-symbols.html
Description: This article explains how relocation is done for names and symbols

"From the ELF 1.2 standard:

"Relocation is the process of connecting symbolic references with symbolic definitions. For example, when a program calls a function, the associated call instruction must transfer control to the proper destination address at execution. In other words, relocatable files must have information that describes how to modify their section contents, thus allowing executable and shared object files to hold the right information for a process's program image. Relocation entries are these data.""
Also listed in: Linux Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Solving 4 easy unpackmes
Rating: 0.0 (0 votes)
Author: NullPointerException (aka AttonRand)                        
Home URL: N/A
Last updated: May 30, 2010
Version (if appl.): N/A
Direct D/L link: Locally archived copy
Description: I wrote this tutorial a month ago for CrackLatinos and i received a good feedback. That's why i decided to release it to public.
It will show you how to unpack 4 easy unpackmes; one of them uses an interesting driver protection (FishPE).
For completeness check another approach to the same target by [CLS]Guan by following the link below.
The tutorial is in text format.
Also listed in: Windows Unpacking Crackmes
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Solving pnluck's x64 CrackMe
Rating: 0.0 (0 votes)
Author: TiGa                        
Home URL: http://www.woodmann.com/TiGa/
Last updated:
Version (if appl.):
Direct D/L link: http://www.woodmann.com/TiGa/videos/TiGa-vid11.htm
Description: This video tutorial will teach you how to solve Pnluck's x64 crackme with IDA Pro.
Also listed in: Windows Tool Tutorials, Windows Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Stepping with GDB during PLT uses and .GOT fixup
Rating: 0.0 (0 votes)
Author: mayhem                        
Home URL: http://www.eresi-project.org
Last updated:
Version (if appl.):
Direct D/L link: http://s.eresi-project.org/inc/articles/elf-runtime-fixup.txt
Description: "This text is a GDB tutorial about runtime process fixup using the Procedure
Linkage Table section (.plt) and the Global Offset Table section (.got) .
If you dont know what is ELF, you should read the ELF ultimate documentation
you can find easily on google .

Some basic ASM knowledge may be requested .

This text has not been written for ELF specialists . This tutorial is an
alternative , interactive way to understand the PLT mechanisms. "
Also listed in: Linux ELF Articles, Linux Internals Articles, Linux Tool Articles, Linux Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Stop fishing and start keygenning!
Rating: 0.0 (0 votes)
Author: TiGa                        
Home URL: http://www.woodmann.com/TiGa/
Last updated:
Version (if appl.):
Direct D/L link: http://www.woodmann.com/TiGa/videos/TiGa-vid8_part1.htm
Description: This video tutorial will introduce you to the fine art of keygenning with the help of IDA Pro.
(Don't miss the second video, about serial generation).
Also listed in: Windows Tool Tutorials, Windows Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: TLS-CallBacks and preventing debugger detection with IDA Pro
Rating: 0.0 (0 votes)
Author: TiGa                        
Home URL: http://www.woodmann.com/TiGa/
Last updated:
Version (if appl.):
Direct D/L link: http://www.woodmann.com/TiGa/videos/TiGa-vid6.htm
Description: This video tutorial will inform you about TLS callbacks and anti anti debugging with IDA Pro.
Also listed in: Windows Internals Tutorials, Windows Tool Tutorials, Windows Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: The Life of Binaries
Rating: 0.0 (0 votes)
Author: Xeno Kovah                        
Home URL: http://opensecuritytraining.info/
Last updated: September 6, 2011
Version (if appl.):
Direct D/L link: http://opensecuritytraining.info/LifeOfBinaries.html
Description: This is a 2 day class which is freely available to watch. You can also take the materials and use them to teach your own classes.

--


Topics include but are not limited to:
• Scanning and tokenizing source code.
• Parsing a grammar.
• Different targets for x86 assembly object files generation. (E.g. relocatable vs. position independent code).
• Linking object files together to create a well-formed binary.
• Detailed descriptions of the high level similarities and low level differences between the Windows PE and Linux ELF binary formats. (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)
• How an OS loads a binary into memory and links it on the fly before executing it.

Along the way we discuss the relevance of security at different stages of a binary’s life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way which malware “packers” duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR).

Lab work includes:
• Manipulating compiler options to change the type of assembly which is output
• Manipulating linker options to change the structure of binary formats
• Reading and understanding PE files with PEView
• Reading and understanding ELF files with Readelf (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)
• Using WinDbg and/or GDB to watch the loader dynamically link an executable
• Using Thread Local Storage (TLS) to obfuscate control flow and serve as a basic anti-debug mechanism
• Creating a simple example virus for PE
• Analyze the changes made to the binary format when a file is packed with UPX
• Using the rootkit technique of Import Address Table (IAT) hooking to subvert the integrity of a program’s calls to external libraries, allowing files to be hidden.

Knowledge of this material is recommended, but not required, for future classes such as Rootkits, but is required for reverse engineering. (Both also at http://opensecuritytraining.info/Training.html)
Also listed in: Generic Malware Analysis Tutorials, Generic Protection Technique Tutorials, Generic Reversing Technique Tutorials, Linux ELF Articles, Windows Internals Tutorials, Windows Malware Analysis Tutorials, Windows Reversing Technique Tutorials, Windows Tool Tutorials, Windows Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Unpacking MPRESS 1.07 (x64)
Rating: 0.0 (0 votes)
Author: TiGa                        
Home URL: http://www.woodmann.com/TiGa/
Last updated:
Version (if appl.):
Direct D/L link: http://www.woodmann.com/TiGa/videos/MPRESS-64.htm
Description: This video tutorial will teach you to quickly unpack MPRESS 1.07 for x64.
(This video require a Flash player plugin for your Web browser)
Also listed in: Windows Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Unpacking PESpin x64 Pre-Alpha
Rating: 0.0 (0 votes)
Author: TiGa                        
Home URL: http://www.woodmann.com/TiGa/
Last updated:
Version (if appl.):
Direct D/L link: http://www.woodmann.com/TiGa/videos/PESpin-64.htm
Description: This video tutorial will learn you to quickly unpack PESpin Pre-Alpha version for x64.

(The video require a Flash plugin to work in your browser)
Also listed in: Windows Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Unpacking deroko's x64 UnpackMe
Rating: 0.0 (0 votes)
Author: TiGa                        
Home URL: http://www.woodmann.com/TiGa/
Last updated:
Version (if appl.):
Direct D/L link: http://www.woodmann.com/TiGa/videos/TiGa-vid10.htm
Description: This video tutorial will teach you how to unpack Deroko's x64 unpackme with IDA Pro.
Also listed in: Windows Tool Tutorials, Windows Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Unwrapping a Flash Video Executable (exe2swf)
Rating: 0.0 (0 votes)
Author: TiGa                        
Home URL: http://www.woodmann.com/TiGa/
Last updated:
Version (if appl.):
Direct D/L link: http://www.woodmann.com/TiGa/videos/TiGa-vid7.htm
Description: This video tutorial will teach you how to unwrap a flash video from an PE file with IDA Pro.
Also listed in: Windows Tool Tutorials, Windows Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Using Memory Breakpoints with your Loaders
Rating: 0.0 (0 votes)
Author: Shub-Nigurrath                        
Home URL: http://www.accessroot.com
Last updated:
Version (if appl.):
Direct D/L link: http://www.accessroot.com/arteam/site/files/video/Using_Memory_Breakpoints_by_Shub-Nigurrath_preview.pdf
Description: "This tutorial will discuss how memory breakpoints work and how to use them for you own loaders. It's an ideal prosecution of the already published Beginner's Tutorial #8 [1], where I already covered hardware and software breakpoints quite extensively (at beginner's level of course)."
Also listed in: Windows Internals Articles, Windows Tool Articles, Windows Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Visual Debugging with IDA - The Interactive Disassembler
Rating: 0.0 (0 votes)
Author: TiGa                        
Home URL: http://www.woodmann.com/TiGa/
Last updated:
Version (if appl.):
Direct D/L link: http://www.woodmann.com/TiGa/videos/TiGa-vid1.htm
Description: This video tutorial will introduce the visual debugging feature available on IDA Pro.
Also listed in: Windows Tool Tutorials, Windows Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Win32 Portable Executable Packing Uncovered
Rating: 0.0 (0 votes)
Author: Websense                        
Home URL: http://securitylabs.websense.com/content/Assets/HistoryofPackingTechnology.pdf
Last updated:
Version (if appl.):
Direct D/L link: Locally archived copy
Description: This paper introduces Win32 Portable Executable (PE) packing from a technical perspective. This includes PE file manipulation, compression, obfuscation, anti-dumping, import protection, and more. The paper describes various protection techniques, and presents a brief history of packers. Note that the most advanced techniques are found in commercial protection systems, and therefore are not presented here.
This paper provides enough information to understand the inner workings of executable packers: most packers are based on what is described here. Almost all custom packers (which means real packers, not loaders) seen in malware are based on the packing theory presented in this document.

The paper aims to explain how packers work internally. The most advanced techniques were left out on purpose, because they are used in commercial protection systems. Most custom packers found in malware are usually quite simple, and rely heavily on the techniques presented here. Sometimes, malware is protected using what people tend to call a packer, when they are actually just loaders (an executable is embedded in the “packed” malware, and executed in memory without being dropped on disk). Since they are not packers per se, they were not included in this paper.
Also listed in: Windows Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Writing a loader for an application packed with an unknown packer:
Rating: 0.0 (0 votes)
Author: Shub-Nigurrath                        
Home URL: http://www.accessroot.com
Last updated: September 2005
Version (if appl.):
Direct D/L link: http://www.accessroot.com/arteam/site/download.php?view.180
Description: "The question this tutorial tries to address is how to write a loader for an application which is packed with an unknown packer, what events to trace and how to proceed in order to faster get a working loader, able to patch the target."
Also listed in: Windows Internals Articles, Windows Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: x64 Disassembling Primer and fixing obfuscated APIs
Rating: 0.0 (0 votes)
Author: TiGa                        
Home URL: http://www.woodmann.com/TiGa/
Last updated:
Version (if appl.):
Direct D/L link: http://www.woodmann.com/TiGa/videos/TiGa-vid5.htm
Description: This video tutorial will teach you disassembly under x64 as well as fixing obfuscated API.
Also listed in: Windows Internals Tutorials, Windows Tool Tutorials, Windows Unpacking Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)




RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.


Subcategories

There are 4 subcategories to this category.




No items can be added directly to this category, please rather select one of its sub-categories above to submit an item!

Views