From Collaborative RCE Knowledge Library

Jump to: navigation, search

Unpacking Articles


Item name: Silver Needle in the Skype
Rating: 4.0 (1 vote)
Author: Philippe Biondi, Fabrice Desclaux                        
Home URL: http://www.secdev.org
Last updated: March 2, 2006
Version (if appl.):
Direct D/L link: http://www.secdev.org/conf/skype_BHEU06.pdf
Description: Phillipe Biondi and Patrice Desclaux from EADS completely reversed Skype.
In 3 steps (binary analysis, network analysis, advanced skype manipulation) they show you the beast and how clever it was designed. But it also shows negative points: a security policy with skype is nearly impossible, it can be exploited as a botnet, it is very difficult to monitor its traffic to prevent the bad from the rest. A must read.
Also listed in: Generic Anti Reversing Articles, Generic Protection Technique Articles, Generic Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Anti-Anti Dump and Nonintrusive Tracers
Rating: 0.0 (0 votes)
Author: deroko                        
Home URL: http://www.accessroot.com/
Last updated:
Version (if appl.):
Direct D/L link: http://185.62.190.110/accessroot/arteam/site/download.php?view.10
Description: "A novel method to manage new anti-dump buffer-based protections used by latest protectors as AsProtect SKE, Armadillo etc (sources included)"
Also listed in: Windows Anti Reversing Articles, Windows Internals Articles, Windows Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Beginners Guide to Basic Linux Anti Anti Debugging Techniques
Rating: 0.0 (0 votes)
Author: M. Schallner                        
Home URL: http://home.pages.at/f001/
Last updated: May 2006
Version (if appl.):
Direct D/L link: http://www.codebreakers-journal.com/downloads/cbj/2006/CBM_3_1_2006_Schallner_Beginners_Guide_to_Basic_Linux_Anti_Anti_Debugging_Techniques.pdf
Description: This article from CodeBreaker's Journal is inspired from _mammon's tales and Silvio Cesare's work.

"Anti-debugging techniques are a common method for protecting software applications. Meanwhile such kind of protection tricks are often used, several approaches work against such kind of protection. One known method are anti-anti tricks which circumvent the mentioned protection schemes. This paper confines to techniques and methods used for Linux platform applications, especially dealing with the operation platforms specific tools."
Also listed in: Linux Anti Reversing Articles, Linux Protection Technique Articles, Linux Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Creating Keygens for Cocoa Applications
Rating: 0.0 (0 votes)
Author: whimsy                        
Home URL: N/A
Last updated: 2006
Version (if appl.):
Direct D/L link: Locally archived copy
Description: "This document is an attempt at giving the reader an overview of basic keygen
techniques as they apply to Cocoa applications on the Macintosh. To accomplish
this, we will go through the steps necessary to create a keygen for the
"Pixadex" application, version 1.5.5, which is like iPhoto for icons."
Also listed in: Mac OS Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Linux anti-debugging techniques (fooling the debugger)
Rating: 0.0 (0 votes)
Author: Silvio Cesare                        
Home URL: http://virus.beergrave.net
Last updated: January 1999
Version (if appl.):
Direct D/L link: http://www.phiral.net/other/linux-anti-debugging.txt
Description: TABLE OF CONTENTS
-----------------

INTRODUCTION
FALSE DISASSEMBLY
DETECTING BREAKPOINTS
SETTING UP FALSE BREAKPOINTS
DETECTING DEBUGGING


"This article describes anti debugger techniques for x86/Linux (though some of
these techniques are not x86 specific). That is techniques to either fool,
stop, or modify the process of debugging the target program. This can be
useful to the development of viruses and also to those implementing software
protection."
Also listed in: Linux Anti Reversing Articles, Linux Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Process Dump and Binary Reconstruction
Rating: 0.0 (0 votes)
Author: ilo                        
Home URL: http://www.phrack.com
Last updated:
Version (if appl.):
Direct D/L link: http://www.phrack.com/issues.html?issue=63&id=12&mode=txt
Description: This article describes process dumping and binary reconstruction, through the coding of a tool called PD.

"PD is a proof of concept tool being released to help rebuilding
or recovering a binary file from a running process, even if the file never
existed in the disk. Computer Forensics, reverse engineering, intruders,
administrators, software protection, all share the same piece of the puzzle
in a computer."
Also listed in: Linux Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Resolving ELF Relocation Name / Symbols
Rating: 0.0 (0 votes)
Author: Chris Rohlf                        
Home URL: http://em386.blogspot.com
Last updated: October 7, 2007
Version (if appl.):
Direct D/L link: http://em386.blogspot.com/2006/10/resolving-elf-relocation-name-symbols.html
Description: This article explains how relocation is done for names and symbols

"From the ELF 1.2 standard:

"Relocation is the process of connecting symbolic references with symbolic definitions. For example, when a program calls a function, the associated call instruction must transfer control to the proper destination address at execution. In other words, relocatable files must have information that describes how to modify their section contents, thus allowing executable and shared object files to hold the right information for a process's program image. Relocation entries are these data.""
Also listed in: Linux Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Stepping with GDB during PLT uses and .GOT fixup
Rating: 0.0 (0 votes)
Author: mayhem                        
Home URL: http://www.eresi-project.org
Last updated:
Version (if appl.):
Direct D/L link: http://s.eresi-project.org/inc/articles/elf-runtime-fixup.txt
Description: "This text is a GDB tutorial about runtime process fixup using the Procedure
Linkage Table section (.plt) and the Global Offset Table section (.got) .
If you dont know what is ELF, you should read the ELF ultimate documentation
you can find easily on google .

Some basic ASM knowledge may be requested .

This text has not been written for ELF specialists . This tutorial is an
alternative , interactive way to understand the PLT mechanisms. "
Also listed in: Linux ELF Articles, Linux Internals Articles, Linux Tool Articles, Linux Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Using Memory Breakpoints with your Loaders
Rating: 0.0 (0 votes)
Author: Shub-Nigurrath                        
Home URL: http://www.accessroot.com
Last updated:
Version (if appl.):
Direct D/L link: http://www.accessroot.com/arteam/site/files/video/Using_Memory_Breakpoints_by_Shub-Nigurrath_preview.pdf
Description: "This tutorial will discuss how memory breakpoints work and how to use them for you own loaders. It's an ideal prosecution of the already published Beginner's Tutorial #8 [1], where I already covered hardware and software breakpoints quite extensively (at beginner's level of course)."
Also listed in: Windows Internals Articles, Windows Tool Articles, Windows Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Win32 Portable Executable Packing Uncovered
Rating: 0.0 (0 votes)
Author: Websense                        
Home URL: http://securitylabs.websense.com/content/Assets/HistoryofPackingTechnology.pdf
Last updated:
Version (if appl.):
Direct D/L link: Locally archived copy
Description: This paper introduces Win32 Portable Executable (PE) packing from a technical perspective. This includes PE file manipulation, compression, obfuscation, anti-dumping, import protection, and more. The paper describes various protection techniques, and presents a brief history of packers. Note that the most advanced techniques are found in commercial protection systems, and therefore are not presented here.
This paper provides enough information to understand the inner workings of executable packers: most packers are based on what is described here. Almost all custom packers (which means real packers, not loaders) seen in malware are based on the packing theory presented in this document.

The paper aims to explain how packers work internally. The most advanced techniques were left out on purpose, because they are used in commercial protection systems. Most custom packers found in malware are usually quite simple, and rely heavily on the techniques presented here. Sometimes, malware is protected using what people tend to call a packer, when they are actually just loaders (an executable is embedded in the “packed” malware, and executed in memory without being dropped on disk). Since they are not packers per se, they were not included in this paper.
Also listed in: Windows Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Writing a loader for an application packed with an unknown packer:
Rating: 0.0 (0 votes)
Author: Shub-Nigurrath                        
Home URL: http://www.accessroot.com
Last updated: September 2005
Version (if appl.):
Direct D/L link: http://www.accessroot.com/arteam/site/download.php?view.180
Description: "The question this tutorial tries to address is how to write a loader for an application which is packed with an unknown packer, what events to trace and how to proceed in order to faster get a working loader, able to patch the target."
Also listed in: Windows Internals Articles, Windows Unpacking Articles
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)




RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.


Subcategories

There are 5 subcategories to this category.




No items can be added directly to this category, please rather select one of its sub-categories above to submit an item!

Views