The Art of Unpacking - Part 1 (PDF, 2.3 MB, 73 pages)
Page 1

IBM Global Services

© Copyright IBM Corporation 2007

IBM Internet Security Systems
Ahead of the threat.™

The Art of Unpacking

Mark Vincent Yason
Malcode Analyst
X-Force Research & Development

Revision 4.0

Page 2

The Art Of Unpacking

Packers are one of the most interesting puzzles to solve in the reverse engineering field

Packers are created to protect legitimate applications, but they are also used by malcode

Over time, new anti-reversing techniques are integrated into packers

Meanwhile, researchers on the other side of the fence find ways to break/bypass these protections… it is a mind game

Anti-reversing techniques are also interesting because a lot of knowledge about Windows internals is gained

Page 36

The Art Of Unpacking

Anti-Analysis

Page 37

Anti-Analysis > Encryption and Compression

Encryption: Packers usually encrypt both the unpacking stub and the protected executable

The algorithms used to encrypt range from very simple XOR loops to complex loops that perform several computations per byte

Decryption loops are easy to recognize: a fetch -> compute -> store operation repeated over the encrypted region

Encryption algorithms and the unpacking stub vary between samples on polymorphic packers
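As an added illustration (not from the slides), the fetch -> compute -> store shape in C: a self-inverse XOR loop beside a constructed multi-step variant whose key evolves with the data, together with the matching decryption routine an analyst would have to reconstruct from the stub. The multi-step algorithm is invented for this example and is not any real packer's scheme.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Simplest form: fetch a byte, XOR it with a fixed key, store it back.
 * XOR is its own inverse, so the same loop both encrypts and decrypts. */
void xor_loop(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) {
        uint8_t b = buf[i]; /* fetch   */
        b ^= key;           /* compute */
        buf[i] = b;         /* store   */
    }
}

static uint8_t rotl8(uint8_t v, unsigned n) { return (uint8_t)((v << n) | (v >> (8 - n))); }
static uint8_t rotr8(uint8_t v, unsigned n) { return (uint8_t)((v >> n) | (v << (8 - n))); }

/* Constructed multi-step loop (not a real packer's algorithm): add the key, rotate,
 * XOR with the position, then evolve the key from the plaintext. Same fetch -> compute -> store shape. */
void multi_step_encrypt(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) {
        uint8_t p = buf[i];                                    /* fetch   */
        uint8_t c = rotl8((uint8_t)(p + key), 3) ^ (uint8_t)i; /* compute */
        buf[i] = c;                                            /* store   */
        key = (uint8_t)(key * 5 + p);                          /* key schedule */
    }
}

/* Inverse: undo each step in reverse order, then advance the key exactly as the encryptor did. */
void multi_step_decrypt(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) {
        uint8_t c = buf[i];                                    /* fetch   */
        uint8_t p = (uint8_t)(rotr8(c ^ (uint8_t)i, 3) - key); /* compute */
        buf[i] = p;                                            /* store   */
        key = (uint8_t)(key * 5 + p);
    }
}

/* Round trip over a constructed sample buffer; returns 1 if both loops recover it. */
int roundtrip_ok(void) {
    static const uint8_t sample[] = "MZ\x90\x00 constructed sample bytes";
    uint8_t a[sizeof sample], b[sizeof sample];
    memcpy(a, sample, sizeof a);
    memcpy(b, sample, sizeof b);
    xor_loop(a, sizeof a, 0x5A);
    xor_loop(a, sizeof a, 0x5A);
    multi_step_encrypt(b, sizeof b, 0x13);
    multi_step_decrypt(b, sizeof b, 0x13);
    return memcmp(a, sample, sizeof a) == 0 && memcmp(b, sample, sizeof b) == 0;
}
```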

Page 72

Tools > OllyDump and ImpRec

OllyDump
http://www.openrce.org/downloads/details/108/OllyDump

– OllyDbg plugin for process dumping and import table rebuilding

ImpRec
http://www.woodmann.com/crackz/Unpackers/Imprec16.zip

– Stand-alone tool for process dumping with an excellent import table rebuilding capability

(Demo)

Page 73

Questions?

Thank you!

Mark Vincent Yason
Malcode Analyst
X-Force Research & Development
