#1

The Art of Unpacking
=======================
by Mark Vincent Yason

Abstract: Unpacking is an art—it is a mental challenge and is one of the most exciting mind games in the reverse engineering field. In some cases, the reverser needs to know the internals of the operating system in order to identify or solve very difficult anti-reversing tricks employed by packers/protectors, patience and cleverness are also major factors in a successful unpack. This challenge involves researchers creating the packers and on the other side, the researchers that are determined to bypass these protections.

The main purpose of this paper is to present anti-reversing techniques employed by executable packers/protectors and also discusses techniques and publicly available tools that can be used to bypass or disable these protections. This information will allow researchers, especially, malcode analysts to identify these techniques when utilized by packed malicious code, and then be able to decide the next move when these anti-reversing techniques impede successful analysis. As a secondary purpose, the information presented can also be used by researchers that are planning to add some level of protection in their software by slowing down reversers from analyzing their protected code, but of course, nothing will stop a skilled, informed, and determined reverser.

Table of Contents

1. INTRODUCTION
2. TECHNIQUES: DEBUGGER DETECTION
   2.1. PEB.BeingDebugged Flag: IsDebuggerPresent()
   2.2. PEB.NtGlobalFlag, Heap Flags
   2.3. DebugPort: CheckRemoteDebuggerPresent() / NtQueryInformationProcess()
   2.4. Debugger Interrupts
   2.5. Timing Checks
   2.6. SeDebugPrivilege
   2.7. Parent Process
   2.8. DebugObject: NtQueryObject()
   2.9. Debugger Window
   2.10. Debugger Process
   2.11. Device Drivers
   2.12. OllyDbg: Guard Pages
3. TECHNIQUES: BREAKPOINT AND PATCHING DETECTION
   3.1. Software Breakpoint Detection
   3.2. Hardware Breakpoint Detection
   3.3. Patching Detection via Code Checksum Calculation
4. TECHNIQUES: ANTI-ANALYSIS
   4.1. Encryption and Compression
   4.2. Garbage Code and Code Permutation
   4.3. Anti-Disassembly
5. TECHNIQUES: DEBUGGER ATTACKS
   5.1. Misdirection and Stopping Execution via Exceptions
   5.2. Blocking Input
   5.3. ThreadHideFromDebugger
   5.4. Disabling Breakpoints
   5.5. Unhandled Exception Filter
   5.6. OllyDbg: OutputDebugString() Format String Bug
6. TECHNIQUES: ADVANCED AND OTHER TECHNIQUES
   6.1. Process Injection
   6.2. Debugger Blocker
   6.3. TLS Callbacks
   6.4. Stolen Bytes
   6.5. API Redirection
   6.6. Multi-Threaded Packers
   6.7. Virtual Machines
7. TOOLS
   7.1. OllyDbg
   7.2. Ollyscript
   7.3. Olly Advanced
   7.4. OllyDump
   7.5. ImpRec
8. REFERENCES

#2

Please reupload because "The file link that you requested is not valid."

#3

Quote:
PHP Code:

The Following 3 Users Gave Reputation+1 to Gmax For This Useful Post:

#4

|
Quote:
http://www.blackhat.com/presentations/bh-usa-07/Yason/Whitepaper/bh-usa-07-yason-WP.pdf

The Following User Gave Reputation+1 to bolzano_1989 For This Useful Post: chessgod101 (12-25-2012)

#5

I found an interesting book called Algorithmic Cryptanalysis. I spent around 30 minutes trying to find a working download link for this. At first glance, this book seems to give a lot of insight to cryptography reversing.

Information:
Hardcover: 519 pages
Publisher: Chapman and Hall/CRC (June 15, 2009)
Language: English
ISBN-10: 1420070029
ISBN-13: 978-1420070026

Download:
Code:
http://rghost.net/42373232
Code:
http://www.spaadyshare.net/71vg8xg8ai80/Joux,%20Algorithmic%20Cryptanalysis,%20CRC,%202009.pdf
__________________
"As the island of our knowledge grows, so does the shore of our ignorance." John Wheeler

#6

Inside Windows Debugging: A Practical Guide to Debugging and Tracing Strategies in Windows
English | 2012 | 592 Pages | ISBN: 0735662789 | PDF | 38 MB
Code:
http://extabit.com/file/28dc44vnkpssp or http://ryushare.com/6sdj5ue3m6qs/Microsoft.Press.Inside.Windows.Debugging.pdf

The Following 4 Users Gave Reputation+1 to nikkapedd For This Useful Post:

#7

|
Professional C Plus Plus 2nd Edition 2011 Wrox publisher | 86.03 MB
Code:
http://www2.zippyshare.com/v/82942829/file.html pass: rl-team.net

The Following 4 Users Gave Reputation+1 to nikkapedd For This Useful Post:

#8

For those interested in a comprehensive book IDA with some examples
Quote:

#9

Quote:
for it in EPUB/MOBI format look for the post by typedef above; or, for it in PDF format, google for "theidaprobook" and take the first link!
Best regards, bilbo

The Following User Gave Reputation+1 to bilbo For This Useful Post: chessgod101 (01-02-2013)

#10

Quote:
PHP Code:

The Following User Gave Reputation+1 to Gmax For This Useful Post:

#11

The Art of Assembly Language

#12

Hackers: Heroes of the Computer Revolution (25th Anniversary Edition)
Publisher: O'Reilly Media 2010 | 528 Pages | ISBN: 1449388396 | PDF | 12 MB
Code:
http://extabit.com/file/29g1vn63wy58e/ or http://ryushare.com/jm8b5mhg3lib/h4ck.univer.pdf

The Following 2 Users Gave Reputation+1 to nikkapedd For This Useful Post: alekine322 (01-07-2013), chessgod101 (01-07-2013)

#13

Help:_http://rghost.net/

#14

xtiaoshi
here another link for the ebook Hackers: Heroes of the Computer Revolution (25th Anniversary Edition)
Publisher: O'Reilly Media 2010 | 528 Pages | ISBN: 1449388396 | PDF | 12 MB
Code:
http://rghost.net/42793834

The Following 3 Users Gave Reputation+1 to nikkapedd For This Useful Post:

#15

nikkapedd
Thank you.