[2007 codeengn conference 01] mrbrown - manual unpacking
DESCRIPTION
2007 CodeEngn Conference 01: the structure and principles of packing and unpacking, and an introduction to basic manual unpacking. Covers the various anti-reverse-engineering techniques that hinder unpacking, as well as unpacking protectors. http://codeengn.com/conference/01
TRANSCRIPT
1st CodeEngn Seminar
Manual Unpacking for Newbies
http://www.codeengn.com
Structure and Principles of Packing & Unpacking
PE Structure
IMAGE_OPTIONAL_HEADER
AddressOfEntryPoint
ImageBase (0x00400000)
BaseOfCode (0x00001000)
Structure and Principles of Packing & Unpacking
[Diagram: file layout before and after packing]
Unpacked: PE Header, Code Section, … ; the Entry Point in the PE header points at the OEP inside the code section.
Packed: PE Header, Unpack/Decrypt Stub, … ; the Entry Point points at the stub, which restores the original code and then transfers control to the OEP.
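The slide lists three IMAGE_OPTIONAL_HEADER fields and contrasts a packed layout (entry point in the unpack stub) with an unpacked one (entry point at the OEP). The Python below is an added example, not code from the talk or from UPX: it parses those fields and the section table from two header blobs constructed inline (one laid out like a plain program, one mimicking UPX's UPX0/UPX1 section layout) and reports, from the headers alone, hints that the entry point is a stub rather than the OEP. The names build_sample_pe, parse_pe and entry_point_hints and the heuristics are this example's own assumptions; the OEP itself is not recorded anywhere in the headers, so locating it remains a run-time job.

```python
"""Added example: minimal PE32 header parser run on two constructed samples."""
import struct

# Real PE32 layout facts: e_lfanew sits at DOS offset 0x3C, the COFF header is
# 20 bytes, a PE32 optional header is 224 bytes, a section header is 40 bytes.
PE32_MAGIC = 0x10B
SECTION_HEADER = "<8sIIIIIIHHI"    # Name, VirtualSize, VirtualAddress, SizeOfRawData,
                                   # PointerToRawData, reloc ptr, linenum ptr,
                                   # reloc count, linenum count, Characteristics
OPT_HEADER_HEAD = "<HBBIIIIIIIII"  # Magic .. FileAlignment (first 40 bytes)


def build_sample_pe(entry_rva, base_of_code, sections, image_base=0x00400000):
    """Construct a PE32 header blob (headers only, no section data) for the demo."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack(OPT_HEADER_HEAD, PE32_MAGIC, 9, 0, 0, 0, 0,
                      entry_rva, base_of_code, 0, image_base, 0x1000, 0x200)
    opt += bytes(224 - len(opt))                         # remaining optional-header fields zeroed
    secs = b"".join(struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), vsize, va,
                                raw, ptr, 0, 0, 0, 0, chars)
                    for name, vsize, va, raw, ptr, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + secs


def parse_pe(data):
    """Return the three IMAGE_OPTIONAL_HEADER fields from the slide plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic, _, _, _, _, _, entry_rva, base_of_code, _, image_base,
     _sec_align, _file_align) = struct.unpack_from(OPT_HEADER_HEAD, data, opt)
    if magic != PE32_MAGIC:
        raise ValueError("only PE32 handled in this example")
    sec_off = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, raw, ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw,
                         "raw_ptr": ptr, "characteristics": chars})
    return {"image_base": image_base, "base_of_code": base_of_code,
            "entry_rva": entry_rva, "entry_va": image_base + entry_rva,
            "sections": sections}


def section_for_rva(sections, rva):
    """Index and header of the section whose virtual range covers rva, else (None, None)."""
    for idx, s in enumerate(sections):
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return idx, s
    return None, None


def entry_point_hints(info):
    """Heuristics (assumptions of this example, not a packer signature): does the
    entry point look like a stub?  A packed file starts in the stub, not at the OEP."""
    idx, sec = section_for_rva(info["sections"], info["entry_rva"])
    if sec is None:
        return ["entry point RVA is outside every section"]
    hints = []
    if idx != 0:
        hints.append("entry point is in section %r (index %d), not the first section"
                     % (sec["name"], idx))
    for earlier in info["sections"][:idx]:
        if earlier["raw_size"] == 0 and earlier["vsize"] > 0:
            hints.append("section %r has no file bytes but %#x bytes of virtual size: "
                         "a stub can unpack the original code into it"
                         % (earlier["name"], earlier["vsize"]))
    return hints


# Constructed samples. Section flags are the real IMAGE_SCN_* bit combinations.
UNPACKED = build_sample_pe(entry_rva=0x1200, base_of_code=0x1000, sections=[
    (b".text", 0x0400, 0x1000, 0x0400, 0x0400, 0x60000020),   # code, exec, read
    (b".data", 0x0200, 0x2000, 0x0200, 0x0800, 0xC0000040)])  # data, read, write
PACKED = build_sample_pe(entry_rva=0xA3C0, base_of_code=0x1000, sections=[
    (b"UPX0", 0x8000, 0x1000, 0x0000, 0x0400, 0xE0000080),    # empty on disk, filled at run time
    (b"UPX1", 0x2000, 0x9000, 0x2000, 0x0400, 0xE0000040),    # compressed data + stub
    (b".rsrc", 0x0200, 0xB000, 0x0200, 0x2400, 0xC0000040)])

if __name__ == "__main__":
    for label, blob in (("unpacked", UNPACKED), ("packed", PACKED)):
        info = parse_pe(blob)
        print(label, "EntryPoint VA %#x" % info["entry_va"], entry_point_hints(info))
```

The unpacked sample yields EntryPoint VA 0x401200 and no hints; the packed one yields an entry point in UPX1 and a note that UPX0 reserves memory without file bytes, which is exactly the layout the stub needs to write the restored code before jumping to the OEP.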
Basic Manual Unpacking
UPX (Ultimate Packer for eXecutables)
▪ Open Source
▪ Compress, Decompress
▪ Linux, DOS, Windows 32-bit
Techniques That Hinder Unpacking
Anti Debug
IsDebuggerPresent()
ZwQueryInformationProcess()
NtGlobalFlag
Process32Next()
ZwSetInformationThread()
UnhandledExceptionFilter()
TerminateProcess()
Protection Techniques
ETC
Junk Code
IAT change
Stolen Bytes
Polymorphic
Anti BP/Trace
Anti BP (file streams, SEH, etc. …)
RDTSC
GetTickCount()
Techniques That Hinder Unpacking
Sample Code
; --- Anti Debugging using IsDebuggerPresent() ---
CALL DWORD PTR DS:[<&KERNEL32.IsDebuggerPresent>] ; EAX = 1 if a debugger is attached
CMP EAX,1                                         ; active = 1 , not active = 0
JE found_debugger_action
; -----------------------------------------------------------------
Techniques That Hinder Unpacking
Sample Code
; --- Anti Tracing (single stepping) using RDTSC ---
RDTSC                     ; first time-stamp counter reading (low 32 bits in EAX)
MOV ECX,EAX               ; save it
RDTSC                     ; second reading
SUB EAX,ECX               ; cycles elapsed between the two reads
CMP EAX,0FFFh             ; far more than a few cycles: someone stepped through
JAE found_debugger_action
; -----------------------------------------------------------------
Protector Unpacking
Protector
ARM Protector, ASProtect, ExeShield, Themida (very strong), VMProtect, NTkrnl Protector, Yoda Protector, SKVP, Nice Protect, GHF Protector …
Protector Unpacking
[Demo]
Stolen Bytes (crackme)
IAT repair (modified UPX)
Yoda Protector 1.03 (Full Option)