Questions tagged [packers]
A chain of tools used to build self-extracting archived software (with a focus on compression and/or on obfuscation). Packers defeat most static analysis techniques and force the reverser to *unpack* the software dynamically before analyzing it.
53 questions
1 vote, 0 answers, 59 views
UPX anti unpacking (upx -d)
To start, I know that there is a post on this platform from 2013 that asked the same question but since it's been a while, I will ask it again.
A few months back I recall finding a github repo / ...
2 votes, 1 answer, 236 views
What is 0xCC between each function?
First, sorry for my bad English.
What I know about the 0xCC instruction is that it is a breakpoint instruction.
But, when I look at an x64 binary, the functions are separated by multiple 0xCC instructions.
I think x64 uses ...
0 votes, 0 answers, 125 views
Scylla error on FThunk import (manually unpacking UPX)
I'm trying to practice manual unpacking, starting with UPX.
I'm using putty.exe x64
This is what I'm doing:
upx -o putty_packed.exe putty.exe
Disable Dynamic base (ASLR) using CFF Explorer on ...
5 votes, 1 answer, 769 views
How to use dnSpyEx or some other .NET debugger to attach to a .NET process started with a process-hollowing technique?
I have a .NET executable that is started using the process-hollowing technique. Here's how it looks from the Detect-It-Easy tool:
I can open the image file for that process (from disk) with dnSpyEx, ...
3 votes, 1 answer, 2k views
How do I reverse an exe packed with an unknown packer?
I got an assignment to analyze an exe file with 97% entropy. It's obviously packed but I got no results from Protection Id or PEiD about which packer it used...
How can I unpack it if it's possible? ...
1 vote, 0 answers, 180 views
silvio packer for shared library leads to error: "ELF load command address/offset not properly aligned"
I'm trying to implement a packer based on silvio infection. The packer works fine for ET_EXEC. However, it fails with the "ELF load command address/offset not properly aligned" error for the ...
1 vote, 0 answers, 72 views
failed to trigger packer's loader by overwriting the entry of rela.dyn on aarch64
I have implemented a packer for x86_64 shared libraries.
Briefly, a loader is injected into a shared library, and
the rela.dyn entry is modified such that it points to the address of the loader. Once the ...
0 votes, 2 answers, 366 views
How to protect a PE file?
What is the best way to protect a PE file (coded in C++) to make it a little harder to reverse? I mean using something like a packer, but in a legit way, because most packers are detected by ...
0 votes, 0 answers, 3k views
How to disassemble an obfuscated .NET DLL?
I asked earlier about unpacking a packed .NET exe. But now I need to see the source code for an obfuscated DLL:
Any idea how to unpack it?
3 votes, 1 answer, 485 views
Packers material for learning how to unpack software
I would like to know where I can find guides to learn how to unpack packers like Themida, Armadillo, VMProtect, etc. I was searching for challenges and guides but I could not find any for packers, only ...
1 vote, 0 answers, 61 views
Is this executable packed, encrypted or what?
I have an executable that I'd like to patch, but I'm very new to RE. I have some assembly knowledge of x86, which I first learned last year, but not of this one: PowerPC (in this case PPC32), ...
0 votes, 1 answer, 67 views
Packer changed memory in IDA?
I'm trying to analyze a binary protected by HASP. Since it is a pretty old binary (2008) I managed to run it in IDA and it unpacked in memory. When I do tracing + take a memory snapshot and reanalyze it,...
1 vote, 3 answers, 1k views
Problems with relocation when unpacking
I'm trying to learn how to do basic unpacking of EXEs. I've read about how the PE header works, sections, the IAT, and I already know a fair bit about assembly.
I started with compressing my simple x64....
0 votes, 1 answer, 197 views
PE file export functions of packed file
I am new to reverse engineering and I am learning about packed files.
I saw that most of the time I can recognize a packed file by a small number of import functions in the PE file and not many strings ...
3 votes, 1 answer, 5k views
VMProtect anti-debug method
I recently found a nice crackme which uses VMProtect 3.x as its defense.
After doing a little research online I found a couple of APIs VMProtect uses as an anti-debug method.
I set a software breakpoint on ...