[2007 CodeEngn Conference 01] mrbrown - Manual Unpacking

2007 CodeEngn Conference 01

Explains the structure and principles of packing and unpacking, introduces basic manual unpacking, and covers the various anti-reverse-engineering techniques that obstruct unpacking, as well as unpacking protectors.

http://codeengn.com/conference/01


    Presentation Transcript

    • 1st CodeEngn Seminar: Manual Unpacking for Newbies. 송창현, aka. MrBrown@gmail.com. http://www.CodeEngn.com
    • Contents: What is unpacking? / Structure and principles of packing & unpacking / Basic manual unpacking / Techniques that obstruct unpacking / Protector unpacking
    • What is unpacking? Unpacking (executable decompression): restoring an executable that was encrypted and/or compressed for protection (a packed file) to its original state.
    • Structure and principles of packing & unpacking: PE structure. IMAGE_OPTIONAL_HEADER: AddressOfEntryPoint, ImageBase (0x00400000), BaseOfCode (0x00001000)
    • Structure and principles of packing & unpacking: [Figure: Packed vs. Unpacked layout. Packed: PE Header, Entry Point pointing at the Unpack/Decrypt Stub, with the OEP inside the Code Section. Unpacked: PE Header, Entry Point at the OEP in the Code Section …]
    • Structure and principles of packing & unpacking: the general manual unpacking process: 1. Reach the real OEP, 2. Dump, 3. Rebuild the IAT
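The header fields named on these slides decide where execution starts, and that is the first thing a triage script checks before anyone reaches for a debugger. The following is an added example written for this page (not code from the talk or its demo material): it parses AddressOfEntryPoint, BaseOfCode, ImageBase and the section table from a PE32 image, finds the section that holds the entry point, and reports the packed pattern from the figure (entry point in a stub section rather than the first code section). The images it checks are constructed, headers-only byte strings rather than real binaries, and the section names and RVAs are assumed values chosen to mimic an ordinary build and a UPX-style layout.

```python
import struct
def parse_pe32(data):
    """Return (AddressOfEntryPoint, BaseOfCode, ImageBase, [(name, VirtualAddress, VirtualSize), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                                        # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry, base_of_code, _, image_base = struct.unpack_from("<IIII", data, opt + 16)
    sections = []
    for i in range(num_sections):                        # IMAGE_SECTION_HEADER entries, 40 bytes each
        off = opt + size_of_opt + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        sections.append((name, vaddr, vsize))
    return entry, base_of_code, image_base, sections

def packing_indicators(data):
    """Heuristic triage: a normal build enters its first code section, a packed file enters the stub."""
    entry, base_of_code, _, sections = parse_pe32(data)
    holder = next((s for s in sections if s[1] <= entry < s[1] + s[2]), None)
    if holder is None:
        return ["entry point 0x%X lies outside every section" % entry]
    hits = []
    if holder is not sections[0]:
        hits.append("entry point is in %r, not the first section" % holder[0])
    if holder[0].upper().startswith("UPX"):              # stub section name of the packer demoed in the talk
        hits.append("entry section %r is a known packer stub name" % holder[0])
    if entry < base_of_code:
        hits.append("entry point 0x%X precedes BaseOfCode 0x%X" % (entry, base_of_code))
    return hits

def build_pe32(entry_rva, base_of_code, sections, image_base=0x00400000):
    """Constructed test input: a headers-only PE32 image (no section data), not a real binary."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<IIII", opt, 16, entry_rva, base_of_code, 0, image_base)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, 0x60000020)
                     for n, va, vs in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table
# Constructed layouts (assumed section names and RVAs): an ordinary build, and a UPX-style packed one.
NORMAL = build_pe32(0x1200, 0x1000, [(".text", 0x1000, 0x2000), (".data", 0x3000, 0x1000)])
UPX_LIKE = build_pe32(0xB800, 0x9000, [("UPX0", 0x1000, 0x8000), ("UPX1", 0x9000, 0x3000), (".rsrc", 0xC000, 0x1000)])
```

`packing_indicators(NORMAL)` returns an empty list, while the UPX-style image is flagged twice: its entry point sits in the second section, and that section carries a packer stub name.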
    • Basic manual unpacking: UPX (Ultimate Packer for eXecutables) ▪ Open Source ▪ Compress, Decompress ▪ Linux, DOS, Windows 32-bit
    • Basic manual unpacking: [Screenshot: Packed]
    • Basic manual unpacking: [Screenshot: Original vs. Packed]
    • Basic manual unpacking: [Screenshot: Original vs. Packed]
    • Basic manual unpacking: UPX demo
    • Basic manual unpacking: packed (run-time compressed) malware, MEW demo (modified variant)
    • Techniques that obstruct unpacking: executable protection techniques
    • Techniques that obstruct unpacking: protection techniques
      Anti Debug: IsDebuggerPresent(), ZwQueryInformationProcess(), NtGlobalFlag, Process32Next(), ZwSetInformationThread(), UnhandledExceptionFilter(), TerminateProcess()
      Anti BP/Trace: Anti BP (file streams, SEH, etc …), RDTSC, GetTickCount()
      ETC: Junk Code, IAT change, Stolen Byte, polymorphic
    • Techniques that obstruct unpacking: sample code
        ; --- Anti Debugging using IsDebuggerPresent() ---
        CALL DWORD PTR DS:[<&KERNEL32.IsDebuggerPresent>]
        CMP EAX,1                ; active = 1 , not active = 0
        JE found_debugger_action
        ; -----------------------------------------------------------------
    • Techniques that obstruct unpacking: sample code
        ; --- Anti Tracing (single stepping) using RDTSC ---
        RDTSC
        MOV ECX,EAX
        RDTSC
        SUB EAX,ECX
        CMP EAX,0FFFh
        JAE found_debugger_action
        ; -----------------------------------------------------------------
    • Protector unpacking: Protectors: ARM Protector, ASProtect, ExeShield, Themida (formidable), VMProtect, NTkrnl Protector, Yoda Protector, SKVP, Nice Protect, GHF Protector … …
    • Protector unpacking: [Demo] Stolen Byte (crackme); IAT modification (modified UPX); Yoda Protector 1.03 (Full Option)
    • Thanks to… [thanks to those who provided material] SlaxCore, Certlab. Demo material: http://mrbrown.linuxstudy.pe.kr/codeengn/data.zip
    • Q & A