Hi all,
deroko just released a plugin for IDA 5.2 and following, to decompress aplib or lzma packed data in your target when analyzing with IDA.

The plugin supports aPlib which is quite common in malware, but there's also support for packman lzma compression, even if this one is very rare.

Run plugin by pressing CTRL+9 and you will be prompted with a window for unpacking or simply go to Edit->plugins->aplib depack

The IDA database is then automatically updated with data of the uncompressed application, no more need of creating dumps for analysis.

Full C sources are included, aswell. See the readme.txt for further details and instructions.

http://arteam.accessroot.com/releases.html or CRCETL ;-)

And also thanks for sharing this one with our readers.

Regards,

Nice tool indeed, and thanks as always for adding it to the CRCETL (please don't include version numbers in the tool titles though, I fixed this for the entry).

http://www.woodmann.com/collaborative/tools/IDA_Plugin_Depack_APlib_And_LZMA

Oh, and one question, does any of these two decompression types include zlib compression somehow, which is also a very common compression type/library used in many programs? That would be a great (and simple) addition for version 1.1 otherwise I think.

the first one is aplib, as a default decompression used in many protections/packers, the other one is, if I'm not mistaken, lzma from 7-zip.org which I saw in only a few packers -> packman is probably the first one to use it.
If there are some compression libraries, which you find in some other packers/protectors, I would be more then happy to add them too