Shub-nigurrath
September 24th, 2008, 03:29
Hi all,
deroko just released a plugin for IDA 5.2 and following, to decompress aplib or lzma packed data in your target when analyzing with IDA.
The plugin supports aPlib which is quite common in malware, but there's also support for packman lzma compression, even if this one is very rare.
Run the plugin by pressing CTRL+9 and you will be prompted with a window for unpacking, or simply go to Edit->plugins->aplib depack
The IDA database is then automatically updated with the data of the uncompressed application, no more need to create dumps for analysis.
Full C sources are included as well. See the readme.txt for further details and instructions.
http://arteam.accessroot.com/releases.html or CRCETL ;-)
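As an added illustration of what the plugin automates inside the IDB (example code written for this post, not deroko's plugin and not the aPLib sources): a small Python depacker for a raw aPLib stream (no container header), with bounds-checked back-references so a corrupt stream raises instead of reading outside the output. The sample stream in the test is hand-constructed.

```python
class BitReader:
    """aPLib tag bits, MSB-first; a fresh tag byte is fetched whenever the current one is spent."""
    def __init__(self, data: bytes, pos: int):
        self.data, self.pos, self.tag, self.bitcount = data, pos, 0, 0
    def bit(self) -> int:
        if self.bitcount == 0:
            self.tag, self.pos, self.bitcount = self.data[self.pos], self.pos + 1, 8
        self.bitcount -= 1
        return (self.tag >> self.bitcount) & 1
    def byte(self) -> int:
        self.pos += 1
        return self.data[self.pos - 1]
    def gamma(self) -> int:  # Elias-gamma-like: start at 1, shift in a bit, repeat while flag bit is 1
        result = 1
        while True:
            result = (result << 1) + self.bit()
            if not self.bit():
                return result

def ap_depack(src: bytes) -> bytes:
    out = bytearray(src[:1])                 # first byte is always stored verbatim
    rd, r0, lwm = BitReader(src, 1), -1, 0   # r0: last match offset; lwm: last code was a match

    def copy(offs: int, n: int) -> None:     # bounds-checked LZ back-copy, byte-wise so overlaps repeat
        if offs <= 0 or offs > len(out):
            raise ValueError("corrupt stream: back-reference outside the output")
        for _ in range(n):
            out.append(out[-offs])

    while True:
        if not rd.bit():                     # 0   -> literal byte follows in the byte stream
            out.append(rd.byte()); lwm = 0
        elif not rd.bit():                   # 10  -> match, gamma-coded offset and length
            offs = rd.gamma()
            if lwm == 0 and offs == 2:       # reuse previous offset; only a length follows
                copy(r0, rd.gamma())
            else:
                offs = ((offs - (3 if lwm == 0 else 2)) << 8) + rd.byte()
                n = rd.gamma() + (offs >= 32000) + (offs >= 1280) + 2 * (offs < 128)
                copy(offs, n); r0 = offs
            lwm = 1
        elif not rd.bit():                   # 110 -> short match (len 2-3, 7-bit offset); offset 0 ends the stream
            b = rd.byte()
            if b >> 1 == 0:
                return bytes(out)
            copy(b >> 1, 2 + (b & 1)); r0, lwm = b >> 1, 1
        else:                                # 111 -> one byte from a 4-bit offset; offset 0 emits a zero byte
            offs = sum(rd.bit() << (3 - i) for i in range(4))
            copy(offs, 1) if offs else out.append(0)
            lwm = 0
```

In the plugin's setting the input would be the packed blob selected in the IDB and the output written back over the target region; here the constructed stream "A", two literals and one length-9 match at offset 3 expands to "ABCABCABCABC".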