
How to deal with polymorphic code


lowkick
February 11th, 2009, 15:11
Hi,

How to deal with polymorphic code when writing an unpacker? Assume that we have code that does some encryption on a portion of data. Decrypted data is then executed; it contains another polymorphic code. There can be some number of such layers. There is also junk code (semi-random) inserted between instructions. My idea was to emulate the decryptor in the following manner:
- load the code into allocated memory
- read one instruction
- check if it is some arithmetic operation (add, sub, xor, etc.). If yes, then "execute" it virtually - do the same operation as the instruction does
- if it is a jump/call/other redirection, then follow the code flow.
So my question is: is this a proper way to handle such a scenario? I don't want to launch the code - I'd like to unpack it in a static way.
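The emulation loop described in the post, as an added example that is not code from this thread: a small Python emulator that executes arithmetic virtually over a byte buffer, follows branches, and treats a jump into memory the loop has already written as the end of one layer. The instruction tuples (standing in for disassembler output), the addresses BASE and DATA, the constants KEY and DELTA and the sample plaintext are all constructed for the example; the junk instructions interleaved in the loop are handled simply by executing them, since they have no effect on the data being decrypted.

```python
"""Tiny register-level emulator that statically "runs" a decryptor loop.
All addresses, keys and instructions below are constructed for this example."""

BASE = 0x401000            # hypothetical load address of the emulated region
DATA = 0x401100            # hypothetical address of the encrypted next layer
KEY, DELTA = 0x5A, 3       # constructed keys used by the sample decryptor


class Emulator:
    """Executes a subset of x86-like instructions over a byte buffer."""

    def __init__(self, memory: bytearray, base: int = BASE):
        self.mem = memory
        self.base = base
        self.regs = {r: 0 for r in ("eax", "ebx", "ecx", "edx", "esi", "edi")}
        self.zf = False            # only the zero flag is modelled here
        self.written = set()       # addresses the decryptor has stored to

    def load(self, op):
        """Operand read: immediate int, register name, or ("mem8", reg, disp)."""
        if isinstance(op, int):
            return op
        if isinstance(op, str):
            return self.regs[op]
        _kind, reg, disp = op
        return self.mem[self.regs[reg] + disp - self.base]

    def store(self, op, value):
        """Operand write: 32-bit register or a byte in memory (tracked)."""
        if isinstance(op, str):
            self.regs[op] = value & 0xFFFFFFFF
            return
        _kind, reg, disp = op
        addr = self.regs[reg] + disp
        self.mem[addr - self.base] = value & 0xFF
        self.written.add(addr)

    def set_zf(self, value):
        self.zf = (value & 0xFFFFFFFF) == 0
        return value

    def run(self, program, max_steps=100_000):
        """Step until control transfers into decrypted memory; return that address."""
        pc = 0
        for _ in range(max_steps):
            ins = program[pc]
            m, ops = ins[0], ins[1:]
            pc += 1
            if m == "nop":
                continue
            if m == "mov":
                self.store(ops[0], self.load(ops[1]))
            elif m in ("xor", "add", "sub"):       # "execute" arithmetic virtually
                a, b = self.load(ops[0]), self.load(ops[1])
                r = a ^ b if m == "xor" else a + b if m == "add" else a - b
                self.store(ops[0], self.set_zf(r))
            elif m == "inc":
                self.store(ops[0], self.set_zf(self.load(ops[0]) + 1))
            elif m == "dec":
                self.store(ops[0], self.set_zf(self.load(ops[0]) - 1))
            elif m in ("jmp", "jnz", "jz"):        # follow the code flow
                taken = m == "jmp" or (m == "jnz") != self.zf
                if not taken:
                    continue
                kind, target = ops[0]
                if kind == "idx":                  # branch inside the decoded program
                    pc = target
                elif target in self.written:       # control enters decrypted bytes
                    return target
                else:
                    raise RuntimeError(f"jump to unemulated address {target:#x}")
            else:
                raise NotImplementedError(m)
        raise RuntimeError("step limit reached")


def build_sample():
    """Constructed memory image: an encrypted blob plus a decryptor with junk."""
    plain = b"layer two: decrypt me next"
    enc = bytes(((p + DELTA) ^ KEY) & 0xFF for p in plain)
    mem = bytearray(0x200)
    mem[DATA - BASE:DATA - BASE + len(enc)] = enc
    decryptor = [
        ("mov", "esi", DATA),
        ("mov", "ecx", len(enc)),
        ("add", "edx", 0),                   # junk
        ("mov", "eax", ("mem8", "esi", 0)),  # index 3: loop head
        ("nop",),                            # junk
        ("xor", "eax", KEY),
        ("xor", "ebx", "ebx"),               # junk (touches ZF, overwritten below)
        ("sub", "eax", DELTA),
        ("mov", ("mem8", "esi", 0), "eax"),
        ("inc", "esi"),
        ("dec", "ecx"),
        ("jnz", ("idx", 3)),
        ("jmp", ("addr", DATA)),             # transfer into the decrypted layer
    ]
    return mem, decryptor, plain


def unpack_layer(mem, decryptor):
    """Emulate one layer; return its entry address and the bytes it revealed."""
    emu = Emulator(mem)
    entry = emu.run(decryptor)
    lo, hi = min(emu.written), max(emu.written) + 1
    return entry, bytes(mem[lo - BASE:hi - BASE])


if __name__ == "__main__":
    memory, code, _ = build_sample()
    entry, revealed = unpack_layer(memory, code)
    print(f"layer entry {entry:#x}: {revealed!r}")
```

The stop condition is the practical check: once a branch targets an address the loop has stored to, this layer is done and the revealed bytes are disassembled and fed through the same loop for the next layer. The places where this static approach is fragile are exactly the ones the post is asking about: the loop exit depends on faithful flag semantics (here dec sets ZF for the jnz), a decryptor that rewrites its own instructions needs the emulator to re-decode from memory rather than from a fixed instruction list, and a step limit is needed so an unexpected loop does not hang the tool.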