Kayaker
January 5th, 2007, 21:40
As usual, an excellent reversing analysis from our friend Nico. While the details and techniques used are interesting in themselves, the irony (and lameness factor) is particularly amusing.
http://www.websense.com/securitylabs/blog/blog.php?BlogID=102
Quote:
The file was protected with "NTkrnl Secure Suite", a commercial protection system using anti-cracking techniques, polymorphic engines, and other interesting features. I won't provide too many details on how I unpacked the sample because it uses a commercial product, but I feel comfortable talking about the copy-pasted code. The main protection scheme I faced was copy-pasted from my Honeynet Scan of the Month 33 Challenge. The breakpoint detection was 100% identical, even the numbers I had generated randomly. More importantly, the technique I had written based on SEH + cpuid/rdtsc was also copied. The only difference was that they used the EDX register to compare the timing. Copy-pasting protection code without even changing it a little provides no security at all and allowed me to unpack it even quicker. (Gotta love looking at code you wrote 2 years ago.)
'Tis a shame when one's fine work is used for such a twisted end.

K.
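The quoted write-up describes the copied anti-debug check as a pair of rdtsc reads with a cpuid in between, with the delta compared in EDX. From the analyst's side, the quickest way to spot that pattern in a dump is to look for two `rdtsc` opcodes (`0F 31`) close together with a `cpuid` (`0F A2`) between them. The scanner below is an added example written for this post, not code from Nico's analysis or from the challenge; the sample byte string is constructed by hand to resemble such a check and is not taken from the malware discussed.

```python
"""Flag candidate rdtsc/cpuid timing checks in raw x86 code bytes.

Added example for this thread (not the original author's code). It only
matches opcode bytes, so it can false-positive on data that happens to
contain 0F 31 / 0F A2; treat hits as places to look, not as proof.
"""

RDTSC = b"\x0f\x31"  # x86 rdtsc opcode
CPUID = b"\x0f\xa2"  # x86 cpuid opcode (serialising, often placed between the reads)


def find_all(blob: bytes, pat: bytes) -> list[int]:
    """Return every offset at which `pat` occurs in `blob` (overlaps allowed)."""
    hits, i = [], blob.find(pat)
    while i != -1:
        hits.append(i)
        i = blob.find(pat, i + 1)
    return hits


def find_timing_checks(blob: bytes, window: int = 64) -> list[tuple[int, int, bool]]:
    """Return (first_rdtsc, second_rdtsc, cpuid_between) for each pair of
    consecutive rdtsc instructions that lie within `window` bytes of each other.
    `cpuid_between` is True when a cpuid sits between the two reads, which is
    the shape of the SEH + cpuid/rdtsc check the post refers to."""
    rd = find_all(blob, RDTSC)
    cp = find_all(blob, CPUID)
    hits = []
    for a, b in zip(rd, rd[1:]):
        if b - a <= window:
            hits.append((a, b, any(a < c < b for c in cp)))
    return hits


# Constructed sample (hypothetical, hand-assembled 32-bit x86):
#   push ebp; mov ebp,esp; rdtsc; mov esi,edx; cpuid; rdtsc;
#   sub edx,esi; cmp edx,0x1000; ret
SAMPLE = bytes.fromhex(
    "5589e5"        # push ebp; mov ebp, esp        (offsets 0-2)
    "0f31"          # rdtsc                         (offset 3)
    "89d6"          # mov esi, edx  (save high half) (offset 5)
    "0fa2"          # cpuid                         (offset 7)
    "0f31"          # rdtsc                         (offset 9)
    "29f2"          # sub edx, esi                  (offset 11)
    "81fa00100000"  # cmp edx, 0x1000  (threshold)  (offset 13)
    "c3"            # ret                           (offset 19)
)

# Constructed control: same length, no rdtsc at all.
CLEAN = bytes.fromhex("5589e5" "31c0" "40" "c3")


def demo() -> list[tuple[int, int, bool]]:
    """Run the scanner over the constructed sample and report hits."""
    hits = find_timing_checks(SAMPLE)
    for a, b, serialised in hits:
        print(f"rdtsc pair at 0x{a:x}/0x{b:x}, cpuid between: {serialised}")
    return hits


if __name__ == "__main__":
    demo()
```

In practice you would run `find_timing_checks` over each executable section of the unpacked image rather than the whole file, and follow up on hits by looking at what the code does with EDX (or EAX) after the second read, since that is where the threshold comparison the post mentions would live.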