The Art of Unpacking
by Mark Vincent Yason
Abstract: Unpacking is an art—it is a mental challenge and is one of the most exciting mind
games in the reverse engineering field. In some cases, the reverser needs to know the
internals of the operating system in order to identify or solve very difficult anti-reversing tricks
employed by packers/protectors, patience and cleverness are also major factors in a
successful unpack. This challenge involves researchers creating the packers and on the other
side, the researchers that are determined to bypass these protections.
The main purpose of this paper is to present anti-reversing techniques employed by
executable packers/protectors and also discusses techniques and publicly available tools that
can be used to bypass or disable this protections. This information will allow researchers,
especially, malcode analysts to identify these techniques when utilized by packed malicious
code, and then be able decide the next move when these anti-reversing techniques impede
successful analysis. As a secondary purpose, the information presented can also be used by
researchers that are planning to add some level of protection in their software by slowing
down reversers from analyzing their protected code, but of course, nothing will stop a skilled,
informed, and determined reverser.
Scylla – x64/x86 Imports Reconstruction
ImpREC, CHimpREC, Imports Fixer… this are all great tools to rebuild an import table,
but they all have some major disadvantages, so I decided to create my own tool for this job.
对于64位的可执行程序已经搞了好长一段时间了，但是却一直没有写点什么东西。前面的两篇文章仅仅是单纯的翻译，个人认为不管是32位还是64位的程序脱壳只要能到达程序的OEP就可以了。现在支持64位加壳的程序貌似也不多，这里以mpress压缩的64位系统下的64位notepad为例进行简单的演示。在《IDA + Bochs 调试器插件进行PE+ 格式DLL脱壳 》一问中提到了可以使用bochs调试器进行DLL文件脱壳。但是却没有办法进行64位EXE文件调试，启动调试之后由于代码完全识别错误，因为会出现异常导致无法调试。要想调试64位可执行程序目前只有通过远程调试的方式，使用Windbg插件同样是无法进行调试的。但是用windbg调试时将会提示如图1所示的信息：