OpenRCE Article Comments: Reversing HDSpoof - A Tutorial

Article Abstract

How often have you thought about what happens under the covers when you launch an executable on your Windows system? In these days of malicious activity (viruses, worms, spyware) caused by seemingly innocent programs and attachments, the question becomes more pressing and important. If you are confident that you could debug (reverse-engineer) a suspicious program if needed, what happens when you encounter a program that was specifically created to frustrate and defeat your analysis attempts? Should you persevere in such a circumstance, you should be aware ahead of time of some of the tricks and traps that can be employed in an attempt to thwart your best intentions. This article introduces some of these and, perhaps, will fire your own curiosity on topics such as code obfuscation, protection and anti-reverse-engineering.


Article Comments
OpsMan Posted: Tuesday, August 2 2005 21:38.41 CDT
  Wow! What a wild ride. Thanks for posting this exciting piece. Has to be a Charles Dickens of RCE tutorials.

nico Posted: Wednesday, August 3 2005 00:09.34 CDT
Hi,

Nice article.
Looks like those people have read my paper, Anti Reverse Engineering Uncovered: I selected some values randomly in the headers, and they picked the EXACT same ones to mess with SoftICE (see my vuln report in the article) and OllyDbg.

They just copy-pasted my work, heh:

http://honeynet.org/scans/scan33/
lots of write-ups, and my official one:

http://honeynet.org/scans/scan33/nico/index.html

They use my RDTSC trick with the BPM cleaning stuff as well.
The headers thingy is the best proof though: I picked one of those numbers randomly, and the other one was tied to my binary, to get SoftICE to crash.
Fun :)

Well, it seems to me they took most of my work and used it in their program :)

Cheers,

Nico

anonymouse Posted: Wednesday, August 3 2005 09:45.48 CDT
Wow, pretty excellent write-up; a pretty exhaustive and informative article.

I would just like to point out one little feature of OllyDbg which comes in handy for such obfuscated code: its run trace feature. Hit Ctrl+F11 and the deobfuscated listing (the actual execution path that was taken) just shows up, including register values, and you can even navigate the path backwards.

I simply ripped the opcodes from your Listing 2, binary-pasted them into OllyDbg and ran the run trace, and I am pasting the run trace list here. As you can see, one can just see the JBE or SUB EAX,[ESP] and CMP EAX,0xFFF.


Address  Thread   Command           ; Registers and comments
00401007 Main     JMP SHORT 00401003
00401003 Main     JMP SHORT 00401009
00401009 Main     CALL 00401018
00401018 Main     CALL 0040100F
0040100F Main     JMP SHORT 0040101D
0040101D Main     ADD ESP,8
00401020 Main     JE SHORT 00401026
00401022 Main     JNZ SHORT 00401026
00401026 Main     JMP SHORT 00401029
00401029 Main     CALL 00401038
00401038 Main     CALL 0040102F
0040102F Main     JMP SHORT 0040103D
0040103D Main     ADD ESP,8
00401040 Main     JE SHORT 00401046
00401042 Main     JNZ SHORT 00401046
00401046 Main     JMP SHORT 00401049
00401049 Main     PUSH EAX
0040104A Main     CALL 00401051
00401051 Main     POP EAX                 ; EAX=0040104F
00401052 Main     IMUL EAX,EAX,3          ; EAX=00C030ED
00401055 Main     CALL 0040105C
0040105C Main     ADD ESP,4
0040105F Main     POP EAX                 ; EAX=00000000
00401060 Main     JE SHORT 00401066
00401062 Main     JNZ SHORT 00401066
00401066 Main     JMP SHORT 00401069
00401069 Main     RDTSC         ; EAX=8AD0BE24, EDX=000053DA
0040106B Main     PUSH EAX
0040106C Main     RDTSC         ; EAX=8ADA1B18
0040106E Main     CALL 0040107D
0040107D Main     CALL 00401074
00401074 Main     JMP SHORT 00401082
00401082 Main     ADD ESP,8
00401085 Main     SUB EAX,[ESP]        ; EAX=00095CF4
00401088 Main     JE SHORT 0040108E
0040108A Main     JNZ SHORT 0040108E
0040108E Main     JMP SHORT 00401091
00401091 Main     ADD ESP,4
00401094 Main     CALL 004010A3
004010A3 Main     CALL 0040109A
0040109A Main     JMP SHORT 004010A8
004010A8 Main     ADD ESP,8
004010AB Main     CMP EAX,0FFF
004010B0 Main     JMP SHORT 004010B3
004010B3 Main     JMP SHORT 004010B7
004010B7 Main     JMP SHORT 004010BA
004010BA Main     JBE SHORT 004010D7
004010BC Main     JMP SHORT 004010BF
004010BF Main     JMP SHORT 004010C3
004010C3 Main     JMP SHORT 004010C6
004010C6 Main     INT3
    INT3 command at smidge.004010C6
End of session
:thumbsup: for taking the time to write such clear articles.
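
To make the run-trace point above concrete, here is an added Python example (not the commenter's code and not part of OllyDbg) that parses a listing in the format shown, strips the JMP and JE/JNZ noise to recover the effective path, and reads back the RDTSC timing check (two stamps, SUB EAX,[ESP], CMP EAX,0FFF, JBE) to show why the trace ends at INT3. The sample input is constructed from the lines above, and the column layout it assumes is the one the listing displays.

```python
import re
# Constructed sample in the OllyDbg run-trace format quoted above (addr, thread, command, "; REG=val").
SAMPLE_TRACE = """\
00401069 Main     RDTSC         ; EAX=8AD0BE24, EDX=000053DA
0040106B Main     PUSH EAX
0040106C Main     RDTSC         ; EAX=8ADA1B18
00401074 Main     JMP SHORT 00401082
00401085 Main     SUB EAX,[ESP]        ; EAX=00095CF4
00401088 Main     JE SHORT 0040108E
0040108A Main     JNZ SHORT 0040108E
004010AB Main     CMP EAX,0FFF
004010BA Main     JBE SHORT 004010D7
004010C6 Main     INT3
"""
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+\S+\s+(.*?)\s*(?:;\s*(.*))?$")

def parse_trace(text):
    """One dict per executed instruction: addr, mnemonic, operands, regs (from the ; annotation)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # column header, "End of session", blank lines
            continue
        addr, cmd, note = m.groups()
        mnem, _, ops = cmd.partition(" ")
        regs = {k.strip(): int(v, 16) for k, _, v in
                (item.partition("=") for item in (note or "").split(",")) if v}
        rows.append({"addr": int(addr, 16), "mnemonic": mnem, "operands": ops.strip(), "regs": regs})
    return rows

def effective_path(rows):
    """Drop the noise: unconditional JMPs, and JE/JNZ pairs to one target (together an unconditional jump)."""
    out, i = [], 0
    while i < len(rows):
        r, nxt = rows[i], (rows[i + 1] if i + 1 < len(rows) else None)
        pair = r["mnemonic"] == "JE" and nxt is not None and nxt["mnemonic"] == "JNZ" and nxt["operands"] == r["operands"]
        if not pair and r["mnemonic"] != "JMP":
            out.append(r)
        i += 2 if pair else 1
    return out

def find_rdtsc_check(rows):
    """RDTSC, RDTSC, SUB, CMP EAX,imm, JBE: measured delta vs. threshold (JBE taken only if delta <= threshold)."""
    stamps = [r["regs"].get("EAX") for r in rows if r["mnemonic"] == "RDTSC"]
    cmps = [r for r in rows if r["mnemonic"] == "CMP" and r["operands"].startswith("EAX,")]
    if len(stamps) < 2 or None in stamps[:2] or not cmps:
        return None
    delta = (stamps[1] - stamps[0]) & 0xFFFFFFFF  # low 32 bits, exactly what SUB EAX,[ESP] computed
    threshold = int(cmps[0]["operands"].split(",", 1)[1], 16)
    # Tracing inflates the delta far past 0xFFF, so JBE falls through and the INT3 is reached.
    return {"delta": delta, "threshold": threshold, "detected": delta > threshold}
```

The recomputed delta equals the EAX value OllyDbg annotated on the SUB line, which is a quick way to confirm the parser read the stamps correctly.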

HiPPiEkiLLeR Posted: Sunday, August 14 2005 17:32.32 CDT
Good article, however this bit:
---------
PID: 0x574 TID: 0x9CC %s%s

Not much interesting happening here except perhaps some leftover debugging code.
--------

OutputDebugStringA("%s%s") is code to crash OllyDbg, not leftover code... :)

Vex Posted: Wednesday, August 31 2005 21:19.58 CDT
Wicked

GAMerritt Posted: Thursday, November 18 2010 10:34.16 CST
Why hasn't anyone commented on this incredible article for five years?
