Defeating HyperUnpackMe2 With an IDA Processor Module
By secgeeks - Posted on June 30th, 2007
91
vote
This article is about breaking modern executable protectors. The target, a crackme known as HyperUnpackMe2, is modern in the sense that it does not follow the standard packer model of yesteryear wherein the contents of the executable in memory, minus the import information, are eventually restored to their original forms.
Modern protectors mutilate the original code section, use virtual machines operating upon polymorphic bytecode languages to slow reverse engineering, and take active measures to frustrate attempts to dump the process. Meanwhile, the complexity of the import protections and the amount of anti-debugging measures has steadily increased.
This article dissects such a protector and offers a static unpacker through the use of an IDA processor module and a custom plugin. The commented IDB files and the processor module source code are included. In addition, an appendix covers IDA processor module construction. In short, this article is an exercise in overkill.
NOTE: all code snippets beginning with "ROM:" come from the disassembled VM code; all other snippets come from the protected binary.
Bookmark/Search this post with:
Recent comments
11 weeks 3 days ago
1 year 2 weeks ago
1 year 3 weeks ago
1 year 5 weeks ago
1 year 5 weeks ago
1 year 5 weeks ago
1 year 5 weeks ago
1 year 11 weeks ago
1 year 19 weeks ago
1 year 21 weeks ago