Thursday, August 23, 2007

Defeating packers

I was reversing packed software when I saw an easy way to defeat it: tracing whether eip is outside a range.

When a packer extracts the code to a newly mapped layout, there is a moment when the execution flow is redirected to this code. We cannot put breakpoints there because the memory is not mapped yet, and we cannot see the jump to the address because it looks like: call [eax+0CFh]

It is not possible to know which value eax will take and which address this indirect memory access will resolve to.

But there is a very easy way to stop the execution when the call is taken: an eip range trace.

If you use olly, press ^T (trace until condition) and enter the address range of the current module as the condition for eip.
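The same stop condition, as an added example that is not from the original post or from OllyDbg/radare, checked offline in Python against a constructed single-step trace and memory map (all addresses, region names and the trace are made up). It also shows why no breakpoint could have been set on the destination before the stub allocated it, and why hops into system DLLs have to be ignored or the trace stops at the stub's first API call.

```python
# Constructed values only: module range, memory maps and EIP trace are made up.
MODULE_LO, MODULE_HI = 0x00401000, 0x0040A000  # packer stub's code range

# Memory map as the debugger shows it AFTER the stub has allocated and
# written the region that receives the unpacked code.
MEMORY_MAP_AFTER = """
00400000-00401000 packed.exe PE header
00401000-0040A000 packed.exe .text (packer stub)
0040A000-00410000 packed.exe .rsrc
00B20000-00B60000 private region allocated at runtime (unpacked code)
7C800000-7C900000 kernel32.dll
"""
# Same map BEFORE the allocation: the destination does not exist yet,
# so a breakpoint cannot be placed on it in advance.
MEMORY_MAP_BEFORE = "\n".join(l for l in MEMORY_MAP_AFTER.splitlines() if "00B20000" not in l)

# Single-step EIP trace: the stub loops in .text, calls into kernel32 once
# (e.g. to allocate memory), then the indirect call lands in the new region.
EIP_TRACE = [0x00401000, 0x00401005, 0x7C801D7B, 0x7C801D80, 0x0040100A,
             0x00401200, 0x00401203, 0x0040100A, 0x00401200, 0x00401210,
             0x00B20000, 0x00B20003]

def parse_map(text):
    """Parse 'start-end name' lines into (start, end, name) tuples."""
    regions = []
    for line in text.strip().splitlines():
        addrs, name = line.split(None, 1)
        lo, hi = (int(x, 16) for x in addrs.split("-"))
        regions.append((lo, hi, name.strip()))
    return regions

def region_of(addr, regions):
    """Name of the mapped region containing addr, or None if unmapped."""
    for lo, hi, name in regions:
        if lo <= addr < hi:
            return name
    return None

def first_eip_outside(trace, lo, hi, regions, skip_dlls=True):
    """Olly's 'trace until EIP is outside range' condition over a trace.
    Returns (step, eip, region) for the first EIP outside [lo, hi); with
    skip_dlls=True, hops into *.dll regions are ignored."""
    for step, eip in enumerate(trace):
        if lo <= eip < hi:
            continue
        region = region_of(eip, regions)
        if skip_dlls and region and region.endswith(".dll"):
            continue
        return step, eip, region
    return None
```

With skip_dlls=False the trace stops at step 2 inside kernel32.dll instead of at the unpacked code, which is the same thing that happens in olly if tracing into system DLLs is not disabled.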

In ancient times, Spectrum hackers could not do this kind of thing :)

In the Linux world there are no OllyDbg-like debuggers :( but I think radare will be the future: