Archive for March, 2012

Author : Deathway (Lo*eXeTools*rd)

This tool helps convert VirtualOpcodes -> Assembly Instructions, restoring the original code of your virtualized application. The basic engine was taken from CodeUnvirtualizer, my other tool.

– Supports WinLicense/Themida/CodeVirtualizer CISC machines
– Supports almost all common opcodes
– Supports MultiBranch Tech

– Right-click on the jump leading to the Virtual Machine Area and press Unvirtualize (if the machine isn’t found you have to click again, after checking that the full machine was correctly deobfuscated)

– Fixed Unvirtualize with Jump on CISC machines
– Fixed some errors when handling signed constants on RISC
– Fixed an issue when processing the MOVS instruction on CISC machines
– Fixed some data inversion when processing COMM REGX,REGX (e.g. XOR EDI,ESI was decoded as XOR ESI,EDI)
– Fixed a problem when handling the AH, CH, DH and BH registers in COMM2 instructions
– Added MOVSX, MOVZX, XCHG, IMUL, MUL, DIV, IDIV, PUSHFD and POPFD instructions on RISC
– Added CALL [ESP+IMMC] on CISC machines
– Added support for dump files on RISC machines
– OreansAssember_Risc.cfg updated
– DLL support on CISC and RISC machines

There is a fix regarding RISC machines: if you unvirtualized the opcodes, there is a high chance that you obtained the inverted form of COMM REGX,REGX opcodes (e.g. XOR EDI,ESI was decoded as XOR ESI,EDI). This error is fixed in the latest version.

DLL support is now available; however, RISC machines must be initialized first (not a problem, since RISC machines are always encrypted).

On both machines, it is recommended to run the devirtualization once EIP reaches the OEP.

Thanks Deathway for sharing his plugin.

Download here:

The Fundamentals
Learn the fundamentals of Binary Auditing. Know how HLL mapping works, get more inner file understanding than ever.

Copy Protection Games
Try to solve brain teasing puzzles with our collection of copy protection games. Increasing difficulty and unseen strange tricks.

Vulnerability Analysis
Learn how to find and analyse software vulnerabilities. Dig inside buffer overflows and learn how exploits can be prevented.

Malware Analysis
Start to analyse your first viruses and malware the safe way. Learn about simple tricks and what viruses look like, using real-life examples.

Content Overview
The training package includes all necessary files to run a complete lecture for Binary Auditing and Reverse Code Engineering at university. All files are well sorted by topics and with increasing difficulty. You need Windows XP, Windows Vista or Windows 7 to use this training package. The training package does NOT include runnable viruses!
What is inside… (Topic: Files)
– IDA Pro 5.0 (Free): 1
– HLL Mapping 1 (NOT for training, only as reference!): 98
– HLL Mapping 2 (Start here and convert them to C): 31
– Manual Decompilation (Simple exercises): 10
– Algorithm Analysis 1 (Simple math exercises): 3
– Algorithm Analysis 2 (Simple math exercises): 6
– Crash Auditing (more complicated, why crashing?): 10
– File Understanding (Simple to hard Reversemes): 31
– Copy Protection Auditing (Simple to very hard): 47
– Unpacking (Simple exercises): 3
– Vulnerability Auditing (Simple to intermediate): 38
– Malware Auditing 1 (Simple old .com/.exe exercises): 41
– Malware Auditing 2 (Some fakes for analysis): 4
– Malware Auditing 3 (Simple win32 analysis)
– Total: 324

Download here:

Pass: fdcd2ff4c2180329053650f3075d39f4

IDA Pro Book, 2nd Edition

Posted: March 3, 2012 in IDA Pro Book

The Unofficial Guide to the World’s Most Popular Disassembler
by Chris Eagle

No source code? No problem. With IDA Pro, the interactive disassembler, you live in a source code-optional world. IDA can automatically analyze the millions of opcodes that make up an executable and present you with a disassembly. But at that point, your work is just beginning. With The IDA Pro Book, you’ll learn how to turn that mountain of mnemonics into something you can actually use.

Save time and effort as you learn to:

  • Navigate, comment, and modify disassembly
  • Identify known library routines, so you can focus your analysis on other areas of the code
  • Use code graphing to quickly make sense of cross references and function calls
  • Extend IDA to support new processors and filetypes using the SDK
  • Explore popular plug-ins that make writing IDA scripts easier, allow collaborative reverse engineering, and much more
  • Use IDA’s built-in debugger to tackle hostile and obfuscated code

Table of Contents

PART I: Introduction to IDA
Chapter 1: Introduction to Disassembly
Chapter 2: Reversing and Disassembly Tools
Chapter 3: IDA Pro Background

PART II: Basic IDA Usage
Chapter 4: Getting Started with IDA
Chapter 5: IDA Data Displays
Chapter 6: Disassembly Navigation
Chapter 7: Disassembly Manipulation
Chapter 8: Datatypes and Data Structures
Chapter 9: Cross-References and Graphing
Chapter 10: The Many Faces of IDA

PART III: Advanced IDA Usage
Chapter 11: Customizing IDA
Chapter 12: Library Recognition Using FLIRT Signatures
Chapter 13: Extending IDA’s Knowledge
Chapter 14: Patching Binaries and Other IDA Limitations

PART IV: Extending IDA’s Capabilities
Chapter 15: IDA Scripting
Chapter 16: The IDA Software Development Kit
Chapter 17: The IDA Plug-in Architecture
Chapter 18: Binary Files and IDA Loader Modules
Chapter 19: IDA Processor Modules

PART V: Real-World Applications
Chapter 20: Compiler Personalities
Chapter 21: Obfuscated Code Analysis
Chapter 22: Vulnerability Analysis
Chapter 23: Real-World IDA Plug-ins

PART VI: The IDA Debugger
Chapter 24: The IDA Debugger
Chapter 25: Disassembler/Debugger Integration
Chapter 26: Additional Debugger Features

Appendix A: Using IDA Freeware 5.0
Appendix B: IDC/SDK Cross-Reference

Download link: (Full set, including the pdf, mobi and epub formats)

Posted: March 3, 2012 in Stud_PE

Stud_PE, the Portable Executables Viewer/Editor (32/64-bit PE files):
– view/edit PE basic header information (DOS also):
  – header structures to hexeditor;
– view/edit Section Table:
  – add new section;
– view/edit Directory Table:
  – Import/Export Table viewer;
  – Import adder;
  – Resource viewer/editor (save/replace ico/cur/bmp);
– PE Scanner (PEiD sig database):
  – 400 packers/protectors/compilers;
– Task viewer/dumper/killer;
– PEHeader/Binary file compare;
– RVA to RAW to RVA;
– Drag’n’Drop shell menu integration;
– Basic HexEditor;
– Process regions’ dumper/viewer/editor;

27 feb 2012
– switched the project from VC6 to VC8; just for your information, about 60 errors and 600 warnings after project conversion; take care, those secure CRT fixups drove me crazy, errors may have slipped through :); if so, please report and I’ll try to fix them;
– unfortunately VC8 breaks the Win95 compatibility (shlwapi.dll appears in the imports due to MFC AddToRecentFileList, which links that DLL, not known to the Win95 OS; also IsDebuggerPresent is not present in Win95 but is linked by VC8 … and who knows which other functions);
– fixed a GPF reported on program exit;
… more inside nfo.txt

Download here: