Archive for March, 2012


Author : Deathway (Lo*eXeTools*rd)

This tool helps convert VirtualOpcodes -> Assembly Instructions, restoring the original code of your virtualized application; the basic engine
was from CodeUnvirtualizer, my other tool.

[Features]
– Supports WinLicense/Themida/CodeVirtualizer Cisc Machines
– Supports almost all common opcodes
– Supports CHECK_MACRO_PROTECTION
– Supports MultiBranch Tech

[Use]
– Right-click on the jump leading to the Virtual Machine area and press Unvirtualize (if the machine isn't found you have to click again, after checking that the full machine was correctly deobfuscated)

[v1.5]
– Fixed Unvirtualize with Jump on CISC machines
– Fixed some errors when handling signed constants on RISC
– Fixed an issue when processing the MOVS instruction on CISC machines
– Fixed some inversion data when processing COMM, REGX, REGX (like XOR EDI,ESI was decoded as XOR ESI,EDI)
– Fixed a problem when handling AH CH DH BH registers on COMM2 instructions
– Added MOVSX – MOVZX – XCHG – IMUL – MUL – DIV – IDIV – PUSHFD – POPFD instructions on RISC
– Added CALL [ESP+IMMC] on Cisc Machine
– Added support of dump files on RISC machines
– OreansAssember_Risc.cfg updated
– DLL Support on CISC and RISC machines

There is a fix regarding RISC machines: if you unvirtualized the opcodes, there is a high chance that you obtained the inverted form of these opcodes, COMM REGX,REGX (like XOR EDI,ESI being decoded as XOR ESI,EDI). This error is fixed in the latest version.

DLL support is now available; however, RISC machines must be initialized first (not a problem, since RISC machines are always encrypted).

On both machines, it is recommended to devirtualize once EIP reaches the OEP.

Thanks Deathway for sharing his plugin.

Download here:

http://www.mediafire.com/download.php?o627wzdrv35fbzw


sysinternals

Download here:

http://download.sysinternals.com/Files/SysinternalsMalwareCleaning.pdf


The Fundamentals
Learn the fundamentals of Binary Auditing. Learn how HLL mapping works and gain a deeper understanding of file internals than ever before.

Copy Protection Games
Try to solve brain-teasing puzzles with our collection of copy protection games, with increasing difficulty and strange tricks you have not seen before.

Vulnerability Analysis
Learn how to find and analyse software vulnerabilities. Dig into buffer overflows and learn how exploits can be prevented.

Malware Analysis
Start analysing your first viruses and malware the safe way. Learn simple tricks and what viruses look like, using real-life examples.

Content Overview
The training package includes all necessary files to run a complete lecture for Binary Auditing and Reverse Code Engineering at university. All files are well sorted by topics and with increasing difficulty. You need Windows XP, Windows Vista or Windows 7 to use this training package. The training package does NOT include runnable viruses!
What is inside…

Topic                                                   Files
IDA Pro 5.0 (Free)                                          1
HLL Mapping 1 (NOT for training, only as reference!)       98
HLL Mapping 2 (Start here and convert them to C)           31
Manual Decompilation (Simple exercises)                    10
Algorithm Analysis 1 (Simple math exercises)                3
Algorithm Analysis 2 (Simple math exercises)                6
Crash Auditing (more complicated, why crashing?)           10
File Understanding (Simple to hard Reversemes)             31
Copy Protection Auditing (Simple to very hard)             47
Unpacking (Simple exercises)                                3
Vulnerability Auditing (Simple to intermediate)            38
Malware Auditing 1 (Simple old .com/.exe exercises)        41
Malware Auditing 2 (Some fakes for analysis)                4
Malware Auditing 3 (Simple win32 analysis)
Total                                                     324

Download here:

www.binary-auditing.com/binary-auditing-training-package.zip

Pass: fdcd2ff4c2180329053650f3075d39f4

Regards

m4n0w4r

IDA Pro Book, 2nd Edition

Posted: March 3, 2012 in IDA Pro Book

The Unofficial Guide to the World’s Most Popular Disassembler
by Chris Eagle

No source code? No problem. With IDA Pro, the interactive disassembler, you live in a source code-optional world. IDA can automatically analyze the millions of opcodes that make up an executable and present you with a disassembly. But at that point, your work is just beginning. With The IDA Pro Book, you’ll learn how to turn that mountain of mnemonics into something you can actually use.

Save time and effort as you learn to:

  • Navigate, comment, and modify disassembly
  • Identify known library routines, so you can focus your analysis on other areas of the code
  • Use code graphing to quickly make sense of cross references and function calls
  • Extend IDA to support new processors and filetypes using the SDK
  • Explore popular plug-ins that make writing IDA scripts easier, allow collaborative reverse engineering, and much more
  • Use IDA’s built-in debugger to tackle hostile and obfuscated code

Table of Contents

Acknowledgments
Introduction

PART I: Introduction to IDA
Chapter 1: Introduction to Disassembly
Chapter 2: Reversing and Disassembly Tools
Chapter 3: IDA Pro Background

PART II: Basic IDA Usage
Chapter 4: Getting Started with IDA
Chapter 5: IDA Data Displays
Chapter 6: Disassembly Navigation
Chapter 7: Disassembly Manipulation
Chapter 8: Datatypes and Data Structures
Chapter 9: Cross-References and Graphing
Chapter 10: The Many Faces of IDA

PART III: Advanced IDA Usage
Chapter 11: Customizing IDA
Chapter 12: Library Recognition Using FLIRT Signatures
Chapter 13: Extending IDA’s Knowledge
Chapter 14: Patching Binaries and Other IDA Limitations

PART IV: Extending IDA’s Capabilities
Chapter 15: IDA Scripting
Chapter 16: The IDA Software Development Kit
Chapter 17: The IDA Plug-in Architecture
Chapter 18: Binary Files and IDA Loader Modules
Chapter 19: IDA Processor Modules

PART V: Real-World Applications
Chapter 20: Compiler Personalities
Chapter 21: Obfuscated Code Analysis
Chapter 22: Vulnerability Analysis
Chapter 23: Real-World IDA Plug-ins

PART VI: The IDA Debugger
Chapter 24: The IDA Debugger
Chapter 25: Disassembler/Debugger Integration
Chapter 26: Additional Debugger Features

Appendix A: Using IDA Freeware 5.0
Appendix B: IDC/SDK Cross-Reference
Index

Download link: (full set, including pdf, mobi and epub formats)

http://www.mediafire.com/?9nw6vmnmjltl39n

Stud_PE 2.6.0.6

Posted: March 3, 2012 in Stud_PE 2.6.0.6

Stud_PE The Portable Executables Viewer/Editor (32/64 bit PE files)
view/edit PE basic header information (DOS also):
  - header structures to hexeditor;
view/edit Section Table:
  - add new section;
view/edit Directory Table:
  - Import/Export Table viewer;
  - Import adder;
  - Resource viewer/editor (save/replace ico/cur/bmp);
PE Scanner (PEiD sig database):
  - 400 packers/protectors/compilers;
Task viewer/dumper/killer;
PEHeader/Binary file compare;
RVA to RAW to RVA;
Drag'n'Drop shell menu integration;
Basic HexEditor;
Process regions' dumper/viewer/editor;
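Two of the features above, the RVA to RAW to RVA conversion and the entry-point lookup that a PEiD-style signature scan starts from, come down to one walk of the PE section table. The following is an added example in Python, not Stud_PE's own code (Stud_PE is a C++ project); the PE image it parses is constructed inline and is not a real program, and all function names are this example's own.

```python
"""RVA <-> file offset mapping via the PE section table (added example).

Parses DOS header -> NT headers -> section table with the struct module only,
maps RVAs to raw file offsets and back, and reads the bytes at
AddressOfEntryPoint (the input of a PEiD-style signature scan).
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0"
SECTION_HEADER_SIZE = 40         # sizeof(IMAGE_SECTION_HEADER)


def parse_sections(data):
    """Return (AddressOfEntryPoint, sections); each section is a tuple
    (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes) follows the signature; we only need
    # NumberOfSections and SizeOfOptionalHeader from it.
    num_sections, size_opt = struct.unpack_from("<xxH12xH2x", data, e_lfanew + 4)
    opt = e_lfanew + 24                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%X" % magic)
    # AddressOfEntryPoint sits at +16 in both PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    table = opt + size_opt                    # section table follows the optional header
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize))
    return entry_rva, sections


def rva_to_raw(rva, sections):
    """RVA -> file offset. RVAs below the first section are header bytes and
    map 1:1. Returns None when the RVA has no bytes in the file (an
    uninitialised section such as .bss, or a section's zero-filled tail)."""
    for _, va, vsize, rptr, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            delta = rva - va
            return rptr + delta if delta < rsize else None
    if sections and rva < min(s[1] for s in sections):
        return rva
    return None


def raw_to_rva(raw, sections):
    """File offset -> RVA, the inverse of rva_to_raw."""
    for _, va, vsize, rptr, rsize in sections:
        if rsize and rptr <= raw < rptr + rsize:
            return va + (raw - rptr)
    first_raw = min((s[3] for s in sections if s[4]), default=None)
    if first_raw is not None and raw < first_raw:
        return raw
    return None


def entry_point_bytes(data, count=8):
    """Bytes at AddressOfEntryPoint, i.e. what a signature scanner matches on."""
    entry_rva, sections = parse_sections(data)
    raw = rva_to_raw(entry_rva, sections)
    if raw is None:
        raise ValueError("entry point RVA 0x%X is not file-backed" % entry_rva)
    return data[raw:raw + count]


def build_sample_pe():
    """Constructed PE32 image for this example (not a real program): one
    file-backed .text section and one .bss section without raw data."""
    code = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3])  # push ebp/mov ebp,esp/xor eax,eax/pop ebp/ret
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, opt hdr 224 bytes
    entry_rva = 0x1010
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 9, 0, 0x200, 0, 0x1000,
                      entry_rva, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    opt = opt.ljust(0xE0, b"\0")              # remaining fields and data directories left zero
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    bss = struct.pack("<8sIIIIIIHHI", b".bss", 0x1000, 0x2000, 0, 0, 0, 0, 0, 0, 0xC0000080)
    headers = (dos + b"PE\0\0" + file_hdr + opt + text + bss).ljust(0x200, b"\0")
    text_data = (b"\xCC" * 0x10 + code).ljust(0x200, b"\xCC")  # code starts 0x10 bytes into .text
    return headers + text_data


if __name__ == "__main__":
    image = build_sample_pe()
    entry_rva, sections = parse_sections(image)
    for name, va, vsize, rptr, rsize in sections:
        print("%-6s VA=0x%05X VSize=0x%05X Raw=0x%05X RawSize=0x%05X" % (name, va, vsize, rptr, rsize))
    raw = rva_to_raw(entry_rva, sections)
    print("EntryPoint RVA 0x%X -> raw 0x%X -> RVA 0x%X" % (entry_rva, raw, raw_to_rva(raw, sections)))
    print("EP bytes:", entry_point_bytes(image, 7).hex())
```

The two cases worth keeping in any converter are visible in the sample image: the mapped span of a section is max(VirtualSize, SizeOfRawData), and an RVA that falls inside a section's virtual span but past its raw data (here anything in .bss) has no file offset at all, so a scanner that blindly does rptr + (rva - va) reads the wrong bytes on packed files where the two sizes differ.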

2.6.0.6 – 27 feb 2012
- switched the project from VC6 to VC8; just for your information, about 60 errors and 600 warnings after project conversion; take care, those secure CRT fixups drove me crazy, errors may have slipped through :); if so, please report and I'll try to fix them;
- unfortunately VC8 breaks the W95 compatibility (shlwapi.dll appears in imports due to MFC AddToRecentFileList, which links that DLL, not known to the W95 OS; also IsDebuggerPresent is not present in W95 but linked by VC8 ... and who knows which other functions);
-fixed a gpf reported on program exit;
…more inside nfo.txt

Download here:

http://www.cgsoftlabs.ro/zip/Stud_PE.zip

Regards


Malware analysis is big business, and attacks can cost a company dearly. When malware breaches your defenses, you need to act quickly to cure current infections and prevent future ones from occurring.

For those who want to stay ahead of the latest malware, Practical Malware Analysis will teach you the tools and techniques used by professional analysts. With this book as your guide, you’ll be able to safely analyze, debug, and disassemble any malicious software that comes your way.

You’ll learn how to:

  • Set up a safe virtual environment to analyze malware
  • Quickly extract network signatures and host-based indicators
  • Use key analysis tools like IDA Pro, OllyDbg, and WinDbg
  • Overcome malware tricks like obfuscation, anti-disassembly, anti-debugging, and anti-virtual machine techniques
  • Use your newfound knowledge of Windows internals for malware analysis
  • Develop a methodology for unpacking malware and get practical experience with five of the most popular packers
  • Analyze special cases of malware with shellcode, C++, and 64-bit code

Table of Contents

Introduction
Chapter 0: Malware Analysis Primer

Part 1: Basic Analysis
Chapter 1: Basic Static Techniques
Chapter 2: Malware Analysis in Virtual Machines
Chapter 3: Basic Dynamic Analysis

Part 2: Advanced Static Analysis
Chapter 4: A Crash Course in x86 Disassembly
Chapter 5: IDA Pro
Chapter 6: Recognizing C Code Constructs in Assembly
Chapter 7: Analyzing Malicious Windows Programs

Part 3: Advanced Dynamic Analysis
Chapter 8: Debugging
Chapter 9: OllyDbg
Chapter 10: Kernel Debugging with WinDbg

Part 4: Malware Functionality
Chapter 11: Malware Behavior
Chapter 12: Covert Malware Launching
Chapter 13: Data Encoding
Chapter 14: Malware-Focused Network Signatures

Part 5: Anti-Reverse-Engineering
Chapter 15: Anti-Disassembly
Chapter 16: Anti-Debugging
Chapter 17: Anti-Virtual Machine Techniques
Chapter 18: Packers and Unpacking

Part 6: Special Topics
Chapter 19: Shellcode Analysis
Chapter 20: C++ Analysis
Chapter 21: 64-Bit Malware

Appendix A: Important Windows Functions
Appendix B: Tools for Malware Analysis
Appendix C: Solutions to Labs

Download here:

http://www.mediafire.com/?tvtp54ls0dozv6b

Best Regards