Defeating ESET1013 – Malware Analyst

Posted: February 11, 2014 in Uncategorized

Author: Julien (jvoisin) Voisin
ESET1023
I stumbled upon joineset.com, and thought this could be a nice pretext to try some reversing under Windows: I had never done any on this platform.

Get the crackme and enjoy!
Part One.
PEiD tells us

UPX 0.89.6 – 1.02 / 1.05 – 2.90 -> Markus & Laszlo [Overlay]

I had already reversed some UPX-packed things on GNU/Linux (yes, it is a multi-platform packer), so it should be easy on Windows. Of course (it would be too easy otherwise), if you try to unpack it using `upx -d`, you get an error:

upx: EsetCrackme2013.exe: CantUnpackException: file is modified/hacked/protected; take care!!!

Either this is a trick, and the packer that was used carries a false signature, or it is a modified version of UPX. I go for the latter: the "Unpacker for UPX" plugin from PEiD manages to unpack it. Yes, it is lame, but I would rather spend time on interesting things.
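As an added example (not from the original post, and not PEiD's or UPX's own code), here is a small Python triage script that does the two checks behind the situation above: it parses the PE/COFF section table for the section names stock UPX writes (UPX0/UPX1), and it scans for the `UPX!` pack-header marker that stock UPX leaves in the file and that its own unpacker relies on. The PE images it runs on are constructed inline and are not the crackme; the section-name list is a heuristic chosen here. A sample whose sections still say UPX but whose pack header has been altered is exactly the case where a signature scanner reports UPX while `upx -d` refuses to unpack.

```python
import struct

# Section names stock UPX writes. Heuristic only: a modified packer can rename them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}
# Magic at the start of the pack header that stock UPX embeds; its unpacker looks for it.
UPX_PACKHEADER_MAGIC = b"UPX!"


def section_names(pe_bytes: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table, return names."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe_bytes, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe_bytes, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        raw = pe_bytes[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names


def triage(pe_bytes: bytes) -> dict:
    """Report what a signature scanner sees (section names) and what upx -d needs (marker)."""
    names = section_names(pe_bytes)
    return {
        "sections": names,
        "upx_sections": any(n.encode("latin-1") in UPX_SECTION_NAMES for n in names),
        "upx_packheader": UPX_PACKHEADER_MAGIC in pe_bytes,
    }


def build_sample(names, with_packheader: bool) -> bytes:
    """Construct a minimal, non-runnable PE32 image with the given section names (test data)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew -> offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x102)
    opt = b"\x0b\x01" + b"\0" * 222  # PE32 magic, rest zeroed
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    tail = (b"\0" * 16 + UPX_PACKHEADER_MAGIC + b"\0" * 16) if with_packheader else b"\0" * 36
    return dos + b"PE\0\0" + coff + opt + sections + tail


if __name__ == "__main__":
    stock = build_sample([b"UPX0", b"UPX1", b".rsrc"], with_packheader=True)
    patched = build_sample([b"UPX0", b"UPX1", b".rsrc"], with_packheader=False)
    print("stock UPX layout:", triage(stock))
    print("marker patched out:", triage(patched))
```

Run it against a real file with `triage(open(path, "rb").read())`. When `upx_sections` is true but `upx_packheader` is false, expect the stock tool to bail out as in the error above and reach for a generic unpacker or a manual dump instead.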

If you open the unpacked.exe binary, you will see a classic function prologue and a short loop that pushes some zeros, followed by some crap and a mega-shitload of mov instructions. It prints the introduction text, and then it does some classic anti-debugging stuff.

Full article here: http://dustri.org/b/defeating-eset1013-malware-analyst.html

Regards,
