Reverse engineering software protections

Attendees will receive hands-on experience working with the tools designed to do static and dynamic analysis of the PECOFF file format and formats derived from it covering both x86 and x64 platforms.

Instructors: Tomislav Pericin and Nicolas Brulez
Dates: 6-7 July 2011
Availability: 20 Seats

Day 1: Inside the PECOFF file format

During the first day of the training we will focus on reviewing the PECOFF file format and examining its aspects to determine the structures and tables most commonly compressed and protected by PE modifiers. General memory models used by all known PE format modifiers will be described based upon which software compressions will be classified into groups. Key features of crypters, packers and protectors will be analyzed on real world samples and the most representative formats will be manually unpacked.

PE file format properties obscured by the format modifier will be discussed. These properties include import, export, resource, relocation and tls tables and the ways that PE modifiers transform them from standard PECOFF to packer specific formats. By applying reverse engineering techniques we will decipher these internal packer specific formats and restore them to their original state. In addition to this attendees will learn how to reverse engineer custom compression and encryption algorithms and implement them in their code in order to produce fully functional format unpackers. Special attention will be given to static unpacker coding layout and the benefits of using TitanEngine to minimize the time it takes to create an unpacker.

Attendees will learn how to identify and reverse engineer key PE file format modifier sections. Single PE packer format that supports x86/x64/.net packing will be inspected in detail for which static unpacker will be coded.

Day 2: Inside the nightmares of file analysis

During the second day of the training we will focus on analyzing and unpacking complex software protections. Special attention will be given to methods used to harden against format reverse engineering and prevent unpacking. We will describe common protection techniques utilized by both legitimate software protectors and those specifically designed for use in malware. We will then use information to show coding techniques needed for such complex static unpackers and ways to counter all the tricks used to harden detection, analysis and unpacking.

Single PE protection format will be inspected in detail for which dynamic and/or static unpackers will be coded.

Class Requirements

Very basic knowledge of C/C++ or any other programming language.
Very basic understanding of assembly, debugging and Windows internals.
OllyDBG 1.10 and IDA Pro 5 (free version will be sufficient).
Microsoft Visual Studio 2008 (express will be sufficient).
Additional tools and scripts will be provided by the instrutor.

More information here.