Newsroom

TitanGuard, protecting your PDF world
Blog | January 11, 2010

Recently we have seen an increase in malware attacks targeting multimedia formats. One of the formats targeted recently is PDF, a popular document format. The latest and still unpatched exploit targeting this format, CVE-2009-4324, is particularly dangerous because it allows malicious content to be downloaded and executed on the affected system, or, if that fails, causes a denial of service.

Attacking the cipher
Blog | January 4, 2010

Not too long ago we dedicated a blog post to removing executable password protections. In that post we said that we would eventually return to this topic to deal with a much harder opponent. Well, today is that day. This time we take a look at an executable password protection named PEPasswordEncryptor.

TitanEngine 2.0.3 and GUI for unpackers
Blog | January 1, 2010

In our previous blog we showed a short video that demonstrates the usage of the new LUA SDK. Since then we decided that console unpackers are very boring, so we included a new function in TitanEngine which enables creation of a simple unpacker GUI that makes your script unpackers a little more user friendly. With this YouTube video we welcome you to 2010. ReversingLabs will be back on Monday with more reverse engineering stories just for you. Catch us next time...

Lockpicking tELock
Blog | December 28, 2009

Today's blog post puts TitanEngine to the test, and it's a good way to end this year's series of blog posts dedicated to unpacking. The reason TitanEngine is put to the test is that tELock is a protector riddled with protection tricks. That is why some modifications were needed so that we can debug files protected with this protector without being detected by its anti-debugging tricks.

Writing static decompressors, aPLib story
Blog | December 21, 2009

With the latest TitanEngine release, we introduced new functions which enable decompression of content packed with aPLib and LZMA. Today we will use those functions to make a static decompressor for AHPack. But before we do that we must answer a simple question: "What is the difference between regular static unpackers and static decompressors?"

How to use TitanEngine and its plugins?
Blog | December 16, 2009

There was a lot of response and quality feedback about our latest TitanEngine release. One of the questions we got is "How to use the engine and its plugins?". That is why we made this video, which shows a quick example of how to compile the UPX sample and use our Nexus plugin in order to unpack samples which can't be run on the system because one or more of their dependencies are missing. Sounds cool?

TitanEngine 2.0.2
Blog | December 14, 2009

TitanEngine just got a new major update, which we labeled TitanEngine 2.0.2. Even though the version increment is small, the number of changes and the sheer size of the code are vast. That is why we dedicate today's blog to listing all additions and changes made to the engine.

Removing executable password protection
Blog | December 7, 2009

With the next TitanEngine release just around the corner we decided to do a light and interesting analysis of a simple executable password protection. Today's focus is on LCCrypto, a simple example which will show us the general security and vulnerabilities of such tools.

Complex static unpackers, may the force be with you!
Blog | November 30, 2009

Commonly, the targets chosen for demonstrating TitanEngine's static unpacking functions were very simple, so the code that unpacks the target would be very short but still enough to understand the basic principle of static unpackers. But today we do something very different. We descend into madness by testing the far limits of TitanEngine and ourselves. Yoda's Crypter is one tough nut to crack, so may the force be with us on this journey.

From Russia with Love, nPack story
Blog | November 22, 2009

Dynamic unpacking has a couple of benefits and a couple of drawbacks. The main benefit would of course be quick unpacker writing and natural resilience to minor packer changes, including multiple shell versions that use different compression and/or encryption algorithms. Our only real concern would be the possibility of file malformation so that the file we are unpacking does a jail break.

Seek PackMan and press play on tape!
Blog | November 15, 2009

After a few weeks we return to building unpackers with an interesting packer called Packman. Even though this is a pretty straightforward packer, there are a few details that teach us a trick or two while working on this unpacker.

Halloween reversing
Blog | October 30, 2009

Halloween is a special time of year and it deserves a special blog we might call "writing unpackers in reverse". But wait, writing unpackers in reverse... isn't that packer writing?

TitaniumHandles
Blog | October 26, 2009

Last week was particularly interesting as we did very interesting research related to archive formats. But that's a topic for some other week; today we talk about one of the code samples for TitanEngine we mentioned a few weeks ago. That code sample shows TitanEngine's handler module capabilities implemented as an OllyDBG plugin.

TitanEngine 2.0.2 on Ubuntu
Blog | October 26, 2009

TitanEngine just became Linux friendly! Even though this framework was and is designed only for Microsoft Windows x86/x64 platforms, it can work with no problems under Linux with the help of WINE. Small modifications were necessary in order to make this possible, but from the next release you will be able to execute all ReversingLabs unpackers under the Linux distribution of your choice. We have chosen Ubuntu; what is your choice? This provides a maximally safe environment for live malware analysis for those reverse engineers who make Linux their platform of choice.

Static decryption in reverse
Blog | October 19, 2009

For today's blog we had to do some minor engine modifications, which is always fun. Even though we have met these kinds of crypters before, it completely slipped our mind that some crypters decrypt data in the backward direction. That is why, with CryptoCrackPEProtector, we introduced a new function for data decryption called StaticMemoryDecryptSpecial. The only thing special about it is that you can choose the direction of decryption and, in later versions if it proves necessary, byte skipping etc.

Cloudy day with exeFog
Blog | October 12, 2009

After a one-week detour into the reversing tool coding field we return to what TitanEngine does best, which is making unpackers of course. This week we take a peek into what hides in the fog: exeFog.

TitaniumOverlay
Blog | October 5, 2009

Remember how last week we decided not to publish some tools? Well, it has been brought to our attention that we can publish the binaries now and later publish the source with the next TitanEngine update, which is very close as it is. That is why this Monday we decided to publish the TitaniumOverlay tool.

Buggy Monday, PeX story
Blog | September 28, 2009

It's a beautiful Monday once again. What is special about this Monday is that it has a rather long introduction story. Here is what you don't know about ReversingLabs. At the end of each week we go through preparation for the Monday blog, so the team decides on and creates sample code for our blog. This was also the case last week, and we picked to do a blog about using TitanEngine as a static library and creating a PEiD plugin for handling overlays.

Packer security advisory: MEW design flaw
Blog | September 14, 2009

This is a follow-up on the MEW file format analysis. As mentioned in our video blog yesterday, we noticed that MEW 10 has a design flaw: it wrongfully passes function names to LoadLibraryA, which first tries to load the name as a DLL file, and once that has failed it passes the same string to GetProcAddress and successfully finds the selected function in the previously loaded DLL.

Analyzing MEW 10 – 11
Blog | September 12, 2009

This week we do a video tutorial about MEW analysis and we give pointers on making an unpacker for this format. Download the RL!deMEW 10 - 11 unpacker.
