Automatic broken file fixing with Nexus
Blog | March 29, 2010

In the last couple of years we have seen a drastic increase in the number of malicious samples we see each day. These numbers are quickly approaching the 40M-samples-a-year mark, which we expect to be hit this year. The sheer volume of data we are bombarded with each day raises an important question: where is the relevant data in this sea of information? And is all the data we have even relevant?

TitanEngine training course at ReCon
Blog | March 4, 2010

Coding unpackers for fun and profit: TitanEngine training by Tomislav Pericin and Nicolas Brulez. Learn how to analyze, unpack and code unpackers for software packers and protectors. Attendees will receive hands-on experience working with the ReversingLabs TitanEngine framework, designed for unpacker creation. Instructors: Tomislav Pericin and Nicolas Brulez. Dates: 6-8 July 2010. Availability: 10 seats.

Ask a developer Monday
Blog | March 1, 2010

This is the second "Ask a developer Monday," in which we answer the most common question we've received recently. The current No. 1 question is: "Why is the entry point after unpacking located in the section named UPX0?"

Unpacking layered protections
Blog | February 23, 2010

Today we finish our AlexProtector unpacker. We started creating it last week with file format analysis. We initially intended to create a dynamic unpacker for this protection, but since it is just as "easy" to create a static one, we went for that option. We are a day late with our blog post as a result, and we are glad we are, since we noticed some bugs in the Importer module that we have since resolved. But we did more than just bug fixing: we made some tweaks to the existing functions, improving support for import elimination protection.

TitanEngine simplification project
Blog | February 18, 2010

With over 385 functions, TitanEngine is surely overwhelming at first sight. To help you get over this initial barrier we have included many sample applications with the TitanEngine SDK. However, that still involves learning the use of 20-30 functions and the general layout we envisioned for our dynamic unpackers. Even this can be a lot for someone who wants to perform simple tasks such as creating an unpacker for the FSG packer.

Analyzing layered protections
Blog | February 15, 2010

There is hardly a software protection nowadays that has only a single layer of code containing the whole stub code. Even some software packers such as PeCompact implement multiple layers in the process of software decompression. It is common for these additional layers to do the most interesting protection operations, such as memory decompression, import table processing and entry point protection and redirection.

TitanEngine and Python SDK
Blog | February 8, 2010

As we said in the blog post dedicated to our latest TitanEngine release, we are continuously working on expanding our SDK to support as many programming languages as possible. That is why the next major version update for TitanEngine will feature support for the Python scripting language. We are looking forward to seeing multiple unpacking scripts appearing with the next TitanEngine major release. Until next week...

Minor inconvenience
Blog | February 1, 2010

During our everyday work as reverse engineers we encounter problems that affect the tools we use. Most commonly, these try to detect the tools' presence and/or crash them. Whatever their purpose, we must work our way around them. One such problem we encountered recently is a theoretical scenario in which OllyDBG can't resolve data about the loaded modules.

ReversingLabs first birthday
Blog | January 27, 2010

Time has proven itself irrelevant once more, with ReversingLabs celebrating its first birthday after seven long years of existence. Today is a very special day for us here at ReversingLabs because today we officially turn one. That means that just a year ago the roller-coaster we call ReversingLabs Corporation started its journey, racing us to the future. So far it has been a hell of a ride, with the best twists and turns yet to happen, we promise you that. This year, even though it's only January, looks extremely promising, with interesting work already done and releases pending, so keep an eye out for us since you never know where we might show up. Our thanks go to everyone who supported us during all those years; we promise to keep surprising you with our projects on a (more) regular basis.

If it ain’t broke…
Blog | January 18, 2010

If it ain't broke, don't fix it. But what if it is? What if the file you are trying to unpack with your unpacker is broken, then what? Do you just chuck it, marking it as crapware, or do you try to fix it? This raises many questions about file handling. It's foolish to assume that every file your unpacker receives is a valid portable executable. So, how does TitanEngine cope with this?

TitanGuard, protecting your PDF world
Blog | January 11, 2010

Recently we have seen an increase in malware attacks targeting multimedia formats. One of the formats targeted recently was PDF, a popular document format. The latest, still unpatched exploit targeting this format, CVE-2009-4324, is particularly dangerous because it allows malicious content to be downloaded and executed on the affected system or, if that is unsuccessful, causes a denial of service.

Attacking the cipher
Blog | January 4, 2010

Not too long ago we dedicated a blog post to removing executable password protections. In that post we said that we would eventually return to this topic to deal with a much harder opponent. Well, today is that day. This time we take a look at an executable password protection named PEPasswordEncryptor.

TitanEngine 2.0.3 and GUI for unpackers
Blog | January 1, 2010

In our previous blog post we showed a short video that demonstrates the usage of the new LUA SDK. Since then we decided that console unpackers are very boring, so we included a new function in TitanEngine which enables the creation of a simple unpacker GUI that makes your script unpackers a little bit more user friendly. With this YouTube video we welcome you to 2010. ReversingLabs will be back on Monday with more reverse engineering stories just for you. Catch us next time....

Lockpicking tELock
Blog | December 28, 2009

Today's blog post puts TitanEngine to the test, and it's a good way to end this year's series of blog posts dedicated to unpacking. The reason why TitanEngine is put to the test is that tELock is a protector riddled with protection tricks. That is why some modifications were needed so that we can debug files protected with this protection without getting detected by its anti-debugging tricks.

Writing static decompressors, aPLib story
Blog | December 21, 2009

With the latest TitanEngine release, we introduced new functions which enable decompression of content packed with aPLib and LZMA. Today we will use those functions to make a static decompressor for AHPack. But before we do that we must answer a simple question: "What is the difference between regular static unpackers and static decompressors?"

How to use TitanEngine and its plugins?
Blog | December 16, 2009

There was a lot of response and quality feedback about our latest TitanEngine release. One of the questions we got was "How to use the engine and its plugins?". That is why we made this video, which shows a quick example of how to compile the UPX sample and use our Nexus plugin in order to unpack samples which can't be run on the system because one or more of their dependencies is missing. Sounds cool?

TitanEngine 2.0.2
Blog | December 14, 2009

TitanEngine just got its new major update, which we labeled TitanEngine 2.0.2. Even though the version increment is small, the number of changes and the sheer size of the code are vast. That is why we dedicate today's blog post to listing all additions and changes made to the engine.

Removing executable password protection
Blog | December 7, 2009

With the next TitanEngine release just around the corner, we decided to do a light and interesting analysis of a simple executable password protection. Today's focus is on LCCrypto, a simple example which will show us the general security and vulnerabilities of such and similar tools.

Complex static unpackers, may the force be with you!
Blog | November 30, 2009

Commonly, the targets chosen for demonstrating TitanEngine static unpacking functions were very simple, so the code that unpacks the target would be very short but still enough to understand the basic principle of static unpackers. But today we do something very different. We descend into madness by testing the far limits of TitanEngine and ourselves. Yoda's Crypter is one tough nut to crack, so may the force be with us on this journey.
