Newsroom

ReversingLabs at CARO Workshop
Blog | April 29, 2010

Talk: File Analysis and Unpacking in the Age of 40M New Samples per Year

With daily unique malware counts exceeding 100,000, pressure is put on sample analysis and automated unpacking systems. More than 400 known packer families, plus custom packers, can be mixed together in layers and in parallel. Today's system has to handle all known format schemas both statically and dynamically while anticipating further increases in complexity.

File analysis and unpacking in the age of 40M new samples per year
Blog | April 28, 2010

With daily unique malware counts exceeding 100,000, pressure is put on sample analysis and automated unpacking systems. More than 400 known packer families, plus custom packers, can be mixed together in layers and in parallel. Today's system has to handle all known format schemas both statically and dynamically while anticipating further increases in complexity.

BlackHat Europe presentation videos online
Blog | April 28, 2010

As you may remember, a few weeks ago ReversingLabs presented its NyxEngine to the world at the BlackHat Europe security conference. Today the conference published the presentation videos, which can be found here, and here is a direct link to the recording of our talk. Enjoy...

It's just bits and bytes…
Blog | April 26, 2010

Two weeks ago we introduced our NyxEngine to the world and got nothing but positive comments and responses about it. That is why for today's blog we decided to make it do something it is not primarily designed to do: we created a simple program based on the NyxEngine that converts archives from one file type to another.

BlackHat Europe Recap
Blog | April 19, 2010

We had a great time at this year's BlackHat Europe conference last week. Now it is time to sort out our impressions. First of all, thanks to everyone who made it to our talk and who has been asking us in the hallways about the new engine we were working on. In a packed room we discussed archive steganography and the impact that such files, and other malformed files, have on security products.

Introducing NyxEngine
Blog | April 12, 2010

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and the intended recipient, suspects the existence of the message; it is a form of security through obscurity. When it comes to digital steganography, no stone should be left unturned in the search for viable hidden data. Although digital steganography is commonly used to hide data inside multimedia files, a similar approach can be used to hide data in archives as well.

Unpacking archives with TitanEngine
Blog | April 5, 2010

TitanEngine is primarily envisioned as a portable executable (PE) file format unpacking and handling framework. However, thanks to its static unpacking functions it can also be used to unpack other file types, such as installers and archives. That is why today we are showing the use of the new static unpacking functions that will be available with the next update. Discussing upcoming features is something we generally like to avoid, but here it is for a good reason.

Hiding in the Familiar
White Paper | April 3, 2010

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. Nyx also searches for viable hidden data that was intentionally cloaked from sight using steganographic principles.
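The archive-slack check that both the "Introducing NyxEngine" and "Hiding in the Familiar" teasers above allude to, written out as an added example; this is not NyxEngine or ReversingLabs code. A ZIP reader only follows the end-of-central-directory (EOCD) record, the central directory, and the local file headers the central directory points to, so any bytes outside those structures (between the last entry's data and the central directory, or after the EOCD record) are never touched by ordinary tools and are a natural hiding place. The script constructs a sample two-file archive, inserts a payload into that gap while patching only the EOCD's central-directory offset (so Python's own zipfile still opens and verifies the archive without complaint), appends trailing bytes, and then walks the structures to report every byte range that nothing accounts for. The sample archive, the payload and the trailer are constructed here for illustration.

```python
"""ZIP slack finder (added example, not NyxEngine code).

Reports byte ranges that no ZIP structure accounts for. The sample
archive, the hidden payload and the trailer are constructed inline.
"""
import io
import struct
import zipfile

LOCAL_SIG, CD_SIG = b"PK\x03\x04", b"PK\x01\x02"
EOCD_SIG, DESC_SIG = b"PK\x05\x06", b"PK\x07\x08"


def find_unaccounted_ranges(data: bytes):
    """Return [(offset, length), ...] for bytes not owned by any ZIP structure."""
    eocd_off = data.rfind(EOCD_SIG)
    if eocd_off < 0 or eocd_off + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    # EOCD fields from offset 10: entries total, CD size, CD offset, comment length.
    n_total, cd_size, cd_off, comment_len = struct.unpack_from("<HIIH", data, eocd_off + 10)
    if cd_off + cd_size > eocd_off:
        raise ValueError("central directory overlaps the EOCD record")
    covered = [(eocd_off, 22 + comment_len), (cd_off, cd_size)]
    pos = cd_off
    for _ in range(n_total):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError(f"bad central directory entry at {pos:#x}")
        cde = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        flags, csize, nlen, xlen, clen, loff = cde[3], cde[8], cde[10], cde[11], cde[12], cde[16]
        pos += 46 + nlen + xlen + clen
        if data[loff:loff + 4] != LOCAL_SIG:
            raise ValueError(f"bad local file header at {loff:#x}")
        lfh = struct.unpack_from("<4sHHHHHIIIHH", data, loff)
        # Local header + name + extra (lengths from the *local* copy) + compressed data.
        length = 30 + lfh[9] + lfh[10] + csize
        if flags & 0x0008:  # general purpose bit 3: a data descriptor follows the data
            length += 16 if data[loff + length:loff + length + 4] == DESC_SIG else 12
        covered.append((loff, length))
    gaps, cursor = [], 0
    for off, length in sorted(covered):
        if off > cursor:
            gaps.append((cursor, off - cursor))
        cursor = max(cursor, off + length)
    if cursor < len(data):
        gaps.append((cursor, len(data) - cursor))
    return gaps


HIDDEN = b"secret payload hidden in slack"   # constructed sample payload
TRAILER = b"<<trailer>>"                      # constructed bytes appended after the EOCD


def build_sample_archive(hidden: bytes = HIDDEN, trailer: bytes = TRAILER) -> bytes:
    """Constructed sample: a normal two-file ZIP with `hidden` inserted between
    the last entry and the central directory and `trailer` appended after the
    EOCD. Only the EOCD's central-directory offset needs patching, so stock
    tools still open the archive without complaint."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
        zf.writestr("data.bin", bytes(range(256)) * 4)
    clean = buf.getvalue()
    eocd_off = clean.rfind(EOCD_SIG)
    cd_off = struct.unpack_from("<I", clean, eocd_off + 16)[0]
    tampered = bytearray(clean[:cd_off] + hidden + clean[cd_off:])
    struct.pack_into("<I", tampered, eocd_off + len(hidden) + 16, cd_off + len(hidden))
    return bytes(tampered) + trailer


def demo():
    """Return (archive, slack ranges, member names, whether zipfile's testzip() passed)."""
    archive = build_sample_archive()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        healthy = zf.testzip() is None    # a stock reader sees a perfectly healthy archive
        names = zf.namelist()
    return archive, find_unaccounted_ranges(archive), names, healthy


if __name__ == "__main__":
    archive, ranges, names, healthy = demo()
    print("zipfile verifies the archive:", healthy, "members:", names)
    for off, length in ranges:
        print(f"unaccounted bytes at {off:#x} (+{length}): {archive[off:off + length]!r}")
```

Data-descriptor entries (general purpose bit 3) are accounted for, but ZIP64 records, split archives and entries whose local and central headers disagree are not; a real scanner also has to decide what to do when the central directory itself is malformed, which is where the malformed files mentioned in the BlackHat recap live.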

TitanEngine training course at BlackHat
Blog | March 29, 2010

In addition to the TitanEngine course at Recon in Montreal, there is another course that will teach you how to use TitanEngine. So, if you are in Vegas for BlackHat you might want to check out the Advanced Malware Deobfuscation training by Jason Geffner & Scott Lambert. Here is the course description:

Automatic broken file fixing with Nexus
Blog | March 29, 2010

In the last couple of years we have seen a drastic increase in the number of malicious samples we see each day. These numbers are quickly closing in on the 40M-samples-a-year mark, which we expect to be hit this year. The sheer volume of data we are bombarded with each day raises an important question: where is the relevant data in this sea of information? And is all the data we have even relevant?

TitanEngine training course at ReCon
Blog | March 4, 2010

Coding Unpackers for Fun and Profit: TitanEngine Training by Tomislav Pericin and Nicolas Brulez

Learn how to analyze, unpack and code unpackers for software packers and protectors. Attendees will receive hands-on experience working with the ReversingLabs TitanEngine framework, designed for unpacker creation.

Instructors: Tomislav Pericin and Nicolas Brulez
Dates: 6-8 July 2010
Availability: 10 seats

Ask a developer Monday
Blog | March 1, 2010

This is the second "Ask a developer Monday," in which we answer the most common question we've received recently. The current No. 1 question is: "Why is the entry point after unpacking located in the section named UPX0?"

Unpacking layered protections
Blog | February 23, 2010

Today we finish our AlexProtector unpacker, which we started creating last week with the file format analysis. We initially intended to create a dynamic unpacker for this protection, but since it is just as "easy" to create a static one, we went for that option. We are a day late with our blog as a result, and we are glad we are, since we noticed some bugs in the Importer module that we have since resolved. But we did more than just bug fixing: we made some tweaks to the existing functions, improving support for import elimination protection.

TitanEngine simplification project
Blog | February 18, 2010

With over 385 functions, TitanEngine is surely overwhelming at first sight. To help you get over this initial barrier we have included many sample applications with the TitanEngine SDK. However, that still involves learning the use of 20-30 functions and the general layout we envisioned for our dynamic unpackers. Even this can be a lot for someone who wants to perform simple tasks such as creating an unpacker for the FSG packer.

Analyzing layered protections
Blog | February 15, 2010

There is hardly a software protection nowadays whose whole stub code lives in a single layer. Even some software packers, such as PeCompact, implement multiple layers in the process of software decompression. It is common for these additional layers to perform the most interesting protection operations, such as memory decompression, import table processing, and entry point protection and redirection.

TitanEngine and Python SDK
Blog | February 8, 2010

As we said in the blog dedicated to our latest TitanEngine release, we are continuously working on expanding our SDK to support as many programming languages as possible. That is why the next major version update of TitanEngine will feature support for the Python scripting language. We are looking forward to seeing multiple unpacking scripts appear with the next TitanEngine major release. Until next week...

Minor inconvenience
Blog | February 1, 2010

During our everyday work as reverse engineers we encounter problems that affect the tools we use; most commonly these try to detect the tool's presence and/or crash it. Whatever their purpose, we must work our way around them. One such problem we encountered recently is a theoretical scenario in which OllyDBG can't resolve data about the loaded modules.

ReversingLabs first birthday
Blog | January 27, 2010

Time has proven itself irrelevant once more, with ReversingLabs celebrating its first birthday after seven long years of existence. Today is a very special day for us here at ReversingLabs, because today we officially turn one. That means that just a year ago the roller-coaster we call ReversingLabs Corporation started its journey, racing us into the future. So far it has been a hell of a ride, with the best twists and turns yet to come, we promise you that. This year, even though it is only January, looks extremely promising, with interesting work already done and releases pending, so keep an eye out for us, since you never know where we might show up. Our thanks go to everyone who supported us during all those years; we promise to keep surprising you with our projects on a (more) regular basis.

If it ain’t broke…
Blog | January 18, 2010

If it ain't broke, don't fix it. But what if it is? What if the file you are trying to unpack with your unpacker is broken, then what? Do you just chuck it, marking it as crapware, or do you try to fix it? This raises many questions in file handling. It's foolish to assume that every file your unpacker receives is a valid portable executable. So, how does TitanEngine cope with this?
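Both the "Ask a developer Monday" question above (why the entry point after unpacking sits in the section named UPX0) and the broken-file question in this post come down to reading the PE section table carefully. The following is an added example and not TitanEngine code: a small PE32 section-table parser that bounds-checks every offset before using it, a lookup from RVA to section, and an RVA-to-file-offset mapping that reports when an address has no bytes on disk at all. The sample image is constructed inline to mimic the layout UPX leaves behind: UPX0 has a large virtual size but zero raw size on disk (the original code is decompressed into it at run time, which is why the original entry point lands there), while UPX1 holds the compressed data and the decompression stub that the header's AddressOfEntryPoint points to. The original entry point value 0x1234 and every other address and size in the sample are hypothetical.

```python
"""Defensive PE32 section-table parser (added example, not TitanEngine code).

The sample image is constructed inline and mimics UPX's section layout;
every RVA and size in it is hypothetical.
"""
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [Section, ...]) or raise ValueError.

    Every offset read from the file is bounds-checked before use: an
    unpacker sees plenty of deliberately broken headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    if opt_size < 96 or opt_off + opt_size > len(data):
        raise ValueError("optional header truncated")
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:   # PE32 magic
        raise ValueError("not a PE32 optional header")
    entry_point = struct.unpack_from("<I", data, opt_off + 16)[0]
    sect_off = opt_off + opt_size
    # The Windows loader refuses images with more than 96 sections.
    if not 0 < num_sections <= 96 or sect_off + 40 * num_sections > len(data):
        raise ValueError("section table missing or truncated")
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
        sec = Section(f[0].rstrip(b"\0").decode("ascii", "replace"),
                      f[1], f[2], f[3], f[4], f[9])
        if sec.raw_size and sec.raw_pointer + sec.raw_size > len(data):
            raise ValueError(f"section {sec.name} raw data runs past end of file")
        sections.append(sec)
    return entry_point, sections


def is_valid_pe(data: bytes) -> bool:
    try:
        parse_pe(data)
        return True
    except ValueError:
        return False


def section_for_rva(sections, rva: int):
    return next((s for s in sections if s.contains_rva(rva)), None)


def rva_to_file_offset(sections, rva: int):
    """File offset backing an RVA, or None when the bytes exist only in memory
    (the UPX0 case: SizeOfRawData == 0, so nothing on disk maps there)."""
    sec = section_for_rva(sections, rva)
    if sec is None or rva - sec.virtual_address >= sec.raw_size:
        return None
    return sec.raw_pointer + (rva - sec.virtual_address)


def build_upx_like_image() -> bytes:
    """Constructed PE32 image with the layout UPX leaves behind: UPX0 is
    virtual-only (raw size 0), UPX1 carries the compressed data and the
    decompression stub, and the header entry point lies in UPX1."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x4100)                       # AddressOfEntryPoint (UPX1 stub)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)    # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x6000, 0x200)               # SizeOfImage, SizeOfHeaders
    #          name    vsize   vaddr   rawsz  rawptr  relocs/lines  characteristics
    table = b"".join(struct.pack("<8sIIIIIIHHI", *s) for s in (
        (b"UPX0", 0x3000, 0x1000, 0x000, 0x200, 0, 0, 0, 0, 0xE0000080),
        (b"UPX1", 0x1000, 0x4000, 0x200, 0x200, 0, 0, 0, 0, 0xE0000040),
        (b".rsrc", 0x1000, 0x5000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040),
    ))
    headers = (dos + coff + opt + table).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200 + b"\0" * 0x200              # UPX1 raw bytes, then .rsrc


ORIGINAL_ENTRY_POINT = 0x1234   # hypothetical OEP recovered after unpacking


if __name__ == "__main__":
    ep, secs = parse_pe(build_upx_like_image())
    print("packed entry point", hex(ep), "->", section_for_rva(secs, ep).name)
    print("original entry point", hex(ORIGINAL_ENTRY_POINT), "->",
          section_for_rva(secs, ORIGINAL_ENTRY_POINT).name,
          "file offset:", rva_to_file_offset(secs, ORIGINAL_ENTRY_POINT))
```

rva_to_file_offset returning None for an address inside UPX0 is the practical consequence of that layout: those bytes exist only after unpacking, so a static unpacker has to produce them (and rebuild the section's raw size) before anything at the original entry point can be examined on disk. The truncated and bad-e_lfanew inputs that is_valid_pe rejects are the kind of input a production unpacker must refuse rather than crash on.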

