Monthly Archives: November 2005

Reading assembly code

Even unobfuscated code is difficult to understand. Look at this function. Can you tell its purpose?

Posted in Decompilation | 17 Comments

The highlighter

Today I’ll present a pretty small yet useful plugin.

Posted in IDA Pro | 14 Comments

How to unpack XCP.DAT?

I updated my EFD utility to handle the packed XCP.DAT file. To extract files from the archive, use: efd -x xcp.dat in a clean directory. It will create files like xcp1.dat, xcp2.dat, etc. Unfortunately the file names are not present … Continue reading

Posted in Security | Comments Off

Sony DRM

Last week several LGPL violations were found in Sony’s DRM implementation. Here is a proof of one violation. Here is a dedicated page with many other findings. By the way, the license breach could be found using the simplest … Continue reading

Posted in Security | Comments Off

The ultimate stealth method

The previously described method does not work if the application uses an “unsupported” anti-debugging trick. For example, if the application directly checks the PEB field instead of calling the IsDebuggerPresent function, the method will fail. Or the application could use … Continue reading

Posted in IDA Pro | 7 Comments

Stealth plugin

Last time I showed you a simple trick with conditional breakpoints. Today I will present a plugin which automates these breakpoints – to the extent that protected malware like the Zotob worm can be unpacked.

Posted in Uncategorized | 3 Comments

Simple trick to hide IDA debugger

Quite often IDA users ask for a plugin or feature to hide the debugger from the application. In fact there are many anti-debugging tricks, and each of them requires an appropriate reaction from the debugger. Let’s start with something simple: … Continue reading

Posted in IDA Pro | 10 Comments