I updated my EFD utility to handle the packed XCP.DAT file. To extract files from the archive, use:
efd -x xcp.dat
in a clean directory. It will create files like xcp1.dat, xcp2.dat, etc. Unfortunately the file names are not stored in the archive, which is why the extracted names are so meaningless.
Here is the utility: efd.zip
Last week several LGPL violations were found in Sony’s DRM implementation.
Here is a proof of one violation. Here is a dedicated page with many other findings.
By the way, the license breach could be found with the simplest tools on earth: any hex editor, or the Unix strings tool, would be enough to find the copyright strings. In MS Windows, the Start menu’s Search for Files or Folders would be sufficient as well. Just think about it and look.
In theory the license breach is easy to fix: just add the required copyright notice to the initial dialog box and there is no license violation anymore.
What is not easy to fix is public opinion. Many will think: Sony’s rootkit is a bad thing and (therefore) DRM in general is a bad thing too. In fact what we need is a good DRM implementation (since the option of having no DRM is not available): one without rootkits or a ‘security by obscurity’ approach, and one that does not punish legitimate buyers.
The previously described method does not work if the application uses an “unsupported” anti-debugging trick. For example, if the application directly checks the PEB field instead of calling the IsDebuggerPresent function, the method will fail. Or the application could use something else, something from the future…
Continue reading The ultimate stealth method
Last time I showed you a simple trick with conditional breakpoints. Today I will present a plugin which automates these breakpoints, to the extent that protected malware like the Zotob worm can be unpacked.
Continue reading Stealth plugin
Quite often IDA users ask for a plugin or feature to hide the debugger from the application. In fact there are many anti-debugging tricks, and each of them requires an appropriate reaction from the debugger. Let’s start with something simple: we will make the IsDebuggerPresent function call always return zero.
Continue reading Simple trick to hide IDA debugger
The final method of loading several files into a database.
Continue reading Several files in one IDB, part 4
I promised to tell you about the TLS callbacks.
Here is the discussion.
Continue reading TLS callbacks
The third method to create a database with several PE files.
Continue reading Several files in one IDB, part 3
The second method to create a database with several PE files.
Continue reading Several files in one IDB, part 2
IDA Pro can load one PE file into a database and analyze it. Some users assume this is the maximum. Let’s take a closer look at the situation…
Continue reading Several files in one IDB