#ro0ted #OpNewblood What the blackhats don't want you to know | Packing & Crypting, There's a difference
This is an introduction to dealing with packed .exe's. Every packed file is different; each time you will have to use different techniques. Some aren't even worth unpacking, others are near impossible. Point is, everyone has their own style of reverse engineering, whether it's cracking, analyzing, or just doing random shit that involves API calls inside binaries. – https://twitter.com/ro0ted/
First of all, let's go over the difference between crypted and packed.
The most common packer you will find in files is UPX.
UPX uses data compression: it compresses the .exe's bytes into a different form, and the compression can be applied or removed again (packing and unpacking). Either way, people use this technique so others can't alter the code, meaning when you load the target in any disassembler the real code won't show. So you have to unpack the file before anything else. This is sometimes the biggest problem, because not every packer is known, so there are fewer ways to unpack. Not every file is unpackable. In packed files you see half the code, and most times no code at all.
In simple terms: if you don't want anyone to fuck with your work, pack that shit!
Crypting a file (file encryption) has mainly one purpose in malware: make the file undetectable to every AV at runtime (when the file executes). And people don't get it: if your .exe is crypted but not packed, then yeah, expect people to fuck with it. You've seen me reverse crypted files; there's really no magic behind it except for stupidity (this idiot forgot to pack his shit).
In reverse engineering it's not the crypted files we fear, it's that one private packer that's never been unpacked because nothing's working.
We are going to go over a file that is using the most common packer in packer history: UPX.
I packed this crackme:
First of all, people who crypt their lil botnets don't understand that we already know there's a 99% chance this shit is malware. That's all they care about. They don't know shit about their botnet except what language it was coded in, because 99% of the time they didn't make it.
What did they do?
They heard about DDoS and thought that shit sounds cool, downloaded or bought the bot, got some kind of server or hosting, and bam, set that shit up. Then they crypt their bot. That's as far as their knowledge goes. Then they call themselves a hacker. That's not a hacker, that's a poser.
When you run the file in exeinfoPE, you see this:
So we download UPX from their website:
Open cmd: Start > right-click > Run as administrator:
Say the file is in Downloads. In cmd, use cd (change directory) to move into that folder,
then type: upx -d target.exe
Now why is this important?
Well, this is what you get when it's packed...
This is all we get for the whole code when it's packed with UPX:
When we select one, we get nothing we can work with:
We open it in IDA Pro:
Now let's look at the unpacked version:
All Referenced Text Strings:
All Intermodular Calls:
Open it in IDA Pro now:
When packed you see this in IDA Pro:
For one, your navigation bar is not split into chunks:
It says UPX everywhere; instead of the .text segment we see UPX:
When you select a string, it takes you here:
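The signs listed above (UPX0/UPX1 where .text should be, nothing usable in the strings or calls, data a disassembler can't read) can be checked without opening IDA. The following is an added example, not code from the original post: a minimal PE section-table reader that reports those packing indicators. The function names (pe_sections, packing_indicators), the 7.0-bits entropy threshold and the two PE images built by build_sample_pe are assumptions and constructed test input; the images are header-only and not loadable, just enough structure to exercise the parser.

```python
import math
import struct

# Added example (not from the original post): flag the UPX indicators the post
# points out in IDA, using only the PE section table and byte entropy.

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns a list of (name, raw_size, entropy) tuples."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]    # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", blob, coff + 16)[0]       # COFF SizeOfOptionalHeader
    table = coff + 20 + size_opt                                  # section table follows it
    out = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        out.append((name, raw_size, shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])))
    return out


def packing_indicators(blob: bytes, entropy_threshold: float = 7.0):
    """Return human-readable reasons to suspect the file is packed (assumed threshold)."""
    sections = pe_sections(blob)
    names = [name for name, _, _ in sections]
    hits = []
    if any(name.startswith("UPX") for name in names):
        hits.append("UPX section names")
    if ".text" not in names:
        hits.append("no .text section")
    dense = [name for name, size, ent in sections if size and ent > entropy_threshold]
    if dense:
        hits.append(f"high-entropy sections: {dense}")
    return hits


def build_sample_pe(sections):
    """Constructed test input: a header-only PE image (not loadable) from (name, data) pairs."""
    e_lfanew = 0x40
    size_opt = 0                                   # toy image carries no optional header
    headers_end = e_lfanew + 4 + 20 + 40 * len(sections)
    raw_base = (headers_end + 0x1FF) & ~0x1FF      # 512-byte file alignment
    blob = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew))
    blob += b"PE\0\0"
    blob += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    body, ptr = bytearray(), raw_base
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/lines, Characteristics
        blob += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                            len(data), ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    return bytes(blob.ljust(raw_base, b"\0") + body)


# Constructed samples: a UPX-style layout (empty UPX0, compressed-looking UPX1)
# next to an ordinary unpacked layout with a low-entropy .text section.
PACKED_SAMPLE = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 4), (b".rsrc", b"\0" * 64)])
CLEAN_SAMPLE = build_sample_pe([(b".text", b"\x90" * 200 + b"Hello, crackme!\0"), (b".data", b"\0" * 32)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, pe_sections(blob), packing_indicators(blob) or "no indicators")
```

Run it as a script, or point pe_sections at the bytes of a real file: a UPX build shows the UPX0/UPX1 names and a near-8.0 entropy on UPX1, while the file you get back after upx -d shows .text again with ordinary code entropy. The entropy check is what carries over to packers that rename their sections; the name check is only a quick win for the well-known ones.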
Now, a lot of people use packers as crypters, but most crypters nowadays don't have anything to do with packing techniques, just AV antis (anti-anti-virus).
Some packers will crypt files for a moment:
A lot of people crypt their malware but don't pack it. If you go down this route, this could happen to the precious botnet you brag about:
What happened there is the kiddie thought no one was going to reverse his malicious file. That's the problem: people don't think in depth. There are many ways to unpack files; if the packer is known, there will be an automatic way. Don't let anyone give you crap about it, because in reverse engineering the real work comes in once it's unpacked, not vice versa.
So pack your file, then crypt it.
Check out the other tutorials in my series, "What the Blackhats don't want you to know".