11 July 2010

This is, more or less, how I taught myself x86 assembly. By reverse-engineering Skype.

http://www.secdev.org/conf/skype_BHEU06.pdf

It wasn’t quite that difficult back in the 90s. And these guys got way further than I ever did. But a lot of the binary protection (polymorphic checksumming, dynamic calling, a really clever packer, RSA verification, etc.) is close or identical to what I was playing with.

Play with that stuff long enough and, well, you’ll get really good at asm. A lot of really clever ideas of mine came out of things I saw in their binary.

I tracked down one of the exe packers I helped write way back when, and turns out that malware protected with it has been detected by McAfee over half a million times now. So that’s kinda cool… even if it’s a little scary.

But sort of the holy grail of reversing right now is Kaspersky. Those guys are hardcore. Their engine can pick apart a lot of packers these days, even stuff it’s never seen before. I’ve heard stories of people who have written decent custom packers that get detected automatically. Their static analysis tool doesn’t just follow off-by-one byte-alignment tricks or decompress LZW blocks automatically; it can simulate execution in a sandboxed environment and use the binary’s own decryption routines to decrypt it, even on binaries that only decrypt a few pieces at a time. It’s incredibly hardcore.

Copyright © 2011 Drew Crawford, All Rights Reserved