Nowadays viruses use polymorphic techniques to mutate their code on each replication, thus evading detection by antiviruses. However detection by emulation can defeat simple polymorphism: thus metamorphic techniques are used which thoroughly change the viral code, even after decryption. We briefly detail this evolution of virus protection techniques against detection and then study the METAPHOR virus, today’s most advanced metamorphic…
Anti-Debugging techniques take different forms from hiding code from reverse engineers and also to avoiding programs from automated analysis in virtual environments. Gone were days where the malwares encryption used XOR or some algorithms implemented like LZMA in UPX or used simple API to check debugger detection. My day-to-day experience with malwares through Comodo Antivirus for 3 years not only…
There are many books that teach beginners how to write secret messages using ciphers. There are a couple books that teach beginners how to hack ciphers. As far as I can tell, there are no books to teach beginners how to write programs to hack ciphers. This book fills that gap. This book is for complete beginners who do not…
Code Virtualizer is a powerful code obfuscation system that helps developers protect their sensitive code areas against Reverse Engineering. Code Virtualizer has been designed to enact high security for your sensitive code while requiring minimal system resources. Code Virtualizer will convert your original code into Virtual Opcodes that will be only understood by an internal Virtual Machine. Those Virtual Opcodes…
This document provides instructions on how to unpack NsPack 3.4 and 3.7 using the OllyDbg debugger. The OllyScripts used in this process are included in the appendixes. The custom plug-ins that are used to automate the procedure are provided with the source code. This paper also includes instructions on how to fully restore the import table so the file can…
The virus is Polymorphic and very infectious. EPO : Entry Point Obscuring - the entry point address in the header is not modified, the virus injects code in the real entry point and hops around a few times, before it jumps to the virus entry point. Obfuscated layers, using junk instructions, and different decryption operations (simple ones tho). The junks…
It is amazing, and rather disconcerting, to realize how much software we run without knowing for sure what it does. We buy software off the shelf in shrinkwrapped packages. We run setup utilities that install numerous files, change system settings, delete or disable older versions and superceded utilities, and modify critical registry files. Every time we access a Web site,…
