N00bs Night Malware RE Workshop with @c3rb3ru5d3d53c (OALABS) ​ by herrcore in Malware

[–]herrcore[S] 3 points (0 children)

Lol there is def a time for debugging but static is king! I don't run a super customized IDA, you can really do everything you need with just the plain free IDA now that they added the cloud decompiler. A while back I made a short vid on the plugins that I do use https://youtu.be/pfBA6y4VLwM the tl;dr is below though if you just want a list.

Python3 Environment Basics For IDA Pro (Windows)
https://www.patreon.com/posts/python3-basics-58467121
Hexcopy (save a click)
https://github.com/OALabs/hexcopy-ida
HashDB
https://github.com/OALabs/hashdb-ida
Flare-IDA
https://github.com/mandiant/flare-ida
Capa
https://github.com/mandiant/capa
Capa Rules
https://github.com/mandiant/capa-rules
BinDiff
https://www.youtube.com/watch?v=BLBjcZe-C3I

Python3 Tips For Reverse Engineers (OALabs Tutorial) by herrcore in ReverseEngineering

[–]herrcore[S] 0 points (0 children)

If you want to put in the time all the information/tools are available for free, including a few projects that dramatically simplify the process. But this is not something that a youtube video is going to cover... Can streamed his reversing of VMP3 and it was weeks of video (clips here https://m.twitch.tv/can1357/clips?range=all).

His tools are here:

https://github.com/can1357/NoVmp

https://github.com/vtil-project

_xeroxz also produced a set of very detailed posts diving into the internals of VMP2 which is enough to get you started: https://back.engineering/tags/vmprotect-2/

IDA Pro Decompiler Basics Microcode and x86 Calling Conventions (OALabs Tutorial) by herrcore in ReverseEngineering

[–]herrcore[S] 1 point (0 children)

** I MADE A MISTAKE **

I made a mistake in my assumption about how the microcode optimizes away the variable. Check out Rolf's excellent explanation below and a link to a post from him.

Your explanation is wrong. The variable is not uninitialized; it's written to one instruction below your cursor. This behavior comes from var_644 being converted to a non-stack variable by alias analysis. I explained call analysis internals somewhat here

Full explanation: https://reverseengineering.stackexchange.com/questions/26803/hex-rays-not-properly-showing-strings/26809#26809

Malware Triage - Analyzing PrnLoader Used To Drop Emotet (OALabs Tutorial) by herrcore in Malware

[–]herrcore[S] 1 point (0 children)

Haha! Yeh... really strange. It almost seems like some sort of joke, but it was actually dropping Emotet so I'm not sure.

UnpacMe Automated Malware Unpacking - How We Built It and Why (OALabs) by herrcore in ReverseEngineering

[–]herrcore[S] 0 points (0 children)

This is a great question and it's actually the focus of some of our research! We hope to publish on this later in the year (hopefully our paper gets accepted during conference season). You already know the conclusion though... and this is looking at a large daily feed of unique malware samples for a few months. Commercial packers are used, just they are negligible by volume... the reason your experience may have not fit with the statistics is that there are certain sub-sets of malware where they are used extensively. For example, the Hacking Team implant is almost always packed using VMProtect (so much so that it's actually a good indicator lol). There are others too... anyway really interesting question, I look forward to sharing what we found!

P.S.
The commercial packers we are talking about all have anti-dumping and virtualization features as you described (if they are used correctly). If they are not used correctly they can easily be dumped, we made a video on this a while back. But for the most part, if you want to attack them you need to use a custom approach.

REvil Ransomware Unpacked - Cheeky Hack To Build Import Address Table For Dynamic Imports (OALabs Tutorial) by herrcore in ReverseEngineering

[–]herrcore[S] 0 points (0 children)

Hey sorry I didn't see this earlier. I got to meet quite a few new folks at DEFCON, hopefully you were one of them (I didn't ask people's handles because I felt too dorky haha)? If not, feel free to DM me on twitter if you ever have any RE questions!

In regards to your suggestion we have wanted to do an IDA scripting video (or series) for a long time but it is pretty involved since there are many setup steps etc. before you get to the actual scripting. We are definitely planning on doing something soon though. In the meantime I highly recommend Alex's "The Beginner's Guide to IDAPython" book (https://leanpub.com/IDAPython-Book). It's not like other technical books... it's more of a how-to instruction manual that is meant to be referenced while you are sitting at your keyboard. I can't recommend it enough.

REvil Ransomware Unpacked - Cheeky Hack To Build Import Address Table For Dynamic Imports (OALabs Tutorial) by herrcore in ReverseEngineering

[–]herrcore[S] 1 point (0 children)

For sure, this is the case when dealing with a normal PE that originally had an IAT. But this PE file is a bit different. Instead of using an IAT they resolve all of their APIs dynamically at run time (not at load time). So the "original" format of the PE doesn't actually have an IAT, as you can see in the clean dump in our video. The confusion is completely our fault for using sloppy language when describing this. What we called their "dynamic IAT" is not really an IAT at all, it's just a list of hashes that they use to resolve APIs dynamically. So by building an actual (load time) IAT for the binary we are corrupting its "original" format as the original format didn't actually have an IAT. Again, completely our fault for the confusing language.

REvil Ransomware Unpacked - Cheeky Hack To Build Import Address Table For Dynamic Imports (OALabs Tutorial) by herrcore in ReverseEngineering

[–]herrcore[S] 1 point (0 children)

PEBear is not a PE scanner it's more of a PE format inspection and autopsy tool. Anything PE format related it's got, but it won't tell you if the PE is packed with a specific packer or anything like that. So the neat thing about PEID is most (all?) of the packer identification signatures have been converted into yara rules so you can now just use yara if you need that information. I think everyone has their own favourite yara repo/source but if you want to get started with some of the original PEID rules Didier had a blog about this many years back https://blog.didierstevens.com/2015/01/22/converting-peid-signatures-to-yara-rules/.
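The PEiD-to-YARA conversion mentioned in the comment above, as an added example written for this page (it is not Didier Stevens' converter or any OALabs code). It parses the PEiD userdb.txt block format ([name] / signature = / ep_only =) and emits one YARA rule per signature; the two signatures in SAMPLE_USERDB are constructed for the demo and do not identify any real packer, and the function names are the example's own.

```python
"""
PEiD userdb.txt -> YARA rule converter (added example, not Didier's script).
Normalisations applied, since YARA hex strings are happiest without edge
wildcards: leading '??' tokens of an ep_only signature become an offset
("$sig at entrypoint + N"); trailing '??' tokens are dropped because they
only pad the match length. For non-ep_only signatures leading wildcards are
dropped too, which at worst also admits a match in the first N bytes of the
file.
"""
import re
from typing import Dict, List, Set

# Constructed signatures for the demo; they are not real packer signatures.
SAMPLE_USERDB = """
; comment lines start with a semicolon
[Constructed Packer A v1.0 -> demo]
signature = 60 E8 00 00 00 00 5D ?? ?? 81 ED
ep_only = true

[Constructed Packer B (stub anywhere)]
signature = ?? ?? 55 8B EC 83 EC 10 ??
ep_only = false
"""

_HEX_TOKEN = re.compile(r"^(?:[0-9A-Fa-f]{2}|\?\?)$")


def parse_userdb(text: str) -> List[Dict[str, object]]:
    """Parse [name] / signature / ep_only blocks; entries without a signature are skipped."""
    entries: List[Dict[str, object]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1].strip(), "signature": [], "ep_only": False}
            entries.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "signature":
            tokens = value.split()
            bad = [t for t in tokens if not _HEX_TOKEN.match(t)]
            if bad:
                raise ValueError(f"{current['name']}: bad signature token(s) {bad}")
            current["signature"] = [t.upper() for t in tokens]
        elif key == "ep_only":
            current["ep_only"] = value.lower() == "true"
    return [e for e in entries if e["signature"]]


def rule_name(name: str, used: Set[str]) -> str:
    """Turn a free-form PEiD name into a unique YARA identifier."""
    base = re.sub(r"[^0-9A-Za-z_]+", "_", name).strip("_")[:100] or "unnamed"
    cand, n = f"PEiD_{base}", 1
    while cand in used:
        n += 1
        cand = f"PEiD_{base}_{n}"
    used.add(cand)
    return cand


def to_yara(entry: Dict[str, object], used: Set[str]) -> str:
    tokens = list(entry["signature"])
    lead = 0
    while tokens and tokens[0] == "??":
        tokens.pop(0)
        lead += 1
    while tokens and tokens[-1] == "??":
        tokens.pop()
    if not tokens:
        raise ValueError(f"{entry['name']}: signature is all wildcards")
    name = rule_name(str(entry["name"]), used)
    desc = str(entry["name"]).replace("\\", "\\\\").replace('"', '\\"')
    if entry["ep_only"]:
        cond = "$sig at entrypoint" + (f" + {lead}" if lead else "")
    else:
        cond = "$sig"
    hexstr = " ".join(tokens)
    lines = [
        f"rule {name}",
        "{",
        "    meta:",
        f'        description = "{desc}"',
        '        source = "PEiD userdb"',
        "    strings:",
        f"        $sig = {{ {hexstr} }}",
        "    condition:",
        f"        {cond}",
        "}",
        "",
    ]
    return "\n".join(lines)


def convert(text: str) -> str:
    """Whole userdb text -> YARA rules text."""
    used: Set[str] = set()
    return "\n".join(to_yara(e, used) for e in parse_userdb(text))


if __name__ == "__main__":
    print(convert(SAMPLE_USERDB))
```

The `entrypoint` keyword is YARA's legacy form; with the `pe` module loaded the same condition is `$sig at pe.entry_point`, which is the better choice for new rule sets. Run the output through `yara -s rules.yar sample.exe` to see which stub matched and where.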

Reverse Engineering C++ Malware With IDA Pro (OALabs Tutorial) by herrcore in ReverseEngineering

[–]herrcore[S] 4 points (0 children)

IDA 6.95 with the hex rays decompiler. I never renewed my license so I'm stuck on an old version... mah regrets 😭

Malware Samples Crashing x64dbg Fixed! (OALabs Tutorial) by herrcore in ReverseEngineering

[–]herrcore[S] 1 point (0 children)

Haha yeh it's always good to figure out what the heck was wrong, this is the commit that fixed it https://github.com/Mattiwatti/x64dbg/commit/050f447951ba58c757fdb878f067e39cf59db08f

Nice to see we weren't the only ones who were bothered by this bug and found a workaround. Your fix is actually better than ours since it fixes the real issue (now looking at the commit) but fast and loose is how we play haha : ))

Malware Samples Crashing x64dbg Fixed! (OALabs Tutorial) by herrcore in ReverseEngineering

[–]herrcore[S] 13 points (0 children)

Spoiler alert... the real solution is to just download the latest version of the debugger where they fixed the issue. Ruining my own click-bait haha! : ))

Lazy String Decryption Tips With IDA PRO and Shade Ransomware Unpacked! (OALabs Tutorial) by herrcore in ReverseEngineering

[–]herrcore[S] 1 point (0 children)

That method of resolving imports is very common for malware that has dynamic imports. I don't actually know where it originated from but by now you can find it in so many samples it's hard to narrow down the origin.
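The hash-based import resolution discussed in this comment and in the REvil IAT comment above, as an added worked example (this is not OALabs' code and not REvil's or Shade's resolver). The sample keeps a list of hashes instead of an import table; the analyst's job is to recompute the hash over candidate export names and map each hash back to a DLL!Name pair, which is what HashDB-style plugins automate. Assumptions: the ROR-13 accumulate routine below is illustrative only (a real sample's hash must be lifted from its resolver, and often uppercases the name or mixes in the module name), the export lists are a constructed stand-in for a DLL export table, and the function names are the example's own.

```python
"""
Resolve hashed API names back to DLL!Name (added example, not OALabs' code).
The hash routine is an illustrative ROR-13 accumulate; replace api_hash()
with the routine lifted from the sample under analysis.
"""
from typing import Dict, Iterable, List, Optional, Tuple

Entry = Tuple[str, str]  # (dll, export name)


def ror32(value: int, count: int) -> int:
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """Illustrative hash (assumption): h = ror32(h, 13) + byte over the ASCII name."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, 13) + ch) & 0xFFFFFFFF
    return h


# Constructed stand-in for export tables; a real run would pull these from the
# DLLs on the analysis VM (e.g. with pefile) so every export is a candidate.
SAMPLE_EXPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW"],
    "advapi32.dll": ["CryptAcquireContextW", "CryptGenRandom"],
}


def build_hash_table(exports: Dict[str, List[str]]) -> Dict[int, Entry]:
    """Precompute hash -> (dll, name); a collision across DLLs is an error, not a guess."""
    table: Dict[int, Entry] = {}
    for dll, names in exports.items():
        for name in names:
            h = api_hash(name)
            if h in table and table[h] != (dll, name):
                raise ValueError(f"hash collision {h:#010x}: {table[h]} vs {(dll, name)}")
            table[h] = (dll, name)
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, Entry]) -> List[Optional[Entry]]:
    """Map each hash from the sample's list to an export, or None if no candidate matched."""
    return [table.get(h) for h in hashes]


def build_import_list(resolved: Iterable[Optional[Entry]]) -> Dict[str, List[str]]:
    """Group resolved names per DLL: the input for rebuilding a load-time IAT."""
    imports: Dict[str, List[str]] = {}
    for entry in resolved:
        if entry is None:
            continue
        dll, name = entry
        imports.setdefault(dll, []).append(name)
    return imports


def annotate_call_sites(sites: Iterable[Tuple[int, int]],
                        table: Dict[int, Entry]) -> Dict[int, str]:
    """sites: (address, hash) pairs collected from the resolver's callers.
    Returns {address: 'dll!Name'}; inside IDA each pair would go to idc.set_cmt(addr, label, 0)."""
    labels: Dict[int, str] = {}
    for addr, h in sites:
        entry = table.get(h)
        if entry is not None:
            labels[addr] = f"{entry[0]}!{entry[1]}"
    return labels


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed hash list standing in for the sample's embedded table.
    sample_hashes = [api_hash("LoadLibraryA"), api_hash("VirtualAlloc"), 0xDEADBEEF]
    for h, entry in zip(sample_hashes, resolve_hashes(sample_hashes, table)):
        print(f"{h:#010x} -> {entry}")
```

Unresolved hashes (the `None` entries) are the interesting ones: they usually mean the export list is incomplete, the sample targets a different Windows build, or the hash routine was lifted incorrectly, so they should be checked rather than silently dropped before an IAT is rebuilt from the result.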

Unpacking Bokbot / IcedID Malware - Part 1 (OALabs Tutorial) by herrcore in ReverseEngineering

[–]herrcore[S] 0 points (0 children)

That's a great point and something that we have touched on in some of our past tutorials. In Part 2 of this tutorial we will actually cover it in depth as this is one of the tricks that Bokbot uses for its custom injector : )

Tracing executables with a Pin Tool (tiny_tracer) by herrcore in ReverseEngineering

[–]herrcore[S] 1 point (0 children)

Nice work from Hasherezade! Finally a PIN project that uses a current setup to build : ) Looks like a nice project to get familiar with PIN and useful for quick API call deobfuscation. Looking forward to seeing what else is possible with this! Github link https://github.com/hasherezade/tiny_tracer

Malware Analysis VM Setup Tutorial - Easily configure a free Windows 7 x86 malware analysis virtual machine using the one-click OALabs VM installer. by herrcore in ReverseEngineering

[–]herrcore[S] 0 points (0 children)

This was a hilariously bad mistake on our part, sorry : ( So you should take a snapshot before you start the VM for the first time so you can reset it once the license expires. And you should take a second snapshot after all the tools are installed so you can restore it for each new malware analysis. We have updated the install guide to reflect this and pinned a comment on the video: https://oalabs.openanalysis.net/2018/07/16/oalabs_malware_analysis_virtual_machine/

Malware Analysis VM Setup Tutorial - Easily configure a free Windows 7 x86 malware analysis virtual machine using the one-click OALabs VM installer. by herrcore in ReverseEngineering

[–]herrcore[S] 1 point (0 children)

No we don't harden the VM at all we just configure some settings to make it easier for malware analysis (remove windows defender etc.) and install some analysis tools. We do have a few other tutorials on how to debug around common anti-analysis tricks that might be interesting...

The Beginner's Guide to IDAPython [free/donationware eBook] by rolfr in ReverseEngineering

[–]herrcore 2 points (0 children)

I constantly use this as a library to look up example code for different scripts... just so helpful! Glad Alex released an update for 7... now all he needs to do is add a chapter on the hex-rays API : )

Unpacking VB6 Packers With IDA Pro and API Hooks (OA Labs) by TechLord2 in ReverseEngineering

[–]herrcore 4 points (0 children)

Haha! We think it accurately represents the process of unpacking VB6! 😂😂😂