Correct, most packed binaries are malware. I'd put some language in the AUP/License about decompiling the code; it might not help much, but it could give you some legal grounds in the future.<br><br><div class="gmail_quote">
On Fri, Jul 10, 2009 at 4:21 AM, astera <span dir="ltr"><<a href="mailto:astera@hackerspaces.org">astera@hackerspaces.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hey Eric,<br>
<br>
this note may be redundant already, for Enki's wizardry in this field<br>
of expertise is extensive.<br>
A packer tool (like Armadillo, for example) is definitely the most<br>
obvious way to go. However, whether you know when unpacking has<br>
finished or not while running your application, a debugger will<br>
definitely tell you, so you could dump the whole decrypted binary out<br>
of memory...<br>
<br>
One combating technique would be to have your app run a debugger at<br>
all times (where your machine wouldn't allow you to run another<br>
debugger); or you could have it run inside an x86 emulator.<br>
<br>
Though the packer approach might be the most common one, keep in mind<br>
that - depending on which product you use - anti-virus software might<br>
throw alarming messages at the user (since this also is the way to go<br>
when distributing your piece of beloved malware).<br>
<br>
Hack on,<br>
<font color="#888888">/astera<br>
</font><div><div></div><div class="h5"><br>
On Jul 10, 2009, at 12:06 AM, Paul Böhm wrote:<br>
<br>
> which os? which languages? a few years back (2002) we released the (to<br>
> our knowledge) first ELF binary encrypter (the binary format on a lot<br>
> of unixy OSs). search for teso burneye - but by now there are generic<br>
> unpackers for it. there's a lot more knowledge in the windows world<br>
> about how to do this (packer/unpacking are the keywords and it's<br>
> become an art of its own) - the essential hard part is that you never<br>
> wanna keep the whole binary unencrypted in memory or it can be easily<br>
> (more or less) retrieved from there. if you just wanna fool existing<br>
> tools, you just need to avoid to give indication that the unpacking<br>
> has completed (the program should already be running, and the unpacker<br>
> should just believe it's still the packer that is running). as for<br>
> dynamic languages your best bet is modifying the intermediate<br>
> representation and the interpreter (e.g. the .pyc files for python) -<br>
> possibly protecting the binaries of your own interpreter with the<br>
> binary packing techniques.<br>
><br>
> enki<br>
><br>
> On Thu, Jul 9, 2009 at 2:35 PM, Eric Michaud<<a href="mailto:eric@hackerspaces.org">eric@hackerspaces.org</a>><br>
> wrote:<br>
>> Hey Guys and Gals,<br>
>><br>
>> I had an interesting question posited to me recently at the space<br>
>> about obfuscating binaries.<br>
>><br>
>> So the example would be.<br>
>><br>
>><br>
>> I have a binary I'm going to distribute. I know it'll eventually get<br>
>> reversed, but what I'm asking is how can I make it take longer<br>
>> without having to rewrite my code with the intention of obfuscation<br>
>> from the beginning.<br>
>><br>
>> I'm happy to fill in more if any of you have questions, but I'd<br>
>> love to hear your thoughts.<br>
>><br>
>> -E.<br>
>><br>
>> _______________________________________________<br>
>> Discuss mailing list<br>
>> <a href="mailto:Discuss@lists.hackerspaces.org">Discuss@lists.hackerspaces.org</a><br>
>> <a href="http://lists.hackerspaces.org/mailman/listinfo/discuss" target="_blank">http://lists.hackerspaces.org/mailman/listinfo/discuss</a><br>
>><br>
>><br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Tim Krabec<br>Kracomp<br>772-597-2349<br><a href="http://smbminute.com">smbminute.com</a><br><a href="http://kracomp.blogspot.com">kracomp.blogspot.com</a><br>
<a href="http://www.kracomp.com">www.kracomp.com</a><br>
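The thread mentions that anti-virus software tends to flag packed executables. The usual signal behind that flag is entropy: compressed or encrypted sections look close to random (near 8 bits per byte), while ordinary code and data sit well below that. The script below is an added example written for this page, not code from anyone in the thread; it scans a byte buffer in fixed-size windows, reports the entropy of each, and applies a simple "probably packed" heuristic. The sample buffer, the 4096-byte window, the 7.0 threshold and the 50% fraction are all constructed assumptions for illustration.

```python
# Added example (not from the thread): a defender-side heuristic for spotting
# packed or encrypted binaries by looking for high-entropy regions, the same
# signal anti-virus engines use when they flag packed executables.
# The sample buffer below is constructed in-line; no real binary is read.
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given buffer (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def scan_windows(data: bytes, window: int = 4096, threshold: float = 7.0):
    """Split `data` into fixed-size windows and return a list of
    (offset, entropy, suspicious) tuples, one per window."""
    results = []
    for offset in range(0, len(data), window):
        chunk = data[offset:offset + window]
        h = shannon_entropy(chunk)
        results.append((offset, round(h, 3), h >= threshold))
    return results


def looks_packed(data: bytes, window: int = 4096, threshold: float = 7.0,
                 min_fraction: float = 0.5) -> bool:
    """Heuristic (assumed thresholds): call a buffer 'probably packed' when at
    least `min_fraction` of its windows exceed the entropy threshold. Plain
    machine code and text usually land around 5 to 6.5 bits/byte; compressed
    or encrypted payloads land close to 8."""
    windows = scan_windows(data, window, threshold)
    if not windows:
        return False
    flagged = sum(1 for _, _, suspicious in windows if suspicious)
    return flagged / len(windows) >= min_fraction


def build_sample() -> bytes:
    """Constructed sample: a low-entropy, code-like prefix (a repeated
    function prologue plus a string) followed by a high-entropy blob that
    stands in for a compressed or encrypted section."""
    rng = random.Random(1337)  # seeded so the sample is reproducible
    low = (b"\x55\x48\x89\xe5\x48\x83\xec\x10hello world\x00" * 256)[:4096]
    high = bytes(rng.getrandbits(8) for _ in range(8192))
    return low + high


if __name__ == "__main__":
    sample = build_sample()
    for offset, h, suspicious in scan_windows(sample):
        print(f"0x{offset:06x}  entropy={h:.3f}  {'HIGH' if suspicious else 'ok'}")
    print("verdict: probably packed" if looks_packed(sample) else "verdict: plain")
```

Run against a real file, this kind of scan is a triage aid rather than a verdict: legitimately compressed resources, embedded certificates and media also score high, which is exactly why, as the thread notes, packers draw false positives from anti-virus products. Pairing the entropy score with section metadata (a tiny code section next to a large high-entropy one, or writable-and-executable sections) is how analysts usually sharpen the signal.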