Reverse engineering software protections

Learn how to do in depth analysis of compressed and encrypted binary files. Attendees will receive hands-on experience working with the tools designed to do static and dynamic analysis of the PECOFF file format and formats derived from it covering both x86 and x64 platforms.

Instructors: Tomislav Pericin and Nicolas Brulez
Dates: 6-7 July 2011
Availability: 20 Seats

Day 1: Inside the PECOFF file format

During the first day of the training we will focus on reviewing the PECOFF file format and examining its aspects to determine the structures and tables most commonly compressed and protected by PE modifiers. General memory models used by all known PE format modifiers will be described based upon which software compressions will be classified into groups. Key features of crypters, packers and protectors will be analyzed on real world samples and the most representative formats will be manually unpacked.

PE file format properties obscured by the format modifier will be discussed. These properties include import, export, resource, relocation and tls tables and the ways that PE modifiers transform them from standard PECOFF to packer specific formats. By applying reverse engineering techniques we will decipher these internal packer specific formats and restore them to their original state. In addition to this attendees will learn how to reverse engineer custom compression and encryption algorithms and implement them in their code in order to produce fully functional format unpackers. Special attention will be given to static unpacker coding layout and the benefits of using TitanEngine to minimize the time it takes to create an unpacker.

Attendees will learn how to identify and reverse engineer key PE file format modifier sections. Single PE packer format that supports x86/x64/.net packing will be inspected in detail for which static unpacker will be coded.

Day 2: Inside the nightmares of file analysis

During the second day of the training we will focus on analyzing and unpacking complex software protections. Special attention will be given to methods used to harden against format reverse engineering and prevent unpacking. We will describe common protection techniques utilized by both legitimate software protectors and those specifically designed for use in malware. We will then use information to show coding techniques needed for such complex static unpackers and ways to counter all the tricks used to harden detection, analysis and unpacking.

Single PE protection format will be inspected in detail for which dynamic and/or static unpackers will be coded.

Class Requirements

Very basic knowledge of C/C++ or any other programming language.
Very basic understanding of assembly, debugging and Windows internals.
OllyDBG 1.10 and IDA Pro 5 (free version will be sufficient.
Microsoft Visual Studio 2008 (express will be sufficient.
Additional tools and scripts will be provided by the instrutor.


Tomislav Pericin

Tomislav Pericin has been analyzing and developing software packing and protection methods for the last 8 years. He is one of the founders of ReversingLabs and the chief software architect behind such projects as TitanEngine, NyxEngine and RLPack. Recently he spoke at BlackHat, CARO Workshop, SAS and TechnoSecurity conferences.

Nicolas Brulez

Nicolas joined Kaspersky Lab as a senior malware researcher in 2010. His responsibilities include analyzing malware and carrying out security research.

Prior to joining Kaspersky Lab, Nicolas worked as a senior virus researcher for Websense Security Labs and Digital River/Silicon Realms. He is also known for his work on the Software Passport/Armadillo protection system. Here, he served as head of software security and was in charge of the anti-reverse engineering techniques used in the system.

Over the last 12 years, Nicolas has authored numerous articles and papers on reverse engineering. He is a regular speaker at computer engineering schools and international security conferences.

To Register

To register for a training session, download and fill this file and mail it to registration.training2011 recon cx