UnpacMe Automated Malware Unpacking - How We Built It and Why

  • Published on 25 Jan 2025

Comments • 49

  • @Ghostrunner55
    @Ghostrunner55 5 years ago +3

    Took your class with your friend at DEFCON 27, you guys were the best ones there. Prepared, and predictably successful. No fuss, and very educational. It actually inspired me to go into malware analysis/reverse engineering. Love your vids! Great guy you are

    • @OALABS
      @OALABS 5 years ago +1

      Wow that is incredibly nice to hear, thank you! Feedback like this is so motivating. We are planning to be back again this year, with an updated course covering some unpacking techniques. Hope we see you there : )

    • @Ghostrunner55
      @Ghostrunner55 5 years ago

      Definitely! Count me in!

    • @Ghostrunner55
      @Ghostrunner55 5 years ago

      Do you have a Discord? I've started watching your videos. Would be great to be a part of a group of others looking to get into malware analysis.

  • @majsfree
    @majsfree 4 years ago +2

    Really nice history! The cycle controlled by that classifier deciding what is an intermediate or end state is a really nice idea. This part of the architecture (checking if the output is packed or not) sounds super challenging as well. Congratulations!

  • @karstenhahn1082
    @karstenhahn1082 4 years ago +1

    I just finished watching it. Awesome, how much work and knowledge went into it. Great project!

    • @OALABS
      @OALABS 4 years ago

      Thanks! Yeah, this has been a big part of our lives for the past few years. So far it's been running really well though, we keep adding features and the user base is growing too... it's still early and I don't want to jinx it but I think it might end up being a really useful service going forward : )

  • @TheUmnez
    @TheUmnez 4 years ago +6

    This channel singlehandedly makes learning reverse engineering tens of times easier.

    • @OALABS
      @OALABS 4 years ago

      Thank you : ))

  • @grayhalf1854
    @grayhalf1854 5 years ago +1

    Excellent work on the tool!! Really useful primer here too :-)

  • @Cyberconman
    @Cyberconman 5 years ago +1

    Thank you for your continued great work and for sharing it with the community

  • @dasdboot
    @dasdboot 5 years ago +2

    Awesome stuff guys! Threw a number of complicated cases of IcedID, REvil and GandCrab at it.. all handled well. Love the way you deliver, very structured and insightful. Tells me you guys really know your subject if even I can understand what you are talking about..;) Let me know if there is anything I can do to contribute to your project. Thanks again!!

  • @Matt0x00
    @Matt0x00 5 years ago +4

    Thanks! This was a great history lesson.

  • @gaelc13
    @gaelc13 5 years ago +1

    Good job, guys. Thanks for sharing your work.

  • @Hamled
    @Hamled 5 years ago +1

    This sounds great! Really happy that y'all have been able to improve your design/architecture for the system over the years to get such a high success rate.
    Are there any plans to build plugins for, say, IDA to use the UnpacMe API?

    • @OALABS
      @OALABS 5 years ago +1

      Yes for sure! There are already folks building tools around it, and I'm sure more to come in the future! github.com/larsborn/UnpacMeClient
      github.com/R3MRUM/unpacme

  • @SourceCodeDeleted
    @SourceCodeDeleted 5 years ago +5

    Ok. This is the best thing that has happened in the malware community for a while.

  • @vallabhchole
    @vallabhchole 5 years ago +1

    Great service sir!!
    Also great video.

  • @karstenhahn1082
    @karstenhahn1082 4 years ago +1

    Based on "The Art of Computer Virus Research and Defense" by Szor
    --> If the payload changes its form, it is metamorphic
    --> If the payload is encrypted using countless different stubs, it is polymorphic
    --> If the payload is encrypted using a finite set of stubs, it is oligomorphic
    Szor applies it only to viruses and the way they replicate. But nowadays it is applied to the way malware is compiled or crypted.
    It's really confusing that literally everyone uses the terms differently XD

  • @TheSaravCh
    @TheSaravCh 4 years ago +1

    Excellent video about unpacking. Does WinAppDbg work on 64-bit processes and Win10 machines?

    • @OALABS
      @OALABS 4 years ago

      With WinAppDbg we are frozen in time... Python 2.7 on Win7 x86 : )) But we have been porting a lot of things over to emulators so there are no longer any constraints around the OS. We were planning on talking about this at HITB this year but now with the travel restrictions I think we will just make a video...

  • @feifeilooper8312
    @feifeilooper8312 4 years ago +1

    Thanks for this topic 😁, I've uploaded the two samples to the unpacme website; they use the same packers as far as I know, but one of them was unpacked. Anyway, this is an awesome topic.

  • @purpler3m910
    @purpler3m910 5 years ago +1

    Thanks for the awesome history lesson! Many things I did not know. I am a little bit smarter today!

  • @sulthansk6444
    @sulthansk6444 5 years ago +1

    The perfect weapon
    Thanks for the video...

  • @nobackupkiwi
    @nobackupkiwi 5 years ago +6

    Can you make a video on deobfuscation? :D

    • @OALABS
      @OALABS 5 years ago +4

      Hey Francisco, I just replied to your comment on our other video. Same response here unfortunately... this is a hard topic that doesn't have a lot of generic solutions so making tutorials may not be the best way to cover it. However, this is an active research topic for us so we may have more on it in the future...

    • @nobackupkiwi
      @nobackupkiwi 5 years ago +1

      @OALABS Thank you for your answer :D I was hoping maybe an informative video explaining what types of obfuscation exist and what people tend to use to defeat them (symbolic execution, emulation, etc.) would be interesting, in my opinion, and it would incentivize/help people to code their own tools. Greetings.

  • @Glockenspiels
    @Glockenspiels 5 years ago +1

    Instant subscribe ♥️

  • @jacobbello4368
    @jacobbello4368 5 years ago +1

    Can you make a video on debugging malware that uses the Heaven's Gate technique?

    • @OALABS
      @OALABS 5 years ago

      Yes, so we have actually been planning a video on this since our WinDbg tutorial! The second part of that tutorial is supposed to be Josh showing us how to use WinDbg to deal with some tricky Heaven's Gate implementation. We just haven't found the time but we will... eventually haha : )

  • @xMacTac
    @xMacTac 5 years ago +1

    Interesting tool! Congrats :)

  • @Ahmed_Mtr
    @Ahmed_Mtr 5 years ago +1

    Why did you not mention PINdemonium? Is it outdated?

    • @OALABS
      @OALABS 5 years ago +1

      Nice suggestion! So I had honestly forgotten all about that project, it has been years since we worked with PIN and I think our initial PIN dumper was created before that project. So when it was released I don't think we looked at it very closely. Just checking out the GitHub now, it looks like it hasn't been updated in 4 years : (

  • @BinaryAdventure
    @BinaryAdventure 5 years ago +1

    OHHHH YEEEESSSSSS!!!!!

    • @OALABS
      @OALABS 5 years ago

      Haha thought you would dig it : )

  • @Zihad
    @Zihad 5 years ago +1

    Frida is way better now right?

    • @OALABS
      @OALABS 5 years ago

      Yes!! Frida now is not even comparable to what it was when we were working with it. It's so much more stable now. The issues we faced then would still be around now though... hard to debug crashes in production, and needs lots of external code to support "automating" it so not the best choice for what we are doing. However, a great tool for smaller jobs!

  • @nishanmaharjan4840
    @nishanmaharjan4840 5 years ago +1

    Noice

  • @tomay3000
    @tomay3000 5 years ago

    The upload of a 4.4 MB PE32 file is stuck in the middle.

  • @andreling5020
    @andreling5020 4 years ago

    Can I be your student to learn please