r0da's blog

This is a part of my tutorial on how to protect windows executables, so is a little bit disconnected from my others posts, but in wait of my big tutorial I publish this anyway. Something that you can apply with the others encryption tricks in PE files is the encryption of function, and decrypting at calling time. I found this trick with the Zer0Mem0ry post originaly made to bypass memory signatures checks by encrypt functions at runtime. With random xor, so A big thanks to this good guy 😃 But wait, why use function encryption if we can just encrypt segments, In my point of view, if you make the all segments encrypted, the dissasembler will see only functions related to the decryption of the segments. So immediately you will see where the code is decrypted, I think that having a lot of functions is more efficient in this case. There is a lot of " pros and cons " about this trick and I will discuss a bit about them at the end This is, again, to make at the

Today I will share a little tool called Exe2Jar This is an Jar2Exe executable unpacker Jar2exe is a wrapper cross platform for JAR files that allows the execution of JAR files through a windows, linux or mac executable while the JRE is installed. My unpacker recover the main JAR file from these executable. I did it for school project with the goal to make a Java program using Object Programming. I think its look good, so I release it on git I will post a thread about the research around it. Source code : https://github.com/wherethef2ckisr0da/exe2jar

One of the usefull thing in reverse engenering is xrefs (crossreferences), with a complet analyse of all the PE, variables and functions addresses can be linked to functions where they are called or used. This simplify drasticly the reverse engenering, but xrefs can be a problem in case of security check. If you have a big executable and you want to look at the license check system, a string like “Check License” or “Enter License” can be find easily and the xrefs associated to him will show you directly what you wanted to find. Basically, xrefs in commun tool just make a link between the place where the address is used and the data at this address.  So the simple trick that we could use is just to manipulate the address where is called to unmatch with the real data location. The “tricks” can be used only if ALSR is disable (we need to know static addresses in executable) and yes it’s cold be a security issue is the application is important (read documentation about it),