Unpacking Themida 2.x 64bit … Without Actually Unpacking - REDUX! - - vimore.org

YouTube

Open Analysis Live! In this tutorial we show how to unpack a Themida 2.x 64bit PE file... kind of : ) Instead of attacking the Themida protection directly, we demonstrate how a bad architecture decision, using process injection (RunPE), made it easy to dump the unpacked PE. This video is a re-post of a video we made last week. In this video we use a sample that we built ourselves to mimic a common malware technique for demonstration purposes. The demo code is from the great demo repository maintained by @hasherezade: https://github.com/hasherezade/demos. We built the sample using CMake and the Visual Studio Express 2015 x64 compiler.

More information about the commercial packer Themida and WinLicense can be found on the Oreans website: https://www.oreans.com/themida.php
The x64dbg debugger with Scylla can be downloaded here: https://x64dbg.com/#start
PE-bear is one of our favorite PE manipulation tools (also from @hasherezade). It is no longer supported, but you can still download a copy here: https://hshrzd.wordpress.com/pe-bear/
DIE (Detect It Easy) can be downloaded here: http://ntinfo.biz/index.html

Feedback, questions, and suggestions are always welcome : )
Sergei https://twitter.com/herrcore
Sean https://twitter.com/seanmw
As always, check out our tools, tutorials, and more content over at http://www.openanalysis.net

How To Defeat Anti-VM and Anti-Debug Packers With IDA Pro

Open Analysis Live! We use IDA Pro and the debugger to unpack a Loki malware sample from a packer that has a ton of anti-analysis, anti-debug, and anti-VM tricks

Unpacking Emotet / Geodo (Stage 1) Using x64dbg - Subscriber Request

Open Analysis Live! We use x64dbg to unpack a new Emotet / Geodo malware (Stage 1). This was a subscriber request asking us to determine how this was packed. P

Unpacking Princess Locker and Fixing Corrupted PE Header (OALabs x MalwareAnalysisForHedgehogs)

Open Analysis Live teams up with MalwareAnalysisForHedgehogs to unpack Princess Locker ransomware. We show how to use x64dbg and hooks on VirtualAlloc to dump t

Overcome Self-Defending Malware - Tools, Techniques and Lab Setup

Here I demonstrate how to overcome a simple self-defence tactic that some malware samples commonly utilise to target their victims and prevent sandbox / VM anal

Extract Shellcode from Fileless Malware like a Pro

Here I demonstrate how to extract shellcode from the context of a malicious Word doc which uses VBA to inject shellcode into the memory space of a victim proces

Analyzing Adwind / JRAT Java Malware

Open Analysis Live! We analyze Adwind / JRAT malware using x64dbg and Java ByteCode Viewer. This was a subscriber request asking us to take a closer look at Adw

Manual Unpacking VMProtect v.2.07 Tutorial

Manual Unpacking VMProtect v.2.07 Tutorial. This tutorial's script works perfectly: http://www9.zippyshare.com/v/kmYPTWRe/file.html

Quick And Dirty Binary Patching With A Hex Editor

Open Analysis Live! Quick tutorial on how to patch a binary using IDA Pro and a hex editor. We also have a blog post that covers some of the details in this t

How Do Packers Work - Reverse Engineering "FUD" Aegis Crypter

Open Analysis Live! We reverse engineer the Aegis Crypter and take a look at how packers work from the malware developer's perspective... Calc.exe packed with

How to crack Filmora and remove the trial limitations using x64dbg

How to remove the trial limitations from Filmora - pop-up registration nags and video watermark http://morituri.co.nf/

Unpack Themida - .NET Executables

Simple... Hope you learned something today. Download Universal Fixer (.NET v4) Here! https://mega.nz/#

Lazy String Decryption Tips With IDA PRO and Shade Ransomware Unpacked!

We use x64dbg debugger to unpack troldesh / shade ransomware then we use IDA PRO to quickly decrypt strings and resolve dynamic imports. Expand for details...

Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library

I will discuss each of the techniques the malware author used in order to prevent reverse engineering of their Android native library including manipulating the

ASProtect(1.23 - 2.56) Unpacking

Import REConstructor 1.7e FINAL (Password = tuts4you) https://tuts4you.com/e107_plugins/download/download.php?view.415 Scylla - x64x86 Imports Reconstruction.v.

Tracing executables with a Pin Tool (tiny_tracer)

tiny_tracer: https://github.com/hasherezade/tiny_tracer Intel Pin: https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool

Reverse Engineering Anti-VM Detections in Malware - Subscriber Request Part 2

Open Analysis Live! This is Part 2 of a two part subscriber request asking us to determine "Why didn't the malware run in my sandbox?". We use IDA Pro with the

Unpacking Themida with Ollydbg & Script

Script works only on Windows XP. Credits go to LCF-AT for the script.

Malware Analysis - Process Hollowing

We unpack a Dridex sample that uses process hollowing for memory execution. Follow me on Twitter: @struppigel Sample: https://www.hybrid-analysis.com/sample/e

Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request

Open Analysis Live! We use IDA Pro and x64dbg to unpack a recently packed Gootkit malware (stage1). This was a subscriber request asking us to determine how thi

Sandbox Tricks For Faster Reverse Engineering

Open Analysis Live! A quick tutorial on mapping output from your sandbox with disassembled code in IDA. How to quickly match API calls and locate interesting co
