Exetools > General > General Discussion
#16  Git  (10-20-2009, 23:46)
And key generation tied to the individual CPU.

Git
#17  remal  (10-21-2009, 09:49)
> quosego: However I doubt it's feasible, no sane person would give up the free computer model and turn them into restrictive consoles.
Quite true.

At the moment, our computing model is still more or less a static model. Code is compiled into static instructions. Packers have static signatures. Data is treated as data, code is treated as code. So in a sense, it is still an (albeit less) restrictive console.

Maybe the future is in dynamism. Code and data are mixed up, stirred well; one cannot tell if it's code or data. Code is generated on-the-fly, morphing from time to time.
#18  Git  (10-21-2009, 20:14)
> Code is generated on-the-fly, morphing from time to time.

Rather negates the huge speedup gained by the multi-tiered large caches we enjoy today.

Git
#19  remal  (10-21-2009, 23:12)
Yeah, that's the sad part. Whether it is a fair trade-off remains to be seen. We also make this trade-off when we decide to use VM code.

But at the moment, we still do not have good instrumentation tools for PE files. There are very useful tools for the Java VM (ObjectWeb ASM), and probably for the .NET CLR too. This is probably what holds us back from seeing realizations of such dynamism.

Maybe the next step in evolution is a morphing VM. Let us wait and see.
#20  quosego  (10-21-2009, 23:45)
As for a morphing VM, well, Themida has got all of that already..

Bytes -> handler = dynamic (if 00 equals mov in the first instruction, it will be different in the second, and also different between programs.)
handler sequence = dynamic/random
byte encryption = carrying, modified by each byte, and each next byte is encrypted with it.
+ Handler obfuscation
+ VM_code obfuscation

Not much more they could've done..
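The three properties quosego lists above, worked through in a toy. This is an added example and is not Themida's code or design, nor code from anyone in this thread: a four-handler stack VM in C whose opcode-to-handler table is fixed per build, whose opcode meaning also rolls from one instruction to the next, and whose bytecode is encrypted with a carried key, so each byte's key depends on every byte decrypted before it. The seed-to-table derivation (seed bytes driving a Fisher-Yates shuffle), the `chain`/`roll` functions and the instruction set are constructed stand-ins chosen so the result can be checked by hand; they are assumptions, not a description of how Themida does it.

```c
/* Constructed example: a toy VM with the three properties quosego lists.
 * Not Themida's code or design; the seed-to-table derivation, the chaining
 * function and the four-handler instruction set are arbitrary stand-ins. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { H_PUSH = 0, H_ADD, H_XOR, H_RET, H_COUNT };
#define STACK_MAX 16

typedef struct {
    uint8_t perm[H_COUNT]; /* handler index -> opcode slot, fixed per build */
    uint8_t key0;          /* initial chaining key, fixed per build */
} build_t;

typedef struct { uint8_t h, imm; } op_t;  /* plaintext instruction: handler + optional immediate */

/* Per-build table (assumption: seed bytes drive a Fisher-Yates shuffle so the
 * result is checkable by hand; a real protector would use its build-time RNG). */
static build_t make_build(uint32_t seed) {
    build_t b;
    for (int i = 0; i < H_COUNT; i++) b.perm[i] = (uint8_t)i;
    for (int i = H_COUNT - 1; i > 0; i--) {
        int j = (int)((seed >> (8 * i)) & 0xFFu) % (i + 1);
        uint8_t t = b.perm[i]; b.perm[i] = b.perm[j]; b.perm[j] = t;
    }
    b.key0 = (uint8_t)seed;
    return b;
}

/* "Carrying" encryption: the next key is derived from the current key and the
 * plaintext byte just processed, so every byte's key depends on all before it. */
static uint8_t chain(uint8_t key, uint8_t p) {
    return (uint8_t)(((key << 3) | (key >> 5)) ^ p);
}

/* Rolling opcode state, advanced once per instruction: the same raw opcode
 * value selects a different handler at a different position in the stream. */
static uint8_t roll(uint8_t st, uint8_t h) {
    return (uint8_t)(st * 5 + h + 1);
}

static size_t vm_assemble(const build_t *b, const op_t *ops, size_t n, uint8_t *out) {
    uint8_t key = b->key0, st = 0;
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t p = (uint8_t)(b->perm[ops[i].h] ^ st);          /* build table, then rolling state */
        out[len++] = (uint8_t)(p ^ key); key = chain(key, p);   /* then the carried stream cipher */
        if (ops[i].h == H_PUSH) {
            out[len++] = (uint8_t)(ops[i].imm ^ key); key = chain(key, ops[i].imm);
        }
        st = roll(st, ops[i].h);
    }
    return len;
}

/* Returns 0 and stores the RET value, or -1 if the stream desynchronises
 * (wrong build, wrong start offset) or is malformed. */
static int vm_run(const build_t *b, const uint8_t *code, size_t len, int32_t *result) {
    uint8_t inv[256];                    /* opcode slot -> handler, 0xFF = no handler */
    memset(inv, 0xFF, sizeof inv);
    for (int i = 0; i < H_COUNT; i++) inv[b->perm[i]] = (uint8_t)i;

    uint8_t key = b->key0, st = 0;
    int32_t stack[STACK_MAX];
    int sp = 0;
    size_t pc = 0;
    while (pc < len) {
        uint8_t p = (uint8_t)(code[pc++] ^ key); key = chain(key, p);
        uint8_t h = inv[(uint8_t)(p ^ st)];
        if (h == 0xFF) return -1;        /* no handler owns this slot: out of sync */
        switch (h) {
        case H_PUSH:
            if (pc >= len || sp >= STACK_MAX) return -1;
            { uint8_t imm = (uint8_t)(code[pc++] ^ key); key = chain(key, imm); stack[sp++] = imm; }
            break;
        case H_ADD: if (sp < 2) return -1; stack[sp - 2] += stack[sp - 1]; sp--; break;
        case H_XOR: if (sp < 2) return -1; stack[sp - 2] ^= stack[sp - 1]; sp--; break;
        case H_RET: if (sp < 1) return -1; *result = stack[sp - 1]; return 0;
        }
        st = roll(st, h);
    }
    return -1;                           /* ran off the end without RET */
}

/* Assembles one program under two builds and checks the claimed properties.
 * Returns 0 when all hold, otherwise the number of the first failing check. */
int vm_demo(void) {
    static const op_t prog[] = { {H_PUSH, 7}, {H_PUSH, 5}, {H_ADD, 0}, {H_PUSH, 3}, {H_XOR, 0}, {H_RET, 0} };
    const size_t n = sizeof prog / sizeof prog[0];
    build_t a = make_build(0x0102035Au), b = make_build(0x030201C3u); /* two constructed build seeds */
    uint8_t ca[32], cb[32];
    int32_t r = 0;
    size_t la = vm_assemble(&a, prog, n, ca), lb = vm_assemble(&b, prog, n, cb);
    if (vm_run(&a, ca, la, &r) != 0 || r != 15) return 1;  /* (7 + 5) ^ 3 == 15 under build A */
    if (vm_run(&b, cb, lb, &r) != 0 || r != 15) return 2;  /* same result under build B */
    if (la == lb && memcmp(ca, cb, la) == 0) return 3;    /* same program, different bytes per build */
    if (vm_run(&b, ca, la, &r) == 0) return 4;            /* build B's tables cannot run build A's stream */
    if (vm_run(&a, ca + 2, la - 2, &r) == 0) return 5;    /* fresh state at instruction 2: chain is wrong */
    return 0;
}

int main(void) {
    printf("vm_demo() = %d (0 means every check passed)\n", vm_demo());
    return 0;
}
```

Under build A the two PUSH instructions at positions 2 and 4 encode as 0x90 and 0x6E even though they select the same handler, and the first byte of the stream is 0x5A under build A but 0xC3 under build B: neither the raw byte nor its position identifies the handler on its own. The practical consequence for analysis is that a handler trace has to carry the chain and roll state along, which is why one instruments the decrypt loop rather than pattern-matching the VM_code bytes. Two caveats: this toy's four-entry table makes a desynchronised stream fail loudly (checks 4 and 5), whereas a VM whose table covers all 256 values would silently execute garbage, and the chaining function here is a stand-in, not a claim about the real one.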
#21  kittmaster  (10-22-2009, 05:13)
Sometimes life just gets in the way, or goals about things change... Not much you can do but enjoy the ride.
#22  Git  (10-22-2009, 05:19)
> We also make this trade off when we decide to use VM code

But we don't make that choice, it is thrust upon us by software manufacturers thinking they are protecting their product. Nobody would choose to have VM'd apps rather than plain 386, would they?

Git
#23  remal  (10-22-2009, 10:18)
> quosego: As for morphing VM, well themida has got all already..
I've really no clue on how Themida works, so I'm just guessing blindly here.

To me, morphing means the code is changed in each __run__, not in each __application__. Or even better, if the code is changed after some condition, even within one run.
#24  quosego  (10-22-2009, 14:33)
Well, doable, but that won't change it much.. If you'd make the handler -> bytes mapping changeable, and the accompanying handler location as well, it would however open a massive security problem.. I can force the VM to become static by shutting down its randomization; this way I get an identical VM in all apps, making it a lot weaker than it is now.

If you'd morph VM_code however, you can attack the morpher, which can interpret VM_code to morph it, and very likely extract usable info from it. (If not pure asm.)
#25  davo007  (01-23-2010, 10:55)
Could it be that the scene is smaller because the scene is getting older?? The younger generation are too lazy to spend the time cracking software protection...and that combined with the fact that there is not too much teaching going on out there (imho) so the tricks of the trade are dying with those that know them. And the older scene "is getting too old for this sh%$" to mess with the newer stuff...

my two cents.
#26  quosego  (01-23-2010, 17:31)
> The younger generation are too lazy
Hehe, well, thank you. But you've got a point; how I see it, all the 15, 16, 17 year olds are used to internet spoon feeding. Seems that group is around at the RE sites but not quite cracker material.

Last edited by quosego; 01-23-2010 at 17:41.
#27  metr0  (01-23-2010, 21:49)
The scene's getting smaller for sure. I haven't been in the scene for long yet, but it wasn't hard to notice that trend.

"Internet spoon feeding" describes the whole attitude perfectly (thanks quo :P). But that's also why I don't wonder that the amount of teaching decreases if there's no one left interested in how to solve an RCE problem, but rather in having the problem solved at all.
#28  what  (01-26-2010, 14:09)
> The younger generation are too lazy
This, combined with the move to obfuscated code, is what is causing fewer and fewer people to get involved with RCE. Earlier in the decade, the code from protectors was easy to read and there were only anti-debugging techniques, but now you have to search for the right code (sift through thousands of commands). It's much harder to jump right into reversing, so people quit before they even get started. And the scene is getting smaller because (well, the reason why I retired) it's the same old crap. There was a shift toward VM and obfuscated code, then no changes since. The protections haven't changed, so people just get bored. And those who do stay in the scene and do know how to deal with new protections do not want to share the information, because it takes so long to perfect an attack, which is another reason why the new generation is not getting involved (lack of information on new protections).
#29  netseeker  (02-28-2010, 02:52)
Perhaps open-source solutions are working well; that's why the scene is not as effective as it used to be. For instance, for an FTP client it's been a long time that I've been using FileZilla instead of CuteFTP or any other third-party commercial software. Don't you think?
#30  cybercoder  (03-09-2010, 23:20)
I think quite simply it's all about time now... it is a very time-consuming process now and many have grown out of it / got bored.. Girlfriends / kids don't help either.. lol. Although I tend to disagree with a lot of the tutorials out there that rely on things such as scripts or other tools that pretty much do it all and you learn nothing.. Also, many ways of defeating anti-debug tricks are often not explained.. usually it's just "use this plugin, it does it for you".. I think a complete understanding of why the debugger is being caught and the way to defeat it should be explained a lot more..