Radare2: Can someone do it in Radare2?

Created on 26 Jul 2016  ·  6 Comments  ·  Source: radareorg/radare2

Generic Unpacking:
https://www.youtube.com/watch?v=h9RiBJ06MAQ

I know it might be too easy, but whatever works.

1) Put a HW BP on the stack access, when the stack is changed for first time.
2) Run till it breaks.
3) Find the original entry point from a next jump (push, ret).
4) Dump the unpacked code.

Please explain.

Script would also do :-).

FEEDBACK WANTED

All 6 comments

Generic Request = https://www.youtube.com/watch?v=KlujizeNNQM

I know it may be nothing, but I want 1 billion USD to be donated to the radare2 project

Please transfer.

Bitcoin would also do :-)

Do you want to argue that there is 1 bill.. invested in Olly?

I feel that there is a non-technical discussion involved. I don't really want to go that way.

Am I asking too much?

The way you asked is like: please do it for me 👎
If you have begun something I will really be happy to help you 👍

On 26 Jul 2016, at 16:17, MariasStory [email protected] wrote:

Generic Unpacking:
https://www.youtube.com/watch?v=h9RiBJ06MAQ
I know it might be too easy, but whatever works.

1) Put a HW BP on the stack access, when the stack is changed for first time.

sr SP
dmp 0

2) Run till it breaks.

dc
3) Find the original entry point from a next jump (push, ret).

e search.in=dbg.maps.exec
pd 10~jmp

4) Dump the unpacked code.

wt

Please explain.

Script would also do :-).

Reply to this email directly, view it on GitHub https://github.com/radare/radare2/issues/5382, or mute the thread https://github.com/notifications/unsubscribe-auth/AA3-lr7Oa04kht5c0rcz-O8w2PWUkSdzks5qZhb7gaJpZM4JVMYu.
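The four steps from the opening post, wired to the commands @radare gave above, as a script of the kind MariasStory asked for. This is an added example, not code from this thread or from the radare2 project. It assumes r2pipe is installed, that `sr SP`, `dmp 0`, `dc`, `pd` and `wt`/`wtf` behave as used in the reply, and that the JSON variants `dmj` (memory maps with `addr`, `addr_end`, `perm`), `iSj` (sections with `vaddr`, `vsize`) and `pdj` (instructions with `type`, `opcode`, `jump`) are available; the sample disassembly at the bottom is constructed, not taken from any real binary. The OEP heuristic goes slightly beyond step 3 as written: it recognises both a `jmp`/`call` tail and the `push imm; ret` pair, and only accepts targets that are executable but outside the section the unpacker stub is running in.

```python
"""Scriptable version of the four unpacking steps from this thread (added example).

The OEP heuristic is plain Python over radare2-shaped JSON so it can be tested on
constructed data; the r2pipe driver at the bottom runs the steps against a live process.
"""
from typing import Iterable, List, Optional, Tuple


def in_ranges(addr: int, ranges: Iterable[Tuple[int, int]]) -> bool:
    """True if addr lies inside any [start, end) range."""
    return any(lo <= addr < hi for lo, hi in ranges)


def imm_operand(opcode: str) -> Optional[int]:
    """Parse the last operand of an opcode string such as 'push 0x401000' as an integer."""
    parts = opcode.replace(",", " ").split()
    if len(parts) < 2:
        return None
    tok = parts[-1]
    try:
        return int(tok, 16) if tok.lower().startswith("0x") else int(tok)
    except ValueError:
        return None


def find_oep_candidate(insns: List[dict], exec_ranges: List[Tuple[int, int]],
                       stub_range: Tuple[int, int]) -> Optional[int]:
    """Step 3: find the unpacker's tail transfer in a list of `pdj`-shaped instructions.

    A candidate is a transfer target that is executable but outside the stub's own
    range, in one of two shapes: `jmp`/`call` to an immediate, or `push <imm>` followed
    directly by `ret`. Returns the first such target or None.
    """
    lo, hi = stub_range
    for i, ins in enumerate(insns):
        kind = ins.get("type", "")
        target = None
        if kind in ("jmp", "call"):
            target = ins.get("jump") or imm_operand(ins.get("opcode", ""))
        elif kind == "push" and i + 1 < len(insns) and insns[i + 1].get("type") == "ret":
            target = imm_operand(ins.get("opcode", ""))
        if target is None:
            continue
        if in_ranges(target, exec_ranges) and not (lo <= target < hi):
            return target
    return None


def unpack_with_r2(path: str, out_file: str, max_stops: int = 8) -> Optional[int]:
    """Steps 1-4 live. Assumes r2pipe and the r2 commands named in the lead-in."""
    import r2pipe  # imported here so the heuristic above stays importable without it
    r2 = r2pipe.open(path, flags=["-d"])          # open under r2's native debugger
    r2.cmd("sr SP")                               # step 1: seek to the stack pointer ...
    r2.cmd("dmp 0")                               # ... and drop that page's permissions so the first stack access faults
    oep, exec_ranges = None, []
    for _ in range(max_stops):
        r2.cmd("dc")                              # step 2: run until it breaks
        r2.cmd("sr PC")
        pc = int(r2.cmd("s").strip(), 16)         # current seek is now the program counter
        maps = r2.cmdj("dmj") or []
        exec_ranges = [(m["addr"], m["addr_end"]) for m in maps if "x" in m.get("perm", "")]
        sections = r2.cmdj("iSj") or []           # stub range at section granularity (assumption: iSj fields)
        stub = next(((s["vaddr"], s["vaddr"] + s["vsize"]) for s in sections
                     if s["vaddr"] <= pc < s["vaddr"] + s["vsize"]), (pc, pc + 1))
        oep = find_oep_candidate(r2.cmdj("pdj 32") or [], exec_ranges, stub)
        if oep is not None:
            break
    if oep is not None:                           # step 4: dump the executable region holding the OEP
        lo, hi = next(r for r in exec_ranges if r[0] <= oep < r[1])
        r2.cmd(f"wtf {out_file} {hi - lo} @ {lo:#x}")
    r2.quit()
    return oep


# Constructed sample in the shape of `pdj` output: a stub at 0x401f00 whose tail is
# `push 0x401000; ret`, with the unpacked code mapped below it at 0x401000.
SAMPLE_STUB = [
    {"offset": 0x401f00, "type": "mov",  "opcode": "mov esp, ebp"},
    {"offset": 0x401f02, "type": "jmp",  "opcode": "jmp 0x401f10", "jump": 0x401f10},  # local jump, ignored
    {"offset": 0x401f10, "type": "push", "opcode": "push 0x401000"},
    {"offset": 0x401f15, "type": "ret",  "opcode": "ret"},
]
SAMPLE_EXEC = [(0x401000, 0x401f00), (0x401f00, 0x402000)]  # constructed executable maps


def demo() -> Optional[int]:
    """Run the heuristic on the constructed sample; expected candidate is 0x401000."""
    return find_oep_candidate(SAMPLE_STUB, SAMPLE_EXEC, stub_range=(0x401f00, 0x402000))


if __name__ == "__main__":
    print(hex(demo() or 0))
```

`unpack_with_r2("packed.exe", "dump.bin")` is the live call; the loop continues past stops that show no tail transfer yet, since the first stack access is usually the stub's own prologue rather than the restore before the jump to the original entry point.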

Thanks @Maijin, you seem to be an involved and knowledgeable person.

I didn't ask to help. I can do it with olly :-)

The problem is that olly is limited to 32 bit. I just want to have a good and flexible way to do reverse engineering.

Thanks @radare, you always have detailed and technical answers.

I'll try this solution 👍

Maybe there could be a collection of general malware reverse engineering examples (scripts), so that new users can quickly get to use r2 in their daily work?
