64-bit Imports Rebuilding and Unpacking

Presented at REcon 2008, June 15, 2008, 2:30 p.m. (60 minutes)

With 64-bit packers and protectors being released, there is presently a growing need to create new tools to facilitate the manual unpacking process and to make it as trivial as it is now for protected 32-bit executables. I'm proposing two brand-new tools, CHimpREC and CHimpREC-64, allowing the spirit of ImpREC to live on under the best possible compatibility with all the x64 versions of the Windows operating system. This talk explains the inner workings of coding a 32-bit imports rebuilder and the problems encountered due to the WoW64 environment and Address Space Layout Randomization. Next is an overview of the differences between the PE and PE32+ formats and their impact on porting CHimpREC to 64-bit. Finally, 2 or 3 short live unpacking sessions with different examples of 64-bit packers show how trivial it has become to deal with them with the help of CHimpREC-64.


Presenters:

  • Sébastien Doucet
    Sébastien Doucet, a.k.a. TiGa, is an expert in Metropolitan-Area Fiber-Optics Network Engineering (fancy cable guy) and Actuarial Sciences. He works as an IT Security Trainer for IITAC - International Institute (www.iitac.org), where he gives trainings on Binary Auditing and IDA Pro. His video tutorial series on IDA Pro is well-known throughout the world. He is the co-founder of the RCE Video Portal (videos.reverse-engineering.net) and a moderator for crackmes.de and reverse-engineering.net; he is also a member of ARTeam (arteam.accessroot.com) and CostCo (www.costco.com). In his free time, he plans to have some free time, some day in the distant future.