
Thread: ARTeam: IDA plugin to depack aplib/lzma statically compressed data into IDA by deroko

  1. #1 Shub-nigurrath (Super Moderator; joined May 2004; location: Obscure Kadath; 430 posts)


    Hi all,
    deroko just released a plugin for IDA 5.2 and later that decompresses aPLib- or LZMA-packed data in your target while you are analyzing it with IDA.

    The plugin supports aPLib, which is quite common in malware, but there is also support for PackMan's LZMA compression, even though that one is very rare.

    Run the plugin by pressing CTRL+9 (you will be prompted with an unpacking window), or simply go to Edit->plugins->aplib depack.

    The IDA database is then automatically updated with the uncompressed data, so there is no more need to create dumps for analysis.

    Full C sources are included as well. See the readme.txt for further details and instructions.

    http://arteam.accessroot.com/releases.html or CRCETL ;-)
    Last edited by Shub-nigurrath; September 24th, 2008 at 03:33.
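
Added example (not deroko's plugin code and not posted in this thread): a pure-Python depacker for the aPLib bitstream that the plugin decodes into the database, accepting either a raw stream or aPLib's 24-byte "AP32" safe-header container (magic, header size, packed size, packed CRC-32, original size, original CRC-32; aPLib's CRC-32 is the standard one that `zlib.crc32` computes). The sample stream is hand-assembled for this example and decodes to `ABCABCABCABC`; `ap32_wrap` is a demo helper that builds the container around it. Unlike the plain reference depacker, this one rejects truncated input and back-references that reach before the start of the output, which is what you want when feeding it blobs carved out of a malware sample.

```python
import struct
import zlib

AP32_MAGIC = b"AP32"          # magic of aPLib's "safe" container (24-byte header)


class _BitReader:
    """aPLib tag bits, MSB first; literal and offset bytes come from the same stream."""

    def __init__(self, data: bytes):
        self.data, self.pos, self.tag, self.bitcount = data, 0, 0, 0

    def byte(self) -> int:
        if self.pos >= len(self.data):
            raise ValueError("truncated aPLib stream")
        self.pos += 1
        return self.data[self.pos - 1]

    def bit(self) -> int:
        if self.bitcount == 0:                 # tag exhausted: fetch the next tag byte
            self.tag, self.bitcount = self.byte(), 8
        self.bitcount -= 1
        bit = (self.tag >> 7) & 1
        self.tag = (self.tag << 1) & 0xFF
        return bit

    def gamma(self) -> int:
        """Gamma code (value >= 2): each value bit is followed by a 'more bits' flag."""
        result = 1
        while True:
            result = (result << 1) + self.bit()
            if not self.bit():
                return result


def aplib_depack_raw(src: bytes) -> bytes:
    """Decode a raw aPLib stream; rejects truncated input and out-of-range back-references."""
    r, out = _BitReader(src), bytearray()
    out.append(r.byte())                       # first byte is always stored verbatim
    r0, lwm = -1, 0                            # last match offset, "last token was a match"

    def copy(offs: int, length: int) -> None:
        if offs <= 0 or offs > len(out):
            raise ValueError(f"back-reference offset {offs} before start of output")
        for _ in range(length):                # byte-wise, so overlapping copies repeat
            out.append(out[-offs])

    while True:
        if not r.bit():                        # 0   : literal byte
            out.append(r.byte())
            lwm = 0
        elif not r.bit():                      # 10  : gamma offset (+ low byte), gamma length
            offs = r.gamma()
            if lwm == 0 and offs == 2:         # repeat the previous offset
                copy(r0, r.gamma())
            else:
                offs = ((offs - (3 if lwm == 0 else 2)) << 8) + r.byte()
                length = r.gamma()
                if offs >= 32000:
                    length += 1
                if offs >= 1280:
                    length += 1
                if offs < 128:
                    length += 2
                copy(offs, length)
                r0 = offs
            lwm = 1
        elif not r.bit():                      # 110 : 7-bit offset, length 2-3; offset 0 ends
            b = r.byte()
            offs, length = b >> 1, 2 + (b & 1)
            if offs == 0:
                return bytes(out)
            copy(offs, length)
            r0, lwm = offs, 1
        else:                                  # 111 : 4-bit offset, one byte; offset 0 = NUL
            offs = 0
            for _ in range(4):
                offs = (offs << 1) + r.bit()
            if offs:
                copy(offs, 1)
            else:
                out.append(0)
            lwm = 0


def aplib_depack(blob: bytes) -> bytes:
    """Accept a raw stream or an AP32 container, checking the container's sizes and CRCs."""
    if blob[:4] != AP32_MAGIC:
        return aplib_depack_raw(blob)
    if len(blob) < 24:
        raise ValueError("AP32: short header")
    hdr_size, packed_size, packed_crc, orig_size, orig_crc = struct.unpack_from("<5I", blob, 4)
    packed = blob[hdr_size:hdr_size + packed_size]
    if len(packed) != packed_size or zlib.crc32(packed) != packed_crc:
        raise ValueError("AP32: packed size/CRC mismatch")
    out = aplib_depack_raw(packed)
    if len(out) != orig_size or zlib.crc32(out) != orig_crc:
        raise ValueError("AP32: original size/CRC mismatch")
    return out


def ap32_wrap(packed: bytes, original: bytes) -> bytes:
    """Build the 24-byte AP32 header around a raw stream (demo helper for this example)."""
    return AP32_MAGIC + struct.pack("<5I", 24, len(packed), zlib.crc32(packed),
                                    len(original), zlib.crc32(original)) + packed


# Hand-assembled sample stream (constructed for this example); decodes to b"ABCABCABCABC":
#   41      first byte 'A', verbatim
#   2B      tag 0010 1011 -> 0,0 two literals; 1,0 gamma block; gamma(3)=1,0; length gamma 1,1..
#   42 43   the two literal bytes 'B' 'C'
#   03      low offset byte -> offset ((3-3)<<8)+3 = 3
#   B0      tag 1011 0000 -> 1,0 ends length gamma(7), +2 for offset<128 = 9; 1,1,0 short block
#   00      short block with offset 0 = end of stream
SAMPLE_RAW = bytes.fromhex("41 2B 42 43 03 B0 00")

if __name__ == "__main__":
    plain = aplib_depack(SAMPLE_RAW)
    print(plain, aplib_depack(ap32_wrap(SAMPLE_RAW, plain)) == plain)
```

The `copy` check is the part worth keeping when you port this into an IDA script: a corrupted or wrongly located blob otherwise reads garbage from before the output buffer and silently produces a "valid" dump.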

  2. #2
    And also thanks for sharing this one with our readers.

    Regards,
    JMI

  3. #3
    dELTA (Administrator; joined Oct 2000; location: Ring -1; 4,206 posts; 5 blog entries)
    Nice tool indeed, and thanks as always for adding it to the CRCETL (please don't include version numbers in the tool titles though, I fixed this for the entry).

    http://www.woodmann.com/collaborative/tools/index.php/IDA_Plugin_Depack_APlib_And_LZMA

    Oh, and one question: does either of these two decompression types somehow include zlib compression, which is also a very common compression type/library used in many programs? Otherwise, that would be a great (and simple) addition for version 1.1, I think.

  4. #4
    The first one is aPLib, the default compression used in many protections/packers; the other one is, if I'm not mistaken, LZMA from 7-zip.org, which I saw in only a few packers -> PackMan is probably the first one to use it.
    If there are some compression libraries which you find in other packers/protectors, I would be more than happy to add them too.

