
Thread: Hex-Rays against Aurora

  1. #1
    Imported blog (Hex-Rays)
    Join Date
    Nov 2007
    Posts
    105

    Hex-Rays against Aurora

    As everyone knows, Google and some other companies were under a targeted attack a few days ago. A vulnerability in Internet Explorer was used to penetrate the computers.

    An IDA user very kindly sent us the following link:

    http://www.avertlabs.com/research/blog/index.php/2010/01/18/an-insight-into-the-aurora-communication-protocol/

    As is visible from the screenshots, the code is somewhat nasty to analyze, because it consists of very short blocks like this:



    Even displayed in the graph mode, the output is still lengthy and messy:



    We were pleasantly surprised to see how the decompiler handles this code:



    I renamed some variables and specified their types, but even without this, the output was very readable.

    Just one more example. Virtually all functions are obfuscated with this quite simple technique:



    Yet the decompiler output is pleasing to the eye:



    I'm very impressed by the results.

    We are currently completing support for intrinsic functions in the decompiler (it turned out that there are literally hundreds and hundreds of them). Also, SSE-based scalar floating point computations will be mapped to high-level constructs. It will probably take a few more weeks before the code stabilizes, but it won't be long. Thanks for being patient.

    http://hexblog.com/2010/01/hexrays_against_aurora.html

  2. #2
    frozenrain
    Guest
    Hi Hex Blog, can you share the samples? Thx

  3. #3
    Quote Originally Posted by frozenrain View Post
    Hi Hex Blog, can you share the samples? Thx
    Could it be that the more mankind develops, the less brain is needed by individuals?

  4. #4
    Well... he forgot the 'b' in his nick after frozen, I guess...

    But then again people like me living in glass houses should not throw stones.... wot?

    Have Phun
    Blame Microsoft, get l337 !!

  5. #5
    Quote Originally Posted by Aimless View Post
    But then again people like me living in glass houses should not throw stones...
    Uuuuuhmmm, I think that goes for me, too, but I couldn't resist when I read frozenrain's post.

  6. #6
    Certainly one would have thought that the "Imported blog" listing would have been a "clue"!



    Regards,
    JMI
