Thoughts about the Ultimate PE Unpacker

A lot of incompetence hides behind obscurity. Thanks to PE packers and their notorious ways, these losers are safe, for now.

Fighting a PE packer reminds me of fighting a chess engine. And thinking of chess engines reminds me of transposition tables. And that gave me the idea for an LLVM-like optimizer for unpacking obfuscated PEs, one that works by observing processor state transitions.

Another strategy would be to look at how packed PEs crash when they are analyzed. Looking at the processor state changes during the dying moments of a program can give insight into how packers crash the program. So one would keep two VMs alive executing the same PE, with one VM running ahead of the other. By watching the VM that is executing the program's future, one can discover the halting techniques the packer uses and then steer the trailing VM away from those execution paths created by the packer.

Of course there is no solution to the halting problem, but I think the above strategy will keep these arrogant packers at bay.
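A toy model of the two-VM idea above, added here as an illustration and not code from the original post: a leader VM explores the program's future and memoises outcomes in a transposition table, and the follower VM, which is the one "really" executing, consults it at every packer-inserted check and refuses a branch the leader already saw die. The instruction set, the `jda` ("jump if debugger attached") check and the sample program are all constructed assumptions, not any real packer.

```python
CRASH, HALT, UNKNOWN = "crash", "halt", "unknown"

def step(prog, pc, regs, flag):
    """Execute one toy instruction; returns (pc, regs, outcome), outcome None while running."""
    op, r = prog[pc], list(regs)
    if op[0] == "mov":   r[op[1]] = op[2];            return pc + 1, tuple(r), None
    if op[0] == "sub":   r[op[1]] -= op[2];           return pc + 1, tuple(r), None
    if op[0] == "jnz":   return (op[2] if regs[op[1]] else pc + 1), regs, None
    if op[0] == "jda":   return (op[1] if flag else pc + 1), regs, None  # packer's check
    if op[0] == "crash": return pc, regs, CRASH      # packer kills the process
    if op[0] == "halt":  return pc, regs, HALT       # original entry point reached
    raise ValueError(op)

def lookahead(prog, pc, regs, depth, table):
    """Leader VM: outcome reachable from (pc, regs) within `depth` steps, assuming the
    analyst steers every later check away from a known crash. Memoised per state,
    like a transposition table; UNKNOWN means the horizon ran out (e.g. a stall loop)."""
    key = (pc, regs)
    if key in table:
        return table[key]
    if depth == 0:
        return UNKNOWN
    if prog[pc][0] == "jda":
        out = lookahead(prog, prog[pc][1], regs, depth - 1, table)   # branch the packer wants
        if out == CRASH:
            out = lookahead(prog, pc + 1, regs, depth - 1, table)    # steer away from it
    else:
        npc, nregs, out = step(prog, pc, regs, True)
        if out is None:
            out = lookahead(prog, npc, nregs, depth - 1, table)
    if out != UNKNOWN:
        table[key] = out
    return out

def run(prog, guard=True, horizon=16, max_steps=200):
    """Follower VM: executes for real; with guard=True it asks the leader before each
    packer check whether the taken branch is known to end in a crash."""
    table, pc, regs, trace = {}, 0, (0, 0), []
    for _ in range(max_steps):
        trace.append(pc)
        flag = True                      # we really are running under analysis
        if guard and prog[pc][0] == "jda" and \
                lookahead(prog, prog[pc][1], regs, horizon, table) == CRASH:
            flag = False                 # refuse the path the packer built to kill us
        pc, regs, out = step(prog, pc, regs, flag)
        if out is not None:
            return out, trace
    return UNKNOWN, trace                # horizon exhausted: the halting-problem caveat

# Constructed sample: a "decryption" loop guarded by two anti-analysis checks.
PROGRAM = [("mov", 0, 3), ("jda", 6), ("sub", 0, 1), ("jnz", 0, 2), ("jda", 7),
           ("halt",), ("crash",), ("sub", 1, 1), ("crash",)]
```

Running `run(PROGRAM, guard=False)` dies at the first check, while `run(PROGRAM)` reaches `halt`; a check that leads into an endless stall instead of a crash stays UNKNOWN, which is exactly the limit the halting problem imposes on the lookahead.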
