Archive for April, 2007

Unpacking the RLPack Premium edition

Monday, April 30th, 2007

It’s been a bit quiet for a while, as I was on vacation :) As you might remember, I published unpacking instructions for RLPack a while back. I mentioned that while the free version of RLPack contained no anti-whatnot code, the premium version supposedly did, but I didn’t have any files packed with it. I was contacted by ap0x, the coder of RLPack, and he was kind enough to send me a sample file packed with the premium edition. (more…)

Hello World!, with a twist.

Sunday, April 8th, 2007

I was digging through my stash for something interesting when I spotted a small file, only 2048 bytes in size. Looking at the strings, besides a few imports like LoadLibraryA, it contained only two strings:

Hello World!
HI THERE

There were also some garbage strings that looked like they had been XOR-encrypted.

(more…)

Under the hood: Yoda’s Crypter 1.3

Friday, April 6th, 2007

Yoda’s Crypter (yC) was released in 2004, but never seemed to gain popularity amongst malware writers. Still, it isn’t uncommon to run into a sample protected by it. yC utilizes a polymorphic stub to hide better, but the packer can be easily fingerprinted.

I switched on every possible option in the packer and packed a test file with it. I’ll try to go through all the options and show them in the code. At the same time, we’ll walk through the unpacking process.

(more…)

Unpacking RLPack

Sunday, April 1st, 2007

RLPack Basic is an open source packer brought to you by the coders at Reversing Labs. One of the coders there (if not the only one) is ap0x. I’ve seen some of the code he’s done in the past, and I must admit he knows his trade very well. RLPack Basic doesn’t contain any anti-debug or anti-analysis code, but the premium versions do. (more…)
