Hexorcist - IDA Pro Universal Unpacker Manual Reconstruct
Description
Here is a simple trick if you want to see API calls clearly in your disassembly, even when they are resolved at runtime.
0:00 Start
0:11 Introduction
0:36 Static Analysis of the Import Resolution Code
3:36 Leveraging the Universal Unpacker Manual Reconstruct Plugin
IDA Pro comes with a free plugin called "Universal Unpacker Manual Reconstruct."
It was created for unpacking PE files.
The truth is, you can use it in other scenarios too.
Imagine you are reverse engineering a malware sample that is not packed at all, but resolves API functions at runtime. When you look at the disassembly, you see many "call dword" instructions; IDA does not show which API function is being called, and the parameters are not commented.
In such a case, reconstructing imports in the classic sense is not needed.
The video explains how to use the plugin to get a clean disassembly, with the API functions correctly displayed in IDA Pro and the parameters commented.
We will use the IDA Pro debugger to stop execution as soon as the dwords have been filled, and then use the plugin.
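As an added illustration (not code from the video or from IDA's plugin), the following plain-Python model shows what the reconstruct step amounts to once the debugger is paused after the dwords are filled: walk the slot table, resolve each pointer to a symbol, rename the slot so the call site reads `call ptr_CreateFileA`, and flag slots that are still empty, which means the breakpoint was hit too early. The addresses, API names and the `module_Function` symbol format are constructed assumptions; `apply_in_ida` assumes IDAPython's `ida_bytes` and `ida_name` modules and only runs inside IDA.

```python
"""Model of renaming runtime-resolved API pointer slots after the debugger
has paused past the resolution code. Pure Python; IDA wiring is optional."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: four dword slots the malware fills at runtime.
# Addresses and names are illustrative, not taken from the video's sample.
SLOT_TABLE_START = 0x00403000
SLOT_COUNT = 4
FAKE_MEMORY: Dict[int, int] = {
    0x00403000: 0x7C801A28,   # resolved
    0x00403004: 0x7C810E27,   # resolved
    0x00403008: 0x00000000,   # not yet filled: breakpoint too early
    0x0040300C: 0x7C80AC28,   # resolved
}
# Assumed debugger-segment symbol format: module_Function.
FAKE_SYMBOLS: Dict[int, str] = {
    0x7C801A28: "kernel32_CreateFileA",
    0x7C810E27: "kernel32_WriteFile",
    0x7C80AC28: "kernel32_CloseHandle",
}

def reconstruct_slots(start: int, count: int,
                      read_dword: Callable[[int], Optional[int]],
                      name_of: Callable[[int], Optional[str]]
                      ) -> Tuple[List[Tuple[int, str]], List[int]]:
    """Return ([(slot, new_name), ...], [unresolved_slot, ...])."""
    renames: List[Tuple[int, str]] = []
    unresolved: List[int] = []
    for i in range(count):
        slot = start + 4 * i
        target = read_dword(slot)
        sym = name_of(target) if target else None
        if not sym:
            unresolved.append(slot)      # zero or unknown pointer
            continue
        # Strip the module prefix so the slot is named after the API.
        api = sym.split("_", 1)[1] if "_" in sym else sym
        renames.append((slot, f"ptr_{api}"))
    return renames, unresolved

def demo() -> Tuple[List[Tuple[int, str]], List[int]]:
    """Run the model against the constructed memory and symbols."""
    return reconstruct_slots(SLOT_TABLE_START, SLOT_COUNT,
                             FAKE_MEMORY.get, FAKE_SYMBOLS.get)

def apply_in_ida(start: int, count: int) -> List[int]:
    """Inside IDA only: rename slots, return slots still unresolved."""
    import ida_bytes, ida_name  # assumed IDAPython modules
    renames, unresolved = reconstruct_slots(
        start, count, ida_bytes.get_dword, ida_name.get_name)
    for slot, new_name in renames:
        ida_name.set_name(slot, new_name, ida_name.SN_NOWARN)
    return unresolved
```

If `demo()` (or `apply_in_ida`) reports unresolved slots, resume the debugger and break again after the resolution loop has finished, as the video does, before running the plugin.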
Sample used in this video can be found here: https://www.reverse-engineer.net/samples-from-youtube-videos
Don't miss out on new videos by Hexorcist and subscribe now: https://www.youtube.com/hexorcist?sub_confirmation=1
#hexorcist #idapro #idaprotutorial #reverseengineering #malwareanalysis #importrebuilding #malware