Summary
Reverse engineering is about how we work with the tools in their proper situations. Even with packed, encrypted, and obfuscated executables, hidden information can still be extracted.
In this chapter, we introduced various concepts of how data can be hidden using packers, crypters, obfuscators, protectors, and even SFX tools. We encountered a packed file produced by the UPX tool which we were still able to reverse using a debugger. Being aware of where the instruction pointer is, we can determine if we are already at the original entry point. As a general rule, if the instruction pointer has jumped from a different section, we can say that we are already at the original entry point.
Using another solution to viewing the unpacked state of a program, we used Volatility with a memory dump from a VirtualBox guest and extracted the process of the executable that we just ran. Using the Scylla tool, we were also able to rebuild an unpacked state of the packed executable.
We ended this chapter...