Date: Fri, 9 Sep 2005 21:39:45 +0200
From: Alejandro Barrera <abarrera@...n-gate.net>
To: Piotr Bania <bania.piotr@...il.com>
Cc: FULLDISC <full-disclosure@...ts.grok.org.uk>, SBUGTRAQ <bugtraq@...urityfocus.com>
Subject: Re: (TOOL) TAPiON (Polymorphic Decryptor Generator) Engine


> Hi,

> TAPiON engine was developed to avoid code detection (shellcode/whatever).

Hi Piotr,
         I had a look at Tapion's code and I don't really see any truly genuine
         polymorphism. Actually I did see some fixed patterns which could make
         Tapion's decryptors pretty detectable:

         The main problem is that you build the decryptor based on some blocks
         which can be made into patterns, especially because the block
         construction is always the same:

         1) XOR block [optional with 50% of probabilities]
         2) (mov block | get_eip block) or
            (get_eip block | anti_emu block [1/3 prob] | mov block) [50% prob]
         3) anti_emu block [1/3 prob]
         4) -- Decryptor loop --
            (copy_reg block | mov_reg block) or
            (mov_reg block | copy_reg block | temp block ) [50% prob]
         ...

         As you see, there is nearly no randomness in the process and the
         construction blocks are easy to detect.

         If you want something in-depth on polymorphism, I recommend the 29a papers:
         http://vx.netlux.org/29a/


> best regards,
> Piotr Bania

        Kindest regards :)

-- 
Alejandro Barrera García-Orea
R&D Engineer
c/ Alcala 268 28027 Madrid
Office: +34 91 326 66 11
Fax: +34 91 326 66 11
e-mail: abarrera@...n-gate.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/