Here is the thing: tech moves at Mach speed. It's like an upside-down pyramid, with hordes of specialized coder monkeys churning away, building layers upon layers and making the world exponentially more complex with endless specialties.
Reversers analyze the world through grains of sand. AI is already helping up our game, but it can only do so much. Also, if you're punching outside your weight class with the help of AI, fixing bugs becomes much more frustrating. Traditionally, reversers have released tools to help others in the areas where they have specialized.
I think we are getting to the next frontier. We can't specialize in every little thing. Even the tools to analyze these special things take massive amounts of labor to maintain and keep up, let alone use. A reversing tool that only works with a three-year-old target isn't much help. A scattered, version-dependent landscape of info isn't much help either. Developers can only spend so much time on free tools, and there are heights they just can't reach. This is compounded by large infrastructure languages whose internals are constantly shifting, like Go or Python.
What we need is specialized experts in field X who stay apprised of developments and can react to changes on the fly. I cannot be an expert in everything. That's actually the opposite of the definition of expert. We don't ask heart surgeons to operate on eyes. It would be ludicrous.
Recently I had to look at PyArmor-protected malware wrapped in a PyInstaller package. New ball field.
PyInstaller spawns a child process with the files unpacked to disk and environment variables all set up. I thought I might be able to bypass this by setting my own env vars. The first couple of stabs didn't work, so I switched gears and just patched the entry point to EB FE, jmp -1, and attached to the child.
OK, now PyArmor 9 Pro with BCC mode. I tried replacing the default Python 3.11.8 runtime with my own patched one that would dump all bytecode going through _PyEval_EvalFrameDefault (thanks, ChatGPT). It detected the change. I tried a copy of the default signed python311 DLL with the signature wiped; it ran.
It seems to have also detected breakpoints on some of the Python API and errored out in unaccountable ways. Not worth hunting it all down. 19 MB package. No shortage of places to hide fuckery. It could even be in the PyArmored Python bootstrap code.
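Added example (mine, not code from the original post and not PyInstaller's or PyArmor's own): the two on-disk PE patches from the story above, done by hand in plain Python with no third-party modules. EB FE is a two-byte short jump whose rel8 displacement of -2 lands on the jump itself, so a process patched this way spins at its entry point until you attach a debugger; once attached, write the saved two bytes back into the child's memory and reset the instruction pointer to the entry before continuing. The second helper "wipes" an Authenticode signature by zeroing the IMAGE_DIRECTORY_ENTRY_SECURITY entry (directory index 4, whose first field is a raw file offset rather than an RVA) and cutting the trailing certificate table off the file, which leaves every code byte untouched. build_minimal_pe is a constructed, non-loadable PE32+ fixture so the script runs offline; all helper names here are my own.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY holds the Authenticode blob


def _pe_headers(data):
    """Return (coff_offset, optional_header_offset, section_table_offset, section_count)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    return coff, opt, opt + opt_size, nsec


def _data_directory_offset(data):
    """Data directories start at +96 in a PE32 optional header and +112 in PE32+."""
    _, opt, _, _ = _pe_headers(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    return opt + (96 if magic == 0x10B else 112)


def rva_to_offset(data, rva):
    """Map an RVA to a file offset by walking the section table."""
    _, _, sect, nsec = _pe_headers(data)
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sect + 40 * i + 8)
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def entry_point_offset(data):
    _, opt, _, _ = _pe_headers(data)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    return rva_to_offset(data, entry_rva)


def patch_entry_to_self_jump(data):
    """Overwrite the first two entry bytes with EB FE (jmp short -2: jump to itself).
    Returns (patched image, file offset, saved original bytes) so the patch can be undone."""
    buf = bytearray(data)
    off = entry_point_offset(buf)
    original = bytes(buf[off:off + 2])
    buf[off:off + 2] = b"\xeb\xfe"
    return bytes(buf), off, original


def restore_entry(data, off, original):
    """Put the saved bytes back; do the same in the attached process before resuming it."""
    buf = bytearray(data)
    buf[off:off + 2] = original
    return bytes(buf)


def security_directory(data):
    """(file offset, size) of the certificate table; (0, 0) means unsigned."""
    dirs = _data_directory_offset(data)
    return struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR_INDEX)


def wipe_signature(data):
    """Zero the security directory entry and drop the certificate table (normally the file tail)."""
    buf = bytearray(data)
    dirs = _data_directory_offset(buf)
    cert_off, cert_size = struct.unpack_from("<II", buf, dirs + 8 * SECURITY_DIR_INDEX)
    struct.pack_into("<II", buf, dirs + 8 * SECURITY_DIR_INDEX, 0, 0)
    if cert_size and cert_off + cert_size == len(buf):
        del buf[cert_off:]
    return bytes(buf)


def build_minimal_pe():
    """Constructed test fixture: a tiny PE32+ image with one .text section and a fake
    WIN_CERTIFICATE appended. It is not loadable and stands in for a real signed binary."""
    entry_rva = 0x1010
    code = b"\x48\x83\xec\x28"                 # sub rsp, 0x28: stand-in for a real prologue
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<Q", opt, 24, 0x140000000)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    img = dos + b"PE\0\0" + coff + opt + sect
    img += b"\0" * (0x400 - len(img))
    text = bytearray(0x200)
    text[0x10:0x10 + len(code)] = code
    img += text
    blob = b"FAKE-AUTHENTICODE-BLOB"           # constructed placeholder for the PKCS#7 data
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob   # WIN_CERTIFICATE header
    dirs = 64 + 4 + 20 + 112
    struct.pack_into("<II", img, dirs + 8 * SECURITY_DIR_INDEX, len(img), len(cert))
    return bytes(img + cert)


if __name__ == "__main__":
    pe = build_minimal_pe()
    patched, off, saved = patch_entry_to_self_jump(pe)
    print(f"entry at file offset {off:#x}: {saved.hex()} -> {patched[off:off + 2].hex()}")
    print("security dir before/after wipe:", security_directory(pe), security_directory(wipe_signature(pe)))
```

For a real target, feed `open(path, "rb").read()` to `patch_entry_to_self_jump` or `wipe_signature` and write the result to a copy; keep the two saved bytes, because the spinning child is useless until you restore them and move the instruction pointer back to the entry. Stripping the certificate table changes nothing the code reads, which is consistent with the unsigned copy simply running; what the protector keys on when it rejects a rebuilt runtime is not something this script tells you.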
Not good for deadlines. I am already working all day Saturday on this...
They were quick to respond and worked hard until the project was done. It was worth the investment.
We need dedicated experts who specialize in the complicated corners of rapidly evolving technology and whom we can contract with on demand. This is a better future than a free tool with limited or no support that hasn't been updated in years and takes new specialized knowledge to run. It also brings the specialists more sanity and peace of mind. They can focus on their task and become the expert it demands.
I hope this model takes off more. In a rapidly expanding world, it's impossible to keep up with the upside-down pyramid effect.
(*I understand it has limits if samples are proprietary and things get messy contractually, but it's valid for a wide range of samples.)
If you offer specialized reversing services for contract, feel free to post a link in the comments below.
Comments: (1)
On 04.27.25 - 10:52am Tom wrote:
Authors of protector software should offer paid unpacking services for legit security vendors. AV should just block them all by default now. Users can add exceptions if they want to. If the packer author tries to evade AV, then they should be held as an accomplice for any damages their users generate. Too much bullshit in the world, too little sanity.