Anti Reversing Techniques

Name: Anti Reversing Techniques
Author: wshobson

wshobson/agents

Deep-dive reference on packers, OEP finding, and anti-disassembly when analyzing or hardening native binaries—not for everyday web shipping.

Overview

anti-reversing-techniques is an agent skill for the Ship phase that documents advanced packer, unpacking, and anti-disassembly patterns for native binary analysis.

Install

npx skills add https://github.com/wshobson/agents --skill anti-reversing-techniques

What is this skill?

Catalog of common packers (UPX, Themida, VMProtect, ASPack, MPRESS, and others)
Four-step unpacking methodology: identify, static unpack, dynamic unpack, fix imports
OEP discovery techniques including ESP tricks and tail-jump patterns
Companion deep-dive split from core skill to keep SKILL.md focused
VM-based and commercial protector internals for advanced analysis
4-step unpacking methodology
10+ named packer families in the reference catalog

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 6.9k installs on skills.sh; 36.5k GitHub stars; 2/3 security scanners passed (skills.sh audits).

What problem does it solve?

You face a packed or VM-protected executable and need a structured unpacking and OEP methodology instead of ad-hoc debugger guesswork.

Who is it for?

Builders doing malware analysis, CTF reversing, or native app protection research who want packer and OEP reference material in the agent.

Skip if: Standard SaaS or API-only indie projects with no native binaries, or beginners without debugger experience.

When should I use this skill?

Analyzing packed native executables, researching VM-based protectors, or needing OEP and import-reconstruction methodology.

What do I get? / Deliverables

You follow documented packer identification, dynamic unpacking, and import-fix steps aligned with common RE toolchains.

Unpacking workflow aligned to identified packer
OEP and import-table recovery notes

Recommended Skills

Azure Compliancemicrosoft/azure-skills

Azure Compliance is a Microsoft agent skill for solo builders and small teams who need structured security and complianc…373k installs·1.2k stars

Openclaw Secure Linux Cloudxixu-me/skills

OpenClaw Secure Linux Cloud guides a hardened VPS deployment—rootless Podman, loopback-only gateway, SSH-tunneled Contro…201k installs·61 stars

Entra Agent Idmicrosoft/azure-skills

entra-agent-id is a Microsoft-authored agent skill for provisioning and operating OAuth-capable identities tailored to A…99.1k installs·1.2k stars

Firebase Security Rules Auditorfirebase/agent-skills

Firebase Security Rules Auditor turns your agent into a senior penetration-style reviewer for Firestore rulesets. Solo b…40.3k installs·345 stars

Firestore Security Rules Auditorfirebase/agent-skills

Firestore-security-rules-auditor is a checker skill for solo builders and small teams shipping Firebase-backed apps who …20.3k installs·345 stars

Skill Vetteruseai-pro/openclaw-skills-security

Skill Vetter is a security-first OpenClaw agent skill that makes your coding agent behave like a pre-install auditor for…19.2k installs·62 stars

Journey fit

Primary fit

Binary protection and unpacking methodology is a specialized ship-time security concern for native artifacts, not idea or growth work. Content maps to offensive/defensive reverse-engineering and malware-style protections, which belongs under security rather than backend APIs or DevOps deploy.

How it compares

Use as a specialized RE appendix—not a substitute for general application security or dependency scanning skills.

Common Questions / FAQ

Who is anti-reversing-techniques for?

Advanced solo developers and security researchers analyzing protected Windows executables or studying anti-tamper and packer behavior.

When should I use anti-reversing-techniques?

During ship-phase security or forensic work when you must identify a packer, reach OEP, dump memory, and rebuild imports on a native binary.

Is anti-reversing-techniques safe to install?

It is educational reference text; only analyze software you are authorized to reverse—review the Security Audits panel on this page for the skill package itself.

SKILL.md

READMESKILL.md - Anti Reversing Techniques

# Advanced Anti-Reversing Techniques

This reference covers advanced and niche techniques extracted from the core skill to keep SKILL.md focused on common patterns. Refer here for deep-dive analysis of virtualization-based protections, packer internals, and anti-disassembly tricks.

---

## Packing and Encryption

### Common Packers

```
UPX          - Open source, easy to unpack (upx -d)
Themida      - Commercial, VM-based protection with anti-debug
VMProtect    - Commercial, code virtualization with multiple VM architectures
ASPack       - Compression packer, LZSS-based
PECompact    - Compression packer with CRC integrity checks
Enigma       - Commercial protector with key-based licensing
MPRESS       - LZMA-based packer, often used by malware
Obsidium     - Commercial, anti-debug + anti-VM + encryption
```

### Unpacking Methodology

```
1. Identify packer (DIE, Exeinfo PE, PEiD, detect-it-easy)

2. Static unpacking (if known packer):
   - UPX: upx -d packed.exe
   - Use existing unpacker tools from UnpacMe, MalwareBazaar

3. Dynamic unpacking:
   a. Find Original Entry Point (OEP)
   b. Set breakpoint on OEP
   c. Dump memory when OEP reached
   d. Fix import table (Scylla, ImpREC)

4. OEP finding techniques:
   - Hardware breakpoint on stack (ESP trick)
   - Break on common API calls (GetCommandLineA, GetModuleHandle)
   - Trace and look for typical entry prologue (push ebp / mov ebp, esp)
   - Check for tail jump pattern: jmp <far address>
```

### Manual Unpacking (ESP Trick — x64dbg)

```
1. Load packed binary in x64dbg
2. Note entry point (packer stub address)
3. Use ESP trick:
   a. Run to entry point (F9 then F8 until PUSHAD)
   b. Right-click ESP value → "Follow in Dump"
   c. Set hardware breakpoint on access (HW BP on [ESP])
   d. Run (F9) — execution breaks after POPAD (stack restored)
4. Look for JMP to OEP (often a far jump to .text section)
5. At OEP, use Scylla plugin:
   - IAT Autosearch → Get Imports
   - Dump process
   - Fix dump with imports
```

### UPX Variant Unpacking

```bash
# Standard UPX — direct decompress
upx -d packed.exe -o unpacked.exe

# Modified UPX header (signature patched to evade upx -d):
# 1. Find UPX0/UPX1 section names (may be renamed)
# 2. Restore original UPX magic bytes: 0x55 0x50 0x58
# 3. Then run upx -d

# Python: restore UPX magic for patched header
python3 -c "
import sys
data = open(sys.argv[1], 'rb').read()
# UPX magic at various offsets — search for stub pattern
idx = data.find(b'\x60\xBE')  # PUSHAD; MOV ESI stub
print(f'Stub at: {hex(idx)}')
"
```

---

## Virtualization-Based Protection

### Code Virtualization Architecture

```
Original x86 code is converted to custom bytecode interpreted by an
embedded virtual machine at runtime.

Original:          VM Protected:
  mov eax, 1    →    push vm_context_ptr
  add eax, 2         call vm_entry
  ret                ; VM dispatcher loop decodes bytecode
                     ; and invokes handler table entries
                     ; equivalent semantics, unrecognizable form
```

### VM Component Identification

```
1. VM Entry Point:
   - Usually a CALL or JMP to a large function with a loop
   - Look for: load bytecode ptr, load handler table, dispatch loop

2. Handler Table:
   - Array of function pointers (one per virtual opcode)
   - Indexed by decoded opcode byte/word
   - Each handler emulates one instruction

3. Virtual Registers:
   - Stored in a context structure (vm_context)
   - Usually on the stack or in a dedicated heap allocation
   - Map to native registers by handler logic

4. Bytecode Location:
   - Separate section (.vmp0, .vmp1 in VMProtect)
   - Or inline with code (Themida)
   - Encrypted or compressed in some implementations
```

### Devirtualization Analysis Workflow

```
1. Identify VM entry: look for large functions with indirect dispatch (jmp [reg+offset])

2. Trace execution with logging:
   - Use x64dbg trace log: log handler address and context on each iteration
   - Example trace command in x64d

What is this skill?

Catalog of common packers (UPX, Themida, VMProtect, ASPack, MPRESS, and others)

Four-step unpacking methodology: identify, static unpack, dynamic unpack, fix imports

OEP discovery techniques including ESP tricks and tail-jump patterns

Companion deep-dive split from core skill to keep SKILL.md focused

VM-based and commercial protector internals for advanced analysis

4-step unpacking methodology

10+ named packer families in the reference catalog

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 6.9k installs on skills.sh; 36.5k GitHub stars; 2/3 security scanners passed (skills.sh audits).

Journey fit

Primary fit

SKILL.md

READMESKILL.md - Anti Reversing Techniques

# Advanced Anti-Reversing Techniques

This reference covers advanced and niche techniques extracted from the core skill to keep SKILL.md focused on common patterns. Refer here for deep-dive analysis of virtualization-based protections, packer internals, and anti-disassembly tricks.

---

## Packing and Encryption

### Common Packers

```
UPX          - Open source, easy to unpack (upx -d)
Themida      - Commercial, VM-based protection with anti-debug
VMProtect    - Commercial, code virtualization with multiple VM architectures
ASPack       - Compression packer, LZSS-based
PECompact    - Compression packer with CRC integrity checks
Enigma       - Commercial protector with key-based licensing
MPRESS       - LZMA-based packer, often used by malware
Obsidium     - Commercial, anti-debug + anti-VM + encryption
```

### Unpacking Methodology

```
1. Identify packer (DIE, Exeinfo PE, PEiD, detect-it-easy)

2. Static unpacking (if known packer):
   - UPX: upx -d packed.exe
   - Use existing unpacker tools from UnpacMe, MalwareBazaar

3. Dynamic unpacking:
   a. Find Original Entry Point (OEP)
   b. Set breakpoint on OEP
   c. Dump memory when OEP reached
   d. Fix import table (Scylla, ImpREC)

4. OEP finding techniques:
   - Hardware breakpoint on stack (ESP trick)
   - Break on common API calls (GetCommandLineA, GetModuleHandle)
   - Trace and look for typical entry prologue (push ebp / mov ebp, esp)
   - Check for tail jump pattern: jmp <far address>
```

### Manual Unpacking (ESP Trick — x64dbg)

```
1. Load packed binary in x64dbg
2. Note entry point (packer stub address)
3. Use ESP trick:
   a. Run to entry point (F9 then F8 until PUSHAD)
   b. Right-click ESP value → "Follow in Dump"
   c. Set hardware breakpoint on access (HW BP on [ESP])
   d. Run (F9) — execution breaks after POPAD (stack restored)
4. Look for JMP to OEP (often a far jump to .text section)
5. At OEP, use Scylla plugin:
   - IAT Autosearch → Get Imports
   - Dump process
   - Fix dump with imports
```

### UPX Variant Unpacking

```bash
# Standard UPX — direct decompress
upx -d packed.exe -o unpacked.exe

# Modified UPX header (signature patched to evade upx -d):
# 1. Find UPX0/UPX1 section names (may be renamed)
# 2. Restore original UPX magic bytes: 0x55 0x50 0x58
# 3. Then run upx -d

# Python: restore UPX magic for patched header
python3 -c "
import sys
data = open(sys.argv[1], 'rb').read()
# UPX magic at various offsets — search for stub pattern
idx = data.find(b'\x60\xBE')  # PUSHAD; MOV ESI stub
print(f'Stub at: {hex(idx)}')
"
```

---

## Virtualization-Based Protection

### Code Virtualization Architecture

```
Original x86 code is converted to custom bytecode interpreted by an
embedded virtual machine at runtime.

Original:          VM Protected:
  mov eax, 1    →    push vm_context_ptr
  add eax, 2         call vm_entry
  ret                ; VM dispatcher loop decodes bytecode
                     ; and invokes handler table entries
                     ; equivalent semantics, unrecognizable form
```

### VM Component Identification

```
1. VM Entry Point:
   - Usually a CALL or JMP to a large function with a loop
   - Look for: load bytecode ptr, load handler table, dispatch loop

2. Handler Table:
   - Array of function pointers (one per virtual opcode)
   - Indexed by decoded opcode byte/word
   - Each handler emulates one instruction

3. Virtual Registers:
   - Stored in a context structure (vm_context)
   - Usually on the stack or in a dedicated heap allocation
   - Map to native registers by handler logic

4. Bytecode Location:
   - Separate section (.vmp0, .vmp1 in VMProtect)
   - Or inline with code (Themida)
   - Encrypted or compressed in some implementations
```

### Devirtualization Analysis Workflow

```
1. Identify VM entry: look for large functions with indirect dispatch (jmp [reg+offset])

2. Trace execution with logging:
   - Use x64dbg trace log: log handler address and context on each iteration
   - Example trace command in x64d

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is anti-reversing-techniques for?

When should I use anti-reversing-techniques?

Is anti-reversing-techniques safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is anti-reversing-techniques for?

When should I use anti-reversing-techniques?

Is anti-reversing-techniques safe to install?

SKILL.md