ASPack Analysing
From UIC
Analysing Aspack
Contents |
| Infos | |
|---|---|
| Author: | Pnluck |
| Email: | Pnluck@virgilio.it |
| Website: | http://pnluck.netsons.org |
| Date: | 29/05/2007 (dd/mm/yyyy) |
| Level: | 
|
| Language: | English 
|
| Comments: |
La cucaraccia, la cucaraccia. ... |
Introduzione
Aspack,for his good compression rating, is one of the most used packer in the world
Tools
Notizie sul Programma
Aspack adds two Sections to the exe/dll: .aspack and .adata. .aspack contains the loader code, the icon and the version info of the application; .adata nothing
Essay
We start to analyse decompiling a packed file into IDA, so: The EP starts at ASPACK_Section.RVA + 1, we find this:
.aspack:00438001 public start
.aspack:00438001 start:
.aspack:00438001 pusha
.aspack:00438002 call anti_disasm
.aspack:00438002 ; ---------------------------------------------------------------------------
.aspack:00438007 db 0E9h ; Ú
.aspack:00438008 ; ---------------------------------------------------------------------------
.aspack:00438008 jmp short loc_43800E
.aspack:0043800A ; ---------------------------------------------------------------------------
.aspack:0043800A
.aspack:0043800A anti_disasm: ; CODE XREF: .aspack:00438002p
.aspack:0043800A pop ebp ;ebp = 438007
.aspack:0043800B inc ebp
.aspack:0043800C push ebp ;return address = 438008
.aspack:0043800D retn
.aspack:0043800E ; ---------------------------------------------------------------------------
.aspack:0043800E
.aspack:0043800E loc_43800E: ; CODE XREF: .aspack:00438008j
.aspack:0043800E call Start_loader
As you can see, the first part of code has just an anti-disassembly trick.
.aspack:00438014 pop ebp
.aspack:00438015 mov ebx, 0FFFFFFEDh
.aspack:0043801A add ebx, ebp
.aspack:0043801C sub ebx, 38000h
.aspack:00438022 cmp ss:(ImageBaseAddress - 438013h)[ebp], 0 ;it was: [EBP+422]
.aspack:00438029 mov ss:(ImageBaseAddress - 438013h)[ebp], ebx
.aspack:0043802F
.aspack:0043802F loc_43802F: ; DATA XREF: .aspack:00438350r
.aspack:0043802F jnz pre_oep ;you'll see this later
.aspack:00438035 lea eax, (aKernel32_dll_0 - 438013h)[ebp] ; "kernel32.dll"
.aspack:0043803B push eax
.aspack:0043803C call ss:(GetModuleHandleA - 438013h)[ebp] ;it gets kernel address, and stores it
.aspack:00438042 mov ss:(KernelBaseAddr - 438013h)[ebp], eax
.aspack:00438048 mov edi, eax
.aspack:0043804A lea ebx, (aVirtualalloc - 438013h)[ebp] ; "VirtualAlloc"
.aspack:0043804D push ebx
.aspack:0043804E push eax
.aspack:0043804F
.aspack:0043804F loc_43804F: ; DATA XREF: .aspack:00438349r
.aspack:0043804F call ss:(GetProcAddress - 438013h)[ebp] ;it gets the address of "Virtual Alloc"
.aspack:00438055 mov ss:(VirtualAlloc - 438013h)[ebp], eax
.aspack:0043805B lea ebx, (aVirtualfree - 438013h)[ebp] ; "VirtualFree"
.aspack:0043805E push ebx
.aspack:0043805F push edi
.aspack:00438060 call ss:(GetProcAddress - 438013h)[ebp] ; it gets the address of "Virtual Free"
.aspack:00438066 mov ss:(VirtualFree - 438013h)[ebp], eax
.aspack:0043806C lea eax, (Prepare_decript - 438013h)[ebp]
.aspack:0043806F jmp eax
.aspack:0043806F ; ---------------------------------------------------------------------------
.aspack:00438071 aVirtualalloc db 'VirtualAlloc',0 ; DATA XREF: .aspack:0043804Ar
.aspack:0043807E aVirtualfree db 'VirtualFree',0 ; DATA XREF: .aspack:0043805Br
.aspack:0043808A ; ---------------------------------------------------------------------------
With this part of code, the loader saves the addresses of Virtual Alloc and Virtual Free
.aspack:0043808A ; .aspack:0043834Cr
.aspack:0043808A mov ebx, ss:(dword_438544 - 438013h)[ebp]
.aspack:00438090 or ebx, ebx
.aspack:00438092 jz short loc_43809E
.aspack:00438094 mov eax, [ebx]
.aspack:00438096 xchg eax, ss:(dword_438548 - 438013h)[ebp]
.aspack:0043809C mov [ebx], eax
.aspack:0043809E
.aspack:0043809E loc_43809E: ; CODE XREF: .aspack:00438092j
.aspack:0043809E lea esi, (Sections_RVA_Size - 438013h)[ebp]
.aspack:004380A4 cmp dword ptr [esi+AspackSection.Va], 0
.aspack:004380A7 jz loc_4381CE
.aspack:004380AD push 4
.aspack:004380AF push 1000h
.aspack:004380B4 push 1800h ; DictionarySize
.aspack:004380B9 push 0
.aspack:004380BB call ss:(VirtualAlloc - 438013h)[ebp]
.aspack:004380C1 mov ss:(Dictionary_Mem - 438013h)[ebp], eax.
.aspack:004380C7
.aspack:004380C7 Start_Decrypt: ; CODE XREF: .aspack:004381A3j
.aspack:004380C7 mov eax, [esi+AspackSection.Size] ; section size
.aspack:004380CA add eax, 10Eh
.aspack:004380CF push 4
.aspack:004380D1 push 1000h
.aspack:004380D6 push eax
.aspack:004380D7 push 0
.aspack:004380D9 call ss:(VirtualAlloc - 438013h)[ebp]
.aspack:004380DF mov ss:(Decrypted_Section_Output - 438013h)[ebp], eax
.aspack:004380E5 push esi
.aspack:004380E6 mov ebx, [esi+AspackSection.Va] ;ebx = VA of section to
; de-compress
.aspack:004380E8 add ebx, ss:(ImageBaseAddress - 438013h)[ebp]
.aspack:004380EE push ss:(Dictionary_Mem - 438013h)[ebp]
.aspack:004380F4 push dword ptr [esi+AspackSection.Size] ;push the size of the
; code to de-compress
.aspack:004380F7 push eax
.aspack:004380F8 push ebx
.aspack:004380F9 call Decomprimi
Where Section_RVA_Size is (in my case):
.aspack:00438580 dd 6000h
.aspack:00438584 dd 7000h
.aspack:00438588 dd 2000h
.aspack:0043858C dd 9000h
.aspack:00438590 dd 1000h
.aspack:00438594 dd 0BAC0h
.aspack:00438598 dd 2C540h
Now the loader loads in esi the address of the bidimensional array Section_RVA_Size[RVA_SIZE], allocates the Dictionary buffer and another buffer which dimension is the size that it gets from the array.
Decomprimi(VA_to_decrypt, decript_output, size, Dictionary) decompresses the block of code (Aspack uses a LZSS algorithm variant), and I’ll explain it in the next essay.
.aspack:004380FE mov bl, 0
.aspack:00438100 cmp bl, 0
.aspack:00438103 jnz short Jmp_to_Copy_decrypted_section
.aspack:00438105 inc byte ptr ss:(Fake_OEP+1 - 438013h)[ebp] ; it changes "mov bl, 0" with "mov bl,1"
.aspack:0043810B mov edi, [esi]
.aspack:0043810D add edi, ss:(ImageBaseAddress - 438013h)[ebp]
.aspack:00438113 push dword ptr [edi]
.aspack:00438115 mov byte ptr [edi], 0C3h
.aspack:00438118 call edi ;call the fake OEP
.aspack:0043811A pop dword ptr [edi]
.aspack:0043811C push eax
.aspack:0043811D push ecx
.aspack:0043811E push esi
.aspack:0043811F push ebx
.aspack:00438120 mov ecx, eax
.aspack:00438122 sub ecx, 6
.aspack:00438125 mov esi, ss:(Decrypted_Section_Output - 438013h)[ebp]
.aspack:0043812B xor ebx, ebx
The conditional jump at 438103 jumps the second time it's executed, when this don't happen, the loader uses another antiunpacking trick calling a fake OEP
.aspack:0043812D or ecx, ecx
.aspack:0043812F jz short end_adjust_code
.aspack:00438131 js short end_adjust_code
.aspack:00438133 lodsb
.aspack:00438134 cmp al, 0E8h
.aspack:00438136 jz short fix_call
.aspack:00438138 jmp short $+2
.aspack:0043813A cmp al, 0E9h
.aspack:0043813C jz short fix_call
.aspack:0043813E
.aspack:0043813E is_not_call: ; CODE XREF: .aspack:00438149j
.aspack:0043813E inc ebx
.aspack:0043813F dec ecx
.aspack:00438140 jmp short Adjust_Code_Section
.aspack:00438142 ; ---------------------------------------------------------------------------
.aspack:00438142
.aspack:00438142 fix_call: ; CODE XREF: .aspack:00438136j
.aspack:00438142 ; .aspack:0043813Cj
.aspack:00438142 mov eax, [esi]
.aspack:00438144 jmp short $+2
.aspack:00438146 cmp byte ptr [esi], 7
.aspack:00438149 jnz short is_not_call
.aspack:0043814B and al, 0
.aspack:0043814D rol eax, 18h
.aspack:00438150 sub eax, ebx
.aspack:00438152 mov [esi], eax
.aspack:00438154 add ebx, 5
.aspack:00438157 add esi, 4
.aspack:0043815A sub ecx, 5
.aspack:0043815D jmp short Adjust_Code_Section
.aspack:0043815F ; ---------------------------------------------------------------------------
.aspack:0043815F
.aspack:0043815F end_adjust_code: ; CODE XREF: .aspack:0043812Fj
.aspack:0043815F ; .aspack:00438131j
.aspack:0043815F pop ebx
.aspack:00438160 pop esi
.aspack:00438161 pop ecx
.aspack:00438162 pop eax
.aspack:00438163
.aspack:00438163 Jmp_to_Copy_decrypted_section: ; CODE XREF: .aspack:00438103j
.aspack:00438163 jmp short Copy_decrypted_section
Here, the Loader fixes calls opcodes: it finds 0xE8 or 0xE9, checks that the first byte is 0x7(in this case, it changes from exe to exe), and fixes the address of call
.aspack:0043816D mov ecx, eax
.aspack:0043816F mov edi, [esi]
.aspack:00438171 add edi, ss:(ImageBaseAddress - 438013h)[ebp]
.aspack:00438177 mov esi, ss:(Encrypted_Section_output - 438013h)[ebp]
.aspack:0043817D sar ecx, 2
.aspack:00438180 rep movsd ; edi = dest, esi = sorg
.aspack:00438182 mov ecx, eax
.aspack:00438184 and ecx, 3
.aspack:00438187 rep movsb
.aspack:00438189 pop esi
.aspack:0043818A push 8000h
.aspack:0043818F push 0
.aspack:00438191 push ss:(Encrypted_Section_output - 438013h)[ebp]
.aspack:00438197 call ss:(VirtualFree - 438013h)[ebp]
.aspack:0043819D add esi, 8 ; next Section
.aspack:004381A0 cmp dword ptr [esi+AspackSection.Va], 0
.aspack:004381A3 jnz Start_Decrypt
.aspack:004381A9 push 8000h
.aspack:004381AE push 0
.aspack:004381B0 push ss:(Dictionary_Mem - 438013h)[ebp]
.aspack:004381B6 call ss:(VirtualFree - 438013h)[ebp]
.aspack:004381BC mov ebx, ss:(dword_438544 - 438013h)[ebp]
.aspack:004381C2 or ebx, ebx
.aspack:004381C4 jz short process_reloc
After the loader decompressed the code, it can copy bytes from the buffer to the VA
.aspack:004381C8 xchg eax, ss:(dword_438548 - 438013h)[ebp]
.aspack:004381CE
.aspack:004381CE process_reloc: ; CODE XREF: .aspack:004380A7j
.aspack:004381CE ; .aspack:004381C4j
.aspack:004381CE mov edx, ss:(ImageBaseAddress - 438013h)[ebp]
.aspack:004381D4 mov eax, ss:(ImageBase_setted - 438013h)[ebp] ;it is 0x400000
.aspack:004381DA sub edx, eax
.aspack:004381DC jz short no_reloc_to_do
The loader verifies if some addresses need to be relocated, subtracting 0x40000 from the ImageBase of the module and if difference is 0, relocation isn't needed, otherwise:…
.aspack:004381E0 shr eax, 10h
.aspack:004381E3 xor ebx, ebx
.aspack:004381E5 mov esi, ss:(reloc_ptr - 438013h)[ebp]
.aspack:004381EB add esi, ss:(ImageBaseAddress - 438013h)[ebp]
.aspack:004381F1
.aspack:004381F1 reloc_proc: ; CODE XREF: .aspack:00438255j
.aspack:004381F1 cmp dword ptr [esi], 0
.aspack:004381F4 jz short no_reloc_to_do
.aspack:004381F6 mov ecx, [esi+4]
.aspack:004381F9 sub ecx, 8
.aspack:004381FC shr ecx, 1
.aspack:004381FE mov edi, [esi]
.aspack:00438200 add edi, ss:(ImageBaseAddress - 438013h)[ebp]
.aspack:00438206 add esi, 8
.aspack:00438209
.aspack:00438209 apply_reloc: ; CODE XREF: .aspack:00438253j
.aspack:00438209 mov bx, [esi]
.aspack:0043820C shr ebx, 0Ch
.aspack:0043820F cmp ebx, 1
.aspack:00438212 jz short case_1
.aspack:00438214 cmp ebx, 2
.aspack:00438217 jz short case_2
.aspack:00438219 cmp ebx, 3
.aspack:0043821C jz short case_3
.aspack:0043821E jmp short delete_reloc_value
.aspack:00438220 ; ---------------------------------------------------------------------------
.aspack:00438220
.aspack:00438220 case_1: ; CODE XREF: .aspack:00438212j
.aspack:00438220 mov bx, [esi]
.aspack:00438223 and ebx, 0FFFh
.aspack:00438229 add [edi+ebx], ax
.aspack:0043822D jmp short delete_reloc_value
.aspack:0043822F ; ---------------------------------------------------------------------------
.aspack:0043822F
.aspack:0043822F case_2: ; CODE XREF: .aspack:00438217j
.aspack:0043822F mov bx, [esi]
.aspack:00438232 and ebx, 0FFFh
.aspack:00438238 add [edi+ebx], dx
.aspack:0043823C jmp short delete_reloc_value
.aspack:0043823E ; ---------------------------------------------------------------------------
.aspack:0043823E
.aspack:0043823E case_3: ; CODE XREF: .aspack:0043821Cj
.aspack:0043823E mov bx, [esi]
.aspack:00438241 and ebx, 0FFFh
.aspack:00438247 add [edi+ebx], edx
.aspack:0043824A jmp short $+2
.aspack:0043824C
.aspack:0043824C delete_reloc_value: ; CODE XREF: .aspack:0043821Ej
.aspack:0043824C ; .aspack:0043822Dj ...
.aspack:0043824C or word ptr [esi], 0FFFFh
.aspack:00438250 add esi, 2
.aspack:00438253 loop apply_reloc
.aspack:00438255 jmp short reloc_proc
This is the code which does relocation operations, in the simplest case at the address i added the difference
.aspack:00438257 ; .aspack:004381F4j
.aspack:00438257 mov edx, ss:(ImageBaseAddress - 438013h)[ebp]
.aspack:0043825D mov esi, ss:(dword_438554 - 438013h)[ebp]
.aspack:00438263 or esi, esi
.aspack:00438265 jz short ImportTable_proc
.aspack:00438267 add esi, edx
.aspack:00438269
.aspack:00438269 loc_438269: ; CODE XREF: .aspack:00438276j
.aspack:00438269 lodsd
.aspack:0043826A or eax, eax
.aspack:0043826C jz short ImportTable_proc
.aspack:0043826E add eax, edx
.aspack:00438270 mov edi, eax
.aspack:00438272 lodsw
.aspack:00438274 stosw
.aspack:00438276 jmp short loc_438269
Nothing interesting
.aspack:00438278 ImportTable_proc: ; CODE XREF: .aspack:00438265?j
.aspack:00438278 ; .aspack:0043826C?j
.aspack:00438278 mov esi, 7F88h ; RVA Import Table
.aspack:0043827D mov edx, ss:(ImageBaseAddress - 438013h)[ebp]
.aspack:00438283 add esi, edx
.aspack:00438285
.aspack:00438285 Load_api: ; CODE XREF: .aspack:00438395?j
.aspack:00438285 mov eax, [esi+ImportTable.Name]
.aspack:00438288 test eax, eax
.aspack:0043828A jz pre_oep
.aspack:00438290 add eax, edx
.aspack:00438292 mov ebx, eax
.aspack:00438294 push eax
.aspack:00438295 call ss:(GetModuleHandleA - 438013h)[ebp]
.aspack:0043829B test eax, eax
.aspack:0043829D jnz short no_LoadLibrary
.aspack:0043829F push ebx
.aspack:004382A0 call ss:(LoadLibraryA - 438013h)[ebp]
.aspack:004382A6
.aspack:004382A6 no_LoadLibrary: ; CODE XREF: .aspack:0043829D?j
.aspack:004382A6 mov ss:(dll_base - 438013h)[ebp], eax
.aspack:004382AC mov ss:(api_counter - 438013h)[ebp], 0
.aspack:004382B6
.aspack:004382B6 get_api_addr: ; CODE XREF: .aspack:0043837F?j
.aspack:004382B6 mov edx, ss:(ImageBaseAddress - 438013h)[ebp]
.aspack:004382BC mov eax, [esi+ImportTable.OFT]
.aspack:004382BE test eax, eax
.aspack:004382C0 jnz short prepare_GetProcAddress
.aspack:004382C2 mov eax, [esi+ImportTable.FThunk]
.aspack:004382C5
.aspack:004382C5 prepare_GetProcAddress: ; CODE XREF: .aspack:004382C0?j
.aspack:004382C5 add eax, edx
.aspack:004382C7 add eax, ss:(api_counter - 438013h)[ebp]
.aspack:004382CD mov ebx, [eax]
.aspack:004382CF mov edi, [esi+ImportTable.FThunk]
.aspack:004382D2 add edi, edx
.aspack:004382D4 add edi, ss:(api_counter - 438013h)[ebp]
.aspack:004382DA test ebx, ebx
.aspack:004382DC jz load_next_dll
.aspack:004382E2 test ebx, 80000000h
.aspack:004382E8 jnz short Use_GetProcAddress
.aspack:004382EA add ebx, edx
.aspack:004382EC inc ebx
.aspack:004382ED inc ebx
.aspack:004382EE
.aspack:004382EE Use_GetProcAddress: ; CODE XREF: .aspack:004382E8?j
.aspack:004382EE push ebx
.aspack:004382EF and ebx, 7FFFFFFFh
.aspack:004382F5 push ebx
.aspack:004382F6 push ss:(dll_base - 438013h)[ebp]
.aspack:004382FC call ss:(GetProcAddress - 438013h)[ebp]
.aspack:00438302 test eax, eax
.aspack:00438304 pop ebx
.aspack:00438305 jnz short Write_Thunk
.aspack:00438307 test ebx, 80000000h
.aspack:0043830D jnz short use_of_ordinal
.aspack:0043830F push edi
.aspack:00438310 mov eax, [esi+ImportTable.Name]
.aspack:00438313 add eax, ss:(ImageBaseAddress - 438013h)[ebp]
.aspack:00438319 push eax
.aspack:0043831A push ebx
.aspack:0043831B lea eax, (aTheProcedureEn - 438013h)[ebp] ; "The procedure entry
; point %s could not "...
.aspack:00438321 push eax
.aspack:00438322 push edi
.aspack:00438323 jmp Beggar_off
.aspack:00438328 ; ---------------------------------------------------------------------------
.aspack:00438328
.aspack:00438328 use_of_ordinal: ; CODE XREF: .aspack:0043830D?j
.aspack:00438328 and ebx, 7FFFFFFFh
.aspack:0043832E mov eax, ss:(KernelBaseAddr - 438013h)[ebp]
.aspack:00438334 cmp ss:(dll_base - 438013h)[ebp], eax
.aspack:0043833A jnz short bad_ordinal
.aspack:0043833C push edi
.aspack:0043833D mov edx, ebx
.aspack:0043833F dec edx
.aspack:00438340 shl edx, 2
.aspack:00438343 mov ebx, ss:(dll_base - 438013h)[ebp]
.aspack:00438349 mov edi, dword ptr ds:(loc_43804F - 438013h)[ebx]
.aspack:0043834C mov edi, dword ptr ds:(Prepare_decript+1 - 438013h)[ebx+edi]
.aspack:00438350 add ebx, dword ptr ds:(loc_43802F - 438013h)[ebx+edi]
.aspack:00438354 mov eax, [ebx+edx]
.aspack:00438357 add eax, ss:(dll_base - 438013h)[ebp]
.aspack:0043835D pop edi
.aspack:0043835E jmp short Write_Thunk
.aspack:00438360 ; ---------------------------------------------------------------------------
.aspack:00438360
.aspack:00438360 bad_ordinal: ; CODE XREF: .aspack:0043833A?j
.aspack:00438360 push edi
.aspack:00438361 mov eax, [esi+ImportTable.Name]
.aspack:00438364 add eax, ss:(ImageBaseAddress - 438013h)[ebp]
.aspack:0043836A push eax
.aspack:0043836B push ebx
.aspack:0043836C lea eax, (aTheOrdinalUCou - 438013h)[ebp] ; "The ordinal %u
; could not be located in "...
.aspack:00438372 push eax
.aspack:00438373 push edi
.aspack:00438374 jmp short Beggar_off
.aspack:00438376 ; ---------------------------------------------------------------------------
.aspack:00438376
.aspack:00438376 Write_Thunk: ; CODE XREF: .aspack:00438305?j
.aspack:00438376 ; .aspack:0043835E?j
.aspack:00438376 mov [edi], eax
.aspack:00438378 add ss:(api_counter - 438013h)[ebp], 4
.aspack:0043837F jmp get_api_addr
.aspack:00438384 ; ---------------------------------------------------------------------------
.aspack:00438384
.aspack:00438384 load_next_dll: ; CODE XREF: .aspack:004382DC?j
.aspack:00438384 mov [esi+ImportTable.OFT], eax
.aspack:00438386 mov [esi+ImportTable.Name], eax
.aspack:00438389 mov [esi+ImportTable.FThunk], eax
.aspack:0043838C add esi, 14h
.aspack:0043838F mov edx, [ebp+422h]
.aspack:00438395 jmp Load_api
Aspack doesn’t modify the original IT, infact this code works as the Windows Loader: from the name of dll, uses LoadLibrary after that checks if the value is an ordinal or is a name, uses GetProcAddress And writes the return_value in the thunk.
.aspack:0043839A ; .aspack:0043828Aj
.aspack:0043839A mov eax, 12A5h ; RVA EP address
.aspack:0043839F push eax
.aspack:004383A0 add eax, ss:(ImageBaseAddress - 438013h)[ebp]
.aspack:004383A6 pop ecx
.aspack:004383A7 or ecx, ecx
.aspack:004383A9 mov dword ptr ss:(jmp_to_oep+1 - 438013h)[ebp], eax
.aspack:004383AF popa
.aspack:004383B0 jnz short jmp_to_oep
.aspack:004383B2 mov eax, 1
.aspack:004383B7 retn 0Ch
.aspack:004383BA ; ---------------------------------------------------------------------------
.aspack:004383BA
.aspack:004383BA jmp_to_oep: ; CODE XREF: .aspack:004383B0j
.aspack:004383BA ; DATA XREF: .aspack:004383A9w
.aspack:004383BA push 0
.aspack:004383BF retn
Finally, after the decompression, the relocation, and the IT loading, the loader is ready to jump at OEP in this way: it puts in eax the EP RVA, adds the ImageBase and writes this value at jmp_to_oep+1(changing the zero): so with the push, it stores this value in the stack, which will use by the retn.
Note Finali
Thx to Ntoskrnl, Que, EvilCry, ZaiRoN, Quake2, Ermes, 0x87, Locu, Evo, StarzBoy (indian friend of mine), and everyone who I met
Disclaimer
I documenti qui pubblicati sono da considerarsi pubblici e liberamente distribuibili, a patto che se ne citi la fonte di provenienza. Tutti i documenti presenti su queste pagine sono stati scritti esclusivamente a scopo di ricerca, nessuna di queste analisi è stata fatta per fini commerciali, o dietro alcun tipo di compenso. I documenti pubblicati presentano delle analisi puramente teoriche della struttura di un programma, in nessun caso il software è stato realmente disassemblato o modificato; ogni corrispondenza presente tra i documenti pubblicati e le istruzioni del software oggetto dell'analisi, è da ritenersi puramente casuale. Tutti i documenti vengono inviati in forma anonima ed automaticamente pubblicati, i diritti di tali opere appartengono esclusivamente al firmatario del documento (se presente), in nessun caso il gestore di questo sito, o del server su cui risiede, può essere ritenuto responsabile dei contenuti qui presenti, oltretutto il gestore del sito non è in grado di risalire all'identità del mittente dei documenti. Tutti i documenti ed i file di questo sito non presentano alcun tipo di garanzia, pertanto ne è sconsigliata a tutti la lettura o l'esecuzione, lo staff non si assume alcuna responsabilità per quanto riguarda l'uso improprio di tali documenti e/o file, è doveroso aggiungere che ogni riferimento a fatti cose o persone è da considerarsi PURAMENTE casuale. Tutti coloro che potrebbero ritenersi moralmente offesi dai contenuti di queste pagine, sono tenuti ad uscire immediatamente da questo sito.
Vogliamo inoltre ricordare che il Reverse Engineering è uno strumento tecnologico di grande potenza ed importanza, senza di esso non sarebbe possibile creare antivirus, scoprire funzioni malevoli e non dichiarate all'interno di un programma di pubblico utilizzo. Non sarebbe possibile scoprire, in assenza di un sistema sicuro per il controllo dell'integrità, se il "tal" programma è realmente quello che l'utente ha scelto di installare ed eseguire, né sarebbe possibile continuare lo sviluppo di quei programmi (o l'utilizzo di quelle periferiche) ritenuti obsoleti e non più supportati dalle fonti ufficiali.
