- Download the linked version of PIN
- Unzip PIN to the root directory and rename the folder to `pin`
- Clone this repository
- Extract the archive FindOEPPin/ScyllaDependencies/diStorm.rar into FindOEPPin/Scylla/
- Extract the archive FindOEPPin/ScyllaDependencies/tinyxml.rar into FindOEPPin/Scylla/
- Extract the archive FindOEPPin/ScyllaDependencies/WTL.rar into FindOEPPin/Scylla/WTL/
- Open the file PinUnpacker.sln with Visual Studio 2010 (NB: this exact version is mandatory)
- Set your IDA Pro (idaw.exe) path in Config.cpp (`const Log::IDA_PATH`)
- Copy the folders FindOEPPin\PinUnpackerDependencies and FindOEPPin\PinUnpackerResults to C:\pin\
- Be sure that you are compiling in Release mode
- Be sure that all the modules in the project are compiled with the platform toolset v100 (right click on the module -> Properties -> Platform Toolset field)
- Compile the solution
After these steps, C:\pin\ should look like this:

```
C:
\---pin
    +---source
    +---PinUnpackerResults
    +---PinUnpackerDependencies
    |   badImportsChecker.py
    |   badImportsList.txt
    |   dumperSelector.py
    |   \---Scylla
    |       +---ScyllaDLLRelease
    |       |       ScyllaDLLx86.dll
    |       +---ScyllaDLLDebug
    |       |       ScyllaDLLx86.dll
    |       \---ScyllaDumper.exe
    \---PinDemonium.dll
```
Run this command from the directory C:\pin\:

```
pin -t PinDemonium.dll [-flags] -- <path_to_the_exe_to_be_instrumented>
```

Flags:

- `-iwae <number_of_jump_to_dump>`: enable tracking of the inter_write_set analysis dumps and set how many jumps to dump
- `-antiev`: activate the anti-evasion engine
- `-antiev-ins`: activate the single patching of evasive instructions such as int2e, fsave, ...
- `-antiev-sread`: activate the handling of suspicious reads
- `-antiev-swrite`: activate the handling of suspicious writes
- `-unp`: activate the unpacking engine
- `-adv-iatfix`: activate the advanced IAT fix technique
- `-poly-patch`: if the binary you are analyzing shows some kind of polymorphic behavior, activate the patch that keeps Pin from executing the wrong trace
- `-nullify-unk-iat`: nullify the IAT entries that the tool does not detect as correct APIs. NB: THIS OPTION WORKS ONLY IF THE OPTION -adv-iatfix IS ACTIVE!

Check your results in C:\pin\PinUnpackerResults\< current_date_and_time >\
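As an added example (not part of the PinDemonium repository), the following PowerShell wrapper assembles the pin command line from the flags listed above, enforces the documented dependency between `-nullify-unk-iat` and `-adv-iatfix`, runs Pin from C:\pin and returns the newest results folder. The executable name `pin.exe`, the sample path and the use of LastWriteTime to pick the latest PinUnpackerResults subfolder are assumptions.

```powershell
# Build the argument list for pin from the PinDemonium flags documented above.
function New-PinDemoniumArgs {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [int] $Iwae = 0,
        [switch] $AntiEvasion, [switch] $AntiEvasionIns,
        [switch] $AntiEvasionSRead, [switch] $AntiEvasionSWrite,
        [switch] $Unpack, [switch] $AdvIatFix,
        [switch] $PolyPatch, [switch] $NullifyUnknownIat
    )
    # Documented constraint: -nullify-unk-iat has no effect without -adv-iatfix
    if ($NullifyUnknownIat -and -not $AdvIatFix) {
        throw '-nullify-unk-iat only works when -adv-iatfix is active'
    }
    $argList = @('-t', 'PinDemonium.dll')
    if ($Iwae -gt 0)        { $argList += @('-iwae', "$Iwae") }
    if ($AntiEvasion)       { $argList += '-antiev' }
    if ($AntiEvasionIns)    { $argList += '-antiev-ins' }
    if ($AntiEvasionSRead)  { $argList += '-antiev-sread' }
    if ($AntiEvasionSWrite) { $argList += '-antiev-swrite' }
    if ($Unpack)            { $argList += '-unp' }
    if ($AdvIatFix)         { $argList += '-adv-iatfix' }
    if ($PolyPatch)         { $argList += '-poly-patch' }
    if ($NullifyUnknownIat) { $argList += '-nullify-unk-iat' }
    # Everything after '--' is the program Pin instruments
    $argList += @('--', $Target)
    return $argList
}

# Run Pin from C:\pin (as the README requires) and return the newest results folder.
function Invoke-PinDemonium {
    param([Parameter(Mandatory)] [string] $Target, [hashtable] $Options = @{})
    $pinRoot = 'C:\pin'                      # assumed install root from the steps above
    $pinArgs = New-PinDemoniumArgs -Target $Target @Options
    Push-Location $pinRoot
    try {
        & (Join-Path $pinRoot 'pin.exe') @pinArgs   # pin.exe name is an assumption
    } finally {
        Pop-Location
    }
    # Results land in a folder named after the current date and time; pick the latest one
    Get-ChildItem (Join-Path $pinRoot 'PinUnpackerResults') -Directory |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

# Usage with a constructed sample path: unpacking engine, anti-evasion and advanced IAT fix
Invoke-PinDemonium -Target 'C:\samples\packed.exe' -Options @{
    Unpack = $true; AntiEvasion = $true; AdvIatFix = $true; NullifyUnknownIat = $true
}
```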