In this blog post I am going to show you how to manually unpack any packed executables. Malware authors and other commercial software authors pack their executables to make them unreadable and to make it difficult for analyst/reverse engineers to analyse and reverse the application. But anyhow the application will have to unpack itself in order to run. The logic to unpack the application will be on the application itself. Here in this tutorial we will create an executable pack it with upx packer and then identify the unpacking logic to manually unpack the executable. The tools required are OLLYdbg, ImportREC, and a OLLY plugin named ollydump which is required to dump a process in OLLYdbg. So let’s start.
The sample used is a simple C helloworld program.
First let’s pack the sample executable using upx.
Here our sample is packing.exe. We just packed our sample and now the packed executable is saved as packed.exe. Now let us load the packed executable into OLLY for our analysis.
Here we see the first instruction is pushad and the current Entry Point of the excutable is on 0040F4B0. We know the executable is packed and it should unpack itself in order to execute. Basically what a packer does is it adds STUB code segment before the Original Entry Point and compresses the code and puts it in the data section of the new executable file. So the Entry Point we see is modified by the packer and the code we are seeing is stub and is used to unpack the original executable. So the STUB code will basically decompress the original code and jump to the Original Entry Point. Let us analyse the code carefully to find something interesting.
Okay some scrolling and we find something interesting i.e. popad, remember the first instruction was pushad. So for now let us assume whatever was pushed at first is now popped from the stack. This means the STUB code has finished decompressing and will now probably make a jump to the Original code. Now we know what we are looking for, we are looking for an unusual jump and we see a JNZ (jump not zero) to 0040F64A, but this is not what we are looking for, cause this is probably some loop. The next jump we see is JMP to 00401280, this might be what we are looking for. Lets set a breakpoint at this point to analyse it.
Let us run the application till the breakpoint. Now we step over the jump statement to find this.
Okay the program made a jump to the unpacked code i.e, the Original Entry Point. Now we got the Original Entry Point that is 1280. We keep a note of the Original Entry Point. Now we will make use of the ollydmp plugin. Just make a right click and click on Dump debugged Process.
Click on the Get EIP as OEP button. This changes the Original Entry Point to current Extended Instruction Pointer. Once again keep a note of new OEP cause we will need it later. Unselect the Rebuild Import option as it is unefficient and fails most of the times. Therefore we will be using ImportREC to fix the import table. Okay now click on dump and save the file. I saved the file as dump.exe.
Now open ImportREC to fix the import table. Attach the packed executable sample that is packed.exe in our case. Now change the OEP as 1280 that we made a note of. Now click on IAT AutoSearch and you will get this.
Found Something! Okay! Now click on FixDump and select the dumped process that is dump.exe in our case. Click on Open and on the log window you get a message successful. And the new file will be saved as dump_.exe. So now we have original executable now. We have successfully unpacked the packed executable.
This tutorial was for upx packed executable, for other packers the process is same more or less. All we will need is a simple analysis of what the STUB code is doing.