Tuesday, December 17, 2013

Manual Unpacking of AHpack(0.1) Packed Binary File

File Information
FileName: UnPackMe_!EP(EXE Pack)1.2.exe
MD5: c39d13643796db07eb9c3c90b3db71d0
File Size: 281088
Source: tuts4u
OS Used: Windows XP Pro SP3 (English)

Packer Information
Packer details can be found using tool "Detect It Easy".

Packed Binary Entry Point
Launch the binary in a debugger; I am using Immunity Debugger v1.85. Immunity will warn you that the binary might be compressed; ignore the message (click No) and proceed. The Entry Point is shown as
Address        Opcode       Instruction
0046B0FF    60               PUSHAD

Step Into (F7) or Step Over (F8) the PUSHAD instruction. PUSHAD pushes the values of all the general purpose registers onto the stack; EIP is not among them.

Hardware Breakpoint On Access
Right click on the ESP register (0x0012FFA4) and click "Follow in Dump". In the dump window select the first 2 or 4 bytes, right click and choose "Breakpoint -> Hardware, on access -> Dword". This creates a hardware breakpoint.
We can also set the breakpoint by executing "hr esp-4" in the command bar.
"Follow in Dump" shows the saved register values in little-endian byte order at the top of the stack (EDI is the first value, since PUSHAD pushes it last).

0046B299   61              POPAD
0046B29A   BA B0714200     MOV EDX,UnPackMe.004271B0
0046B29F   FFE2            JMP EDX                     ; UnPackMe.004271B0

Hits Breakpoint
Run the binary, i.e. hit F9. Execution should break at the instruction after POPAD. Why here? POPAD reads the saved registers back from the stack, which accesses the memory we marked with the hardware breakpoint, and the debugger reports the break once that instruction has completed. Single step (F7) until you execute the first jump instruction (JMP EDX at 0x0046B29F), which takes us to the OEP, and keep single stepping until you see the instructions below, which set up the stack frame.
004271B0   55               PUSH EBP
004271B1   8BEC             MOV EBP,ESP
0x004271B0 is the Original Entry Point. A long jump from 0x0046B29F (in the packer stub) to 0x004271B0 is a fairly clear sign that we have reached the OEP.

Dump the process by right clicking at 0x004271B0   (PUSH EBP).

Dump Process
A window will pop up as shown; click Dump and save the file as dump.exe. Running this file may fail with a "...not a valid Win32 Application" error because the dump does not have a valid Import Address Table (IAT).

Fix Dumped Process
Image Base + OEP = Start Offset, i.e. the OEP that ImpREC expects is an RVA: 0x004271B0 - 0x00400000 = 0x000271B0.
Let's fix the IAT. Launch the "Import REC" (ImpREC) tool and select the process of the original binary we are trying to unpack. Change the OEP field to 0x000271B0 and click "IAT AutoSearch"; ignore the pop-up warning (click OK).
IAT AutoSearch locates the table of references to the imported API calls. Click "Get Imports" to list the imports; there should be no errors (see the snapshot below).

Now click "Fix Dump" and select the dump.exe created in the step above. If this succeeds, it creates the unpacked binary dump_.exe.

Run the binary by double clicking it; if it executes without error, boom, our unpacking is done!!

The steps can be summarized as

  • Execution starts from the packer's new entry point (in a code section added at the end of the binary)
  • The current register state is saved using the PUSHAD (opcode 60) instruction
  • All the packed sections are unpacked in memory
  • The import table of the original executable is resolved
  • The original register state is restored using the POPAD (opcode 61) instruction
  • Finally, the stub jumps to the Original Entry Point to begin the actual execution
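The OEP arithmetic under "Fix Dumped Process" (ImpREC wants the RVA, 0x004271B0 - 0x00400000 = 0x000271B0) and the summary above both come down to reading the PE headers. The script below is an added example, not code from the original post or from AHpack: it parses a PE32 header, reports the two packer indicators this walkthrough relies on (entry point in the last section, first opcode PUSHAD) and scans the entry section for the POPAD; MOV EDX,imm32; JMP EDX tail to recover the OEP candidate. The image it builds in memory is a constructed sample (the section name .ahpack and all sizes are made up), and the scan pattern is specific to the stub shown in this post.

```python
import struct

# From the post: OEP VA 0x004271B0 and OEP RVA 0x000271B0, hence image base 0x00400000.
IMAGE_BASE = 0x00400000
PUSHAD, POPAD = 0x60, 0x61
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def va_to_rva(va, image_base=IMAGE_BASE):
    """ImpREC's OEP field takes an RVA: virtual address minus image base."""
    return va - image_base


def parse_pe(data):
    """Read the PE32 headers we need: image base, entry point RVA and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "chars": chars})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def section_for_rva(pe, rva):
    for i, s in enumerate(pe["sections"]):
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return i
    return None


def rva_to_file_offset(pe, rva):
    i = section_for_rva(pe, rva)
    if i is None:
        return None
    s = pe["sections"][i]
    delta = rva - s["va"]
    return s["rawptr"] + delta if delta < s["rawsize"] else None


def entry_point_indicators(data):
    """Cheap packer indicators from the post: EP in the last section, first opcode PUSHAD."""
    pe = parse_pe(data)
    idx = section_for_rva(pe, pe["entry_rva"])
    off = rva_to_file_offset(pe, pe["entry_rva"])
    return {"entry_va": pe["image_base"] + pe["entry_rva"],
            "entry_section": pe["sections"][idx]["name"] if idx is not None else None,
            "entry_in_last_section": idx == len(pe["sections"]) - 1,
            "first_opcode_is_pushad": off is not None and data[off] == PUSHAD}


def find_popad_jmp_edx(data, start, end):
    """Scan for the tail 'POPAD; MOV EDX,imm32; JMP EDX' (61 BA xx xx xx xx FF E2)
    and return the absolute jump target, i.e. the OEP candidate."""
    for off in range(start, end - 7):
        if data[off] == POPAD and data[off + 1] == 0xBA and data[off + 6:off + 8] == b"\xFF\xE2":
            return struct.unpack_from("<I", data, off + 2)[0]
    return None


def oep_candidate(data):
    """Look for the tail inside the section that holds the packed entry point."""
    pe = parse_pe(data)
    s = pe["sections"][section_for_rva(pe, pe["entry_rva"])]
    return find_popad_jmp_edx(data, s["rawptr"], s["rawptr"] + s["rawsize"])


def build_sample_pe():
    """Constructed sample (not the post's binary): a 2 KiB PE32 skeleton whose entry point
    sits in a trailing '.ahpack' section (hypothetical name) and starts with PUSHAD."""
    e_lfanew, opt_size = 0x40, 0xE0
    entry_rva = 0x6B0FF                      # post's packed EP 0x0046B0FF minus image base
    sections = [                             # name, vsize, va, rawsize, rawptr, characteristics
        (b".text", 0x27000, 0x01000, 0x200, 0x200, 0x60000020),
        (b".data", 0x01000, 0x28000, 0x200, 0x400, 0xC0000040),
        (b".ahpack", 0x01000, 0x6B000, 0x200, 0x600, 0xE0000060)]
    buf = bytearray(0x800)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 3 sections, no symbols, PE32 optional header size, EXE|32-bit
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + 16, entry_rva)
    struct.pack_into("<I", buf, opt + 28, IMAGE_BASE)
    struct.pack_into("<II", buf, opt + 32, 0x1000, 0x200)   # section / file alignment
    for i, fields in enumerate(sections):
        name, vsize, va, rawsize, rawptr, chars = fields
        struct.pack_into(SECTION_HDR, buf, opt + opt_size + 40 * i,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    # Stub bytes at the EP mirroring the post's listing: PUSHAD ... POPAD; MOV EDX,004271B0; JMP EDX
    stub = bytes([PUSHAD, POPAD, 0xBA]) + struct.pack("<I", 0x004271B0) + b"\xFF\xE2"
    off = 0x600 + (entry_rva - 0x6B000)
    buf[off:off + len(stub)] = stub
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(entry_point_indicators(sample))
    oep = oep_candidate(sample)
    print("OEP candidate: %#010x  (ImpREC OEP field: %#010x)" % (oep, va_to_rva(oep)))
```

On a real file, replace `build_sample_pe()` with `open(path, "rb").read()`; the header parsing is generic PE32, while `find_popad_jmp_edx` only recognises this particular stub ending and will return None for packers that reach the OEP differently (PUSH/RET, a relative JMP, and so on), which is exactly when the hardware breakpoint on ESP from the walkthrough earns its keep.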