Tuesday, August 5, 2014

Manual Unpacking of Compressed Binaries



INTRODUCTION
In this article we walk through manual unpacking of protected malicious Windows binaries with OllyDbg. Once the unpacked code has been dumped from memory, the Import Address Table (IAT) also has to be rebuilt to bring the file back to an executable state. Many anti-virus (AV) products treat a packed PE file as suspicious in its own right, since packing is so common in malware. Many packers are available, for example ASPack, UPX, NsPack, Armadillo and Themida.

PACKERS
A packer reduces the physical size of an executable by compressing it and combining the compressed data with a decompression stub in a single binary. At runtime the stub expands the original program into memory and transfers control to its original entry point (OEP). The packed file itself imports only the few functions the stub needs (typically LoadLibraryA and GetProcAddress); the original program's imports are resolved by the stub at runtime, which is why a dump taken at OEP needs its IAT rebuilt before it will run on its own.

One way to locate the original entry point (OEP) is to set breakpoints on the following APIs:
LoadLibraryA
GetProcAddress
GetVersionExA
GetEnvironmentStringsA
HeapCreate
LoadLibraryA and GetProcAddress are called by the packer's stub while it resolves the original program's imports, so the last of these calls happens shortly before the jump to OEP. GetVersionExA, GetEnvironmentStringsA and HeapCreate are called by the C runtime start-up code of the original program just after OEP, so a breakpoint on them fires once control has already reached the unpacked code. In either case, when the breakpoint hits, look at the return address on the stack: if it lies in the section that was empty on disk (UPX0 for a UPX-packed file), the unpacked code is in memory and the OEP is normally the start of the function that contains that return address. Setting the breakpoints inside kernel32 rather than in the packed image means they survive the stub overwriting its own sections, but some protectors (Armadillo, Themida among them) check API entry points for software breakpoints; a hardware breakpoint on execution is the usual fallback.
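As an added example (not part of the original article), the following Python script performs the static triage a practitioner does before opening a sample in the debugger and again when a breakpoint fires: it parses the PE section table with struct alone, computes per-section entropy, reports which section holds AddressOfEntryPoint, and flags sections that have no raw data on disk but a large virtual size (the region the stub decompresses into). The two sample images it builds are constructed inside the script (minimal PE32 headers plus filler bytes, not real programs); the function names and the indicator thresholds are my own choices.

```python
"""Static packing triage for a PE file using only the standard library."""
import math
import random
import struct
import sys
from collections import Counter

# Flags from IMAGE_SECTION_HEADER.Characteristics
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from the PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(entropy(pe[rawptr:rawptr + rawsize]), 2),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return entry_rva, sections


def triage(pe: bytes) -> dict:
    """Summarise packing indicators; entry_section is None if the EP is outside every section."""
    entry_rva, sections = parse_sections(pe)
    entry = next((s for s in sections
                  if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    indicators = []
    if entry is None:
        indicators.append("entry point outside any section")
    else:
        if entry["entropy"] > 7.0:                      # compressed/encrypted stub section
            indicators.append("high-entropy entry section %s" % entry["name"])
        if len(sections) > 1 and sections.index(entry) == len(sections) - 1:
            indicators.append("entry point in last section")
        if entry["writable"]:                           # stub patches itself in place
            indicators.append("entry section is writable")
    for s in sections:
        if s["rawsize"] == 0 and s["vsize"] >= 0x1000:  # empty on disk, filled at runtime
            indicators.append("section %s has no raw data but %#x bytes virtual" % (s["name"], s["vsize"]))
    return {"entry_rva": entry_rva, "entry_section": entry["name"] if entry else None,
            "sections": sections, "indicators": indicators,
            "likely_packed": len(indicators) >= 2}       # threshold is an assumption


def build_sample_pe(packed: bool) -> bytes:
    """Constructed PE32 image (not a real program): UPX-style or plain .text/.data layout."""
    rng = random.Random(1337)
    if packed:
        body = bytes(rng.getrandbits(8) for _ in range(0x2000))       # stand-in for compressed data + stub
        secs = [(b"UPX0", 0x10000, 0x1000, 0, 0x200, 0xE0000080),      # no raw data, RWX
                (b"UPX1", 0x2000, 0x11000, 0x2000, 0x200, 0xE0000040)]
        entry = 0x11000 + 0x1F00                                       # EP near the end of UPX1
    else:
        body = bytes(range(64)) * 128 + b"A" * 0x1000                  # .text (entropy 6.0) then .data
        secs = [(b".text", 0x2000, 0x1000, 0x2000, 0x200, 0x60000020),
                (b".data", 0x1000, 0x3000, 0x1000, 0x2200, 0xC0000040)]
        entry = 0x1000 + 0x100
    size_of_image = max(va + vsize for _, vsize, va, _, _, _ in secs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, 0, 0, 0, entry, 0x1000, 0x1000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, size_of_image, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128   # empty data directories
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                        for n, vs, va, rs, rp, ch in secs)
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(0x200, b"\0") + body


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(packed=True)
    report = triage(data)
    for s in report["sections"]:
        print("%-8s va=%#07x vsize=%#07x raw=%#07x entropy=%.2f" % (s["name"], s["va"], s["vsize"], s["rawsize"], s["entropy"]))
    print("entry %#x in %s; indicators: %s" % (report["entry_rva"], report["entry_section"], report["indicators"]))
```

Run it as `python triage.py sample.exe`; with no argument it analyses the built-in UPX-style sample. The section with no raw data is the one to watch in the debugger: once a return address on the stack falls inside it, the stub has finished decompressing and the OEP is close.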
 
The following articles walk through manual unpacking of UPX- and AHpack-packed binaries:
http://blog.disects.com/2013/12/manual-unpacking-of-upx-packed-binary.html
http://blog.disects.com/2013/12/manual-unpacking-of-ahpack01.html
  
REFERENCES