malwarebeginner.files.wordpress.com · Web view: Unpacking UPX manually using OllyDebug

Post on 21-Sep-2020


Unpacking UPX manually using OllyDebug : Tony-McAfee

Why are packers used? Instead of obfuscating the malware code directly, malware authors today rely heavily on packers. A packer is a program that transforms an executable into another form: smaller, with a different appearance from the original, yet behaving like the original when it runs, because the original code is only reconstructed in memory at run time. The main aim is to evade AV scanners. These days authors also apply several packers to the same sample, which makes detection by AV vendors harder still. It is often said that around 80% of malware is packed.

Steps to be followed to extract the malware: As a reverse engineer, you must know how to unpack packed files. This document walks through a basic packer, UPX, which is the packer most often seen on malware. The procedure applies to every version of the stock UPX packer; a stub the author has modified (renamed sections, patched signature) may defeat the detection tools in Step 1, but the ESP trick used for the unpacking itself still works as long as the stub keeps the PUSHAD/POPAD structure.

Step 1:

Identifying the packer name:

The first and foremost thing is to identify the packer correctly. If the packer is misidentified, the whole process that follows goes wrong.

The packer can be identified with PEiD or RDG Packer Detector, and there is a third way: looking at the section names in the PE section table.

First, PEiD:

Open the file in PEiD; if the file is packed, it displays the packer name. In some cases the signature scan fails, so use the deep scan, available from the last button at the bottom of the window (below the Exit button). A dialog box with extra information pops up. There you find the entropy of the file. Entropy runs from 0 to 8.00, where 8.00 means the bytes are statistically random, as compressed or encrypted data is; as a rule of thumb, a value above roughly 6.5 means the file is very likely packed. In this sample the entropy is 8.00, and the other checks in the dialog also report it as packed. So we can conclude that it is packed.

Since we need to confirm this, open the sample in RDG Packer Detector; it scans the sample and reports it as UPX. Now it is confirmed.

There is a third way, although it cannot be relied on alone: look at the section table, since most packers leave their name in it. UPX, for example, names its sections UPX0, UPX1 and (where present) UPX2. Section names are trivially renamed, so a missing name proves nothing, but a present one is a strong hint.

Following these steps gives us the packer name; the figures below illustrate them.


Here we check with PEiD, and it reports the file as packed.

Fig 1.1 PEiD verifying the packer.

Using RDG Packer Detector:

For this sample RDG gives the exact packer name.

For samples where the detectors fail, use the method below; it still yields some information about the packer. Open the file in Stud-PE and go to the Sections tab. It is displayed as shown in fig 1.2.


So from these steps we conclude that the sample is packed with UPX. Once you have the packer name, the next task is to unpack the sample; only then can you reverse engineer it. There are several automatic UPX unpackers (PE Explorer, UPX Unpacker, and UPX's own `upx -d`), but a malware researcher should know how to unpack manually, because the automatic tools fail as soon as the author has tampered with the stub or the PE header. Now I will show how to unpack a UPX-packed sample by hand.

Unpacking Upx Manually:

In this section the tools are OllyDbg (any version; it is the standard debugger for this kind of work) with the OllyDump plugin (freely available; search for it by name and copy the .dll into the directory where Olly's other plugins live), and ImpREC (Import REConstructor), which rebuilds the import table. A dumped process needs this because its import address table holds the function addresses resolved in that debugging session rather than importable names, so the dump as written will not load on its own.

From here on I explain the process step by step, so that a beginner can follow it.

Step 1:

Open OllyDbg with OllyDump installed. Before loading the file, change one debugger setting: Options -> Debugging options, Events tab, and select "Entry point of main module" as the first pause. This pauses the sample at its entry point and ensures that nothing runs before it.


Step 2:

Now drag the sample onto Olly, or open it with File -> Open. Olly shows a warning that the file seems to be packed and asks whether you still want to analyse it. Click Yes and it loads as shown below.

Now check whether the entry point matches what Stud-PE (or any other PE tool) reports; it should, and in the sample I used it does. A file packed with UPX starts with PUSHAD at its entry point, i.e. when you open the file in Olly the first instruction is PUSHAD. PUSHAD saves all eight general-purpose registers on the stack; the stub restores them with a matching POPAD just before it jumps to the original code, and that pairing is what the following steps exploit.

Step 3:

Now press F7 to single-step the first instruction. Since it is a PUSHAD, only the stack pointer changes in the register pane (ESP decreases by 32, the size of the eight saved registers) and the saved values appear in the stack pane. The register pane is at the top right of the debugger, as shown below.


Step 4:

Now right-click the value of ESP in the register pane and choose Follow in Dump. This shows the memory the stack pointer points to in the dump pane.

Step 5:

After Follow in Dump, go to the memory dump pane at the bottom left of OllyDbg.

Below is the full OllyDbg window, with the stack pointer and the first 4 bytes in the memory dump highlighted.


Now select those 4 bytes, right-click the selection and choose Breakpoint -> Hardware, on access -> Dword.


Here we set a hardware breakpoint on access on the selected dword (4 bytes). A breakpoint interrupts the running process at a particular point; this one interrupts it when that dword is next accessed. The dword at ESP after PUSHAD is the saved EDI, the first value POPAD pops back, so the next access will come from the stub's POPAD, after the decompression loop has already written the original code into memory.

Step 6:

Now press F9 (Run). The sample runs until the breakpoint fires, at the POPAD, because the dword we guarded is the one PUSHAD pushed. This is plain stack behaviour: what was pushed must be popped. Note that a hardware breakpoint on access triggers once the accessing instruction has executed, so EIP may already point at the instruction following the POPAD. The window looks like the one below.

Step 7:

Now clear the hardware breakpoint via Debug -> Hardware breakpoints -> Delete (F2 only toggles an ordinary INT3 breakpoint, it does not remove a hardware one), then put an ordinary breakpoint with F2 on the JMP that follows the POPAD at 00473BBB. In the sample it is JMP wininfo_.00442B4F. This is the tail jump of the UPX stub: it transfers control to the original entry point (OEP) of the now-unpacked code. Newer UPX stubs may place a LEA ESP adjustment between POPAD and the JMP; the JMP is still the instruction to break on.


Step 8:

Now press F9 (Run) so that the program stops at the new breakpoint, then press F7 once to execute the JMP. In the sample I analysed EIP lands at 00442B4F, and that is the address we need to reach: the OEP. Do not step any further; the dump must be taken with EIP exactly here, before any of the original code has run.

Step 9:

Now right-click in the disassembly and select Dump debugged process (provided by OllyDump; it is also reachable from the Plugins menu).

A dialog box like the one in the image below opens.


Step 10:

Here you have to do two things. First, note down the new entry point, which is the OEP of the sample; OllyDump's "Get EIP as OEP" button fills it in from the current EIP, so check that it matches the address you reached, because a wrong OEP produces a dump that crashes. Second, untick "Rebuild Import", because we are going to reconstruct the import table separately with ImpREC. Then click Dump and save the file.

Step 11:

Open ImpREC and, in the "Attach to an Active Process" list, select the sample you are analysing (it is still running under Olly, paused at the OEP).

Here I select the sample I was analysing; the list is simply every executable currently running on the system.


Step 12:

Now enter the new entry point in the OEP text box of ImpREC's IAT Infos frame. ImpREC expects an RVA, i.e. the address minus the image base: for the OEP 00442B4F, with the usual image base of 00400000, that is 00042B4F.

After entering the OEP, press IAT AutoSearch and then Get Imports.

Every import is reported valid (each module in the tree shows valid: YES), so we can build the exe now. If a module showed invalid entries, Show Invalid would list them and they would need to be traced or cut before fixing; with stock UPX this is rarely necessary. Press Fix Dump and select the dumped exe you saved from Olly.

ImpREC reports that the imports were saved successfully and writes the fixed file next to the dump. So we can now check with PEiD and verify that the process was done correctly.


Step 13:

Now open the fixed dump in PEiD and repeat the checks from the beginning: it should no longer identify UPX, the entropy should have dropped to a normal level, and the entry point should be the OEP inside the original code section. Finally run the unpacked file in your isolated analysis VM; a crash at start-up usually means a wrong OEP or an import that was not resolved.

Now we finally got it!

This is one of the manual ways to unpack a sample packed with UPX.
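The packer identification in Step 1 (section names, entropy, entry point) and the PEiD check on the fixed dump at the end can both be scripted. The script below is an added example, not code from the original write-up or from any of the tools it uses; it reads the PE headers with the standard library only, and the input it runs on by default is a constructed PE32 skeleton (UPX-style section layout with an assumed image base of 00400000, no real code), not the page's sample. The 6.5 entropy threshold and the section names UPX0/UPX1/UPX2 are the values the text relies on.

```python
import hashlib
import math
import struct
import sys
from collections import Counter

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # names the stock UPX stub uses

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(data: bytes) -> dict:
    """Image base, entry-point RVA and section table of a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:                                   # PE32
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                 # PE32+
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(num_sections):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rva": rva, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}

def triage(data: bytes, entropy_threshold: float = 6.5) -> dict:
    """Checks from the write-up: UPX section names, entropy of the section holding the
    entry point, and a section with no raw data that only gets filled at run time
    (the UPX0 pattern; .bss looks the same, so on its own it is a weak sign)."""
    pe = parse_pe(data)
    report = {"entry_rva": pe["entry_rva"], "entry_va": pe["image_base"] + pe["entry_rva"],
              "entry_section": None, "sections": [], "indicators": []}
    for s in pe["sections"]:
        ent = shannon_entropy(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
        report["sections"].append({**s, "entropy": round(ent, 2)})
        if s["name"] in UPX_SECTION_NAMES:
            report["indicators"].append(f"section named {s['name']}")
        if s["raw_size"] == 0 and s["vsize"] > 0:
            report["indicators"].append(f"{s['name']} is empty on disk but {s['vsize']:#x} bytes in memory (weak)")
        if s["rva"] <= pe["entry_rva"] < s["rva"] + max(s["vsize"], s["raw_size"]):
            report["entry_section"] = s["name"]
            if ent >= entropy_threshold:
                report["indicators"].append(f"entry point in {s['name']} with entropy {ent:.2f}")
    report["verdict"] = "packed" if report["indicators"] else "not obviously packed"
    return report

def _filler(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for compressed code (constructed)."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def build_demo_pe(packed: bool) -> bytes:
    """Constructed PE32 skeleton (not the page's sample, and not a runnable program):
    UPX-style layout when packed=True, a plain .text/.data layout otherwise."""
    if packed:                       # (name, VirtualSize, VirtualAddress, raw bytes on disk)
        layout = [(b"UPX0", 0x30000, 0x1000, b""), (b"UPX1", 0x1000, 0x31000, _filler(0x800)),
                  (b".rsrc", 0x400, 0x32000, b"\0" * 0x400)]
        entry_rva = 0x31500          # the stub's PUSHAD sits inside UPX1
    else:
        layout = [(b".text", 0x1000, 0x1000, bytes(range(32)) * 64), (b".data", 0x400, 0x2000, b"\0" * 0x400)]
        entry_rva = 0x1100
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                       # ImageBase (assumed, the usual default)
    table, body, raw_ptr = bytearray(), bytearray(), 0x200          # raw data starts after the headers
    for name, vsize, rva, raw in layout:                            # raw sizes above are 0x200-aligned
        table += struct.pack("<8sIIIIIIHHI", name, vsize, rva, len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
    return (dos + b"PE\0\0" + coff + bytes(opt) + bytes(table)).ljust(0x200, b"\0") + bytes(body)

if __name__ == "__main__":
    r = triage(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pe(packed=True))
    for s in r["sections"]:
        print(f"{s['name']:8} rva={s['rva']:#09x} raw={s['raw_size']:#08x} entropy={s['entropy']:.2f}")
    print(f"entry point {r['entry_va']:#010x} in {r['entry_section']}: {r['verdict']}")
```

Run it as `python triage.py sample.exe` before unpacking and again on the ImpREC output: the first run should report the UPX names, an empty UPX0 and an entry point inside a near-8.0-entropy UPX1; the second should show the entry point in the original code section with ordinary code entropy and no indicators. The `entry_va` field is the value OllyDump and PEiD display, while ImpREC wants `entry_rva`.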

*This is a sample document!