Malware Analysis Professional: Analyzing Packers and Manual Unpacking
14.5 Conclusion
Tools:
• Olly Debugger v1.10
Target:
• Packed_Samples.rar
Introduction
Well-Known Entry Points
Dev-C++ 4.9.9.2
00401220 55              PUSH EBP
00401221 89E5            MOV EBP, ESP
00401223 83EC 08         SUB ESP, 8
00401226 C70424 01000000 MOV DWORD PTR SS:[ESP], 1
0040122D FF15 D0504000   CALL DWORD PTR DS:[&msvcrt.__set_app_type] ; msvcrt.__set_app_type, first API to be called
00401233 E8 C8FEFFFF     CALL 00401100
MAPv1: Section 02, Module 14 - Caendra Inc. © 2020 | p.20
14.2 Well-Known Entry Points
MASM32/TASM32
00401000 6A 00           PUSH 0
00401002 E8 D7020000     CALL [JMP.&KERNEL32.GetModuleHandleA] ; \GetModuleHandleA, first API to be called
00401007 A3 6C304000     MOV DWORD PTR DS:[40306C], EAX
0040100C E8 C7020000     CALL [JMP.&KERNEL32.GetCommandLineA] ; GetCommandLineA
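The two listings above are the kind of pattern a PEiD-style entry-point scan keys on. As an added example, not code from the course material, the following Python script parses a PE32 file far enough to find AddressOfEntryPoint, maps it to a file offset through the section table, and matches the bytes there against signatures built from the Dev-C++ and MASM32/TASM32 prologues shown above (operand bytes such as addresses and call displacements are wildcards). The PE parsing, the minimal test-PE builder and the sample inputs are my own; the UPX stub pattern is an assumption from memory, not something the page states.

```python
import struct

# Byte patterns taken from the two entry-point listings above. None is a
# wildcard for operand bytes that change from binary to binary.
SIGNATURES = {
    "Dev-C++ 4.9.9.2": [
        0x55, 0x89, 0xE5,                           # PUSH EBP / MOV EBP, ESP
        0x83, 0xEC, 0x08,                           # SUB ESP, 8
        0xC7, 0x04, 0x24, 0x01, 0x00, 0x00, 0x00,   # MOV DWORD PTR SS:[ESP], 1
        0xFF, 0x15, None, None, None, None,         # CALL DWORD PTR DS:[&msvcrt.__set_app_type]
        0xE8,                                       # CALL <internal init routine>
    ],
    "MASM32/TASM32": [
        0x6A, 0x00,                                 # PUSH 0
        0xE8, None, None, None, None,               # CALL [JMP.&KERNEL32.GetModuleHandleA]
        0xA3, None, None, None, None,               # MOV DWORD PTR DS:[40306C], EAX (address varies)
        0xE8,                                       # CALL [JMP.&KERNEL32.GetCommandLineA]
    ],
    # Assumption, not from the page: the classic UPX stub opens with
    # PUSHAD / MOV ESI, imm32 / LEA EDI, [ESI+disp32]. Verify against your sample.
    "UPX stub (assumed pattern)": [0x60, 0xBE, None, None, None, None, 0x8D, 0xBE],
}


def matches(code: bytes, sig) -> bool:
    """True when every non-wildcard signature byte equals the code byte."""
    if len(code) < len(sig):
        return False
    return all(s is None or s == b for s, b in zip(sig, code))


def entry_point_bytes(pe: bytes, count: int = 32) -> bytes:
    """Return `count` bytes at the PE32 entry point, mapping RVA -> file offset."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # optional header start
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    sect_table = opt + opt_size
    for i in range(nsections):
        off = sect_table + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            file_off = rawptr + (entry_rva - vaddr)
            return pe[file_off:file_off + count]
    raise ValueError("entry point is not inside any section")


def identify_entry_point(pe: bytes) -> str:
    """Name the compiler/packer whose prologue sits at the entry point."""
    code = entry_point_bytes(pe)
    for name, sig in SIGNATURES.items():
        if matches(code, sig):
            return name
    return "unknown (possibly a packer stub)"


def build_test_pe(code: bytes, entry_rva: int = 0x1000) -> bytes:
    """Constructed, minimal single-section PE32 whose entry point is `code`."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    raw_ptr = 0x200
    sect = (b".text".ljust(8, b"\0")
            + struct.pack("<IIII", len(code), 0x1000, len(code), raw_ptr)
            + b"\0" * 16)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(raw_ptr, b"\0") + code


if __name__ == "__main__":
    # Constructed samples: the exact bytes from the two listings above.
    devcpp = bytes.fromhex("5589E583EC08C7042401000000FF15D0504000E8C8FEFFFF")
    masm = bytes.fromhex("6A00E8D7020000A36C304000E8C7020000")
    for sample in (devcpp, masm, b"\x90" * 16):
        print(identify_entry_point(build_test_pe(sample)))
```

On a packed sample the entry point bytes belong to the packer's stub, so the scan reports "unknown" (or a packer signature) rather than a compiler; after unpacking, the bytes at the OEP of the dumped image should match one of the compiler prologues, which is a quick sanity check that you stopped at the real OEP.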
Methods to Reach the OEP
PUSHAD
...
...        ← rest of packer's stub (decryption, IAT resolving, etc.)
...
POPAD
14.3 Methods to Reach the OEP
4. jump to OEP
This trick relies on the fact that some packers, at the
beginning or at some point during their execution, save all
the general purpose registers (PUSHAD) before doing their own
work, and restore them (POPAD) shortly before reaching the
OEP. So, by setting a hardware breakpoint on access at the
address ESP points to right after the PUSHAD instruction, we
can break in when the POPAD instruction is executed, since
that memory area is accessed again by POPAD. The debugger
stops at the instruction following POPAD, which in this
pattern is the jump to the OEP.
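As an added example, not code from the course, here is a small Python model of a PUSHAD/POPAD stub and of a hardware breakpoint on access, to make explicit why the breakpoint does not fire during the stub's own work and why it leaves you one instruction before the jump to the OEP. The stub, the register values and the initial stack address are constructed; the OEP value reuses the Dev-C++ entry point address from the listing above as the stub's target.

```python
from typing import Dict, List, Optional, Tuple


class MiniCPU:
    """Just enough x86 state to model PUSHAD/POPAD and a hardware breakpoint on
    access (what OllyDbg sets with 'Breakpoint -> Hardware, on access -> Dword')."""
    REGS = ("EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI")  # PUSHAD push order

    def __init__(self, esp: int = 0x0012FFC4) -> None:    # constructed initial ESP
        self.regs: Dict[str, int] = dict.fromkeys(self.REGS, 0)
        self.regs["ESP"] = esp
        self.stack: Dict[int, int] = {}    # dword-granular memory: address -> value
        self.hw_bp: Optional[int] = None   # watched address, None while not armed
        self.bp_hit = False

    def _access(self, addr: int) -> None:
        if self.hw_bp is not None and addr == self.hw_bp:
            self.bp_hit = True

    def push(self, value: int) -> None:
        self.regs["ESP"] = (self.regs["ESP"] - 4) & 0xFFFFFFFF
        self._access(self.regs["ESP"])
        self.stack[self.regs["ESP"]] = value & 0xFFFFFFFF

    def pop(self) -> int:
        addr = self.regs["ESP"]
        self._access(addr)
        self.regs["ESP"] = (addr + 4) & 0xFFFFFFFF
        return self.stack.get(addr, 0)

    def step(self, instr: Tuple) -> None:
        op = instr[0]
        if op == "PUSHAD":            # saves all eight GPRs; the ESP slot holds the pre-PUSHAD ESP
            esp_before = self.regs["ESP"]
            for r in self.REGS:
                self.push(esp_before if r == "ESP" else self.regs[r])
        elif op == "POPAD":           # restores them in reverse; the saved ESP is discarded
            for r in reversed(self.REGS):
                value = self.pop()
                if r != "ESP":
                    self.regs[r] = value
        elif op == "PUSH":
            self.push(instr[1])
        elif op == "POP":
            self.regs[instr[1]] = self.pop()
        elif op == "MOV":
            self.regs[instr[1]] = instr[2]
        elif op == "JMP":
            pass                      # the target is what we want to read off, not follow
        else:
            raise ValueError(f"unsupported instruction {op}")


def esp_trick(cpu: MiniCPU, stub: List[Tuple]) -> Tuple[int, Optional[Tuple]]:
    """Step over PUSHAD, arm a HW breakpoint on access at the dword ESP now
    points to, then run. Returns the index and text of the instruction the
    debugger stops at, i.e. the one right after the accessing POPAD."""
    pc = 0
    while pc < len(stub):
        instr = stub[pc]
        cpu.step(instr)
        pc += 1
        if instr[0] == "PUSHAD" and cpu.hw_bp is None:
            cpu.hw_bp = cpu.regs["ESP"]   # armed after PUSHAD, so its own writes do not fire it
        if cpu.bp_hit:                    # HW breakpoints report after the accessing instruction
            return pc, (stub[pc] if pc < len(stub) else None)
    raise RuntimeError("the watched dword was never accessed again")


OEP = 0x00401220   # Dev-C++ entry point address from the listing above, reused as the target

# Constructed packer stub: save registers, work with the stack below the saved
# area (which never touches the watched dword), restore, and jump to the OEP.
STUB: List[Tuple] = [
    ("PUSHAD",),
    ("MOV", "ESI", 0x00405000),   # constructed: stub points ESI at its packed data
    ("PUSH", 0x1234),             # constructed scratch use of the stack
    ("POP", "EAX"),
    ("MOV", "EAX", 0),
    ("POPAD",),
    ("JMP", OEP),
]


def run_demo() -> Tuple[int, Optional[Tuple], Dict[str, int]]:
    cpu = MiniCPU()
    cpu.regs.update(EAX=0x11111111, EBX=0x22222222, ESI=0x33333333)  # constructed pre-stub values
    stop_pc, instr = esp_trick(cpu, STUB)
    return stop_pc, instr, dict(cpu.regs)


if __name__ == "__main__":
    pc, instr, regs = run_demo()
    print(f"stopped at index {pc}: {instr}; EAX={regs['EAX']:08X} "
          f"ESI={regs['ESI']:08X} ESP={regs['ESP']:08X}")
```

The model shows the two details that make the trick work in a real debugger: the breakpoint is armed only after PUSHAD has executed (otherwise the saves themselves would trigger it), and the stub's own pushes and pops happen at lower addresses, so the first access to the watched dword is POPAD's, with the registers already restored to their pre-stub values when you land on the jump.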
5. Follow SEH
Many packers use exceptions as anti-reversing tricks in
order to redirect the execution where they want, without
using obvious methods like a jump or a call instruction. So,
by monitoring the exception handlers and the address where
execution is about to be transferred when an exception is
raised, we can trace another path towards the OEP.
Packers:
• UPX
• WinUpack
• ASPack
• PECompact
• FSG v2.0
Conclusion
Enjoy!