Unpacking Lab 18-1


Description:

In this tutorial I'll explain how to unpack a file that was packed with the UPX packer. The sample is the first lab of chapter 18 (Lab 18-1) of Practical Malware Analysis.

Indicators:

  1. strings: the first thing I did was look at the strings, and I found only garbage, as you can see in the screenshot. A packed binary has almost no readable strings because the original code and data are compressed.

  2. PEiD: when we load the file into PEiD we see the following

    this means PEiD can't identify the type of packer, so I'll look at the sections

    as you can see there is a UPX2 section; also the raw size of the .text section is zero while its virtual size is 6000h. A section that holds no bytes on disk but is given 6000h bytes in memory is the space the unpacking stub writes the decompressed code into before running it.

  3. DIE: to confirm our result we load the file into DIE (Detect It Easy), which shows more information.

    after loading it, DIE tells us the file is packed with UPX, and the Entry Point (EP) lies between 7000h and 9fffh, which is inside the packed data section rather than the code section (a normal program's EP points into .text). Then we look at the entropy

    the entropy is high, which means the bytes look random, the way compressed or encrypted data does, and that is what a packed payload looks like. Entropy does not say anything about sizes by itself; the size mismatch (zero raw size but a large virtual size in the PE header) is a separate indicator that points to the same conclusion.

Static Analysis with IDA:

we will do static analysis to search for the tail jump, the instruction at the end of the unpacking stub that transfers control to the original entry point (OEP) once the code has been decompressed in memory:

after loading the sample we find the tail jump easily, but how do you recognize it? There are several indicators; I'll show some of them

  1. the tail jump is the last valid instruction before a run of bytes that IDA cannot disassemble as valid instructions

  2. it is located at the end of the code, and it jumps to an address that is very far away (into the section that is empty on disk)

  3. the graph view in IDA Pro often makes the tail jump very easy to spot, since it is a jump out of the function with no return path

back to our sample: once we have found the tail jump we note its address, in our case 409f43h; we'll need it in the debugger

Dynamic Analysis with OllyDbg:

in this section we let the stub unpack the original code into memory, and then we dump that code from memory

first I go to the tail jump (Ctrl+G to 409f43h) and put a breakpoint there (F2)

then run the program (F9) so the stub unpacks the original code into memory and execution stops at the breakpoint; press F8 to step over the jump and you land on the original entry point (OEP), the first instruction of the unpacked program. This code exists only in memory, so we have to dump it: I use the OllyDump plugin, which dumps the process with the current EIP as the new entry point, rebuilds the import table, and saves the result as a new executable. If the dumped file does not run because its imports are broken, rebuilding them with ImportREC against the live process (using the same OEP) is the usual fix.

we check whether the strings are still garbage or not

now you can see useful information, which confirms that the dump contains the unpacked program

Thanks for reading. I hope I helped you, even with one piece of information.
