A forum for reverse engineering, OS internals and malware analysis 

unpacking help

Discussion on reverse-engineering and debugging.

unpacking help

 #24469  by rever_ser
 Sun Nov 30, 2014 12:52 pm
i have the malware that unclear for me that is packed or not?

the program like PEid shows that code writen with c++ but in addition sandbox shows that's packed with Armadilo and in string of malware there is Aspack. so how can i recognize the malware is packed or not?

note:epilog of file is push ebp - mov ebp،esp - push -1 but it hasn't getversion phrase.i think that it is a fake epilog.

Re: unpacking help

 #24476  by EP_X0FF
 Mon Dec 01, 2014 3:58 am
Usually entropy is enough, even with the naked eye.

Attach your file here so everybody can look and give more suggestions.

Re: unpacking help

 #24478  by EP_X0FF
 Mon Dec 01, 2014 8:05 am
rever_ser wrote:i upload the sample of malware. here is the link
http://uplod.ir/oe8eip84v6xk/sample.bin.htm
Original dropper contain huge packed data block in the overlay. This is Zeus.
In attach unpacked.
Attachments
pass: infected
(112.28 KiB) Downloaded 37 times

Re: unpacking help

 #24483  by rever_ser
 Mon Dec 01, 2014 10:03 am
woww that's incredible.
could you make video of how unpacking process and send to me as soon as possible?
do you find which packer packed this file?
thanks indeed

Re: unpacking help

 #24485  by EP_X0FF
 Mon Dec 01, 2014 10:51 am
rever_ser wrote:could you make video of how unpacking process and send to me as soon as possible?
Set bp on CreateProcess. This crapware uses CreateProcess for cmd.exe to stop certain Windows services. Once you are on the breakpoint, inspect dropper virtual memory for huge RWE region that contain decrypted malware body. This is trivial and generic for most malware.
do you find which packer packed this ?
One of the thousand of malware crypters I guess. You don't need to know what kind of malware packer on file to unpack it. They all are the same. Malware unpacking != legal commercial software unpacking.

Re: unpacking help

 #24493  by EP_X0FF
 Mon Dec 01, 2014 4:15 pm
rever_ser wrote:how to inspect dropper virtual memory for huge RWE region?
vmmap, petools, ollydbg etc

Re: unpacking help

 #24499  by SomeUnusedName
 Tue Dec 02, 2014 9:21 am
EP_X0FF wrote:One of the thousand of malware crypters I guess. You don't need to know what kind of malware packer on file to unpack it. They all are the same. Malware unpacking != legal commercial software unpacking.
I'd like to stress that point. So many blog posts about analyzing malware XYZ spend 5 pages on random shitty packers nobody cares about, and then 2 lines about the actual malware. Don't do that, nobody cares about packers for malware and with practice you can unpack almost all of them in no time.

Re: unpacking help

 #24500  by rever_ser
 Tue Dec 02, 2014 10:39 am
excuse me sir!
can you guide me what are the base knowledge about unpacking that I should be learn ?
because as I said I am junior in malware analysis. I want to know Which kind of practices should I do ?
I am very interesting to become an expert malware Unpacker.
thanks for your attention.
 Return to “Reverse Engineering and Debugging”