And now we're going to Ah, do, ah, unpacking demonstration where I'll use u P x two packed red shop. Ah, tool that we demoed earlier because it's a simple execute herbal. Uh, we're gonna look at the strings as we have before, before and after packing
and show how we can unpack with the U. P X toole itself.
And then, uh, that's quite unique.
With most packers. They don't offer unpacking
tool built in. Some reverse engineers may make their own unpack. Er are unpacking scripts to help, and every once in a while, someone in academia or some someone and
and the industry will say they have a universal unpack, er, but it's it's usually not what they say it is
or they're being very misleading or they're just being very general because
more advanced packers out there that that is really not possible, and I will talk about that in a little bit. But for now I will show you how to manually unpack
and this technique will work with many other packers and ah,
just dump the process and then reconstruct an important
data structure called the I e t. The import address table. And that is very useful because we can actually see what executed Bols.
Uh, what the dependencies are for the execute herbal.
So here of reverted the VM back to its, uh, ready to be infected state. Um,
and I will just drag over a few tools we're gonna use.
The first is on Lee debug 1.1, because if we open an excusable, it's packed with U P X with all the 2.0, it will automatically unpack it for us. And that kind of defeats the point of doing it manually so we can figure out exactly what's going on.
Another one is important, constructor, which I will demonstrate here in a bit to help us rebuild the i E t u P x 391 This one I demonstrated earlier and p i d
drank. He's over here.
As I mentioned before, we're gonna take Greg shot, copied over the desktop and execute just to make sure it works. It does.
Now, we're going to, uh, run p I d on it to see if we get any detections.
Nothing found and Sometimes we have to Ah, do more deep scan to see if it finds anything
So now we can go ahead and pack. Ah,
wreck shot. Here. Copy this over to the desktop
type in CMGI that only works with 1 to 7
to control our CMD on CD to the desktop and then do you p x e x e
and do you read shot
file? Because you didn't actually do it?
Ah, that's trying to go after the shortcut.
So we compressed it. Ah,
by 60%. That's quite impressive. We can run again just to show that it does work. And if we look at the strings for, um
and the strings after it's been packed,
you can see there's a lot of stuff beforehand
strings in both. But there's more in the unpacked version
in the non impact version so we can drag Ric shot again
overto p i. D. And immediately detects that, uh, it is u P x. There are other indicators, such as the section names are all renamed U P x zero u P x one et cetera, And ah,
p i d ah can actually allow for ah, a lot more customization and its signature detection like user DVD dot t x t
can be modified, and you can put in ah, name of Packer
give it a signature of a series of bites it should look for and that is youthful. And if you just Google around online, people have made huge databases of signatures for packers, and I suggest that you grab one of those. I've seen Sands put out one. I took
30 seconds to download it, and
I found that they messed up something coding and it didn't really work. I'm sure I could figure out, but I saw that other people have released other large databases as well. And, uh, I haven't ever
had ah, problem with PG and E, but I'm sure more signatures can't hurt.
There's a lot of false positives out there. Sometimes I found, um, but,
uh, it was helps to just give ah 32nd scan
if we knew something was packed with u P X, we can simply run u P X.
We can simply run u P x dash d
and give it the name of the executed ble, and it will do its best. Unpack it itself, and we can see that this ex Kyul works again, and D p x is just unpacked it. And that works pretty well a lot of the times
because the bad guys just wanna pack it tough. You skip the strings or just changed the hash or or whatever else.
Um, so sometimes that does work. But I think there was a vulnerability in the er
unpacking portion of U P X. And so if people ran ups u p x dash d on ah on the specially crafted execute herbal, it would actually in turn remotely execute code on. So if someone wasn't running this in a V M, they would be infected. So be careful and I like to keep
all the tools inside. The V M is
best. It's possible. Um,
and sometimes a minor change,
so that u p x could not just automatically unpack it like the section names. Um,
see if we have a P E Explorer.
Uh, I usually have one installed But
if we look at the section names, um
see if we have ah, binary template. Uh, we do not,
but I can look pretty easily here and see the section names not taxed our data.
Surprise Didn't complain that the vowels altered.
So here Ah, it's packed And the section names have been changed to u P x zero u p x one, uh
dot resource. So if we were to change this section, name it, it doesn't actually matter Thio
Or just you know u P x X
and save it and tried to unpack it
it would do its best, and sometimes it would work. But if we
not packed by u p X,
I think we corrupted it. Uh, let's
delete it and start again. Ah, right. Shot.
the packet will look at this section names which are
change one of the section names. Save it.
It's so runs just fine. Let's see a few PX still recognizes it when we try to unpack it. No,
So just by simply a team
a small bit of the file you PX can no longer
just unpack it by itself because it uses some of those indicators to unpack it properly because it knows it's It's the Packer that built
Executed. Well, so unpacking, uh, automatically won't always work.
And we can see here that we still got that signature. Um,
we can do a deep scan,
hard core scan, and it's showing the wrong version for that, uh,
Packer was showing the wrong version for U. P X and we're actually using a different version on. Maybe if we downloaded, um,
a new database file.
It would catch that,
someone even might have taken the source code.
I mean that it doesn't help that p i. D is no longer developed. You can get off the Internet, but it's It's no longer maintained. So if there's a bug, there's a bug. You can't fix it. But, um,
if someone has a bad signature out there or whatever someone took Gup X source code on DDE
modified it more than we have to unpack it manually.
If we want to get at the decrypted strings and other resources in the file. So here I've taken an original,
you know, Old Onley debug 1.1
saying, Ah, a newer version of the deal. L, uh
course when the system director did leave the old library. Yes, I want to use the news library.
So I'm gonna add a plug in to help us. Um,
it looks like the plug ins or just dropped in here, and the plug in is all the dump.
I'll tell you about why this is gonna be useful later.
Hey, look, it has a high amount of entropy. Ah, it's probably packed. Are you sure you want to continue? Because it knows that there might be some funkiness going on.
We can't even execute it, and it'll still work. But there is a process being executed.
So the first thing is really important.
Is this push 80 instruction on? Let me see if I can
make Thea appearance a bit more friendly.
so push a d is ah, instruction that pushes all the registers onto the stack. And that's unusual because compilers don't usually admit this instructions a bit slow, but it's frequently used by packers because it easily saves kind of the environment
on so they can do a pop a t at the end of whatever they're doing, whatever. Witchcraft.
they can ensure that the same options were there for the regular program, as as they were there for the Packer
or the unpacking stub that's got to be on the program. So we know that the Richard problems going to use whatever is pushed onto the stack. So we're gonna do, ah, step over. So we're gonna let all these values get pushed onto the stack right down here,
we're just gonna let it unpack the whole excusable. So E S P is
the extended stack pointer and is pointing at the top of the stack. So that's where all these values just got pushed onto the stack. I'm gonna say, following dump
and we can see over here, uh,
you know, these are the values that are over here. There have been pushed onto the dump or push on to the stack, and I'm gonna just put a hardware break point right on access D word. So that's 32 bits a k four bites. And I'm just going to hit, run and let the whole on Packer unpack the original code
and we can see that it accesses the values that pushed on
right here. Does a pop 80 and, uh,
put everything back in its registers. I can see here that's gonna do it jump. And that's probably gonna be the jump into the original code.
So I'm gonna say, Okay, let's start walking through this. But there's this little loop here, and the only way to get out of it
is for this condition to allow this jump, not toe happen. So I know this is gonna happen eventually I'm gonna hit a break point, have to for soft breakpoint don't care if it's hard or soft. Just got hit, Play the hard point hit again
But I'm just gonna play again and it's now reached this break point gonna remove it by pressing F too.
And I know this is gonna jump into the original code.
So I'm gonna say, uh, follow into.
And here is the original code that's now been unpacked. That's fantastic. Now I can scan for strings and do all this other stuff, but I really kind of want it back into a file form. Or it can just transfer to somebody or do some more stack analysis off Ida.
So I'm gonna dump the program. I'm gonna dump
what? I haven't member right here into a file.
And I can do that with that Ali dump program at Plug in that I mentioned earlier. So I'm gonna say, dumped dumped depot process
I'm going to get theirs are section A that we edited. I'm gonna get yapias o e p. Now, this means that I'm gonna say this current area that is about to be executed right now that is the original entry point, the O e p.
I'm gonna copy that value to control C. And this is important because the file on disk that's packed says that the beginning entry point
is actually in the Packer stuff. The thing that does the unpacking, the decrypting and we don't want that to be true anymore. We want theory, journal unpacked code to just begin executing.
And this is Kevin old plug in Ali, Dump on. That's okay. And it tries to rebuild the import table for us, and that could be a little tricky. And I've used Method one and Method to, and they've always kind of work for me, unless it was a
unless it wasn't a really simple program.
So in general, I turn this off and let another program help me out with that.
So I'm gonna dump this two disc, and I usually say,
you know, whatever it is,
This is still executing the memory, even though the window hasn't popped up for
nothing else has been initialized is just unpacked the code, and I'm going to use my import reconstruct er program. Now, what this does
is, uh oh, Before I launch into that, I just want to say that there are other dumping programs that we can use. And so this plug in for Ali, there's like, Lord P E. A program that we have here
I introduced early on,
Aiken demoted real quick.
More. I'm I can select which thing which process running. I want, uh, right here.
full down partial dump. You know that it's a it's a dumper. So it has a lot more options to it, and we'll even help you rebuild things and the p E. But for simplicity sick, uh,
I'm not gonna be showing that off. And there's even a new, newer Ali Plugin dumper. But the old one works just fine
for a lot of my purposes. So and that one's called on Lee debug P e
R p e dumper. Yeah, So here I'm moving on to the next phase, which is rebuilding. Ah, the import address table.
And there's there's a lot of options to this. And then I suggest that you take a look at him. But for right now, I'm just going to rebuild this excusable as fast I can, because currently will not work. If we double clicked on it,
it would say, Hey, the windows loader says, I can't find which dependencies this excusable needs and then tries to execute the code. And the code doesn't quite work, but it's already been loaded up in the memory and still currently running, even though it's been halted by debunker. Uh,
and we can use important constructor
just to look at our process in memory and find the, uh,
proper import address table because the Packer has already done this work for us. We don't need to do it again. We could just take a look at what it's done.
So I'm gonna go here to the Opie and pace that value in that I had earlier
and say OK, I want you to make this the original entry point I want when this file is executed. I wanted to jump straight to the unpacked code, skipped the whole unpacking stub that U P X added in.
Now I'm gonna hit find her the I 80 auto search. I'm saying Break into this process and look through its memory and find what looks to be a n'importe address table
and says It's found one.
It looks about right, but hit and get imports. And we do. And there are several deal owes loaded. We're just like Okay, that looks good. Ah, that looks about what ah, this program would probably use and a good method to verify that is show invalid
as they go through that and look to see which ones are not real, that are messed up or something. And then you can get an idea for where exactly the import address table really is. And if you wanted to, you could with Ali find that import address table.
all you have to do would be to find the inner module calls, which were you showed beforehand and find a table.
I'm sure if we look through the memory enough, we would find a new easy table where it would show. This is, you know,
let's find a way to get filed time function and the find clothes function in the fine next file
a function on so on and so forth.
So, like I said, we could find the the import address table manually in Ali, and there's playing tutorials out there to find it efficiently.
Unfortunately, the man who made this, um,
made some clever algorithms to find it for us. So now we have what looks to be the i e t. And we have the deal l dependencies that are
that we need to make a functioning p excusable. So here, I'm going to say fix the dump. And so the guy who made this was pretty smart, and he was saying, Okay,
you know, they've probably already have a dump of the file and here with my program, I can repair it. Aiken, build the eye a tea table toe. How what it looks like on memory,
and so we can select the unpacked
executed well that we have here.
boom, it creates another execute ble copies. Everything over
Addison underscored to the end of that file and inserts and i a t that looks just like this one that looks like the one that found in memory.
So if we execute this one now,
it completely bypasses the unpacking coach straight to
And that's how you, uh,
pack a file or not Pack a file, but unpack a file
if you don't have the luxury of using u p x dash D. So the same technique of using
the push 80 and pop 80 instructions as indicators for when to,
follow Ah, jump into the original entry point, dump the code and then,
ah, use import reconstruction program like, uh,
import we constructor.
This will work with a lot of packers out there, such as S Pack and a few other common ones. And there are many tutorials on their tux. For you is a great website for finding tutorials on reverse engineering packers. And there's a lot of automated scripts that people have made for Ali to
fine certain data structures or help you just unpack things. In fact,
a few minutes ago, I found someone made a unpack er for Ali, and it did almost exactly what we did here, which was Find the push 80 instruction and find the poppy instruction.
You know, Chris plus place a breakpoint, dump it and then reconstructed with the import actress table.
So but it's good to know what's going on underneath the hood.