
Introduction

Some days ago I found several samples packed with the same packer. I think it is an old packer that looks like a "simple" wrapper, so I decided to write a static unpacker. Here is my brief analysis of the packer and the code I wrote.

Brief analysis

The packer I have analyzed looks like:

[image: 1.png]

It adds a new section (the last section) to the file and sets the entry point to that section. The last section is the stub: it holds some encrypted subroutines which finally decrypt the other sections.
To perform the unpacking process, the stub keeps a structure saved 5 bytes after the entry point. I have called this structure PACKER_ENGINE.

[image: 2.png]

original_entry_point → original entry point of the program after unpacking.
import_directory → import directory address of the unpacked program.
base_address → the image base address of the program.
crypted_block_rva_begin → the beginning of the encrypted data (normally the beginning of the first section).
crypted_block_size → the size of the encrypted data.
crypted_block_rva_end → the end of the encrypted data (the beginning of the last section).
bypass_size → the raw size of the last section, the one pointed to by "crypted_block_rva_end". In many cases the data of the last section is not encrypted.
xor_key → the algorithm that protects the data is a simple XOR; this field is the key of that algorithm.

The image below shows the case when the last section is not encrypted.

[image: 3.png]

The image below shows the case when the last section is encrypted.

[image: 4.png]

The PACKER_ENGINE values are protected with the NEG instruction, so before using them we have to NEG those fields again (negation is its own inverse).

Once we know this, the unpacking process is easy:
1. Collect the PACKER_ENGINE data.
2. Decrypt the data.
3. Change the entry point in the header.
4. Change the address of the import directory in the header.
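The four steps carried out in Python on a constructed toy PE32, as an added example that is not the post's code or the GitHub unpacker. The 32-bit little-endian width of the PACKER_ENGINE fields, the repeating-DWORD application of xor_key, and the handling of bypass_size (the last section's bytes are left alone unless the caller says it is encrypted, as in image 4) are assumptions of this example.

```python
import struct

# PACKER_ENGINE field order as listed in the post; 32-bit little-endian
# fields and a repeating DWORD XOR key are assumptions of this example.
FIELDS = ("original_entry_point", "import_directory", "base_address",
          "crypted_block_rva_begin", "crypted_block_size",
          "crypted_block_rva_end", "bypass_size", "xor_key")
u32 = lambda buf, off: struct.unpack_from("<I", buf, off)[0]

def neg32(v):
    return (-v) & 0xFFFFFFFF   # undo NEG: negation mod 2**32 is its own inverse

def sections(img):
    """Yield (VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    pe = u32(img, 0x3C)
    count, opt = struct.unpack_from("<H", img, pe + 6)[0], struct.unpack_from("<H", img, pe + 20)[0]
    for i in range(count):
        yield struct.unpack_from("<III", img, pe + 24 + opt + 40 * i + 12)

def rva_to_offset(img, rva):
    for va, raw_size, raw_ptr in sections(img):
        if va <= rva < va + raw_size:
            return raw_ptr + rva - va
    raise ValueError("RVA %#x has no file data" % rva)

def unpack(packed, last_section_encrypted=False):
    """Steps 1-4 of the post: read PACKER_ENGINE, decrypt, patch EP and import dir."""
    img = bytearray(packed)
    pe = u32(img, 0x3C)
    ep_off = rva_to_offset(img, u32(img, pe + 40))            # AddressOfEntryPoint
    eng = dict(zip(FIELDS, map(neg32, struct.unpack_from("<8I", img, ep_off + 5))))
    key, begin, end = struct.pack("<I", eng["xor_key"]), eng["crypted_block_rva_begin"], eng["crypted_block_rva_end"]
    for i in range(eng["crypted_block_size"]):
        # image 3: the bypass_size bytes of the last section are left untouched
        if last_section_encrypted or not end <= begin + i < end + eng["bypass_size"]:
            img[rva_to_offset(img, begin + i)] ^= key[i % 4]
    struct.pack_into("<I", img, pe + 40, eng["original_entry_point"])
    struct.pack_into("<I", img, pe + 128, eng["import_directory"])  # PE32 DataDirectory[1]
    return bytes(img), eng

def build_sample(key=0xDEADBEEF):
    """Constructed toy PE32 laid out like the packer: .text XORed, stub holds the engine."""
    img, pe, code = bytearray(0x800), 0x80, b"original code".ljust(0x200, b"\0")
    img[:2], img[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, pe)
    struct.pack_into("<H", img, pe + 6, 2)                   # NumberOfSections
    struct.pack_into("<H", img, pe + 20, 224)                # SizeOfOptionalHeader
    struct.pack_into("<I", img, pe + 40, 0x2000)             # entry point moved to the stub
    struct.pack_into("<III", img, pe + 248 + 12, 0x1000, 0x200, 0x400)   # .text header
    struct.pack_into("<III", img, pe + 248 + 52, 0x2000, 0x200, 0x600)   # stub header
    kb = struct.pack("<I", key)
    img[0x400:0x600] = bytes(b ^ kb[i % 4] for i, b in enumerate(code))
    vals = (0x1000, 0x1100, 0x400000, 0x1000, 0x200, 0x2000, 0x200, key)
    struct.pack_into("<8I", img, 0x605, *map(neg32, vals))  # NEG-protected, 5 bytes after EP
    return bytes(img)
```

`unpack(build_sample())` returns the decrypted file with the original entry point and import directory restored in the header, plus the recovered PACKER_ENGINE fields.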

Code and packed samples

The unpacker was implemented in both C/C++ and Python. The Python version isn't very efficient, but it works well.

GitHub: shrinkwrap_unpacker

Improvements

I haven't implemented it, but I think the last section can be deleted after the unpacking process:
1. Change the number of sections in the header.
2. Change the Size of Image.

Author: @D00RT
