Saturday 7 May 2016

Packing and Unpacking

Please read the complete article without skipping any part, so that everything makes sense.

What is packing a program? Packing is a way to obfuscate and compress a program so that the executable becomes smaller. A packer obfuscates (here, compresses) the original program and adds some code to the EXE that deobfuscates the original program again when it runs. This obfuscation is done in many ways, depending on the type of packer. In this article, I will write about how the UPX packer packs a program, and how to unpack it using OllyDbg.

To identify what type of packer a program is using, we use PEiD ( Download here )
ImpREC ( Import Reconstructor ) is also used: Download
LordPE is also used in this article. Download it here : Download

Download this packed program : Download

--------------------------------------------------------------------------------------------------------------------------

UPX stands for Ultimate Packer for Executables. When an executable is packed with UPX, the sections of the PE file (such as the text, resource and data sections) are compressed and renamed to UPX0, UPX1 etc. You can see this in PEiD. After the sections have been compressed, a stub is added to the code of the original program. This stub contains the code that decompresses all the compressed sections while the packed program is executing.
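A way to do that identification step from the section table instead of with PEiD, as an added example that is not part of the original post: a stdlib-only Python script that reads the PE section headers, flags the UPX0/UPX1 section names, finds which section the entry point lies in (with UPX that is the stub section, not the original text section) and measures that section's entropy. The build_sample helper constructs a minimal PE32 image inline so that it runs offline; the section layout and the 4096-byte payloads are constructed sample values, not data from a real packed file.

```python
import math
import random
import struct

UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # section names UPX assigns (what PEiD shows)

def shannon_entropy(buf):
    """Bits per byte: compressed data sits near 8.0, plain x86 code well below."""
    if not buf:
        return 0.0
    counts = [buf.count(bytes([v])) for v in range(256)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def parse_pe(data):
    """Return (entry-point RVA, [(name, VA, VirtualSize, raw bytes), ...]) of a PE32 image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24                                           # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0"), va, vsize, data[rptr:rptr + rsize]))
    return entry, secs

def upx_indicators(data):
    """The signs the article relies on: UPX section names, entry point in the stub section, high-entropy payload."""
    entry, secs = parse_pe(data)
    hit = next(((n, raw) for n, va, vs, raw in secs if va <= entry < va + max(vs, len(raw))), (b"?", b""))
    return {"upx_names": bool({n for n, *_ in secs} & UPX_NAMES),
            "entry_section": hit[0].decode(), "entry_entropy": round(shannon_entropy(hit[1]), 2)}

def build_sample(names, payload, entry):
    """Constructed minimal PE32 image (not a compiled program): a raw-less first section plus a second one holding payload at file offset 0x200."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(0xE0, b"\0")  # PE32 magic, entry
    secs = struct.pack("<8sIIII", names[0], 0x10000, 0x1000, 0, 0) + b"\0" * 16
    secs += struct.pack("<8sIIII", names[1], len(payload), 0x11000, len(payload), 0x200) + b"\0" * 16
    return (dos + coff + opt + secs).ljust(0x200, b"\0") + payload

def demo():
    """A UPX-looking sample next to a plain-looking one; returns both indicator dicts."""
    rng = random.Random(7)                                  # fixed seed: reproducible "compressed" bytes
    packed = build_sample([b"UPX0", b"UPX1"], bytes(rng.getrandbits(8) for _ in range(4096)), 0x11100)
    plain = build_sample([b".text", b".data"], b"\x55\x8b\xec\x90" * 1024, 0x11000)
    return upx_indicators(packed), upx_indicators(plain)
```

Run upx_indicators() on a real file's bytes to get the same three fields; demo() just exercises it on the two constructed images.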

You can download UPX from here : download

I packed the program with the following command:



We can directly unpack any UPX-packed file with the UPX packer itself, by running the following command from the command prompt: upx.exe -d "file name.exe"

But sometimes the UPX packer can be fooled and the above command won't work. Then the only option left is to unpack the file manually. To do that, first open the file in OllyDbg. (You might want to do this whole thing in a Windows XP VMware machine, because ImpREC and LordPE do not seem to work on Windows 7.)

When you do that, you will land on a "PUSHAD" instruction.



In many cases this is the first instruction, and EIP will point to it. But sometimes it comes after a few instructions. PUSHAD is similar to PUSH, but PUSHAD pushes all the general-purpose registers onto the top of the stack. Scroll down and you will find a POPAD instruction.



Beneath it there will be a JMP instruction that jumps to the Original Entry Point (OEP) of the program. Set a breakpoint on that JMP and run the file in OllyDbg.



The program pauses on that JMP instruction. Press F8 to take the jump to that address and note the address (which is now the current value of EIP).



Now, while Olly is still running, open LordPE, select the process you are debugging (i.e., the program), dump it and name the dump dumped.





Launch ImpREC, select the process you are debugging, enter the actual OEP in the OEP box and click the "IAT AutoSearch" button. It will find the import table.



Now click "Get Imports" to get all the imported functions; you will see the function names that are imported, grouped by DLL.



If you find any invalid functions, delete them by clicking on them and selecting "Delete Thunks". Once you have done this for all the invalid functions, click "Fix Dump" and select the file we dumped earlier with LordPE. It will be saved as dumped_.exe. Compare the file sizes of packed.exe and unpacked.exe: there is a huge difference. The packed file is 16KB, while the unpacked file is 40KB. That shows the compression done by UPX.



Now run the final dumped file to see whether it behaves normally. (If you did the whole process in Windows XP as recommended, the file will work only in Windows XP.)


There is also another way of doing this, which works directly on Windows 7 if that is what you are using. You can use an OllyDbg plugin called OllyDump. It does all the work of LordPE and ImpREC by itself, so it makes life easy (but not every time).
Download this plugin and place it in the OllyDbg folder. Use the normal version of OllyDbg, not a modified one. Download OllyDump


Select Plugins ---> OllyDump ---> Dump debugged process
Click "Get EIP as OEP" and check that the Entry Point has changed to the current EIP value. Then click Dump and save the file as Dumped1.exe



Run the final file, and it should all be good!

That is Packing and Unpacking. Thanks bros :)


