WinUpack is a packer with a GUI front-end. It is designed for optimal compression rather than for security, but still uses security measures that make it harder to locate the OEP.
The command line version of this packer is called UPack.
Malware packed with WinUpack/UPack often has corrupted PE headers. This is used as an anti-debugging technique.
To unpack this packer, set breakpoints on LoadLibrary to list the loaded libraries and on GetProcAddress to identify the functions called. The objective is to stop at the last loaded library and the last called function, so as to be as close to the tail jump as possible.
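The header corruption mentioned above can be checked statically before opening the debugger. The following Python sketch is an added example, not code from the original page or from the book: it applies a few generic PE32 sanity checks (an assumption about what "corrupted" may look like, not a list of UPack's actual modifications) to two constructed header blocks, and all function names and sample values are hypothetical.

```python
import struct

def pe_header_anomalies(data: bytes) -> list:
    """List header oddities in a PE32 image; an empty list means none were found."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["not an MZ executable"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24                       # PE signature (4) + COFF header (20)
    if opt + 96 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["e_lfanew does not lead to a complete PE header"]
    findings = []
    if e_lfanew < 0x40:                       # a regular DOS header is 0x40 bytes long
        findings.append("PE header overlaps the DOS header")
    n_sections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    if opt_size != 0xE0:                      # standard size for PE32 with 16 directories
        findings.append(f"SizeOfOptionalHeader is {opt_size:#x}, not 0xe0")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    if n_dirs != 16:
        findings.append(f"NumberOfRvaAndSizes is {n_dirs}, not 16")
    table = opt + opt_size                    # section table follows the optional header
    covered = False
    for i in range(n_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            findings.append("section table runs past end of file")
            break
        vsize, vaddr, rsize = struct.unpack_from("<3I", data, off + 8)
        covered |= vaddr <= entry < vaddr + max(vsize, rsize)
    if not covered:
        findings.append("entry point is outside every section")
    return findings

def build_sample(e_lfanew: int, opt_size: int, n_dirs: int) -> bytes:
    """Constructed 0x400-byte header block with one section at RVA 0x1000."""
    buf = bytearray(0x400)
    buf[:2] = b"MZ"
    opt = e_lfanew + 24
    struct.pack_into("<4sHH12xHH", buf, e_lfanew, b"PE\0\0", 0x14C, 1, opt_size, 0x102)
    struct.pack_into("<H", buf, opt, 0x10B)           # PE32 magic
    struct.pack_into("<I", buf, opt + 16, 0x1190)     # AddressOfEntryPoint (constructed)
    struct.pack_into("<I", buf, opt + 92, n_dirs)     # NumberOfRvaAndSizes
    struct.pack_into("<8s3I", buf, opt + opt_size, b".text", 0x1000, 0x1000, 0x200)
    struct.pack_into("<I", buf, 0x3C, e_lfanew)       # written last: may land inside the PE header
    return bytes(buf)

if __name__ == "__main__":
    for name, args in (("regular", (0x80, 0xE0, 16)), ("overlapped", (0x10, 0x148, 10))):
        print(name, pe_header_anomalies(build_sample(*args)))
```

To triage a real file, pass the bytes read from disk to `pe_header_anomalies`; a non-empty result is a hint that tools with strict PE parsers may complain when loading it.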
Manually unpacking WinUpack
The following content explains how to unpack Lab18-05.exe from the Practical Malware Analysis book. It has been performed on a Windows XP virtual machine.
PEiD indicates that the packer is "Upack 0.39 beta -> Dwing".
Because the malware has corrupted PE headers, OllyDbg reports errors when loading it. The malware can still be loaded, but OllyDbg can't find the entry point of the unpacking stub. The best strategy is to list the loaded libraries, then list the functions of the last loaded library to identify the last one. At this point, we should be close to the tail jump.
LoadLibrary
Press + and enter "LoadLibraryA". Then press to make a breakpoint. Do the same with "LoadLibraryW". Then run the malware ( ). This lets you list the loaded libraries:
After the last one, the program continues. We know that comctl32.dll is the last library.
GetProcAddress
Now, let's perform the same operations as above, but stop when the program reaches the last library (comctl32.dll). Then, we press + , enter "GetProcAddress" and then to create a breakpoint. This lets us list the loaded functions. We then run the malware several times ( ) and are able to list the following functions:
Here again, after calling InternetOpenA, the malware continues. At this point, we know that this last call is close to the OEP.
Locating the tail jump
Now, we perform the same operations as before and stop when the malware reaches the call to InternetOpenA. Step over ( ) until the return of GetProcAddress at offset 0x7C80AE8F and step in ( ).
You should arrive at 0x408EB4.
Step over the 2 next instructions to arrive at 0x408E9E:
The code at 0x408E91 is as follows:
When you step over the retn instruction, you arrive at 0x401190, which is the OEP:
Save it with Plugins > OllyDump > Dump debugged process
If you load the unpacked version into IDA-Pro, you will notice that the imports are not resolved:
You can then rename the missing imports in IDA-Pro using this technique.