rednetadmin

Malware Analysis and Malware Reversing Trainings

Many tricks can be devised to unpack malware. This trick applies to malware that overwrites its image header while unpacking.

Sample used:
sha1: 320fe97d257b99edb4089daea01fce31a13eabaa850ccae9e8b7e59342cb31c7
md5: dca9106dc8556f9a15d7e18b4fad5d44

This is an Armadillo-packed sample. Let's check the PE header of the packed file. You can use tools like CFF Explorer, Hiew and many others.

Fig: PE header - entry point 0x1D16

Now load the file in OllyDbg. Place a breakpoint on ExitProcess(). Press F9 to execute. Allow the sample…
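The post reads the entry point out of the PE header with a GUI tool. The following added example (written for this page; it is not the author's code and no real sample is involved) does the same from a script: it walks the DOS header, the PE signature, the COFF header and the optional header to pull out the AddressOfEntryPoint and ImageBase, and it shows what an analyst sees once a packer stub has overwritten the in-memory header: the same parser simply fails. The header bytes it parses are constructed in `build_minimal_pe` for demonstration; the field offsets come from the PE/COFF specification.

```python
"""Read the entry point and a few other fields from a PE header, on disk or from
a dumped memory image, the way CFF Explorer or Hiew display them. Added example,
not code from the original post."""
import hashlib
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
OPT_MAGIC_PE32 = 0x10B
OPT_MAGIC_PE32PLUS = 0x20B


def parse_pe_header(data: bytes) -> dict:
    """Return machine, section count, entry point RVA and image base.

    Raises ValueError when the bytes do not form a readable PE header, which is
    exactly the state a packer leaves the image in after overwriting the header.
    """
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4                                         # 20-byte COFF file header
    machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20                                             # optional header starts here
    if opt_size < 24 or opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    if magic == OPT_MAGIC_PE32:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == OPT_MAGIC_PE32PLUS:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {
        "machine": machine,
        "sections": nsections,
        "entry_point_rva": entry_rva,
        "image_base": image_base,
        "entry_point_va": image_base + entry_rva,
    }


def header_is_readable(data: bytes) -> bool:
    """True when parse_pe_header succeeds; False for a clobbered header."""
    try:
        parse_pe_header(data)
        return True
    except ValueError:
        return False


def file_hashes(data: bytes) -> dict:
    """Hashes an analyst records before touching a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_minimal_pe(entry_rva: int, image_base: int = 0x400000, pe32plus: bool = False) -> bytes:
    """Construct a minimal, non-executable PE header (constructed test data)."""
    e_lfanew = 0x40
    dos = DOS_MAGIC + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # exactly 0x40 bytes
    # Optional header: Magic, linker major/minor, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint (offset 16), then BaseOfCode and ImageBase.
    if pe32plus:
        opt = struct.pack("<HBBIIII", OPT_MAGIC_PE32PLUS, 14, 0, 0x200, 0x200, 0, entry_rva)
        opt += struct.pack("<IQ", 0x1000, image_base)          # ImageBase at offset 24
        machine = 0x8664                                       # IMAGE_FILE_MACHINE_AMD64
    else:
        opt = struct.pack("<HBBIIII", OPT_MAGIC_PE32, 14, 0, 0x200, 0x200, 0, entry_rva)
        opt += struct.pack("<III", 0x1000, 0x2000, image_base)  # BaseOfData, then ImageBase at 28
        machine = 0x14C                                        # IMAGE_FILE_MACHINE_I386
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, len(opt), 0x0102)
    return dos + PE_SIGNATURE + coff + opt


def simulate_header_overwrite(data: bytes, size: int = 0x200) -> bytes:
    """Model the packer behaviour the post describes: the first page of the
    image is overwritten, so the DOS/PE headers are no longer parseable."""
    return b"\0" * min(size, len(data)) + data[min(size, len(data)):]


if __name__ == "__main__":
    sample = build_minimal_pe(0x1D16)                          # entry point from the post's figure
    print(file_hashes(sample))
    print({k: hex(v) for k, v in parse_pe_header(sample).items()})
    print("header readable after overwrite:", header_is_readable(simulate_header_overwrite(sample)))
```

On a real dump you would read the bytes from disk (`open(path, "rb").read()`) instead of calling `build_minimal_pe`; a header that fails to parse in a process dump while the on-disk file parses cleanly is the signal that the packer has clobbered it, and you will need to rebuild the header from the original file before a dumped image becomes loadable again.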