Malware Analysis and Malware Reversing Trainings

Many tricks can be devised to unpack malware. This one applies to malware that overwrites its image header while unpacking.

Sample used:
sha1: 320fe97d257b99edb4089daea01fce31a13eabaa850ccae9e8b7e59342cb31c7
md5: dca9106dc8556f9a15d7e18b4fad5d44

This sample is packed with Armadillo. Let's check the PE header of the packed file. You can use tools like CFF Explorer, Hiew and many others.

Fig: PE header, entry point 0x1D16

Now load the file in OllyDbg.
Place a breakpoint on ExitProcess().
Press F9 to execute. Let the sample run until it hits ExitProcess so that it unpacks. You can check the memory strings in Process Explorer to see whether the sample has unpacked: you will see a difference compared with the static strings.

Fig: memory strings in Process Explorer

Now dump the header from memory. I used Process Hacker for the purpose; other tools can also be used.

Fig: Process Hacker, dump header from memory

Now look at the Entry Point in the dumped header.

Fig: dumped header EP 0x4C00

The image base of the process when loaded in Olly is 0x400000.
Restart OllyDbg and set a hardware breakpoint on execute at 0x404C00 (image base + RVA of the EP in the unpacked header: 0x400000 + 0x4C00).

Fig: ollydbg set hardware breakpoint on expected OEP

Now press F9 to execute.
Bam! You land on the actual OEP. You can see meaningful code at that point.
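The arithmetic behind the steps above, as an added Python example that is not part of the original post: it reads AddressOfEntryPoint out of a PE header blob (the on-disk one and the one dumped from memory), detects that the packer rewrote it, and computes the VA for the hardware breakpoint. The header bytes are constructed in-script with the post's values (EP 0x1D16 on disk, 0x4C00 in memory, image base 0x400000) rather than taken from the sample; `build_min_pe`, `entry_point_info` and `oep_breakpoint` are names chosen here.

```python
import struct
from typing import Optional

def build_min_pe(entry_rva: int, image_base: int = 0x400000) -> bytes:
    """Constructed minimal PE32 header (stand-in for the real sample):
    DOS header -> e_lfanew -> PE signature -> COFF header -> optional header."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase (PE32 offset)
    return dos + b"PE\0\0" + coff + bytes(opt)

def entry_point_info(pe: bytes) -> dict:
    """Read AddressOfEntryPoint and ImageBase from a PE header blob, whether it
    came from the file on disk or was dumped from the running process."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    if magic == 0x10B:                           # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                         # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {"entry_rva": entry_rva, "image_base": image_base,
            "entry_va": image_base + entry_rva}

def oep_breakpoint(disk_header: bytes, dumped_header: bytes, loaded_base: int) -> Optional[int]:
    """If the packer rewrote the entry point in the in-memory header, return the
    VA to place the hardware breakpoint on; None means the trick does not apply."""
    disk_rva = entry_point_info(disk_header)["entry_rva"]
    mem_rva = entry_point_info(dumped_header)["entry_rva"]
    if disk_rva == mem_rva:
        return None
    return loaded_base + mem_rva                 # base the debugger actually loaded at, not the header's

if __name__ == "__main__":
    packed = build_min_pe(0x1D16)   # EP of the packed file, as in the first figure
    dumped = build_min_pe(0x4C00)   # EP in the header dumped from memory
    print(hex(oep_breakpoint(packed, dumped, 0x400000)))  # 0x404c00
```

On a real case, replace the constructed blobs with the first page of the file and the header region dumped from the process; the same parsing applies.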


  1. rednetadmin April 2, 2019 at 5:25 am

    I like the topic, it is very helpful.


  2. prachi April 2, 2019 at 5:41 am

    Hello, good topic.

