Wednesday, July 10, 2013

[Tutorial] Finding OEP and unpacking Malware packed with ASPACK 2.12

Just FYI, there wont be a whole lot of technical explanation in this post. Its just a quick tutorial.
First we Identify that the exe is packed. Now we need to locate the OEP

This malware was packed with: ASPACK 2.12 


Load it up on Ollydbg.

Now the exe is loaded we need to look at the ECX register.

ECX holds 0012FFB0

We rightclick and choose follow in dump.

Now we have a hex dump in the lower left corner of Olly.

So we select the first four bytes and set a hardware on access breakpoint using WORD.

In the screenshot we can see the breakpoint:

Yay we have a breakpoint!!!


Now we need to run the program. And step 3 times.

Now we should see the following in Olly:






This is the OEP!!!

Now we use a sweet little plugin called Analyze this available here:
http://www.openrce.org/downloads/details/174/Analyze_This
This plugin allows Olly to re-analyze the code so it appears normal! This is great for us.

Lets run it:



This is our result! Thats nice. (we really didnt need to do this, but its fun)

Now we need to dump the process from memory to get the unpacked executable.



So we right clicked and selected dump debugged process, now we get the above menu.

Here we will want to uncheck Rebuild Import, Why?

Because Olly tends to screw this up, we will be using Import Reconstructor AKA ImpRec.
Download it here: http://www.woodmann.com/collaborative/tools/index.php/ImpREC


We will also want to copy the value in the Modify box. In this case it is 16A0.

Now you will dump the executable and save it.

The next step is to rebuild the Import Table.

Fire up ImpREC.



This is where the Modify value we copied earlier will come in.

You will be presented with the following:


We will attach it to the process that Olly created.

It will do its thing....

Now we will enter the value we copied.


Enter it in the OEP box like so:




And then we click auto search.





And you will be presented with the following:





Click OK then Get Imports.





It appears everything worked!! Now we can check it by clicking show invalid.

Right click and select cut Thunks.






Then we hit Fix Dump and save our newly fixed exe.

Select the exe you saved from Ollydump and open it.

Congrats you have unpacked the Malware!!!