Vulnerability Development mailing list archives

Re: unpacking UPX or PE-packed binaries


From: Gadi Evron <ge () egotistical reprehensible net>
Date: Fri, 23 Apr 2004 10:22:38 +0200

> Just interested in how AV R&D companies unpack worms with complex UPX and PE
> pack protocols.

Myself, I haven't been a reverse engineer for years now, so there are far more knowledgeable people around who can answer you, but the basic answer would be: it depends on the packer.

Some are simple scramblers, moving the EP and "jumbling the PE binary" in layman's terms, so you'd need to find the original EP and follow things from there. Some use more sophisticated ways such as obfuscation, anti-debugging code, anti-softice code, etc. That is when things get tricky.

Usually there exist unpackers, or such tools are built by the researcher who is in need.

When one does not exist, in most (uncomplicated) cases, a memory dump would work fine. There are many online tools to accomplish this.

A third way I can think of right now is the use of an emulator. Usually full API emulators can be found only in AV labs for limited use. None can be found for commercial use as far as I know (yet).

When VX-ers pack a sample they just make the AV researcher work a bit harder. Usually that means 2-4 more seconds of work, so if we follow the concept of Security by Obscurity, they actually only harm their "cause" by drawing attention to themselves rather than tackle AV researchers.

In rare cases it takes a bit longer than 4 seconds, and gaining a bit of time before a signature is out there is all the VX-ers accomplish. That isn't much and is actually a bad idea as I hinted above (drawing attention to the binary).

Lately VX-ers have been using many double and triple-packing techniques. These don't help them much but, as they learned, about half of the AV engines out there can't deal with that (or packed files, in any case, to begin with).

Which is why in many cases we see an exact duplicate of a sample, only re-packed with a different packer, declared as a new threat, as some of the AV engines can't cope with it. Notable exceptions that do deal with this issue, each to a different level, are: Kaspersky, BitDefender, DrWeb, McAfee and Norton, among others.

> Been trying to dissect the recent Gaobot variants and getting nowhere with

There are 3 to 20 new Agobots coming out every day.. which ones? :)

> my generic UPX-unpacker. Since this is more and more commonly used, I
> thought it would be wise to consult the Lists.

Generic UPX? "upx -d" should work fine. A few reasons why it might not: it is not a generic UPX-packed file, maybe some tool such as UPXredir(ect) was used, or maybe the UPX header is broken. You'll have to play with it a bit.

Myself, as I already mentioned, I haven't done anything remotely similar in years and can hardly be called an expert, but I know a couple of guys who had too much experience in this, such as Nicolas Brulez, Rolf Rolles and Joe Stewart. Maybe one of them, or someone else, would answer your question more comprehensively.

For generic UPX I suppose you should have no problem using a memory dump tool, but again - it all depends on the actual packer used.

On a final note, if I misunderstood you and a sample infected you and you are just trying to get rid of it: if you'd like, you can PGP/GPG/ZIP-passwd the sample to me and I'd get back to you about what it is and how to get rid of it.

        Gadi Evron.

--
Email: ge () linuxbox org. Backup: ge () warp mx dk.
Phone: +972-50-428610 (Cell).

PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450