By packing their malicious executables, malware authors ensure that, when these files are opened in a disassembler, they do not show the real sequence of instructions, which makes analysis slower and more difficult. One method of locating the address of the first instruction of the code as it was before packing, also known as the Original Entry Point (OEP) of the file, is to set breakpoints on the APIs that the unpacking stub uses to set up the execution environment, such as LoadLibraryA, and then single-step from there until the code sets up a stack frame (for example PUSH EBP / MOV EBP,ESP). A stack-frame setup of that kind marks the start of the original, now unpacked, code.
For many commonly occurring packers, there are specific, repeatable steps for locating the OEP.
For example, in the case of NSPack, as shown in Figure 1.0, the packed file starts with the instructions PUSHFD, PUSHAD, which save the flags and the general-purpose registers before the unpacking stub runs.
Figure 1.0 showing the starting instructions for NSPack
To locate the OEP, look for the matching POPAD and POPFD instructions, which restore the registers and flags once the unpacking stub has finished, as shown in Figure 2.0. These instructions are followed by a JMP that transfers control to the unpacked code. Put a breakpoint on that JMP instruction. When the breakpoint triggers, step once: EIP is now at the OEP, and the process can be dumped to obtain the unpacked file.
Figure 2.0 showing the instructions just before the jump to the unpacked code.
The logic above can be converted into an OllyScript, as shown in Figure 3.0. The command find eip, #619DE9# searches forward from EIP for the byte pattern 61 9D E9, that is, POPAD (61) followed by POPFD (9D) and then a JMP rel32 (E9), and leaves the address of the match in $RESULT. Once the sequence is located, the script sets a breakpoint on the JMP, runs to it and single-steps once, at which point the debugger is at the OEP instruction. The process then has to be dumped with a plugin such as OllyDump in order to get the unpacked version of the file; use OllyDump's "Get EIP as OEP" option so that the entry point written into the dumped file is the OEP rather than the packer's original entry.
Figure 3.0 showing the OllyScript to locate the OEP for NSPack.
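As an added example, not code from the original article or from the script in Figure 3.0, the following Python mirrors what find eip, #619DE9# does, but statically over a byte buffer: it scans a code region for the POPAD; POPFD; JMP rel32 sequence and resolves each jump's target to obtain an OEP candidate, optionally discarding targets that fall outside the mapped image. The stub bytes, the addresses 0x00410000 and 0x00401000, and the image size are constructed for illustration and are not taken from a real NSPack sample.

```python
import struct

# Opcodes behind the OllyScript pattern #619DE9# discussed above.
POPAD = 0x61          # restore general-purpose registers saved by PUSHAD
POPFD = 0x9D          # restore EFLAGS saved by PUSHFD
JMP_REL32 = 0xE9      # 5-byte relative jump: E9 <rel32>
PATTERN = bytes([POPAD, POPFD, JMP_REL32])


def find_oep_candidates(code, base, image_base=None, image_size=None):
    """Scan a code region that was loaded at virtual address `base` for
    POPAD; POPFD; JMP rel32 and compute where each JMP lands.

    Returns a list of (jmp_va, oep_va) tuples. If image_base/image_size
    are given, targets outside the mapped image are discarded, which
    filters out the occasional accidental match in data.
    """
    hits = []
    pos = code.find(PATTERN)
    while pos != -1:
        jmp_off = pos + 2                     # offset of the E9 byte
        if jmp_off + 5 <= len(code):          # need E9 plus a full rel32
            rel32 = struct.unpack_from("<i", code, jmp_off + 1)[0]
            jmp_va = base + jmp_off
            # x86 relative jumps are taken from the end of the instruction.
            oep_va = (jmp_va + 5 + rel32) & 0xFFFFFFFF
            in_image = (image_base is None or
                        image_base <= oep_va < image_base + image_size)
            if in_image:
                hits.append((jmp_va, oep_va))
        pos = code.find(PATTERN, pos + 1)
    return hits


def build_stub(base, oep, padding=14):
    """Constructed NSPack-style stub for testing: PUSHFD; PUSHAD; <padding>
    NOPs standing in for the decompression code; POPAD; POPFD; JMP oep.
    This is a synthetic stand-in, not bytes from a real sample."""
    jmp_va = base + 2 + padding + 2           # VA of the E9 byte
    rel32 = oep - (jmp_va + 5)
    return (bytes([0x9C, 0x60]) + b"\x90" * padding +
            PATTERN + struct.pack("<i", rel32))


# Hypothetical addresses: the stub is mapped at 0x00410000 and the real
# program starts at 0x00401000 inside an image of 0x20000 bytes at 0x00400000.
STUB_BASE = 0x00410000
TRUE_OEP = 0x00401000
IMAGE_BASE, IMAGE_SIZE = 0x00400000, 0x20000

if __name__ == "__main__":
    stub = build_stub(STUB_BASE, TRUE_OEP)
    for jmp_va, oep_va in find_oep_candidates(stub, STUB_BASE,
                                              IMAGE_BASE, IMAGE_SIZE):
        print("JMP at %08X -> OEP candidate %08X" % (jmp_va, oep_va))
```

This static scan only works when the final jump is a direct E9 whose displacement is already fixed up in the bytes being scanned, which is exactly what the #619DE9# pattern assumes; if a stub computes its target at run time, the debugger approach (break on the JMP, step once, read EIP) is the one that yields the true OEP. The unpacked code is also only present in memory once the stub has finished, so the scan tells you where to expect the OEP and does not replace the step-and-dump.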
For more information on manual unpacking techniques for other commonly occurring packers such as UPX, ASPack, kkrunchy, PECompact v2.x, FSG 2.0, FSG 1.0, MEW, and PE Diminisher, read our recently published article in the April 2012 issue of Virus Bulletin. The article gives details on manually unpacking each of these packers, along with the OllyScripts that automate the process.