Unpacking SimplePack

By packing a malicious executable, malware authors ensure that when it is opened in a disassembler it will not show the real sequence of instructions, which makes malware analysis a lengthier and more difficult process.

SimplePack is yet another packer often used by malware authors; it compresses the original code with LZMA. When the packed process is opened in a debugger, the packed code starts with a PUSHAD instruction, as seen in Figure 1. PUSHAD pushes all eight general-purpose registers onto the stack (EAX, ECX, EDX, EBX, the original ESP, EBP, ESI and EDI, in that order), so the value of EDI ends up in the uppermost dword of the stack. Because the unpacking stub has to restore those registers with a matching POPAD before it hands control to the original code, that dword is the natural place to watch.


Figure 1. Starting instructions of the packed file

The next step is to set a hardware on-access breakpoint on the uppermost dword of the stack (the address held in ESP) once the PUSHAD instruction has executed. The breakpoint fires when the stub reads that dword back and, as shown in Figure 2, the POPAD, PUSH and RETN instructions are then encountered.


Figure 2. Assembly instructions when hardware breakpoint triggers

When the debugger executes the RETN instruction, control is transferred to the original code and, as shown in Figure 3, we can see the initialization of the stack frame.


Figure 3. The initialization of the stack frame.

Once execution reaches this stack-frame initialization, the debugged process has to be dumped, with EIP at that instruction, to obtain the unpacked file. As with any process dump, the import table of the dumped file usually has to be rebuilt before it will run on its own.
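The procedure above (PUSHAD at the packed entry point, a breakpoint on the dword PUSHAD just stored, then POPAD / PUSH / RETN into the original code) can be reproduced on a toy x86 emulator. The following is an added example, not code from the original post or from SimplePack: it constructs a synthetic image whose stub mimics that shape and replays the breakpoint logic. The NOPs standing in for the decompression loop, the addresses, and the assumption that the PUSH is a PUSH imm32 carrying the original entry point are all constructed for illustration.

```python
"""Toy x86 emulator reproducing the PUSHAD / hardware-breakpoint unpacking trick.

Constructed example for illustration; it is not the SimplePack stub and only
understands the handful of opcodes the walkthrough needs.
"""
import struct

# One-byte opcodes the emulator understands.
OP_PUSHAD, OP_POPAD, OP_PUSH_IMM32, OP_RETN, OP_NOP = 0x60, 0x61, 0x68, 0xC3, 0x90

# Order in which PUSHAD stores the registers (EDI ends up on top of the stack).
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


class Cpu:
    def __init__(self, image, base, esp):
        self.image, self.base = image, base
        self.regs = {r: 0x11110000 + i for i, r in enumerate(REGS)}  # arbitrary values
        self.regs["esp"] = esp
        self.initial = dict(self.regs)
        self.mem = {}      # stack memory: dword address -> value
        self.watch = None  # address of the hardware on-access breakpoint
        self.hit = None    # eip of the instruction that read the watched dword

    def fetch(self, eip, n=1):
        off = eip - self.base
        return self.image[off:off + n]

    def push(self, value):
        self.regs["esp"] -= 4
        self.mem[self.regs["esp"]] = value & 0xFFFFFFFF

    def pop(self, eip):
        addr = self.regs["esp"]
        if addr == self.watch and self.hit is None:
            # A real debugger reports the break after this instruction retires.
            self.hit = eip
        value = self.mem[addr]
        self.regs["esp"] += 4
        return value

    def step(self, eip):
        op = self.fetch(eip)[0]
        if op == OP_PUSHAD:
            esp0 = self.regs["esp"]
            for r in REGS:                     # pushes the original ESP, not the moving one
                self.push(esp0 if r == "esp" else self.regs[r])
            return eip + 1
        if op == OP_POPAD:
            for r in reversed(REGS):           # EDI is popped first
                value = self.pop(eip)
                if r != "esp":                 # POPAD discards the saved ESP
                    self.regs[r] = value
            return eip + 1
        if op == OP_PUSH_IMM32:
            self.push(struct.unpack("<I", self.fetch(eip + 1, 4))[0])
            return eip + 5
        if op == OP_RETN:
            return self.pop(eip)
        if op == OP_NOP:
            return eip + 1
        raise ValueError(f"unsupported opcode {op:#x} at {eip:#x}")


def esp_trick(image, base, entry, stack_top=0x0012FF88, max_steps=10_000):
    """Run from the packed entry point, arm the on-access breakpoint on the dword
    PUSHAD stored last (saved EDI), and follow POPAD / PUSH / RETN to the OEP."""
    cpu = Cpu(image, base, stack_top)
    if cpu.fetch(entry)[0] != OP_PUSHAD:
        raise ValueError("expected PUSHAD at the packed entry point")
    eip = cpu.step(entry)
    cpu.watch = cpu.regs["esp"]   # uppermost dword of the stack right after PUSHAD
    tail = []                     # opcodes executed from the breakpoint onwards
    for _ in range(max_steps):
        op = cpu.fetch(eip)[0]
        nxt = cpu.step(eip)
        if cpu.hit is not None:
            tail.append(op)
        if op == OP_RETN:         # RETN lands on the original code: dump here
            return {"bp_eip": cpu.hit, "tail": tail, "oep": nxt,
                    "oep_bytes": bytes(cpu.fetch(nxt, 3)),
                    "regs_restored": cpu.regs == cpu.initial}
        eip = nxt
    raise RuntimeError("no RETN reached within step budget")


def build_sample(base=0x00400000, oep_rva=0x1000, entry_rva=0x5000):
    """Constructed image: stub at entry_rva, 'original' code at oep_rva."""
    image = bytearray(entry_rva + 0x40)
    image[oep_rva:oep_rva + 3] = b"\x55\x8B\xEC"          # push ebp / mov ebp,esp
    stub = bytes([OP_PUSHAD]) + bytes([OP_NOP]) * 16     # NOPs stand in for decompression
    stub += bytes([OP_POPAD, OP_PUSH_IMM32]) + struct.pack("<I", base + oep_rva)
    stub += bytes([OP_RETN])
    image[entry_rva:entry_rva + len(stub)] = stub
    return bytes(image)


if __name__ == "__main__":
    result = esp_trick(build_sample(), 0x00400000, 0x00405000)
    print({k: (hex(v) if isinstance(v, int) else v) for k, v in result.items()})
```

The returned `tail` is the POPAD, PUSH, RETN sequence of Figure 2, `oep` is where RETN lands, and `oep_bytes` shows the `push ebp / mov ebp,esp` stack-frame set-up of Figure 3, which is the point at which the process would be dumped.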

In this post we have discussed how to manually unpack SimplePack. For details on manually unpacking other commonly encountered packers such as PECompact 1.x, Molebox, PE-Pack, WinUpack and PolyCrypt, we encourage readers to read our recently published article "Quick Reference for Manual Unpacking II" in the July 2012 issue of Virus Bulletin.