TransWikia.com

What is unpack? how to become professional Unpacker?

Reverse Engineering Asked on July 27, 2021

I asked a lot of questions in this forum about RE and I am a beginner who is very interested in reverse engineering. (i am learning the RE with Lena151)

  1. What is unpack?
  2. Which tools need to unpack a software?
  3. Is there anyway for manual unpack?
  4. How to unpack software that used unknown packer?
  5. Is there any tutorial that learn unpacking 0-100?
  6. How-to Go From Zero to Hero in Unpacking?

I want to know more about unpacking, all the things that make me a professional.

One Answer

That's a set of very wide questions ...

I'll try to answer as good as I can, but you are asking for something that is so broad, I'm afraid that I can't answer everything.

  1. What is unpacking?

Unpacking is the action of removing the protections layers used by malware in order to reach its core payload. When a malware is packed, everything looks scrambles and messy, and you can't really see (from a static point of view) what the payload is doing. Try to see it like an "armor" around the malware, only here to slow down your analysis (and mess with AV product performing static detection). If you find a sample that is packed, you generally don't have any clue on what is the malware inside this 'protection' nor what it's doing, unless you unpack it.

  1. Which tools need to unpack a software?

A simple debugger can help you unpack the majority of packers. Sometime you'll also find automated unpacker scripts for well-known packers (standalone or compatible with your debugger or even static unpacker). Sometimes the packer is open-source, and contains unpacking capabilities. You also have some online services that are able to unpack stuff for you (Thinking about unpac[.]me).

  1. Is there anyway for manual unpack?

Yes. The rule is simple: if the malware is running (meaning that it is able to unpack itself at runtime and execute it's core payload), you will always have the ability to trace everything and examine its behavior. What is important is not 'can I do it manually' — the answer will only be 'yes', but 'how much time can I spend on this?' or 'is the complexity level worth my time?'.

  1. How to unpack software that used unknown packer?

After a bit of experience, you'll find that common packers are designed in the same way, and are using the same techniques. You'll always find a new clever technique from time to time, but the philosophy behind it will stay the same. If you are stuck on an unknown packer, you can try to find which packer does this look's like, and where are the differences. And remember, if it runs, you can always dump the unpacked process :) You don't have to manually unpack everything.

  1. Is there any tutorial that learn unpacking 0-100?

No, it would be too easy. But you can find some tutorial on how to unpack X sample. Try to reproduce them. My personal advice would be to learn how to unpack something protected with a specific packer by following along with a write-up, then search another malware that is using the same packer, and do it alone. Then repeat with another packer. After some time, you'll see that it's almost every time the same thing.

  1. How-to Go From Zero to Hero in Unpacking?

Practice. Practice again and again. Start with an easy packer (open-source ones or widely used) and slowly increase the level. If you are stuck, search for some write-ups. If you are really stuck, search for something easier. You'll come back to it later.

Unpacking can be a bit frustrating and time-consuming at first, but eventually it will become almost automatic for you. You just have to try again and again. It's OK if you start with basic packed malware. It will help you to build an understanding on how it works. Then the slight variations from the standard unpacking process will become obvious.

Some resources:

Correct answer by Guillaume on July 27, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP