Unpacking Exe32Pack
Exe32Pack is a relatively uncommon packer in the malware world, but I stumble onto samples occasionally. I wrote an unpacker for it a few months back and decided I might as well give some instructions on how to do it manually.
Load up your target in OllyDbg. What you should be seeing is something like this:
First thing you need to do is hide your presence. Exe32Pack calls IsDebuggerPresent, but in addition it seems to perform the same check inline, so setting a breakpoint on the IsDebuggerPresent API alone won't suffice. Find the debugger flag in memory and zero it out. One way to do that is described here. Another way is to use the OllyHide plugin.
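To see why a breakpoint on the API is not enough, it helps to look at what the check actually reads. The following is an added example, not code from the original post or from Exe32Pack: both kernel32!IsDebuggerPresent and an inline check come down to reading the BeingDebugged byte at offset 2 of the PEB (reached through fs:[0x30] in a 32-bit process). The struct below models only the first four bytes of the PEB; on non-Windows builds a constructed PEB with the flag set stands in for the real one so the logic can be exercised anywhere. The function and variable names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal model of the start of the 32-bit PEB: BeingDebugged is the byte at offset 2. */
typedef struct {
    uint8_t InheritedAddressSpace;    /* +0 */
    uint8_t ReadImageFileExecOptions; /* +1 */
    uint8_t BeingDebugged;            /* +2  <- what IsDebuggerPresent returns */
    uint8_t BitField;                 /* +3 */
} peb_head_t;

#if defined(_WIN32) && (defined(_M_IX86) || defined(__i386__))
#if defined(_MSC_VER)
#include <intrin.h>
#endif
/* Real PEB of the running 32-bit process: the TEB is at fs:[0] and holds the PEB pointer at +0x30. */
static peb_head_t *current_peb(void) {
    peb_head_t *peb;
#if defined(_MSC_VER)
    peb = (peb_head_t *)__readfsdword(0x30);
#else
    __asm__ volatile ("movl %%fs:0x30, %0" : "=r"(peb));
#endif
    return peb;
}
#else
/* Constructed stand-in PEB for non-Windows builds: flag set, as if a debugger were attached. */
static peb_head_t g_fake_peb = { 0, 0, 1, 0 };
static peb_head_t *current_peb(void) { return &g_fake_peb; }
#endif

/* What kernel32!IsDebuggerPresent does: return PEB->BeingDebugged.
   A breakpoint on the API lets the analyst patch this return value (EAX) to 0. */
static int api_style_check(const peb_head_t *peb) {
    return peb->BeingDebugged != 0;
}

/* The packer's inline variant: same byte, read directly with no call into kernel32,
   so a breakpoint on the API never fires for this check. */
static int inline_check(const peb_head_t *peb) {
    const uint8_t *raw = (const uint8_t *)peb;
    return raw[2] != 0;
}

/* Strategy 1: only fake the API's return value (breakpoint on IsDebuggerPresent, set EAX = 0).
   Returns how many of the two checks still detect the debugger. */
static int detections_with_api_patch_only(const peb_head_t *peb) {
    int api_result = 0;                    /* forced by the breakpoint handler */
    int inline_result = inline_check(peb); /* untouched: still reads the real byte */
    return api_result + inline_result;
}

/* Strategy 2: zero the flag in memory (what the post recommends, or what OllyHide does).
   Both checks read the same byte, so both now report "no debugger". */
static void clear_being_debugged(peb_head_t *peb) {
    peb->BeingDebugged = 0;
}

static int detections_after_zeroing(peb_head_t *peb) {
    clear_being_debugged(peb);
    return api_style_check(peb) + inline_check(peb);
}

int main(void) {
    peb_head_t *peb = current_peb();
    printf("API-style check:  %d\n", api_style_check(peb));
    printf("inline check:     %d\n", inline_check(peb));
    printf("API patched only: %d check(s) still fire\n", detections_with_api_patch_only(peb));
    printf("flag zeroed:      %d check(s) still fire\n", detections_after_zeroing(peb));
    return 0;
}
```

With the flag set, patching only the API result leaves the inline check firing (1 of 2), while zeroing the byte in the PEB silences both, which is exactly the difference between an OEP full of garbage and a clean dump.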
Single-step a few times to reach the “cmp eax, eax” instruction at offset 00437013. Set a hardware breakpoint (on access, dword) at the address contained in the ESP register. Once the hardware breakpoint is in place, press F9 to run free.
When the hardware breakpoint you just set fires, you should be seeing the following:
Single-step three more times (the last instruction before the OEP is a “jmp eax”). Dump the image and you're ready to analyze.
Note: If you failed to hide your presence, you will see garbage code at the OEP, which will crash the program when executed. If that is the case, hide yourself better and redo the unpacking :)
March 12th, 2007 at 10:38 am