Unpacking PE-PACK

PE-PACK is a remnant from the old days. Released in 1998 by ANAKiN, it is still not uncommon to stumble onto a sample packed with it today. I received a spam today that carried a piece of malware packed with PE-PACK. The malware itself was largely unrecognised by AVs: it is a mass-mailing worm, detected as either W32.Huegone or W32/Walla, and it targets Arabic or Persian computers only. It contains some cscript and whatnot, but enough about the malware itself; let's get back to the packer.

PE-PACK is as easy to unpack as UPX. When you load the target in OllyDbg you’ll see this:

PE-PACK entrypoint

Single-step a few times until you reach 0040A000. You'll see this:

PE-PACK start

So, what we are seeing here is the packer stub pushing all the registers onto the stack (PUSHAD). This is common behaviour in packers. What we need to look for in the code is the matching POPAD instruction, or a sequence of instructions that restores the registers manually, because the stub has to put the registers back before it hands control to the unpacked program. Sure enough, a little below we can see the following set of instructions:

PE-PACK footer

Set a breakpoint on the jmp eax instruction and press F9 to run the target. Single-step once through the jmp eax and you'll land on the original entrypoint. Note the address EAX held at the jump: that is the OEP you set as the entrypoint of your dump. Now you're set to dump the memory image and start analysing; if the dump's imports don't resolve afterwards, the import table needs rebuilding before the dump will run on its own.
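The procedure above (find the PUSHAD at the packer entry, find the POPAD that matches it, break on the JMP EAX right behind it) can be scripted so that the breakpoint address is known before the target is even loaded in OllyDbg. The script below is an added example for this post and is not the post's own code nor anything from PE-PACK: it parses a PE32 header by hand to find the bytes at AddressOfEntryPoint, then scans them for the PUSHAD ... POPAD / JMP EAX bracket. The sample stub and the minimal PE wrapper it is run against are constructed fixtures, with the entrypoint placed at 0040A000 to mirror the listing above; a real PE-PACK stub will have different filler between the two ends. Note that 0x61 (POPAD) also turns up as an ordinary operand byte, so the scan only accepts a POPAD that has the JMP EAX within a few bytes of it.

```python
"""Locate the PUSHAD / POPAD ... JMP EAX bracket of a packer stub.

Added example for the unpacking walkthrough; not the post's or PE-PACK's code.
SAMPLE_STUB and build_sample_pe() are constructed fixtures.
"""
import struct

PUSHAD = b"\x60"
POPAD = b"\x61"
JMP_EAX = b"\xff\xe0"


def find_unpack_tail(stub: bytes, pushad_window: int = 16, tail_gap: int = 8):
    """Find the PUSHAD near the stub entry and the first POPAD that is followed
    within `tail_gap` bytes by JMP EAX.  Returns stub-relative offsets or None.
    A bare 0x61 byte is not enough (it is also 'a' or part of an immediate),
    so a candidate only counts when the jump to the OEP sits right behind it."""
    pushad = stub.find(PUSHAD, 0, pushad_window)
    if pushad < 0:
        return None
    pos = pushad + 1
    while True:
        popad = stub.find(POPAD, pos)
        if popad < 0:
            return None
        jmp = stub.find(JMP_EAX, popad + 1, popad + 1 + tail_gap)
        if jmp >= 0:
            return {"pushad": pushad, "popad": popad, "jmp_eax": jmp}
        pos = popad + 1


def entry_point_stub(pe: bytes, max_len: int = 0x1000):
    """Parse the PE headers and return (image_base, entry_rva, file_off, code)
    for the bytes at AddressOfEntryPoint, i.e. where OllyDbg stops on load."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", pe, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]   # SizeOfOptionalHeader
    opt = pe_off + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sect = opt + opt_size                                      # first section header
    for i in range(nsect):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, sect + i * 40 + 8)
        if va <= entry_rva < va + max(vsize, raw_size):
            foff = raw_ptr + (entry_rva - va)                  # RVA -> file offset
            return image_base, entry_rva, foff, pe[foff:foff + max_len]
    raise ValueError("entry point is not inside any section")


def breakpoint_for_oep_jump(pe: bytes):
    """Virtual address to break on (the JMP EAX) plus the stub-relative offsets."""
    image_base, entry_rva, _, stub = entry_point_stub(pe)
    tail = find_unpack_tail(stub)
    if tail is None:
        return None
    return {"entry_va": image_base + entry_rva,
            "bp_va": image_base + entry_rva + tail["jmp_eax"], **tail}


# Constructed stub: the bracket shape from the post, plus a stray 0x61 inside an
# immediate (sub ebp, 0x00401061) that a naive byte scan would mistake for POPAD.
SAMPLE_STUB = bytes([
    0x60,                                # pushad
    0xE8, 0x00, 0x00, 0x00, 0x00,        # call $+5
    0x5D,                                # pop ebp
    0x81, 0xED, 0x61, 0x10, 0x40, 0x00,  # sub ebp, 0x401061 (delta offset)
    0x8B, 0x85, 0x00, 0x00, 0x00, 0x00,  # mov eax, [ebp+0]   (stands in for the OEP fetch)
    0x61,                                # popad
    0xFF, 0xE0,                          # jmp eax -> original entrypoint
]) + b"\xCC" * 8


def build_sample_pe(stub: bytes, stub_rva: int = 0xA000, image_base: int = 0x400000) -> bytes:
    """Wrap `stub` in a minimal PE32 (one section, entrypoint at stub_rva).
    Header-valid only; a constructed fixture, not a runnable program."""
    raw_ptr = 0x200
    raw_size = (len(stub) + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, stub_rva)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)            # Section/FileAlignment
    sect = struct.pack("<8sIIIIIIHHI", b".packed\0", len(stub), stub_rva,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(raw_ptr, b"\0")
    return header + stub.ljust(raw_size, b"\0")


if __name__ == "__main__":
    info = breakpoint_for_oep_jump(build_sample_pe(SAMPLE_STUB))
    print("entry at %08X, break on jmp eax at %08X" % (info["entry_va"], info["bp_va"]))
```

Running it against the constructed sample reports the entry at 0040A000 and the JMP EAX at 0040A014, which is the address you would type into OllyDbg's breakpoint dialog. The script only finds the breakpoint; the OEP itself is whatever EAX holds when that breakpoint hits, which still has to be read out of the debugger (or an emulator) because it is computed by the stub at runtime.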
