Unpacking RLPack
RLPack Basic is an open-source packer brought to you by the coders at Reversing Labs. One (if not the only) of the coders there is ap0x. I've seen some of the code he's done in the past, and I must admit he knows his trade very well. RLPack Basic doesn't contain any anti-debug or anti-analysis code, but the premium versions do. Unfortunately they cost money, so I could only get my hands on the basic version. If you have a malware sample that's been packed with one of the premium versions, I'd be highly interested in taking a peek at it.
The basic version is very simple to unpack. It uses one of two compression libraries: either LZMA or aPLib.
The entrypoint looks like this when aPLib has been used:
And when LZMA is used, the entrypoint looks like this:
The exitpoints also differ a bit between the two compression methods used. With aPLib, the exitpoint looks like this:
And with LZMA the exitpoint looks like this:
In both cases, unpacking is the same. Set a breakpoint on the jmp instruction right after the popad (the instruction that restores the registers saved by the pushad at the stub's start). Press F9 to run to the breakpoint, single-step once into the jump, and you'll find yourself at the original entrypoint (OEP). Dump the process from there; as with any dump of a packed executable, set the dumped file's entrypoint to the OEP and rebuild the import table before you begin your analysis.
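The "popad, then jmp to the OEP" tail described above is a common enough pattern that it is worth being able to find it without stepping by hand. The following is an added example written for this page, not code from RLPack or its author: it scans a buffer of raw 32-bit x86 code for a popad (0x61) immediately followed by a jmp (E9 rel32 or EB rel8), resolves the absolute jump target, and lets you filter candidates down to those landing inside the original code section. The stub bytes and addresses below are constructed for the example and are not taken from an RLPack sample.

```python
"""Locate the `popad; jmp <target>` tail of an unpacker stub and resolve the target.

Added example (not RLPack's own code). Works on raw 32-bit x86 bytes; the
sample stubs at the bottom are constructed for this demonstration.
"""
import struct

POPAD = 0x61      # popad: restore registers saved by pushad at stub start
JMP_REL32 = 0xE9  # jmp rel32 (5-byte instruction)
JMP_REL8 = 0xEB   # jmp rel8  (2-byte instruction)


def find_popad_jmp(code: bytes, base_va: int):
    """Return [(jmp_va, target_va), ...] for every popad;jmp pair in `code`.

    `base_va` is the virtual address of code[0]. The target is computed the
    way the CPU does it: address of the instruction following the jmp plus
    the signed displacement encoded in the jmp.
    """
    hits = []
    n = len(code)
    for i in range(n - 1):
        if code[i] != POPAD:
            continue
        j = i + 1  # candidate jmp opcode
        if code[j] == JMP_REL32 and j + 5 <= n:
            disp = struct.unpack_from("<i", code, j + 1)[0]
            hits.append((base_va + j, base_va + j + 5 + disp))
        elif code[j] == JMP_REL8 and j + 2 <= n:
            disp = struct.unpack_from("<b", code, j + 1)[0]
            hits.append((base_va + j, base_va + j + 2 + disp))
    return hits


def filter_by_range(hits, lo_va: int, hi_va: int):
    """Keep only candidates whose target lies in [lo_va, hi_va).

    0x61 also occurs as data or inside other instructions, so a raw scan
    will produce false positives; restricting targets to the original
    .text section (which the stub jumps back into) weeds most of them out.
    """
    return [(jmp_va, tgt) for jmp_va, tgt in hits if lo_va <= tgt < hi_va]


# --- constructed sample 1: rel32 form ---------------------------------------
# Stub loaded at 0x00405000: pushad, four nops, popad, jmp rel32 -> 0x00401000.
SAMPLE_BASE = 0x00405000
_SAMPLE_JMP_VA = SAMPLE_BASE + 6                 # jmp sits after pushad + 4 nops + popad
_SAMPLE_TARGET = 0x00401000                      # hypothetical OEP in .text
SAMPLE_STUB = (
    b"\x60"                                      # pushad
    + b"\x90" * 4                                # nop x4 (stand-in for decompression code)
    + b"\x61"                                    # popad
    + b"\xE9"                                    # jmp rel32
    + struct.pack("<i", _SAMPLE_TARGET - (_SAMPLE_JMP_VA + 5))
)

# --- constructed sample 2: rel8 form ----------------------------------------
# Stub loaded at 0x1000: popad, jmp +0x10 -> 0x1013 (0x1001 + 2 + 0x10).
SHORT_BASE = 0x1000
SHORT_STUB = b"\x61\xEB\x10" + b"\xCC" * 0x10


def oep_candidates():
    """Scan sample 1 and keep only targets inside a hypothetical .text section."""
    hits = find_popad_jmp(SAMPLE_STUB, SAMPLE_BASE)
    return filter_by_range(hits, 0x00401000, 0x00405000)


if __name__ == "__main__":
    for jmp_va, tgt in oep_candidates():
        print(f"breakpoint on jmp at {jmp_va:#010x}, OEP candidate {tgt:#010x}")
```

Run it against the bytes of the packer's code section (read from the dump or the file) with the section's virtual address as `base_va`; each hit is a breakpoint address to set before pressing F9, and the target is where you expect to land after the single step.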
April 17th, 2007 at 6:08 pm
If you want a file packed with RLPack full version, please email me.