Unpacking nPack
nPack is a public PE executable compressor that can be freely downloaded from various sites. Here’s a description by the author:
“nPack is a Win32 PE executable file compressor. Features:
- Support for all types of PE files (exe, dll, ocx)
- Compression of program code, data, and resources
- Section naming support
- Fast decompression routines
- Relocation support
- TLS support
- File rebuilding
- Strip relocation
- Strip debug information”
nPack seems to be very rarely used to pack malicious binaries. One reason for this may be that nPack does not employ any anti-debugging or anti-analysis tricks. So, let’s take a look at the entrypoint:
We can easily spot the old push/ret trick at the end of the function: the address of the original entrypoint is pushed onto the stack and a ret then transfers control to it. Set a breakpoint on the ret instruction, let the program run until it hits the breakpoint, single-step once and you’ll be sitting at the original entrypoint. Just dump the memory image and let the fun begin.
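As an added illustration of the push/ret idiom (not part of the original post, and not nPack’s real stub), here is a small Python helper that scans a code blob for `push imm32; ret`, takes the pushed value as the candidate original entrypoint and maps it back to a section; the stub bytes, image base and section table below are constructed for the example.

```python
import struct

# Constructed stand-in for the tail of an unpacker stub. These are NOT nPack's
# real bytes; they only reproduce the push imm32 / ret idiom discussed above.
STUB = bytes([
    0x61,                          # popad  (restore registers after unpacking)
    0x68, 0x00, 0x10, 0x40, 0x00,  # push 0x00401000  (the original entrypoint)
    0xC3,                          # ret    -> jumps to the pushed address
])

IMAGE_BASE = 0x00400000  # assumed image base for the constructed sample

# Constructed section table: (name, section RVA, virtual size)
SECTIONS = [
    (".text", 0x1000, 0x4000),
    (".data", 0x5000, 0x1000),
    (".npack", 0x6000, 0x800),
]


def find_push_ret(code: bytes):
    """Return (offset, pushed_value) for every `push imm32; ret` in `code`."""
    hits = []
    i = 0
    while True:
        i = code.find(b"\x68", i)          # 0x68 = push imm32
        if i < 0 or i + 6 > len(code):     # need 1 + 4 + 1 bytes for push+ret
            break
        if code[i + 5] == 0xC3:            # 0xC3 = ret
            hits.append((i, struct.unpack_from("<I", code, i + 1)[0]))
        i += 1
    return hits


def section_for_rva(rva: int, sections):
    """Name of the section whose virtual range covers `rva`, or None."""
    for name, va, size in sections:
        if va <= rva < va + size:
            return name
    return None


def candidate_oep(code: bytes, image_base: int, sections):
    """Take the last push/ret in the stub as the OEP jump and locate its target."""
    hits = find_push_ret(code)
    if not hits:
        return None
    _, target = hits[-1]
    rva = target - image_base
    return {"va": target, "rva": rva, "section": section_for_rva(rva, sections)}


if __name__ == "__main__":
    print(candidate_oep(STUB, IMAGE_BASE, SECTIONS))
```

Against a real sample you would feed it the bytes of the packer’s entry section together with the image base and section table read from the PE headers; a target landing in the original code section rather than the packer’s own section is the expected result.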