Unpacking Pohernah

Pohernah is a packer with Russian origins. Manual tracing is extremely tiresome since there are dozens of various decryption loops and layers in the code.

Here’s a screenshot of the GUI:

[Screenshot: Pohernah GUI]

Pohernah is a polymorphic packer. Here are two screenshots. The payload file is the same, and you can see how the loader changes each time.

Entrypoint 1:

[Screenshot: Pohernah entrypoint, first packing run]

Entrypoint 2:

[Screenshot: Pohernah entrypoint, second packing run]

So, how to unpack this baby? It’s quite easy. Open the file in any hex editor, and scroll all the way to the bottom. Most likely you just see a big bunch of nulls there. Start scrolling upwards slowly, until you see something like this:

[Screenshot: hex editor view of the stored OEP near the end of the file]

In the above picture, the DWORD at offset A176h (00401720) is the original entrypoint. Load the binary in a debugger, set a hardware breakpoint on execution at the address you just found (00401720 in my example), and press F9 to run to it. Then dump the process from memory and you're ready to begin analysis.
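A scripted version of the hex-editor search above, added here as an example and not code from the original post: it reads ImageBase and SizeOfImage from the PE header, skips the trailing nulls, and reports the DWORD nearest the end of the file that is a valid address inside the loaded image. The 256-byte search window and the sample buffer are constructed assumptions, not derived from a real Pohernah sample.

```python
import struct


def find_pohernah_oep_candidate(data: bytes, window: int = 256):
    """Return (file_offset, oep_va) of the stored OEP DWORD, or None.

    Mirrors the manual procedure: skip the null padding at the end, then take
    the DWORD closest to the end that falls inside the image's address range.
    The `window` limit (assumed) keeps the scan near the tail of the file.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                         # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    lo, hi = image_base, image_base + size_of_image

    end = len(data)                              # index just past the last non-null byte
    while end > 0 and data[end - 1] == 0:
        end -= 1
    # Start up to 3 bytes into the padding so a DWORD whose top byte is 00
    # (e.g. 00401720) is not cut off, then walk backwards through the window.
    start = min(end + 3, len(data) - 4)
    for off in range(start, max(0, end - window) - 1, -1):
        val = struct.unpack_from("<I", data, off)[0]
        if lo <= val < hi:
            return off, val
    return None


def build_sample(oep: int = 0x00401720, tail_nulls: int = 0x200) -> bytes:
    """Constructed stand-in for a packed file: only the header fields the
    scanner reads are filled in, the 'loader' is NOP filler, then the OEP."""
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                 # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x98, 0x10B)                # PE32 magic
    struct.pack_into("<I", hdr, 0x98 + 28, 0x00400000)      # ImageBase
    struct.pack_into("<I", hdr, 0x98 + 56, 0x00010000)      # SizeOfImage
    return bytes(hdr) + b"\x90" * 0x100 + struct.pack("<I", oep) + b"\x00" * tail_nulls


if __name__ == "__main__":
    off, va = find_pohernah_oep_candidate(build_sample())
    print("OEP DWORD at file offset %Xh: %08X" % (off, va))
```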
