Unpacking the MaskPE packer
MaskPE is a packer that appears to have originated from China. It’s not extremely common, but you can stumble upon it every once in a while. It’s a pretty basic packer, but it does have one nice trick: the packer stub crashes the program if it detects a debugger.
The entrypoint of the packer is static as far as I’ve seen:
So, how do you unpack this one? Here’s a quick but ugly version that doesn’t dig any deeper than it has to.
First off, fire up OllyDbg. Go to the debugging options, turn “Trace real entry bytewise” on, and on the Exceptions page make sure that INT3 is ignored (a.k.a. passed to the program) and that “Ignore memory access violations in KERNEL32.DLL” is checked.
Load up the program packed with MaskPE and after OllyDbg churns on it for a few seconds you should hit this place:
Now, if you have an OllyDbg version that zeroes out the IsDebuggerPresent flag, you can skip the next step. Assuming that you don’t, you need to zero it out manually. So, press Alt+F1 to open up the command line plugin, type “set byte ptr ds:[fs:[30]+2] = 0”, sans quotes, and press Enter.
Now, scroll down a bit until you see a CALL being made. Step into it and trace forward manually. You can see the packer stub retrieving the value of the IsDebuggerPresent flag (the byte at fs:[30]+2 you just zeroed) and using that value to manipulate the return address. If the flag is set, the return from the CALL lands in an area filled with null bytes, which crashes the program.
When you survive the return, keep stepping manually over the POPAD and JMP instructions. After that you’ll see a stub similar to the one at the SFX stage where OllyDbg stopped the first time. Just keep stepping and you’ll see another similar CALL being made. Keep stepping the code one instruction at a time. This time, after you get past the POPAD and JMP pair, you’re at the real entrypoint of the unpacked program. So just dump the process there and have lots of fun analyzing the unpacked sample.
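The anti-debug trick above boils down to the stub reading the byte at fs:[30]+2 (PEB.BeingDebugged) and folding it into a return address. As an added example that is not part of the original post, here is a small Python triage script that scans a raw binary for that pattern: a 32-bit load of the PEB pointer from fs:[0x30] followed, within a short window, by an 8-bit access to offset +2 of that pointer. The encodings are standard x86; that MaskPE's stub uses exactly one of these forms is my assumption, and the sample buffer is constructed, not taken from a real packed file.

```python
"""Find PEB.BeingDebugged reads (fs:[0x30] load, then a byte access at +2) in raw x86 code.

Added example, not code from the original post. The x86 encodings are standard;
assuming the MaskPE stub uses one of exactly these forms is the author's assumption here.
"""
import re
from typing import List, Tuple

# mov eax/ecx/edx, fs:[0x30]  -> PEB pointer
#   64 A1 30 00 00 00        mov eax, fs:[0x30]
#   64 8B 0D 30 00 00 00     mov ecx, fs:[0x30]
#   64 8B 15 30 00 00 00     mov edx, fs:[0x30]
PEB_LOAD = re.compile(rb"\x64(?:\xa1|\x8b\x0d|\x8b\x15)\x30\x00\x00\x00", re.DOTALL)

# 8-bit access to [eax|ecx|edx + 2] (PEB.BeingDebugged); modrm mod=01, disp8=2.
#   0F B6 /r 02   movzx r32, byte [reg+2]   (modrm 40-42 / 48-4A / 50-52)
#   8A /r 02      mov r8, byte [reg+2]
#   80 /7 02 00   cmp byte [reg+2], 0       (modrm 78-7A)
BEINGDEBUGGED_READ = re.compile(
    rb"\x0f\xb6[\x40-\x42\x48-\x4a\x50-\x52]\x02"
    rb"|\x8a[\x40-\x42\x48-\x4a\x50-\x52]\x02"
    rb"|\x80[\x78-\x7a]\x02\x00",
    re.DOTALL,
)

WINDOW = 16  # bytes after the PEB load within which the +2 access must appear


def find_beingdebugged_checks(data: bytes, window: int = WINDOW) -> List[Tuple[int, str]]:
    """Return (offset_of_peb_load, description) for every PEB load followed by a +2 read."""
    hits = []
    for load in PEB_LOAD.finditer(data):
        start = load.end()
        # Only look a few bytes past the load, so a PEB load that goes on to read
        # some other field (e.g. PEB.Ldr at +0x0C) is not reported.
        m = BEINGDEBUGGED_READ.search(data, start, start + window)
        if m:
            hits.append((load.start(),
                         f"fs:[0x30] load at {load.start():#x}, "
                         f"BeingDebugged read at {m.start():#x}"))
    return hits


# Constructed sample (not a real MaskPE stub): NOP filler, the check, then an
# unrelated PEB load that reads PEB.Ldr, which must not be flagged.
SAMPLE = (
    b"\x90" * 32
    + b"\x64\xa1\x30\x00\x00\x00"   # mov eax, fs:[0x30]
    + b"\x0f\xb6\x40\x02"           # movzx eax, byte [eax+2]   -> BeingDebugged
    + b"\x01\xc1"                   # add ecx, eax              -> flag folded into a pointer
    + b"\x90" * 32
    + b"\x64\xa1\x30\x00\x00\x00"   # mov eax, fs:[0x30]
    + b"\x8b\x40\x0c"               # mov eax, [eax+0x0c]       -> PEB.Ldr, not a debugger check
    + b"\x90" * 32
)

if __name__ == "__main__":
    for offset, desc in find_beingdebugged_checks(SAMPLE):
        print(f"{offset:#06x}: {desc}")
```

Run it against the raw bytes of a packed sample (for instance the dumped stub, or the whole file read in binary mode) to get candidate offsets for the anti-debug check before you single-step to it in OllyDbg. Widen `WINDOW` if the stub you are looking at inserts junk instructions between the PEB load and the flag read.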