Reverse engineering executables is always a very challenging procedure especially if the analyzed executable has been packed or encrypted. I've been talking a lot about packers and unpackers (take a look to these posts here) but the technique I am going to show you is totally new respect to those already described. As you might know the most difficult procedure of reversing a packed (or encrypted) executable is to find out the original entry point (OE). Again, there are tons of ways to figure out if an executable is packed or not (aka PEiD) but there is no a universal known way to unpack it. The following image shows PEiD in action.
PEID finds out that the executable has been packed with Aspack v2.12. Nowadays you might find specific unpackers (unpackers designed for a specific packing procedure) but there is no way to have an ultimate universal unpacker. Here you can find many of those packers. YES, I know, there are universal unpackers too, but those unpackers are signature based, meaning that they are not able to unpack "new" packing procedure (algorithms), they must include the signature of every used algorithms. The following pictures shows one of my favorite Unpackers: Faster Universal Unpacker from RCE.
A group of the New Mexico Tech designed a visualization tool based on Entropy (system calls, oriented graphs and so on) called VERA (read more here, here and here). By using this tool you are able to distinguish between packers / encryptors STUB and unpacked / decrypted code by simply analyzing the execution of the executable. The following image shows the notepad.exe (yes the one in WinXP) traced by PIN and visualized by VERA. I traced notepad.exe by fixing 2 minutes of execution here the result:
The blue label represents the Start address (which in this particular case corresponds to OE), yellow color means normal entropy, numbers in labels (you probably cannot see them because the image is too small) are the called addresses. The following image shows the same executable packet by using UPX.
As you may see the are sections (calls to addresses) that have high entropy (meaning be packed or encrypted) represented with RED labels. This alerts us about the presence of a packer / encryptor. Where the is a continuously low entropy labels (purple) we can find the OE. This because the encryptor / packer STUB finished its job and unpacked / decrypted the executable code giving to the OE the control flow. The following image shows notepad.exe packed by BroExePacker.
In this case BroExePacker introduces a two levels of compression STUBs, you can easily distinguish them by looking at the red labels that are present in two points during the execution. This shows a typical two stage decompression. A first STUB decompress the function that decompress the real function who will decompress the original byte code (RED -PURPLE-RED-PURPLE). The OE is placed after the second RED labels. The following image shows the same executable (notepad.exe) compressed by the same BroExePacker but by using a different algorithm.
Again, we can easily discover that this executable has been packed, this time with one level STUB. The OE could be in a couple of positions. Experience will help a lot in finding the OE, but this Visualization tool considerably decrease the complexity of such operation. VERA could be integrated to IDA pro by installing an IDA Pro plugin making IDA Pro communicating to VERA through sockets. This integration makes a lot easier the interaction between the tracer (IDA Pro) and the visualization tool VERA. I am not going to cover in this post how to integrate VERA with IDA, but I am rather cover how to use VERA and PIN in a very quick way. Once you download and install VERA from its website , you will get the visualization tool (VERA) and a small installation of PIN. PIN is the tracer, the one who will produce the .trace file by executing the analyzed executable, the .trace file who will get VERA to elaborate its diagram. The following picture shows hot to run PIN with VERA template.
PIN is now running and tracing the analyzed executable. Let it running for a while (the time you decide) and then close the executable in a normal way (File -> Close, or whatever). Now opera VERA and click on Open. Select the file produced by PIN. Now VERA asks you about the original file and ask where to put its own graph file. The following image shows this process
Once you done with that, VERA will take a while and finally it will show you a graphic traced path. You will find more details on VERA and PIN manual.
Summing up, I wanted to describe a new way to figure out if a executable has been packed or encrypted, and a new way to discover the Original Entry Point of the packed/encrypted executable. My experience in this field let me say that this is a great way to proceed and to learn about packers/encrypters.
Posts
25 comments:
Nice approach!. If you are doing other things with Pin and unpacking maybe we can talk a little :)
Btw, thanks for mentioning FUU in your post! :P
@crackinglandia
Of course we can talk a little ! I'll be happy
I sent you an email.
Thanks for your posting about vera. I have a question vera's pin.exe. How to use pin.exe if packed dll file?
Thanks for read it.
I really feel good and the information is really good.
Sahara Packers | Sahara, Domestic International Packers and Movers in India for Packers India, International Movers, Domestic Packers, Movers India, Packing Services India, Unpacking Services, India Domestic Movers, Loading Unloading Services, International Couriers, Packers Delhi, Bangalore Packers, Movers Mumbai etc. are the helpful words that’s help our customer to easily make a best deal over the Internet with Sahara Packers & Movers. Sahara Packers is one of the best all Re-Allocation service provider in India.
Packers India | International Movers | Domestic Packers |
really its very nice information about packers and movers. thanks for shearing it with us. keep it up.
Best Moving Company NYC
Believe me, PackerBreaker is your ultimate choice of a universal unpacker.
http://www.sysreveal.com/packerbreaker-intro/
Nice Work , Packers and movers bangalore
welldone keep it up , look it this website:- http://www.shainex.com/karnataka/movers-packers-bangalore.htm
thank for this http://www.moversandpackersbangalore.com/
Iffco Home - Packers and Movers in Delhi
Thanks for Nice and Informative Post
This blog is really contains lot more information about relocation meant to online Moving Companies.
Best Packers and Movers Services....
Nice Share
Packers and Movers Pune, Movers And Packers Pune
Century Packers and Movers is an Indiabased organization that offers professional packing services, professional moving services for your packing and moving requirements throughout India.
Thanks to share a A New Way to Detect Packers it may very help full a find the movers and packers in current time.,..
NICE BLOG!!! Packers and Movers are said to be those people who help you to pack and move your belongings in the safest and the most convenient way. Thanks for sharing a nice information.
packers and movers in jaipur
shifting services in jaipur
If you are looking for fast friendly service then you have come to the right place. We provide many services to both residential and commercial clients. There is no job to big or small we can move it all.
movers medford, ma
NICE BLOG!!! Packers and Movers are said to be those people who help you to pack and move your belongings in the safest and the most convenient way. Thanks for sharing a nice information.
packers and movers in jaipur
shifting services in jaipur
This is a nice information about packers and movers .We are also provider packing and moving services .
Really its very nice information about packers and movers. thanks for shearing it with us. keep it up.
Dallas Moving Company
NICE BLOG!!! Packers and Movers are said to be those people who help you to pack and move your belongings in the safest and the most convenient way. Thanks for sharing a nice information.
packers and movers in jaipur
movers and packers in jaipur
Nice blog and I fell very happy after read this content.
packers and movers pune :-packers and movers hyderabad:-packers and movers bangalore
packers and movers
packers and movers lucknow
packers and movers ghaziabad
packers and movers noida
packers and movers delhi
packers and movers hyderabad
packers and movers chandigarh
packers and movers raipur
packers and movers kolkata
packers and movers kolkata
packers and movers gurgaon
packers and movers bangalore
packers and movers mumbai
packers and movers ranchi
packers and movers chennai
packers and movers pune
packers and movers faridabad
packers and movers jaipur
packers and movers ahmedabad
packers movers bangalore
packers and movers bangalore
packers and movers delhi
packers and movers noida
packers and movers bhubaneswar
packers and movers gurgaon
packers and movers bangalore
packers and movers chennai
packers and movers hyderabad
packers and movers delhi
packers and movers kolkata
packers and movers mumbai
packers and movers ahmedabad
packers and movers surat
packers and movers jaipur
Nice Approach to detect packers with Pin
We are an ISO Certified International Movers Dubai Contact WRAP IT Movers for all your local and International Moves in Dubai at affordable rates.
Post a Comment