(Unpack) Mew 11 1.2 - Northfox/Hcc

The document discusses unpacking a file packed with MEW, a packer designed for small files that uses LZMA compression and strips unnecessary data. It explains locating the overall entry point (OEP) by setting a breakpoint on the RETN instruction, stepping once, and dumping process memory to extract the unpacked file. Common packers and approaches for quickly unpacking malware are also summarized, along with OllyScript logic for automating the unpacking process with MEW.


[Unpack] MEW 11 1.2 -> NorthFox/HCC

After packing a file with the MEW 11 SE 1.2 packer, I tried unpacking it. You can see that the entry point is not in the first section. When you start debugging, execution begins at the instruction below.

0047C526 >-E9 293CF8FF JMP unpacked.00400154

If you follow the jump to that area and examine it, you will see a routine that decodes the packed data.

00400154 BE 1CA04500 MOV ESI,unpacked.0045A01C
00400159 8BDE MOV EBX,ESI
0040015B AD LODS DWORD PTR DS:[ESI]
0040015C AD LODS DWORD PTR DS:[ESI]
0040015D 50 PUSH EAX
0040015E AD LODS DWORD PTR DS:[ESI]
0040015F 97 XCHG EAX,EDI
00400160 B2 80 MOV DL,80
00400162 A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00400163 B6 80 MOV DH,80
00400165 FF13 CALL DWORD PTR DS:[EBX]
00400167 ^73 F9 JNB SHORT unpacked.00400162
00400169 33C9 XOR ECX,ECX
0040016B FF13 CALL DWORD PTR DS:[EBX]
0040016D 73 16 JNB SHORT unpacked.00400185
........................... (omitted) ...................................
004001F1 91 XCHG EAX,ECX
004001F2 40 INC EAX
004001F3 50 PUSH EAX
004001F4 55 PUSH EBP
004001F5 FF53 F4 CALL DWORD PTR DS:[EBX-C]
004001F8 AB STOS DWORD PTR ES:[EDI]
004001F9 85C0 TEST EAX,EAX
004001FB ^75 E5 JNZ SHORT unpacked.004001E2
004001FD C3 RETN
004001FE 0000 ADD BYTE PTR DS:[EAX],AL
00400200 0000 ADD BYTE PTR DS:[EAX],AL
00400202 0000 ADD BYTE PTR DS:[EAX],AL
00400204 0000 ADD BYTE PTR DS:[EAX],AL

If you follow how the data is decoded and look further down the disassembly, you eventually reach a RETN. Set a breakpoint there and run. After a moment the breakpoint hits, and if you single-step from there, you arrive at the OEP.

However, the code at that point has not been analysed yet, so it is not displayed properly. Choosing Analysis -> Remove analysis from module from the context menu shows the code correctly.
Now that you have confirmed that the OEP is 45834, you need to find the IAT. Press Ctrl+B (binary Search) and search for FF25.

If you switch the dump window to the Long -> Address view, you can easily see the IAT referenced above: 4486C4 (end address) - 448104 (start address) = 5C0 (size).


Dump the data loaded in memory with the dump function of OllyDump or ImpREC, then use ImpREC to fix the IAT and apply Fix Dump, and the file will be unpacked normally.
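The FF25 search and the end - start = size arithmetic from the steps above, as an added example that is not part of the original write-up: it scans a code buffer for indirect jumps through absolute memory slots (and, going beyond the text, FF15 indirect calls, which reference IAT slots the same way) and clusters the referenced slots into the IAT range. The sample bytes, code address and the decoy slot are constructed.

```python
# Added example (not from the original write-up): find the IAT of a dumped image
# by scanning its code for jumps/calls through absolute memory slots, the FF25
# search done by hand above. Sample bytes and addresses below are constructed.
import re
import struct

# FF 25 imm32 = JMP DWORD PTR DS:[imm32]; FF 15 imm32 = CALL DWORD PTR DS:[imm32].
# The write-up searches only for FF25; FF15 references IAT slots the same way.
_INDIRECT = re.compile(rb"\xff[\x15\x25](.{4})", re.DOTALL)

def find_iat_slots(code, code_va):
    """Return (instruction_va, referenced_slot_va) for every FF25/FF15 in code."""
    hits = []
    for m in _INDIRECT.finditer(code):
        slot = struct.unpack("<I", m.group(1))[0]
        hits.append((code_va + m.start(), slot))
    return hits

def iat_bounds(slots, slot_size=4, max_gap=0x40):
    """Cluster referenced slots into contiguous tables and return the largest as
    (start_va, end_va, size); end_va is exclusive, so size = end - start, the
    same arithmetic as 4486C4 - 448104 = 5C0. max_gap tolerates unreferenced
    entries and the NULL DWORD that terminates each DLL's block."""
    uniq = sorted(set(slots))
    if not uniq:
        raise ValueError("no indirect jumps or calls found")
    clusters, cur = [], [uniq[0]]
    for s in uniq[1:]:
        if s - cur[-1] <= max_gap:
            cur.append(s)
        else:
            clusters.append(cur)
            cur = [s]
    clusters.append(cur)
    best = max(clusters, key=len)
    start, end = best[0], best[-1] + slot_size
    return start, end, end - start

# Constructed sample: four thunks into a table at 448104.., a NOP, and a decoy
# jump through an unrelated slot at 460000 that must not be merged into the IAT.
SAMPLE_CODE_VA = 0x401000
SAMPLE_CODE = bytes.fromhex(
    "ff25 04814400" "ff25 08814400" "ff15 0c814400" "90"
    "ff25 00004600" "ff25 14814400"
)

if __name__ == "__main__":
    hits = find_iat_slots(SAMPLE_CODE, SAMPLE_CODE_VA)
    start, end, size = iat_bounds(slot for _, slot in hits)
    print(f"{end:X} (end) - {start:X} (start) = {size:X} (size)")
```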

MEW
MEW [8] is an executable packer designed to handle small files. It works on
32-bit workstations and uses the LZMA algorithm. It strips reloc tables, Delphi
resources and unused resources. Although it was designed for small files, it can
compress large files as well.
The last instruction in the MEW stub, as shown in Figure 17, is RETN. After this
instruction a jump to the OEP takes place. Set a break point on the RETN
instruction. When the break point is triggered, as shown in Figure 17, step once
and then dump the process to get the unpacked version of the file.
Figure 17. The last instructions for the MEW packer.
The logic used to locate the OEP for MEW is shown in Figure 18. The code ‘findop
eip, #C3#’ locates the RETN instruction in the debugged process packed with the
MEW packer. Once the RETN instruction is located, the debugger steps once and is
at the OEP. The OllyDump plug-in can be used to dump the process and we are left
with the unpacked version of the executable file.

Figure 18. The OllyScript used to unpack MEW.

Conclusion
Reducing the time it takes to perform malware analysis is very important. For static
analysis of malware it is important that the malware is unpacked. There are many
approaches to unpacking a piece of malware – for example, it can be executed in a
virtual environment and then we can capture a memory snapshot of the executing
malware. Once we get the snapshot, we can dump the unpacked malware directly
from memory. However, it is possible that not all of the code of the unpacked
malware will be in memory, so dumping a process from memory might not be an
effective unpacking method. Loading a packed malicious executable and executing
step by step instructions in a debugger is one of the best ways to locate the OEP
and execute the malware. In this article we have provided assembly instructions
for the most commonly used packers which can be used to quickly unpack
malware. We have also provided OllyScripts for the logic to manually unpack the
malware. This can further aid in reducing response time for malware analysis.
Bibliography
[1] http://www.farbrausch.de/~fg/kkrunchy/
[2] http://pecompact.com/pecompact.php
[3] http://www.bitsum.com/pec2av.htm
[4] http://www.openrce.org/downloads/details/156/PECompact_v.2.40_-_OEP_finder
[5] http://nspack.download-230-13103.programsbase.com/
[6] http://upx.sourceforge.net/
[7] http://www.oberhumer.com/opensource/ucl/
[8] http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/MEW-SE.shtml
