Thursday, January 8, 2009

Detect and Bypass Packer

Sometimes, when doing RCE (Reverse Code Engineering) in OllyDbg, you get a message telling you that the code is encrypted. Life gets harder when the code is encrypted but OllyDbg does not warn you at all. In both cases the code has been processed by a "packer". A packer is used to reduce the size of the file and at the same time it encrypts the code; it is one of the anti-reverse-engineering methods. One of the most commonly used packers is UPX, but it is well known and easy to unpack.

In this post I will demonstrate how easily you can bypass the packer on your code. For this example I used UPX as the packer, packed calc.exe and renamed it to kalc.exe. How to pack with UPX is out of scope of this post, but trust me, there are plenty of tutorials on Google.

The first thing is of course to load the file in OllyDbg; the first instruction you see at the EP (entry point) is PUSHAD. PUSHAD pushes all the general-purpose registers (EAX, EBX, ...) onto the stack. This backs up the register values before the packer's unpacking routine runs, so the routine does not have to worry about changing them.

The second thing is to execute that instruction by pressing F8 (step over). This pushes all the registers onto the stack.


After stepping over the instruction, you can see on the right-hand side that ESP has a new value. ESP is the stack pointer; it points to the top of the stack.

Then right-click on ESP and choose Follow in Dump. You will see something change in the hex dump pane at the bottom of OllyDbg.



Next, set a hardware breakpoint. Highlight the first DWORD value (the first four bytes in the dump) and then right-click > Breakpoint > Hardware, on access > Dword.


After that, run the code and it will stop at the hardware breakpoint we set before. If you look closely, there is a POPAD instruction nearby. This instruction pops all the saved registers back off the stack; it is the opposite of PUSHAD. That means we are at the end of the unpacking routine. We still need to step a little further with F8, and after the JMP we arrive at the start of the unpacked program, which we call the Original Entry Point (OEP).
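As an added example that is not part of the original post, the Python script below does the static "detect" half of the job before you open OllyDbg: it parses the PE headers of a file, checks for UPX-style section names, finds the section that contains the entry point, tests whether the first byte at the entry point is 0x60 (the PUSHAD opcode seen at the EP above), and measures the entropy of that section. Instead of reading the kalc.exe from the post, it builds its own constructed PE32 samples in memory, one shaped like a UPX-packed file and one shaped like a plain build; the section layout, the filler bytes and the function names are all assumptions made for the demonstration.

```python
import math
import struct
from collections import Counter
from random import Random

COFF_FMT = "<4sHHIIIHH"       # PE signature + IMAGE_FILE_HEADER (24 bytes)
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)


def build_sample_pe(packed: bool = True) -> bytes:
    """Constructed sample (not the kalc.exe from the post): a minimal PE32 with
    two sections. packed=True mimics UPX: UPX0 empty on disk, entry point inside
    UPX1, first byte at the entry point 0x60 (PUSHAD), high-entropy body.
    packed=False mimics a plain build: .text/.data, entry point at the start of
    .text, low-entropy body."""
    if packed:
        names, ep_rva = (b"UPX0", b"UPX1"), 0x11000 + 0x100
        sect_a = (0x10000, 0x1000, 0x0, 0x400, 0xE0000080)  # vsize, va, rawsize, rawptr, flags
        sect_b = (0x3000, 0x11000, 0x200, 0x400, 0xE0000040)
        rng = Random(1)                                      # deterministic filler bytes
        body = bytearray(rng.getrandbits(8) for _ in range(0x200))
        body[0x100] = 0x60                                   # PUSHAD at the entry point
    else:
        names, ep_rva = (b".text", b".data"), 0x1000
        sect_a = (0x200, 0x1000, 0x200, 0x400, 0x60000020)
        sect_b = (0x200, 0x2000, 0x200, 0x600, 0xC0000040)
        body = bytearray(b"\x55\x8B\xEC\x90" * 0x80 + bytes(0x200))  # push ebp; mov ebp,esp; nop
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew -> PE header at 0x80
    coff = struct.pack(COFF_FMT, b"PE\0\0", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic = PE32
    struct.pack_into("<I", opt, 16, ep_rva)                  # AddressOfEntryPoint
    sects = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                     for n, (vs, va, rs, rp, fl) in zip(names, (sect_a, sect_b)))
    header = (bytes(dos) + coff + bytes(opt) + sects).ljust(0x400, b"\0")
    return header + bytes(body)


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, list of section dicts) for a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    sig, _machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, e_lfanew)
    if sig != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + struct.calcsize(COFF_FMT)
    ep_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # same offset in PE32 and PE32+
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_FMT, data, sect_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return ep_rva, sections


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def assess_packing(data: bytes) -> dict:
    """Collect the static indicators the post relies on: UPX section names,
    which section holds the entry point, PUSHAD as the first EP instruction,
    entropy of the EP section, and an empty-on-disk first section."""
    ep_rva, sections = parse_pe(data)
    ep_sect = next((s for s in sections
                    if s["va"] <= ep_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep_sect is None:
        raise ValueError("entry point is outside every section")
    ep_file_off = ep_rva - ep_sect["va"] + ep_sect["rawptr"]
    raw = data[ep_sect["rawptr"]:ep_sect["rawptr"] + ep_sect["rawsize"]]
    return {
        "upx_section_names": any(s["name"].startswith("UPX") for s in sections),
        "ep_section": ep_sect["name"],
        "ep_starts_with_pushad": data[ep_file_off] == 0x60,
        "ep_section_entropy": round(shannon_entropy(raw), 2),
        "empty_first_section": sections[0]["rawsize"] == 0 and sections[0]["vsize"] > 0,
    }


def likely_packed(report: dict) -> bool:
    """UPX names are conclusive; otherwise require PUSHAD plus a high-entropy EP section."""
    return report["upx_section_names"] or (
        report["ep_starts_with_pushad"] and report["ep_section_entropy"] > 7.0)


if __name__ == "__main__":
    for flag in (True, False):
        rep = assess_packing(build_sample_pe(packed=flag))
        print("packed sample" if flag else "plain sample", rep, "->", likely_packed(rep))
```

To run it against a real file, call `assess_packing(open(path, "rb").read())`. The PUSHAD check on its own is weak evidence (a normal entry stub rarely starts with it, but neither do all packers), so read it together with the section names and the entropy, and confirm in the debugger with the ESP trick described above, which does not depend on any of these static hints.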
