Unpacking executable files

Hello, Khabrovites. As part of the course "Reverse-Engineering. Basic", Alexander Kolesnikov (specialist in complex protection of informatization objects) has prepared an article.



We also invite everyone to an open webinar on the topic "Exploitation of vulnerabilities in the driver. Part 1". Together with an expert, webinar participants will analyze driver overflow vulnerabilities and the specifics of developing kernel-mode exploits.






This article discusses approaches to analyzing packed executable files with simple reverse-engineering tools. We will look at some of the packers used to pack executable files. All examples are carried out on Windows, but the approaches studied can easily be ported to any OS.





OS toolkit and setup

For tests, we will use a virtual machine running Windows. The toolkit will contain the following applications:

  • x64dbg debugger;
  • x64dbg Scylla plugin, installed by default;
  • hiew Demo.

The fastest and easiest way to unpack any executable file is to use a debugger. But since we will also consider the Python programming language, we will need two more projects:

  • uncompyle6, a project that allows you to decompile the bytecode of the Python virtual machine;
  • pyinstallerExtractor, a tool for extracting a PyInstaller archive.





General methods of unpacking

, . . , . — UPX. , .





, , . 1.5 .





-? , ? . , :





, UPX:





:





  1. — , , ;
  2. : , .





, , . :





  1. — , ;
  2. — ( , );
  3. ;
  4. .





. . pushad/popad



push



. ESP/RSP, "Hardware Breakpoint" , . , . .





UPX

. UPX:





:





:





ESP — . :





:





, Scylla Hide .





, .
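A triage heuristic for the UPX case discussed above, as an added example that is not from the original article: it parses the PE section table and reports the layout UPX leaves behind (a first section with zero raw size that the stub fills at run time, a following section of high-entropy compressed data, and the UPX* names), so a sample can be flagged for unpacking before it is loaded into x64dbg. The sample PE bytes are constructed inside the script and are not a real binary; the field offsets follow the documented PE/COFF header layout.

```python
import math
import struct
from collections import Counter

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes per entry

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(pe: bytes):
    """Yield (name, virtual_size, virtual_addr, raw_size, raw_ptr) for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(n_sections):
        fields = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", errors="replace")
        yield (name, fields[1], fields[2], fields[3], fields[4])

def upx_indicators(pe: bytes) -> dict:
    """Heuristics only: section names are trivially renamed, so layout and entropy matter most."""
    secs = list(parse_sections(pe))
    entropy = {s[0]: round(shannon_entropy(pe[s[4]:s[4] + s[3]]), 2) for s in secs if s[3]}
    return {
        "upx_names": any(s[0].startswith("UPX") for s in secs),
        # UPX0 is an empty placeholder that the stub fills with the decompressed image at run time
        "empty_first_section": bool(secs) and secs[0][3] == 0 and secs[0][1] > 0,
        "high_entropy_sections": [n for n, e in entropy.items() if e > 7.0],
        "entropy": entropy,
    }

def build_sample_pe() -> bytes:
    """Constructed minimal PE mimicking a UPX-packed layout (no optional header, not runnable)."""
    payload = bytes(range(256)) * 4                      # uniformly distributed bytes, entropy 8.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    data_off = len(dos) + len(coff) + 2 * 40             # payload starts right after the section table
    upx0 = struct.pack(SECTION_FMT, b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    upx1 = struct.pack(SECTION_FMT, b"UPX1", len(payload), 0x11000, len(payload), data_off,
                       0, 0, 0, 0, 0xE0000040)
    return dos + coff + upx0 + upx1 + payload
```

Call `upx_indicators(build_sample_pe())` to see the report for the constructed sample, or pass the bytes of a real file read with `open(path, "rb").read()`.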





PyInstaller

, . , PyInstaller — , Python . , Python . .





- . Python PyInstaller. :





def main():
    print("Hello World!")

if __name__ == '__main__':
    main()



pyInstaller



exe



:





pip install pyinstaller
pyinstaller -F hello.py  # -F (--onefile): bundle the script and the interpreter into a single exe



, , . , , , . .





, ./dist/test.exe



. pyinstallerextractor



uncompile3



:





, . exe



. test.pyc



. hiew



:





, Python. — uncompile6



.





.






"Reverse-Engineering. Basic".





« . 1».







