Morphine is primarily a wrapper/encryptor, originally designed to encrypt executables already compressed with the likes of UPX so that the original file is not detected. It uses a polymorphic engine, so no two newly encrypted executables will ever be the same. It also uses a PE loader which puts the entire source image into the .text section of the new PE file, which helps to prevent the image being dumped from memory with tools like LordPE and OllyDump. This, believe it or not, is the weakness which we will be exploiting in this tutorial.
There are already a few tutorials on the internet for unpacking Morphine, but I want to talk about methods that have not been approached before. Mainly I want to talk about inline patching, but I will also describe an extremely easy way of unpacking it completely, back to its original unpacked content, in less than a couple of minutes and without having to use a PE tool to manually correct section information. Yep! It is actually really very simple. I was also going to talk a little in depth about the way it works, but as it is no longer being developed I don't think there is much need to analyse this encryptor further.
I will be working with and referring to UnPackMe_Morphine2.7b.exe from the Tuts 4 You website throughout this tutorial.