How to learn unpacking "strong" packed binaries?

[underthevoid]

Hi there,

First of all I want to say I have worked for few years playing the role of the reverse engineering in some projects (mainly developing patches to fix bugs and extend features to non-protected binaries). I think I can say I know the very basics of reversing. That being said recently I started developing some interest in malware analysis so I took what I found to be the better approach for someone like me which is reading the book "Practical Malware Analysis".

The big frustration I'm facing now is: even knowing the basics of this field and going easily through all of the "Practical Malware Analysis" labs, I find myself completely lost on my first attempt to unpack a "real world" strongish packed binary (a binary protected with ASProtect 1.56). The tips and tricks I learned from the book can take me somewhere but whatever I do I end up feeling I was just fooled by the ASProtect. I think I managed to crack the anti-dbg tricks the binary uses (which is basically checking for the PEB::BeingDebugged flag) but I just can't find the OEP - all I have learned from the book seems useless at this point.

I'm not interested in any script or any automated way to unpack binaries. I want to become a skilled reverse engineer, but I just can't find a learning path to follow. This seems to be so overwhelming to even know what to look for at the point I'm at.

With all that I only ask this community to shed some light here: what should I look for to learn how to unpack the strongest packed binaries after reading the "Practical Malware Analysis" book? What am I missing here that it seems to be so much to handle? ANY text references, links or even kind words are very appreciated!

 

[Progman]

Automating unpacking is the future.  I understand what you mean though for specific versions of specific packers there are scripts or fixed ways to get the OEP and then fix the IAT.  Some generic ideas work on a good amount of mostly older protectors.

But for example an antivirus program is useless unless it can unpack on auto mode.  There are too many options though especially for custom protection schemes.   For example decrypting functions, one at a time on the fly before running them.  Or wrapping a packed file using yet another packer, etc.

Neural networks will start aiding with tasks like this surely in the near future.  Already they can find unknown, new malware and even find weaknesses or flaws in programs.

Not that we shouldn't still learn to defeat ASProtect manually, this is classic unpacking task.  There are many tutorials including on this site that can help in your learning journey.

[underthevoid]

4 hours ago, Progman said:

Automating unpacking is the future.  I understand what you mean though for specific versions of specific packers there are scripts or fixed ways to get the OEP and then fix the IAT.  Some generic ideas work on a good amount of mostly older protectors.

But for example an antivirus program is useless unless it can unpack on auto mode.  There are too many options though especially for custom protection schemes.   For example decrypting functions, one at a time on the fly before running them.  Or wrapping a packed file using yet another packer, etc.

Neural networks will start aiding with tasks like this surely in the near future.  Already they can find unknown, new malware and even find weaknesses or flaws in programs.

Not that we shouldn't still learn to defeat ASProtect manually, this is classic unpacking task.  There are many tutorials including on this site that can help in your learning journey.

I can see that automating the process of unpacking is the future, totally. Thing is I want to work in this field and to do so I need to know the basics.

Could you throw me some links or words so I can search in this forum that will help me on learning how to unpack ASProtect? I'm very new to this community so I'm a bit lost with so much information

Thanks in advance!

[kao]

Search for the keyword: vnekrilov  

He published a set of scripts and tutorial covering pretty much all features of Asprotect. Tutorial was machine-translated from Russian to English but it was sufficient for learning purposes.

[underthevoid]

4 hours ago, kao said:

Search for the keyword: vnekrilov  

He published a set of scripts and tutorial covering pretty much all features of Asprotect. Tutorial was machine-translated from Russian to English but it was sufficient for learning purposes.

Thanks for the information. However all the threads I found are very old and I couldn't find any working download link to the vnekrilov scripts. Do you have any idea how I can get them?

 

[akkaldama]

@underthevoidDid you try downloading from this thread, most of the links from this thread is working for me.

vnekrilov's thread

Rar file

I am not an expert in unpacking, but u may try compile your own small executable files and protect it with various protection options one at a time and analyze/compare with that original, that way you can learn what is happening with each protection options.

[underthevoid]

2 hours ago, akkaldama said:

@underthevoidDid you try downloading from this thread, most of the links from this thread is working for me.

vnekrilov's thread

Rar file

I am not an expert in unpacking, but u may try compile your own small executable files and protect it with various protection options one at a time and analyze/compare with that original, that way you can learn what is happening with each protection options.

I really appreciate your suggestion (thanks about the links too). However I think my actual problem is lack of theoretical knowledge about packing/unpacking.

I can't find any book or paper explaining the more advanced concepts needed to unpack packed binaries with protectors like Themida, VMProtect, or even ASProtect. The scripts and tutorials I found so far here at tuts4you and at other places doesn't actually explain why things are done to unpack certain binary, they just show how to unpack binaries (eg. "load the binary into olly and press f9 16 times until you reach this specific code section" - this does not explain any theory behind why that need to be done that way).

I'm able to easily crack weaker packed binaries (such as those packed with UPX for instance), but when it comes to code virtualization, code permutation and other more advanced techniques I just can't find theoretical material to study.

[deepzero]

You have to distinguish between unpacking and de-virtualization. For Unpacking you can mostly avoid full devirtualization, in fact it's common to dump and append the full VM to the unpacked file to easier circumvent antidump and other protections. This is done e.g. in some of the LCF-AT tutorials for Themida. With modern protectors you will also run into virtualization during api redirection, but here it's usually possible to trace execution and fish the wrapped API at specific locations ("press f9 16 times", etc.), thereby it's not necessary to fully defeat virtualization.

All that is of course not helpful if you are dealing with properly configured protections and need to devirtualize the code, period.

As others suggested, vnekrilov is good for this. The AsProtect VM is one of the early ones, and as such very basic and therefore suitable for getting into devirtualization. There is almost no obfuscation on the AsPro VM itself and it only virtualizes a small subset of instructions, so you frequently enter and exit the vm, which gives you good opportunity to trace and understand it. What's more opcodes are static ... and documented by vnekrilov. His tutorials are compiled in a big pdf somewhere - go find that.

Additionally I can recommend my old Arteam release on unpacking Private Exe Protector v4, which includes dealing with a variety of modern protections, that were implemented in a somewhat basic way by PEP (again, therefore it's easy to understand and get into it). Disclaimer - I wrote it. (uff - accessroot.com is down, what a loss, and i cant find it a tuts4you either)

More generally, you will want to google for "devirtualization" rather than unpacking, which should bring up a lot more results. I can recommend rolfs papers and blog articles (https://www.msreverseengineering.com/blog) or the more recent project which features a direct attack on VMprotect (not sure how far they got yet ... havnt checked in a while - https://github.com/vtil-project/VTIL-Core).

Good luck.

[deepzero]

pekill ASProtect 2.xx eng.pdfthis also contains a description of the aspro vm, and lists its static opcodes.

edit: i also reuploaed my pep tutorial: https://forum.tuts4you.com/files/file/2155-private-exe-protector-v3-unpacking-by-deepzero/

 

Edited October 19, 2020 by deepzero

[underthevoid]

@deepzero thank you very much for the explanations friend. I really appreciate that! I'll google hunt each and every word that you just said