Using the Universal PE Unpacker Plug-in included in IDA Pro

4.9 to unpack compressed executables. DataRescue 2005

Since version 4.9, IDA Pro comes with an Universal PE Unpacker plug-in, whose source
coe is availa!le in the IDA Pro SD". #his tutorial will show how to use this plug-in in practice
an will !rie$l% escri!e how it works internall%.
he compressed application.
&ere is what appear on our screen i$ we e'ecute the sample program(
)uite innocent* &owever, i$ we open this e'ecuta!le in IDA Pro, the $ollowing warning appears(
IDA etects an unusual imports segment, an tells us the $ile might !e packe...
IDA Pro 4.9 Unpacking Tutorial 1
&ere is what we o!serve i$ we have a look at the Imports winow(
+ur program onl% imports three $unctions $rom "E,-E./0.D... 1e can recogni2e the usual
LoadLibrary() an GetProcAddress() %namic-link li!rar% $unctions, which will !e more than
pro!a!l% use !% the unpacker engine to restore the original e'ecuta!le3s imports.
Using the Universal PE Unpacker plugin.
.et3s now start the unpacker through the Plug-ins su!-menu(
IDA Pro 4.9 Unpacking Tutorial 2
#he plug-in options ialog appears(
In this ialog, we can a4ust the aress range which, once reache, will cause the e!ugger to
suspen the program3s e'ecution. It is also possi!le to speci$% a $ile where unpacke resources will
!e save. A$ter pressing +", the plug-in starts our program, which will unpack itsel$ until an
aress insie the previousl% e$ine range is reache. #his inicates the unpacking is terminate,
an the $ollowing ialog !o' appears, o$$ering to take a memor% snapshot o$ the result(
-ote that two !reakpoints were reache uring the unpacking( we3ll sa% more on these later.
IDA Pro 4.9 Unpacking Tutorial 3
In orer to re!uil original import section o$ the program, the plug-in create a new segment.
IDA Pro 4.9 Unpacking Tutorial 4
+nce unpacke, we now recogni2e the more t%pical structure o$ the start56 $unction(
&owever, let3s tr% to improve this again in orer to o!tain the nicest isassem!l% possi!le*
IDA Pro 4.9 Unpacking Tutorial 5
Appl!ing signatures.
I$ we look at the strings $oun a$ter the program was unpacke, we see that our program was
compile !% the 7isual 899 compiler. .et3s appl% the associate :.I,# li!rar% signatures(
#he $inal isassem!l% listing looks like this(
;uch !etter, isn3t it<
IDA Pro 4.9 Unpacking Tutorial 6
"ehind the scene.
.et3s now have some eeper look at how the SD" e!ugger API $unctions were use to implement
this unpacking in practice.
#he main iea is to start the process, then react in an ae=uate wa% to various events caught !% the
e!ugger, until we etermine the program was properl% unpacke. So we $irst setup a hanler to
receive e!ugger events an to start the process until its entr% point(
Events will !e sent to our noti$ication hanler, e$ine as $ollow(
IDA Pro 4.9 Unpacking Tutorial 7
if ( !hook_to_notification_point(HT_DBG, callback, NULL) )
{
warning("o!l" not hook to notification point#n")$
return$
%
&& L't() )tart th' "'b!gg'r
if ( !r!n_to(inf*b'gin+,) )
{
warning("-orr., co!l" not )tart th' proc'))")$
!nhook_fro/_notification_point(HT_DBG, callback, NULL)$
%
static int i"aapi callback(void 0 &0!)'r_"ata0&,
int notification_co"',
va_list 1a)
{
switch ( notification_co"' )
{
case "bg_proc'))_)tart2
***
case "bg_librar._loa"2
***
case "bg_r!n_to2
***
case "bg_bpt2
***
case "bg_trac'2
***
case "bg_proc'))_'3it2
***
***
%
return 4$
%
1hen we start our process through a call to run_to(), we will receive a corresponing dbg_run_to
event, inicating the run_to() comman was properl% e'ecute. 1e are now at the entr% point o$ the
packe program, an setup a !reakpoint on the GetProcAddress() %namic-link li!rar% $unction
5assuming the unpacking engine has terminate its work !e$ore recreating the original import ta!le
o$ the original application6(
1hen our GetProcAddress() !reakpoint is reache, we receive a dbg_bpt event. 1e can e'tract the
return aress $rom the stack, elete this $irst !reakpoint, an setup a secon !reakpoint at the
return aress in orer to get noti$ie as soon as the GetProcAddress() $unction returns(
IDA Pro 4.9 Unpacking Tutorial 8
case "bg_r!n_to2 && 5ara/'t'r)2 thr'a"_i"_t ti"
"bg67)topp'"_at_"'b!g_'1'nt(tr!')$
gpa 8 g't_na/'_'a(B,D,DD9, "k'rn'l:;_G't5roc,""r'))")$
***
else if( !a""_bpt(gpa) )
{
bring_"'b!gg'r_to_front()$
warning("-orr., can not )'t bpt to k'rn'l:;*G't5roc,""r'))")$
goto <=9+_-T=5$
%
else
{
>>)tag'$
)'t_wait_bo3("?aiting for a call to G't5roc,""r'))()")$
%
contin!'_proc'))()$
break$
case "bg_bpt2 && , !)'r "'fin'" br'akpoint wa) r'ach'"*
&& 5ara/'t'r)2 thr'a"_i"_t ti"
&& 'a_t br'akpoint_'a
{
&0ti"_t ti" 80& 1a_arg(1a, ti"_t)$
'a_t 'a 8 1a_arg(1a, 'a_t)$
***
if ( 'a 88 gpa )
{
r'g1al_t r1$
if ( g't_r'g_1al("')p", @r1) )
{
'a_t ')p 8 r1*i1al$
in1ali"at'_"bg/'/_cont'nt)(')p, A4;B)$
'a_t r't 8 g't_long(')p)$
***
if ( !"'l_bpt(gpa) CC !a""_bpt(r't) )
'rror("an not /o"if. br'akpoint")$
Do %ou remem!er the two !reakpoint messages we saw uring the unpacking, occurring at
aresses >'?8@>A80@ an >'>>>4>8A@D< #he $irst one was our GetProcAddress() !reakpoint,
while the secon one was our !reakpoint at the return aress. In the $ollowing isassem!l%, %ou
can see the call leaing to our GetProcAddress() !reakpoint. 1e now onl% have to e'ecute
instructions until the unpacking engine restores the program3s original register contents an then
4umps to the real entr% point o$ the unpacke program(
IDA Pro 4.9 Unpacking Tutorial 9
Step tracing is !% $ar the easiest wa% to e'ecute instructions until we reach an aress in the
previousl% e$ine range. So let3s ena!le step tracing as soon as we reach our secon !reakpoint(
At each instruction step, we now check i$ the aress matches the previousl% e$ine range. I$ we
reache this range, we stop to trace, reanal%2e the unpacke coe, a4ust the entr% point, re!uil the
import ta!le, save resources, an... $inall% take a snapshot*
#he user has o!taine a memor% ump o$ the process in his IDA ata!ase, allowing him to start
anal%2ing the unpacke coe as usual.
Don3t hesitate to $urther look at the source coe in the SD", $or all implementation etails*
IDA Pro 4.9 Unpacking Tutorial 10
"'l_bpt('a)$
if ( !i)_librar._'ntr.('a) )
{
"'b(DD,_D+BUG_5LUGDN, "Ea2 r'ach'" !npack'r co"', )witching to trac' /o"'#n",
'a)$
'nabl'_)t'p_trac'(tr!')$
***
)'t_wait_bo3("?aiting for th' !npack'r to fini)h")$
%
else
{
warning("Ea2 bpt in librar. co"'", 'a)$ && how can it b'F
a""_bpt(gpa)$
%
case "bg_trac'2 && , )t'p occ!r'" (on' in)tr!ction wa) '3'c!t'")* Thi) '1'nt
&& notification i) onl. g'n'rat'" if )t'p tracing i) 'nabl'"*
&& 5ara/'t'r2 non'
**
&0ti"_t ti" 80& 1a_arg(1a, ti"_t)$
'a_t ip 8 1a_arg(1a, 'a_t)$
if ( o'p_ar'a*contain)(ip) )
{
&& )top th' trac' /o"'
'nabl'_)t'p_trac'(fal)')$
&& r'anal.G' th' !npack'" co"'
)'t_wait_bo3("9'anal.Ging th' !npack'" co"'")$
"o_!nknown_rang'(o'p_ar'a*)tart+,, o'p_ar'a*'n"+,, fal)')$
a!to_/ak'_co"'(ip)$
noU)'"(o'p_ar'a*)tart+,, o'p_ar'a*'n"+,)$
a!to_/ark_rang'(o'p_ar'a*)tart+,, o'p_ar'a*'n"+,, ,U_<DN,L)$
&& /ark th' progra/() 'ntr. point
/o1'_'ntr.(ip)$
)'t_wait_bo3()$
***
)'t_wait_bo3("9'cr'ating th' i/port tabl'")$
in1ali"at'_"bg/'/_config()$
***
cr'at'_i/p"ir()$
)'t_wait_bo3("-toring r')o!rc') to (r')o!rc'*r')(")$
if ( r')fil'H4I !8 (#4( )
'3tract_r')o!rc'(r')fil')$
)'t_wait_bo3()$
if ( tak'_/'/or._)nap)hot(tr!') )
goto <=9+_-T=5$
#his tutorial is Data,escue SAB-7 0>>C
,evision D.D
Data,escue SAB-7
4> El Piercot
4>>> .iFge, Eelgium
#( 9/0-4-/44ACD> :( 9/0-4-/44ACD4
IDA Pro 4.9 Unpacking Tutorial 11