Log in

View Full Version : Write your Own Unpacker


AmrThabet
August 6th, 2010, 18:10
Introduction

The Packers ... The packers are just tools try to encrypt a program to make it hard to be reversed . this tools used

many as anti-crack and more in worms and viruses . Reversing the packer is a waste of time and not a good strategy.

so there's the solution.
you can with only 10 line create an unpacker for these types of packers and maybe create a tool that unpack most of

known packers
you can create this unpacker easily with Pokas x86 Emulator
Pokas x86 Emulator

many generic unpackers appeared but no one of them so easy to be used and so customizable but this tool is maybe

the best tool in unpacking field
right now as it very easy to use and very easy to be customized and open source.now you will ask me
what's the meaning of Emulator?

Emulator is a program that simulate the processor and memory. do what they do .. diassembles an instruction and

runs it in virtual registers and memory.
these prorams doesn't run without stop but they stop by a breakpoint you added it in the debugger that included in

the emulator.
This breakpoint should stop the emulator at the OEP (the original entry point)

so what's Pokas x86 Emulator?

Pokas x86 Emulator is an Application-Only emulator created for generic unpacking and testing the antivirus

detection algorithms.
This Emulator has many features some of them are:
1. Has an assembler and a disassembler from and to mnemonics.
2. Support adding new APIs and adding the emulation function to them.
3. Support a very powerful debugger that has a parser that parses the condition you give and create a very fast

native code that perform the check on this condition.
4. Support seh and support tib, teb, peb and peb_ldr_data.
5. It monitors all the memory writes and log up to 10 previous Eips and saves the last accessed and the last

modified place in memory.
6. it support 6 APIs:GetModuleHandleA, LoadLibrayA, GetProcAddress, VirtualAlloc, VirtualFree and VirtualProtect.
7. With all of these it's FREE and open source.
It successfully emulates:
1. UPX
2. FSG
3. MEW
4. Aspack
5. PECompact
6. Morphine

How can I get Pokas x86 Emulator?

you can get the emulator from this link below:
http://www.sourceforge.net/projects/x86emu/
you will find a good documentation of everything in the emulator
Why I should program an Unpacker ?

some people who love the challenges will ask why I should program an unpacker even it's only near 10 lines code

with this emulator?
I want to say that coding the unpacker is the last step you should do
first you should begin with reversing and finding the all anti-unpackers tricks
then you should find the suitable breakpoint that bypass all the packer defences and then begin converting all

these into code
The Emulator Design

I don't want to dig into the emulator but I think this

2326

Now I will describe the emulator components and classes that's in the uml figure
System: This is the Emulated Operating System and Cpu .This class is used for disassembling and emulating assembly

instructions and APIs. It also has the ability to assemble and disassemble any instruction from or to mnemonics for

easy to debug or fix any error and also it could be used in any application as a separate component.
Process: This class is the emulated application. This class is the real emulator as it calls the system functions

to emulate, calls the debugger for checking the breakpoints , manage the threads and handle the exceptions (if SEH

is enabled) .
It also manages the virtual memory and creates the PEB structure.
Thread: This class contains all variables that we need to emulate with. It contains the registers, Eip and EFlags

and fs segment. It doesn't have the debug registers (because no need for it) and all segments except fs. It also

creates the TEB structure and handle the SEH.
Virtual Memory: this class is used to emulate the memory. It doesn't support pages but it simply adds a pointer and

the equivalent virtual pointer and the size of that buffer.
It also monitors the memory writes and detects the invalid pointers and the writing on a read only page.
It also supports VirtualProtect API.
Stack: it's a small class used to push or pop a value from or to the stack and saves the top and bottom of stack in

two variables but it doesn't support resizing.
Debugger: this class is used for adding the stop condition for the emulator. It takes a condition in a string

format (ex: "eip==0x4001000 && ecx>=100" and this condition is checked with every instruction emulated by emulate

or emulatecommand functions.
The feature of this debugger that it doesn't decrease the performance as it parse the string and convert it into

assembly and then convert it by the assembler into a native code to be run in every check on this breakpoint.
PE: this not a class it's a library that contains separate function for working with the PE executables
It contains two functions:
1. PELoader : this function loads a PE file into memory
2. PEDump : this function dumps a PE file from memory to the disk with a given
entrypoint and set the import directory to zero.
Using The Emulator

Don't worry if you don't understand many of the description above. you will see that the usage of this emulator is

very simple:

1.Initialize your Emulated OS and Cpu
2.Manage the dlls and Apis
3.Emulate the undefined Apis
4.Adding the Stop Condition
5.Emulate your Process
6.Handle the Unhandled Exceptions
7.Waiting for your Breakpoints to be triggered
8.Dump your Process to a File
Let's see an Example:
#
Code:
include <cstdlib>
#include <iostream>
#include "x86emu.h"
using namespace std;

int main() {
//First we will create the Environment Variables
//the Environment Variables is just some parameters or setting will be passed to the System

EnviromentVariables* vars= (EnviromentVariables*)malloc(sizeof(EnviromentVariables));
memset( vars,0,sizeof(EnviromentVariables));

//this variable should be adjusted to make the system perform well. this path is the path to the folder that

contain
//the important dlls which are ("kernel32.dll","ntdll.dll","user32.dll"

vars->dllspath="C:\\Windows\\System32\\";

//here we will set the Imagebase of the kernel32.dll and user32.dll

vars->kernel32=(dword)GetModuleHandleA("kernel32.dll";
vars->user32=(dword)LoadLibraryA("user32.dll";

//there's other variables but we can ignore the right now

//now we will create the new system

System* sys=new System(vars);
define_dll("gdi32.dll",vars->dllspath,0x75DE0000);

//now We Will create a new Process
Process* c;
try{
c=new Process(sys,"upx.exe"; //process take two parameters system & the program filename
}catch(int x){
cout << "Error : File name not found\n";
};
//Adding new breakpoint is an easy task

c->debugger->AddBp("__isdirty(eip)";
//there's two commands to emulate c->emulate() & c->emulatecommand() but emulatecommand(int)
int x=c->emulate();//*/
if (x!=EXP_BREAKPOINT){ //there are other exceptions like invalid pointer and so on return an error

for them
cout << "Error = " << x << "\n";
}else{
//Dump the PE file here

PEDump(c->GetThread(0)->Eip,c,"test.exe";
}

The Debugger Breakpoints :

Int3 Breakpoint or Hardware on Execution :

"Eip ==0x00401000"
Memory on Access or Write:

"__lastaccessed()==0x00401000"
"__lastmodified()==0x00401000"
Execution on Modified Data :

"__isdirty(eip)"
In .text section only:

"__isdirty(eip) && eip>=0x401000 && eip <=0x405000"
Anti-unpackers trick : write "ret" on the real OEP and calls to it :

"__isdirty(eip) && ( __ read(eip) & 0xff ) !=0xC3)"
API Hooking :

"__isapi()"
"__isapiequal('Getprocaddress')" // not case sensitive in the api name
Executing The Code:

For Compiling the program I usually use Dev-cpp and gcc but I think VC++ will not make any problem I think
what are the files I need ?

you will need x86emu.dll and
x86emu.a (you must add it to the linker from project options->parameters->add library or object)
and some header files included in x86emu-bin.zip
After Execution

after execution you will see a program named test.exe that should be the unpacked application. if it doesn't run

change the compatibility
from right click->properties->compatibility-> and change the windows version and it should run correctly Still have

a problem

you can get more information on solving the problem by reading the emulator documentations in x86emu-doc.zip and

email me with any problem
amr.thabet[at]student.alx.edu.eg
To be Continued

In the next article we will expose the features of this emulator and we will also cover the whole steps to write an

unpacker including reversing,
analysing and programming
this is an a screenshot of an example we will talk about in the next article and included in the examples (attached
2325
with the article)

hope you like this emulator and the whole article see you soon in the next article
Points of Interest

For me I love Programming very much. I always want to know about all technologies how it created and how I can

create the same
from this I begin digging into the processor and windows internals . all people learn the high level languages and

me learn the lowest level
I try to know how these high level programming language works and how windows works
I begin digging and digging untill now and still I didn't reach the bottom but I'll always try ...
About The Author

I'm Amr Thabet from Egypt
I'm a student at Alexandria University Fuculty of Engineering Mechanical Department
I love programming ,3D and Digital painting and have only one hate is Mechanics
The university didn't give me choices so I enter Mech and I'll not surrender and I'll continue
in programming field untill the end
I love friends and love to add new friends
if you interested about me and mail me I'll add you with pleasure
that's my mail:
amr.thabet[at]student.alx.edu.eg gmail account
Have a nice day