»Unpacking for Dummies«
2018-10-17, 13:30–17:30, Schengen

Most malwares are packed, that is a sad reality. Packing is a common method the hide a PE payload inside another PE payload in order to slow down reverse analysis and fool antiviruses. Some packing are simple but others, virtual machine based, full of anti-debugger, may be a real nightmare. One may only dump the final running payload, but for dynamic analysis, it is a real advantage to unpack cleanly the final payload. Reverser need to master this skill. We propose a workshop to learn how to unpack.

Workshop detail We will propose a 4h Workshop and we are open to repeat it multiple time during the hack.lu event. In the workshop, we aim to learn to the public how packers usually works to hide the original payload. We will learn tricks used by reverse engineers to unpack samples and dumps protected executables. Between each formal "lessons" slides, we will have hand on practice to unpack real malwares. We will show where breaking and what looking for in order to dump the real payload.

We will try to cover and explain; • How packer usually works. • Packer types (On stack, Process hollowing, thread injection). • Payload unpacking by known plaintext attack. • How to identify known packers. • Unpacking Simple things, UPX, Petite, break based on the stack. • How packer hides API call using loadlibrary/getprocaddress obfuscated access. • Dumping a PE and fixing Entry point and IAT table. • Unpacking PE using the RUNPE process hollowing technique. • Unpacking .NET Payloads (agent Testla, autolog) (unpacking and Cleanup) • Writing a simple .NET string decryptor.

Public targeted Ideally, we need a public having little knowledge in x86 assembly who could play with simple crackme. We will quickly re-explain all fundamentals required knowledge needed.

Our qualifications to perform this workshop. Due to our work and hobbies, we have the mandatory skills and the will to share on this topic. Paul has already done many blogpost [REF_A] and security challenges around packing [REF_B].

References REF_A 1. http://thanat0s.trollprod.org/2013/12/packer-sans-ta-mere-level-ii-prerequis-i-viewoffile/ 2. http://thanat0s.trollprod.org/2014/05/packer-sans-ta-mere-level-ii-prerequis-ii-le-peb/ 3. http://thanat0s.trollprod.org/2014/05/packer-sans-ta-mere-level-ii-prerequis-iii-loaderdata/ 4. http://thanat0s.trollprod.org/2014/02/depacking-sans-ida-vive-les-strings/ REF_B 1. https://www.root-me.org/fr/Challenges/Cracking/PE-RunPE 2. https://www.root-me.org/fr/Challenges/Cracking/ELF-VM