Using the Universal PE Unpacker Plug-in included in IDA Pro 4.9 to unpack compressed executables.
© DataRescue 2005
Since version 4.9, IDA Pro comes with a Universal PE Unpacker plug-in, whose source
code is available in the IDA Pro SDK. This tutorial shows how to use this plug-in in practice
and briefly describes how it works internally.
The compressed application.
Here is what appears on our screen if we execute the sample program:
Quite innocent! However, if we open this executable in IDA Pro, the following warning appears:
IDA detects an unusual imports segment, and tells us the file might be packed...
IDA Pro 4.9 Unpacking Tutorial 1
Here is what we observe if we have a look at the Imports window:
Our program only imports three functions from KERNEL32.DLL. We can recognize the usual
LoadLibrary() and GetProcAddress() dynamic-link library functions, which will most probably be
used by the unpacker engine to restore the original executable's imports.
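The check behind that warning can be reproduced from the file on disk. The following Python is an added example, not part of DataRescue's tutorial or the IDA SDK: it walks the import directory of a PE image and flags one whose import table has shrunk to little more than LoadLibrary and GetProcAddress. The image is constructed in memory by build_min_pe (a hypothetical helper that puts the section's RVA at its raw offset) so the script runs offline; the threshold in looks_packed is an assumption.

```python
import struct
SAMPLE_IMPORTS = {"KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress", "ExitProcess"]}  # constructed

def build_min_pe(imports):  # constructed PE32: one section holding only an import directory
    base, desc, blob = 0x200, bytearray(), bytearray()   # section RVA == raw offset, for brevity
    data_rva = base + 20 * (len(imports) + 1)             # names and thunks follow the descriptors
    for dll, funcs in imports.items():
        name_rva, hint_rvas = data_rva + len(blob), []
        blob += dll.encode() + b"\0"
        for f in funcs:                                   # IMAGE_IMPORT_BY_NAME: hint, name, NUL
            hint_rvas.append(data_rva + len(blob))
            blob += struct.pack("<H", 0) + f.encode() + b"\0"
        ilt_rva = data_rva + len(blob)                    # NUL-terminated thunk array
        blob += b"".join(struct.pack("<I", r) for r in hint_rvas) + b"\0" * 4
        desc += struct.pack("<5I", ilt_rva, 0, 0, name_rva, ilt_rva)  # IAT aliases the ILT here
    section = bytes(desc + b"\0" * 20 + blob)
    dirs = [(0, 0), (base, len(desc) + 20)] + [(0, 0)] * 14   # data directory 1 = import table
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = struct.pack("<8s6IHHI", b".idata\0\0", len(section), base, len(section), base, 0, 0, 0, 0, 0xC0000040)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec
    return hdr + b"\0" * (base - len(hdr)) + section

def parse_imports(pe):  # walk the import directory of a PE32/PE32+ file -> {dll: [function, ...]}
    opt = struct.unpack_from("<I", pe, 0x3C)[0] + 24      # e_lfanew + signature + COFF header
    if pe[:2] != b"MZ" or pe[opt - 24:opt - 20] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", pe, opt - 20)
    dir_off = opt + (96 if struct.unpack_from("<H", pe, opt)[0] == 0x10B else 112)  # PE32 / PE32+
    imp_rva = struct.unpack_from("<I", pe, dir_off + 8)[0]
    secs = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def rva2off(rva):                                     # map an RVA through the section table
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError(f"RVA {rva:#x} is not backed by any section")
    cstr = lambda off: pe[off:pe.index(b"\0", off)].decode("ascii", "replace")
    result, d = {}, rva2off(imp_rva)
    while (name_rva := struct.unpack_from("<I", pe, d + 12)[0]) != 0:  # descriptor Name field
        ilt, iat = struct.unpack_from("<I", pe, d)[0], struct.unpack_from("<I", pe, d + 16)[0]
        funcs, t = [], rva2off(ilt or iat)                # prefer the ILT, fall back to the IAT
        while (entry := struct.unpack_from("<I", pe, t)[0]) != 0:
            funcs.append(f"#{entry & 0xFFFF}" if entry & 0x80000000 else cstr(rva2off(entry) + 2))
            t += 4
        result[cstr(rva2off(name_rva))], d = funcs, d + 20
    return result

def looks_packed(imports):  # heuristic behind the "file might be packed" warning (threshold assumed)
    names = {f for fs in imports.values() for f in fs}
    return len(names) <= 5 and "GetProcAddress" in names and any(n.startswith("LoadLibrary") for n in names)
```

Running parse_imports(build_min_pe(SAMPLE_IMPORTS)) yields the three KERNEL32 entries seen in the Imports window, and looks_packed reports them as a packer-style import table.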
Using the Universal PE Unpacker plugin.
Let's now start the unpacker through the Plug-ins sub-menu:
The plug-in options dialog appears:
In this dialog, we can adjust the address range which, once reached, will cause the debugger to
suspend the program's execution. It is also possible to specify a file where unpacked resources will
be saved. After pressing OK, the plug-in starts our program, which will unpack itself until an
address inside the previously defined range is reached. This indicates that the unpacking has finished,
and the following dialog box appears, offering to take a memory snapshot of the result:
Note that two breakpoints were reached during the unpacking: we'll say more on these later.
In order to rebuild the original import section of the program, the plug-in created a new segment.
Once unpacked, we now recognize the more typical structure of the start() function:
However, let's try to improve this again in order to obtain the nicest disassembly possible!