============================================================
  Unpacking Packed Executables
============================================================

  Unpack compressed, encrypted, or obfuscated executables to reveal the original code. Covers automated and manual techniques.

  Related FOR610 Labs: 4.1, 4.2, 4.3, 5.3, 5.8, 5.10

────────────────────────────────────────────────────────────

  Step 1: Packing Identification
  Tools: diec, peframe
  Identify packer: DIE detects UPX, ASPack, PECompact,
  Themida, etc. Check entropy (>7.0 suggests packing).
  Look for: few imports, unusual section names (.UPX,
  .packed).

    $ diec specimen.exe
    $ peframe specimen.exe
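  Added example (not part of this cheatsheet or of diec/peframe): a stdlib-only
  Python script that applies two of the Step 1 heuristics, per-section entropy
  above 7.0 and packer-style section names, to a PE file. The packer name list
  and the two sample PE skeletons are constructed for the demo; the import-count
  check is left out, since it needs the import directory walk.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names the page lists plus UPX's stock names; an assumed, non-exhaustive list.
PACKER_SECTION_NAMES = {".UPX", ".packed", "UPX0", "UPX1", "UPX2"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def section_table(pe: bytes) -> list:
    """Return (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    rows = [struct.unpack_from("<8sIIII", pe, table + i * 40) for i in range(num_sections)]
    return [(n.rstrip(b"\0").decode("ascii", "replace"), *rest) for n, *rest in rows]

def packing_indicators(pe: bytes, threshold: float = 7.0) -> dict:
    """Step 1 heuristics: per-section entropy above threshold and known packer section names."""
    findings = []
    for name, _vsize, _va, rawsize, rawptr in section_table(pe):
        ent = shannon_entropy(pe[rawptr:rawptr + rawsize])
        if ent > threshold:
            findings.append(f"{name}: entropy {ent:.2f} > {threshold}")
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{name}: known packer section name")
    return {"likely_packed": bool(findings), "findings": findings}

def build_sample_pe(packed: bool) -> bytes:
    """Constructed, non-loadable PE skeleton (no optional header) used only as sample input."""
    text = b"int main(void) { return 0; }\n" * 140                              # low-entropy bytes
    rand = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB, ~7.95 bits/byte
    hdr_len = 0x40 + 4 + 20 + 2 * 40
    def sec(name, vsize, va, rawsize, rawptr):
        return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    if packed:  # UPX layout: empty UPX0 receives the unpacked image, UPX1 holds the compressed blob
        sections = sec(b"UPX0", 0x20000, 0x1000, 0, 0) + sec(b"UPX1", len(rand), 0x21000, len(rand), hdr_len)
        body = rand
    else:
        sections = sec(b".text", len(text), 0x1000, len(text), hdr_len) + sec(b".data", 256, 0x2000, 256, hdr_len + len(text))
        body = text + b"\0" * 256
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # i386, 2 sections, no optional header
    return dos + b"PE\0\0" + coff + sections + body
```

  Run `packing_indicators(open("specimen.exe", "rb").read())` on a real sample;
  a high-entropy section alone can also mean embedded compressed resources, so
  treat it as a prompt for Step 2, not proof of packing.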

  Step 2: Automated Unpacking
  Tools: upx, de4dot
  Try known unpackers first. UPX: upx -d <sample>. .NET:
  de4dot <sample>. If automated unpacking fails
  (modified packer), proceed to manual.

    $ upx -d packed.exe
    $ de4dot obfuscated.exe

  Step 3: Emulation-Based Unpacking
  Tools: speakeasy, qiling
  Emulate execution to let the unpacker run. Speakeasy
  and Qiling can trace API calls during unpacking
  without a debugger. Look for VirtualAlloc followed by
  memcpy patterns.

    $ speakeasy -t specimen.exe -o report.json 2> report.txt
    $ python3 -c "from qiling import Qiling; ql = Qiling(['<sample>'], '/path/to/rootfs')"

  Step 4: Debugger-Based Unpacking [W]
  Tools: x64dbg, x32dbg
  Set breakpoints on: VirtualAlloc/VirtualProtect
  (memory allocation), tail JMP to OEP (end of
  unpacker), or stack breakpoint (ESP trick). Step to
  OEP.

    $ x64dbg.exe specimen.exe
    $ x32dbg.exe specimen.exe

  Step 5: Anti-Debug Bypass [W]
  Tools: scyllahide
  If malware detects debugger: enable ScyllaHide.
  Handles IsDebuggerPresent, NtQueryInformationProcess,
  timing checks.

    $ Plugins > ScyllaHide > Options > Enable all

  Step 6: Memory Dumping [W]
  Tools: ollydumpex, scylla
  At OEP: dump process with OllyDumpEx. Fix IAT with
  Scylla (IAT Autosearch → Get Imports → Fix Dump).

    $ Plugins > OllyDumpEx > Dump process
    $ Scylla x64 > Attach to process > Dump > IAT Autosearch > Fix Dump

  Step 7: PE Fixup [W]
  Tools: pe-unmapper
  If dump has virtual alignment: pe_unmapper /in <dump>
  /base 400000 /out <fixed>. Only needed if sections
  have wrong raw sizes.

    $ pe_unmapper /in dumped.exe /base 400000 /out fixed.exe

  Step 8: Verification
  Tools: strings, peframe, capa
  Verify: strings are now visible, imports are
  reasonable, capa detects capabilities. If good, route
  to Static Analysis Workflow for full analysis.

    $ strings specimen.exe
    $ peframe specimen.exe
    $ capa specimen.exe

────────────────────────────────────────────────────────────
  Tip: 'fhelp cheat <tool>' for full examples
       'Ctrl+G' for interactive cheatsheet browser
