# Unpacking Packed Executables

> Unpack compressed, encrypted, or obfuscated executables to reveal the original code. Covers automated and manual techniques.

**FOR610 Labs:** 4.1, 4.2, 4.3, 5.3, 5.8, 5.10

## Steps

### Step 1: Packing Identification

**Tools:** [[tools/diec|diec]], [[tools/peframe|peframe]]

Identify the packer: DIE detects UPX, ASPack, PECompact, Themida, etc. Check entropy (>7.0 suggests packing). Look for few imports and unusual section names (.UPX, .packed).

```bash
diec specimen.exe
peframe specimen.exe
```

### Step 2: Automated Unpacking

**Tools:** [[tools/upx|upx]], [[tools/de4dot|de4dot]]

Try known unpackers first. UPX: `upx -d`. .NET: `de4dot`. If automated unpacking fails (modified packer), proceed to manual unpacking.

```bash
upx -d packed.exe
de4dot obfuscated.exe
```

### Step 3: Emulation-Based Unpacking

**Tools:** [[tools/speakeasy|speakeasy]], [[tools/qiling|qiling]]

Emulate execution to let the unpacker run. Speakeasy and Qiling can trace API calls during unpacking without a debugger. Look for VirtualAlloc followed by memcpy patterns.

```bash
speakeasy -t specimen.exe -o report.json 2> report.txt
# Qiling needs the specimen path inside the rootfs and an explicit run() to start emulation
python3 -c "from qiling import Qiling; ql = Qiling(['/path/to/rootfs/specimen.exe'], '/path/to/rootfs'); ql.run()"
```

### Step 4: Debugger-Based Unpacking [W]

**Tools:** [[tools/x64dbg|x64dbg]], [[tools/x32dbg|x32dbg]]

Set breakpoints on VirtualAlloc/VirtualProtect (memory allocation), the tail JMP to the OEP (end of the unpacker stub), or a stack breakpoint (ESP trick). Step to the OEP.

### Step 5: Anti-Debug Bypass [W]

**Tools:** [[tools/scyllahide|scyllahide]]

If the malware detects the debugger, enable ScyllaHide. It handles IsDebuggerPresent, NtQueryInformationProcess, and timing checks.

### Step 6: Memory Dumping [W]

**Tools:** [[tools/ollydumpex|ollydumpex]], [[tools/scylla|scylla]]

At the OEP, dump the process with OllyDumpEx. Fix the IAT with Scylla (IAT Autosearch → Get Imports → Fix Dump).

### Step 7: PE Fixup [W]

**Tools:** [[tools/pe-unmapper|pe-unmapper]]

If the dump has virtual alignment: `pe_unmapper /in /base 400000 /out`. Only needed if sections have wrong raw sizes.

### Step 8: Verification

**Tools:** [[tools/strings|strings]], [[tools/peframe|peframe]], [[tools/capa|capa]]

Verify that strings are now visible, imports are reasonable, and capa detects capabilities. If the result looks good, route to the Static Analysis Workflow for full analysis.

```bash
strings binary.exe
peframe specimen.exe
capa specimen.exe
```

#unpacking #packing #iat #memory-dump #oep #workflow
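The Step 1 heuristics (section entropy above 7.0, packer-style section names) as an added Python example; this is not code from the page's tools or from FOR610. It walks a PE section table with only the standard library; the packer name list and the constructed single-section PE blobs are assumptions for the demo, and the import-count check is left to diec/peframe.

```python
import math
import struct
from collections import Counter

# Section names commonly left behind by packers (assumed, non-exhaustive list).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX", b".packed", b".aspack", b".adata"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def pe_sections(blob: bytes):
    """Walk the PE section table and yield (name, raw_bytes) for each section."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt                  # first IMAGE_SECTION_HEADER (40 bytes each)
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        yield name.rstrip(b"\0"), blob[raw_ptr:raw_ptr + raw_size]

def packing_indicators(blob: bytes) -> dict:
    """Step 1 heuristics: any section with entropy > 7.0 or a packer-style name."""
    sections = [(name, shannon_entropy(data)) for name, data in pe_sections(blob)]
    high = [n for n, e in sections if e > 7.0]
    odd = [n for n, _ in sections if n in PACKER_SECTION_NAMES]
    return {"sections": sections, "high_entropy": high, "packer_names": odd,
            "likely_packed": bool(high or odd)}

def build_sample_pe(section_name: bytes, payload: bytes) -> bytes:
    """Constructed single-section PE blob: just enough header for pe_sections() to parse."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)   # 1 section, no optional header
    raw_ptr = e_lfanew + 4 + 20 + 40                               # data follows the section header
    sect = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"), len(payload),
                       0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + sect + payload

if __name__ == "__main__":
    packed = build_sample_pe(b"UPX1", bytes(range(256)) * 16)        # uniform bytes: entropy 8.0
    plain = build_sample_pe(b".text", b"\x55\x8b\xec\x90" * 1024)    # four repeating opcodes: 2.0
    for label, blob in (("packed", packed), ("plain", plain)):
        print(label, packing_indicators(blob))
```

To run it against a real dump, pass `open("specimen.exe", "rb").read()` to `packing_indicators()`; a section that scores high here is the one to watch while stepping to the OEP later in the workflow.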