============================================================
Unpacking Packed Executables
============================================================
Unpack compressed, encrypted, or obfuscated executables to reveal the original code.
Covers automated and manual techniques.
Related FOR610 Labs: 4.1, 4.2, 4.3, 5.3, 5.8, 5.10
────────────────────────────────────────────────────────────
Step 1: Packing Identification
Tools: diec, peframe
Identify the packer: DIE detects UPX, ASPack, PECompact, Themida, etc.
Check entropy: >7.0 for a section or the whole file suggests compressed or encrypted content.
Look for: few imports (a packer stub often needs little more than LoadLibraryA/GetProcAddress),
unusual section names (UPX0/UPX1, .packed), and a large high-entropy section with little readable code.
$ diec specimen.exe
$ peframe specimen.exe

Step 2: Automated Unpacking
Tools: upx, de4dot
Try the known unpacker first. UPX: upx -d. .NET obfuscators: de4dot.
If automated unpacking fails (modified packer, e.g. patched UPX headers), proceed to manual unpacking.
$ upx -d packed.exe
$ de4dot obfuscated.exe

Step 3: Emulation-Based Unpacking
Tools: speakeasy, qiling
Emulate execution so the unpacking stub runs on its own. Speakeasy and Qiling trace API calls
during unpacking without attaching a debugger. Look for VirtualAlloc followed by memcpy-style
writes into the new region, then control transfer into it: that region is the unpacked code.
$ speakeasy -t specimen.exe -o report.json 2> report.txt
$ python3 -c "from qiling import Qiling; ql = Qiling(['specimen.exe'], '/path/to/rootfs'); ql.run()"

Step 4: Debugger-Based Unpacking [W]
Tools: x64dbg, x32dbg
Set breakpoints on: VirtualAlloc/VirtualProtect (memory allocation for the unpacked image),
the tail JMP to the OEP (end of the unpacker stub), or the stack (ESP trick: after the stub's
initial PUSHAD, set a hardware breakpoint on access at [ESP]; it fires on the matching POPAD,
just before the jump to the OEP). Step to the OEP.
$ x64dbg.exe specimen.exe
$ x32dbg.exe specimen.exe

Step 5: Anti-Debug Bypass [W]
Tools: scyllahide
If the malware detects the debugger: enable ScyllaHide. It handles IsDebuggerPresent,
NtQueryInformationProcess, timing checks, and similar detections.
$ Plugins > ScyllaHide > Options > Enable all

Step 6: Memory Dumping [W]
Tools: ollydumpex, scylla
At the OEP: dump the process with OllyDumpEx. Rebuild the import table with Scylla
(IAT Autosearch → Get Imports → Dump → Fix Dump; Fix Dump patches the dumped file, so dump first).
$ Plugins > OllyDumpEx > Dump process
$ Scylla x64 > Attach to process > IAT Autosearch > Get Imports > Dump > Fix Dump

Step 7: PE Fixup [W]
Tools: pe-unmapper
If the dump is still in memory layout (raw offsets equal virtual addresses, wrong raw section sizes):
pe_unmapper /in <dump> /base <imagebase> /out <fixed> converts it back to file layout.
/base is the image base in hex (400000 = 0x400000). Only needed if sections have wrong raw sizes.
$ pe_unmapper /in dumped.exe /base 400000 /out fixed.exe

Step 8: Verification
Tools: strings, peframe, capa
Verify: strings are now visible, imports are reasonable (no longer just a handful), entropy has
dropped, and capa detects capabilities. If good, route to the Static Analysis Workflow for full analysis.
$ strings binary.exe
$ peframe specimen.exe
$ capa specimen.exe
────────────────────────────────────────────────────────────
Tip: 'fhelp cheat ' for full examples    'Ctrl+G' for interactive cheatsheet browser
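The checks of Step 1 (entropy, packer section names, import count) are the same ones Step 8 re-runs on the dump, so one script serves both ends of the workflow. The following is an added example, not part of this cheatsheet or of any tool it lists: a stdlib-only PE32/PE32+ triage that computes per-section and whole-file Shannon entropy, flags known packer section names, and counts imports by walking the import directory. Every name in it (`entropy`, `parse_pe`, `triage`, `build_pe`, `PACKER_SECTIONS`, `PACKED`, `UNPACKED`) is the example's own; `build_pe` and the two images it assembles are constructed, non-runnable test scaffolding rather than real samples, and treating two or more independent hints as "likely packed" is this example's threshold, not something the cheatsheet states.

```python
import hashlib
import math
import struct

# Section names common packers leave behind (UPX writes UPX0/UPX1, not ".UPX"). This set is the
# example's own starting point; extend it from what diec/peframe report on your specimens.
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida",
                   ".petite", ".MPRESS1", ".MPRESS2", ".packed", ".vmp0", ".vmp1"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8); >7.0 is the cheatsheet's packing hint."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in map(data.count, range(256)) if c) if n else 0.0


def parse_pe(pe: bytes):
    """Minimal PE32/PE32+ walker: returns (section list, {dll: imported_function_count})."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                              # optional header follows the 20-byte COFF header
    pe64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    sections = []
    for off in range(opt + opt_size, opt + opt_size + 40 * nsec, 40):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append({"name": pe[off:off + 8].rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
                         "entropy": round(entropy(pe[rawptr:rawptr + rawsize]), 2)})

    def rva_to_off(rva):                             # map an RVA to a file offset via the section table
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return rva - s["va"] + s["rawptr"]
        raise ValueError("RVA %#x outside every section" % rva)

    imports = {}
    imp_rva = struct.unpack_from("<I", pe, opt + (112 if pe64 else 104))[0]  # DataDirectory[1]
    desc = rva_to_off(imp_rva) if imp_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0:                            # all-zero descriptor terminates the list
            break
        noff = rva_to_off(name_rva)
        dll = pe[noff:pe.index(b"\0", noff)].decode("latin-1")
        thunk, count, fmt = rva_to_off(oft or ft), 0, "<Q" if pe64 else "<I"
        while struct.unpack_from(fmt, pe, thunk)[0]:  # count thunks up to the 0 terminator
            count, thunk = count + 1, thunk + struct.calcsize(fmt)
        imports[dll] = count
        desc += 20
    return sections, imports


def triage(pe: bytes) -> dict:
    """Step 1 / Step 8 heuristics: entropy, packer section names, import count."""
    sections, imports = parse_pe(pe)
    nimp = sum(imports.values())
    checks = [("whole-file entropy > 7.0", entropy(pe) > 7.0),
              ("high-entropy sections", [s["name"] for s in sections if s["entropy"] > 7.0]),
              ("packer section names", [s["name"] for s in sections if s["name"] in PACKER_SECTIONS]),
              ("fewer than 5 imports (%d)" % nimp, nimp < 5)]
    flags = ["%s: %s" % (msg, ", ".join(hit)) if isinstance(hit, list) else msg
             for msg, hit in checks if hit]
    # Two or more independent hints is this example's threshold for "probably packed".
    return {"sections": sections, "imports": imports, "flags": flags, "likely_packed": len(flags) >= 2}


def build_pe(sections, imports) -> bytes:
    """Assemble a minimal, non-runnable PE32 for testing: (name, bytes) sections plus an .idata
    section importing `count` ordinals from each DLL. Constructed scaffolding, not a real binary."""
    FA, SA = 0x200, 0x1000                           # file / section alignment
    idata_rva = SA * (len(sections) + 1)
    descs, blob, cur = b"", b"", idata_rva + 20 * (len(imports) + 1)
    for dll, count in imports.items():
        thunks = b"".join(struct.pack("<I", 0x80000000 | i) for i in range(1, count + 1)) + b"\0" * 4
        descs += struct.pack("<IIIII", cur, 0, 0, cur + len(thunks), cur)
        blob += thunks + dll.encode() + b"\0"
        cur += len(thunks) + len(dll) + 1
    secs = list(sections) + [(".idata", descs + b"\0" * 20 + blob)]
    hdr_len = -(-(0x40 + 4 + 20 + 0xE0 + 40 * len(secs)) // FA) * FA
    sec_hdrs, bodies, raw_ptr = b"", b"", hdr_len
    for i, (name, data) in enumerate(secs):
        raw_size = -(-len(data) // FA) * FA
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), SA * (i + 1),
                                raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies, raw_ptr = bodies + data.ljust(raw_size, b"\0"), raw_ptr + raw_size
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0, 0, 0, SA, SA, 0, 0x400000, SA, FA)
    opt += struct.pack("<HHHHHHIIIIHHIIIIII", 4, 0, 0, 0, 4, 0, 0, SA * (len(secs) + 1),
                       hdr_len, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (idata_rva, len(descs) + 20)           # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(hdr_len, b"\0") + bodies


# Constructed samples, not real malware: a UPX-style image (one high-entropy section, two
# imports) and the "unpacked" image with readable code/strings and a normal import set.
RANDOMISH = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
PACKED = build_pe([("UPX0", b"\0" * 16), ("UPX1", RANDOMISH)], {"KERNEL32.dll": 2})
UNPACKED = build_pe([(".text", b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 120),
                     (".rdata", b"http://c2.example.invalid/beacon\0SOFTWARE\\Run\0" * 20)],
                    {"KERNEL32.dll": 12, "ADVAPI32.dll": 4, "WS2_32.dll": 6})

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("unpacked", UNPACKED)):
        r = triage(image)
        print(label, "likely_packed=%s" % r["likely_packed"], r["flags"])
```

Run it as-is to see both verdicts, or call `triage(open("specimen.exe", "rb").read())` before unpacking and again on the fixed dump from Step 7: a successful unpack shows section entropy dropping well below 7.0 and the import count rising from the stub's handful to the real program's set. Thunks are only counted here, not resolved by name, so the script says how many imports exist, while peframe or capa still tell you what they are.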