handmade.network » Forums » Unpacking/Decompressing Windows PEs
Todd
94 posts

I use x86-64 assembly, Python, C, and SQL to fight malware.

#11927 Unpacking/Decompressing Windows PEs
3 months ago

Is anyone here experienced in unpacking execs that are packed with either Themida or custom packers, or any packers manually in a debugger, for that matter?

I know this isn't necessarily a reverse-engineering community, but I've found a surprisingly large amount of games folks who do this stuff for various reasons anyway, plus it's directly related to the Windows API that many of us are using.

I'm the smartest man in Athens because I know that I know nothing. ~ Socrates
mmozeiko
Mārtiņš Možeiko
1435 posts
1 project
#11928 Unpacking/Decompressing Windows PEs
3 months ago

What do you want to know about it?
I was working more on creating packers/obfuscators, not reverse engineering existing ones, but in a lot of cases I needed to reverse engineer our own packers because they were pretty random, and every time you got a bug and something didn't work, it was not very easy to find the issues.
Todd

#11940 Unpacking/Decompressing Windows PEs
3 months ago Edited by Todd on May 14, 2017, 7:59 a.m.

Was just looking for some updated info on the latest packing techniques and ways to defeat them/locate the OEP in files. Tutorials about this seem to be scattered about and I haven't found anything recent at all. I've been getting a lot of PE files that my tools think are corrupted/bad PEs but are actually just packed with some custom algorithms or Themida. I know a couple of generic methods to unpack involving watching ESP, setting a hardware BP directly after the unpacking stub finishes and then dumping to disk, looking for POPAD, etc., but with some of these newer packers that doesn't work at all.

Another thing that throws me off is that the DOS header and PE signature often seem to be intact, but something up there fools analysis tools, even though the Win Loader can run the file just fine. I'm thinking about trying to create my own Win Loader-style analysis tool.

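A minimal loader-style header walk of the kind Todd is considering, written here as an added example (not code from any poster in the thread): it checks only the fields the Windows loader actually needs (MZ, e_lfanew, PE signature, section table), never rejects a file over cosmetic header damage, and instead reports the heuristics that commonly mark a packed image. The two-section sample image, its names, offsets and flag values are constructed for the demonstration.

```python
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF/optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    sections, notes = [], []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, va, vsize, rawsize, rawptr, flags))
        # Section that occupies memory but has no bytes on disk: filled in at runtime by a stub.
        if rawsize == 0 and vsize > 0:
            notes.append(f"{name}: no raw data but {vsize:#x} bytes virtual (filled at runtime)")
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            notes.append(f"{name}: writable and executable")
    # Locate the section holding the entry point; an EP in the last section or in no section is typical of packers.
    home = [s[0] for s in sections if s[1] <= entry < s[1] + max(s[2], s[3])]
    if not home:
        notes.append(f"entry point {entry:#x} lies outside every section")
    elif sections and home[0] == sections[-1][0]:
        notes.append(f"entry point {entry:#x} is in the last section ({home[0]})")
    return {"machine": machine, "magic": magic, "entry": entry, "sections": sections, "notes": notes}

def build_sample():
    """Constructed PE64 image: an empty first section plus a W+X stub section holding the entry point."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")   # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x22)            # x64, 2 sections, opt size 0xF0
    opt = (struct.pack("<H", 0x20B).ljust(16, b"\0") + struct.pack("<I", 0x4010)).ljust(0xF0, b"\0")
    secs = [(b".empty", 0x3000, 0x1000, 0, 0, 0xE0000080),        # name, vsize, va, rawsize, rawptr, flags
            (b".stub", 0x1000, 0x4000, 0x200, 0x400, 0xE0000040)]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, f) for n, vs, va, rs, rp, f in secs)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(0x600, b"\0")

if __name__ == "__main__":
    for note in parse_pe(build_sample())["notes"]:
        print(note)
```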