Unpack packed executable file

1. Create an executable file

(1) Create a C Program

Create a new folder called “test” in C:\, and create a text document called “1.cpp” in that folder.
Right-click the file and open it with Notepad++. Enter the following code.

#include <stdio.h>

int main(void) {
    printf("Hello World!\n");
    return 0;
}

Save the file.

(2) Compile the C program

Open the “Developer Command Prompt for VS 2017” from the Start menu.
Switch to the file location with “cd C:\test”.
Then compile 1.cpp with “cl 1.cpp”.

We can run it with the command “1.exe”.
Success.

2. Pack the program

(1) Download UPX

UPX is a free, portable, extendable, high-performance executable packer for several executable formats.

We will use UPX to pack the executable file created above.
Download UPX from https://github.com/upx/upx/releases/download/v3.96/upx-3.96-win32.zip
Extract the zip file.

(2) Pack 1.exe

  1. Go to the root directory of UPX in Explorer, type “cmd” in the address bar and press Enter to open a command prompt in the UPX directory.
    In that way, we don’t need to type the path of upx.exe manually.
  2. Use the command “upx.exe C:\test\1.exe -o C:\test\1_packed.exe” to pack it.
  3. 1_packed.exe is a packed file with the same function as 1.exe, but its internal structure is different from the latter. We can open it with IDA. Its procedure and imports are as follows.
    structure overview of 1_packed.exe
    Imports of 1_packed.exe
    The procedure and imports of 1.exe, by contrast, are as follows.

3. Unpack the program

(1) Find Original Entry Point with x32dbg

  1. Open x32dbg.
  2. Drag 1_packed.exe into x32dbg.
  3. Press F9 to run.
  4. Find the last jmp command. The UPX decompression stub ends with a jmp to the original entry point of the unpacked code; this last jmp is the selected command in the picture.
  5. Press F2 to set a breakpoint on that command. Then press F9 to run to it.
  6. Press F8 to step over the jmp, and we land in code that looks like a C program: it begins with a “call” followed by a “jmp”. This call/jmp pair is the typical start of the entry point of a C program built with Visual Studio.

(2) Use PE Tools to save a dump file

  1. Keep x32dbg paused in this state. Open PE Tools and find the process by its PID.
  2. Right-click it and select “Dump full” to save the file.
  3. We find that Dumped.exe cannot be run. Open it with IDA. Remember to press “Yes” here.
    (See the first part of the article for how to open an executable file with IDA.)
  4. We find that its Imports are empty, and there is no “start” in the function name table.

(3) Restore the entry point

  1. Open PE Tools. Tools -> PE Editor. Open Dumped.exe.
  2. Click “Optional Header”.
  3. The address of entry point is “010812E1”.
  4. That value is a virtual address, i.e. image base plus the entry point RVA. “01080000” is the image base, so the entry point RVA is 010812E1-01080000=12E1. Change the entry point in Optional Header to 12E1.
  5. Press OK, then OK again.
  6. Open Dumped.exe in IDA. Now we can see “start” in the function name table, which means the entry point has been changed successfully.

(4) Get the imports of the program

  1. Close IDA. Run Scylla from x32dbg.
  2. “EIP” must point to the actual entry point of the program.
  3. Then press “IAT Autosearch” to find the address of the Import Address Table automatically. The Import Address Table is the list of addresses of the external functions used by this file.
  4. Copy the VA. Click in the dump window, press Ctrl+G, input the VA and press OK.
  5. Right-click to show addresses.
  6. We can see that the first line is empty, so the “VA” needs to be changed to 1094000.
  7. Scroll down, and we can see that the import address table ends at 1094104.
  8. So the size of the import address table needs to be changed to 104+4=108.
  9. Then press “Get Imports”, and the functions will be imported.
  10. Click “Fix Dump” and select Dumped.exe. Then we get Dumped_SCY.exe.
  11. Open Dumped_SCY.exe with IDA and we can see the imports.
  12. Run it in cmd. We can see it still does not run properly.

(5) Prevent address randomization

  1. Make x32dbg the default debugger of the system. Run x32dbg as administrator. Options -> Preferences -> Misc -> “Set x32dbg as Just in Time debugger.” -> Save.

  2. Run Dumped_SCY.exe again, and select Debug the program.

  3. Press F8 until we see the exception.

  4. Click in the dump window, press Ctrl+G, and input 109B018. We can see that it is an invalid address.

  5. The dumped image contains absolute addresses that were resolved for the base at which it was dumped, but when a process starts its base address is chosen randomly by the operating system, so those addresses become invalid. We need to prevent address randomization.

  6. Open PE Tools -> Tools -> PE Editor. Open Dumped_SCY.exe. Go to File Header.

  7. Go to Characteristics.

  8. Enable “Relocation stripped”.

  9. Press OK, OK and OK. Run it again. Success!
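As an added example (not part of the original article, and not the code of PE Tools or Scylla), the three header edits made by hand in steps (3), (4) and (5) can be expressed as a small pure-Python patcher on raw PE32 headers: it converts the debugger’s VAs to RVAs, writes AddressOfEntryPoint, records the IAT range in the data directory, and sets the Relocation stripped flag. It assumes the article’s addresses are hexadecimal (image base 01080000, entry 010812E1, IAT 1094000..1094104), only records the IAT range rather than rebuilding import descriptors as Scylla does, and embeds a constructed header for its self-check.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # File Header Characteristics bit set by "Relocation stripped"
IMAGE_DIRECTORY_ENTRY_IAT = 12        # data-directory slot holding the IAT address and size

def rva_from_va(va, image_base):      # the debugger shows VAs; PE headers store RVAs
    return va - image_base

def iat_size(first_entry_va, last_entry_va, entry_size=4):   # inclusive span, e.g. 104 + 4 = 108
    return (last_entry_va - first_entry_va) + entry_size

def _offsets(data):
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew -> "PE\0\0"
    if bytes(data[pe:pe + 4]) != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                                          # optional header follows the 20-byte file header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:    # PE32 magic
        raise ValueError("only PE32 (32-bit) images are handled here")
    return pe, opt

def read_header(data):                # the fields PE Tools and Scylla edit in this walkthrough
    pe, opt = _offsets(data)
    iat_rva, iat_sz = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IAT)
    return {"characteristics": struct.unpack_from("<H", data, pe + 22)[0],
            "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
            "image_base": struct.unpack_from("<I", data, opt + 28)[0],
            "iat_rva": iat_rva, "iat_size": iat_sz}

def patch_dump(data, entry_va, iat_first_va=None, iat_last_va=None, strip_relocs=True):
    buf = bytearray(data)
    pe, opt = _offsets(buf)
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    struct.pack_into("<I", buf, opt + 16, rva_from_va(entry_va, image_base))   # AddressOfEntryPoint
    if iat_first_va is not None:                                               # IAT directory VA and size
        struct.pack_into("<II", buf, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IAT,
                         rva_from_va(iat_first_va, image_base), iat_size(iat_first_va, iat_last_va))
    if strip_relocs:   # the dump holds absolute addresses for this base, so forbid relocation (ASLR)
        chars = struct.unpack_from("<H", buf, pe + 22)[0] | IMAGE_FILE_RELOCS_STRIPPED
        struct.pack_into("<H", buf, pe + 22, chars)
    return bytes(buf)

def make_test_image():                # constructed minimal PE32 header (no sections) mimicking the dump
    dos = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")   # e_lfanew = 0x80
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)          # i386, 224-byte opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                        # PE32 magic
    struct.pack_into("<IIII", opt, 16, 0x010812E1, 0x1000, 0x2000, 0x01080000)  # entry holds a VA; base 01080000
    struct.pack_into("<I", opt, 92, 16)                                          # NumberOfRvaAndSizes
    return dos + b"PE\0\0" + file_hdr + bytes(opt)
```

To apply it to a real dump, read the file into bytes, call patch_dump with the VAs taken from x32dbg and Scylla, and write the result back; read_header shows the before/after values.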

Finish unpacking!


Reposted from blog.csdn.net/weixin_43529394/article/details/113487876