Yesterday I encountered another sample (SHA1: e3a7a9c9a5fcdc0b4bd6ffd9a5b83ba7a22353af) of Dorkbot while analyzing my honeypot.
Knowing that most Dorkbot samples are packed with UPX, I used the upx tool to unpack the binary. However, just to recall my manual steps for unpacking binaries, I thought of writing this post.
Let's use the PEiD tool to verify whether the malware is packed.
PEiD clearly says the binary is packed with the UPX packer. UPX is a malware-analyst-friendly packer: it aims for high compression rather than resistance to analysis. In this exercise, we will unpack this UPX-packed Dorkbot using OllyDbg and the well-known ESP trick.
General Unpacking process:
Before the unpacking routine unpacks the binary, it needs to store the current state of all the CPU registers. This is usually done with the PUSHAD instruction.
Similarly, just before the unpacking routine finishes, it restores the previously stored state of the CPU registers. This is usually done with the POPAD instruction. Once this is done, an unconditional jump is made to the Original Entry Point (OEP) of the unpacked binary. This OEP is nothing but the main(), WinMain() or DllMain() of the program.
When unpacking UPX, both the PUSHAD and POPAD instructions can be tracked easily. However, many times they cannot, and hence we need to use the ESP trick.
The ESP Trick:
When the unpacking routine starts, all the registers, including the stack state, are saved, and when the unpacking is complete, everything is restored. Below are the steps one needs to take when using the ESP trick to unpack any packer.
- Step over the PUSHAD instruction.
- Follow the ESP register in the dump.
- Set a hardware breakpoint on the DWORD in the dump pointed to by the stack pointer (ESP).
- Once the hardware breakpoint is hit, look for an unconditional jump instruction.
- Put a software breakpoint (F2) on the JMP instruction.
- Remove the previously set hardware breakpoint.
- Step into/over the JMP (press F7/F8).
- Use the OllyDump plugin to dump the process.
- If the import address table is not fixed properly, use the Import Reconstructor (ImpRec) tool to fix it.
I will demonstrate all these steps in the video below.
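As an added example (not code from the post, and not a tool the post uses), the Python script below does two of the things discussed above statically, before OllyDbg is even opened: the PEiD-style "is it packed?" check from the start of the post (UPX section names, per-section entropy, which section the entry point lies in, and an empty section left for the decompressed code), and a static counterpart to the PUSHAD/POPAD/JMP description, scanning the entry section for a POPAD (0x61) followed by a JMP rel32 (0xE9) whose target lands in another section, which gives an OEP candidate to compare against what the hardware breakpoint reveals at runtime. The PE it analyzes is constructed inline as a stand-in for a UPX-packed file; it is not the Dorkbot sample whose SHA1 is quoted above. The 7.0 entropy threshold and the 8-byte POPAD-to-JMP window are assumptions, and the heuristic only finds the plain `POPAD; JMP` epilogue, so treat a `None` result as "verify in the debugger", not as "not packed".

```python
import hashlib
import math
import struct
from collections import Counter

# Default UPX section names. UPX0 has zero raw size: it is the hole the stub
# decompresses the original code into; UPX1 holds packed data plus the stub.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input; compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(pe: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: entry point RVA plus the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt = coff + 20                                                # optional header
    table = opt + struct.unpack_from("<H", pe, coff + 16)[0]       # + SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]          # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "entropy": round(shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), 3)})
    return {"entry_point": entry_rva, "sections": sections}

def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None

def find_oep_candidate(pe: bytes, info: dict):
    """Static heuristic for the POPAD; JMP OEP epilogue: scan the entry section
    backwards for 0x61 (POPAD) followed within 8 bytes by 0xE9 (JMP rel32) and
    accept the target only if it lands in a different section (the unpacked code)."""
    sec = section_for_rva(info["sections"], info["entry_point"])
    if sec is None or sec["raw_size"] == 0:
        return None
    raw = pe[sec["raw_ptr"]:sec["raw_ptr"] + sec["raw_size"]]
    for i in range(len(raw) - 6, -1, -1):
        if raw[i] != 0x61:
            continue
        for j in range(i + 1, min(i + 9, len(raw) - 4)):
            if raw[j] == 0xE9:
                target = sec["va"] + j + 5 + struct.unpack_from("<i", raw, j + 1)[0]
                dest = section_for_rva(info["sections"], target)
                if dest is not None and dest is not sec:
                    return target
    return None

def analyze_pe(pe: bytes) -> dict:
    """The PEiD-style check: section names, entropy, where the entry point lives."""
    info = parse_pe(pe)
    entry_sec = section_for_rva(info["sections"], info["entry_point"])
    if {s["name"] for s in info["sections"]} & UPX_SECTION_NAMES:
        hint = "UPX"
    elif entry_sec and entry_sec["entropy"] > 7.0:      # assumed threshold
        hint = "unknown packer (high-entropy entry section)"
    else:
        hint = None
    return {"packer_hint": hint, "entry_point": info["entry_point"],
            "entry_section": entry_sec["name"] if entry_sec else None,
            "oep_candidate": find_oep_candidate(pe, info), "sections": info["sections"]}

def build_sample_pe() -> bytes:
    """Constructed stand-in for a UPX-packed PE (not a real sample): empty UPX0,
    high-entropy UPX1 ending in a POPAD; JMP rel32 epilogue, low-entropy .rsrc."""
    hdr_size, upx1_va, oep = 0x400, 0x11000, 0x1234
    body = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(32))
    rel = oep - (upx1_va + len(body))          # JMP rel32 is relative to the next instruction
    packed = body[:-6] + b"\x61\xe9" + struct.pack("<i", rel)
    rsrc = b"\0" * 0x100 + b"A" * 0x100
    layout = [(b"UPX0", 0x10000, 0x1000, 0, hdr_size),             # name, VirtualSize,
              (b"UPX1", 0x2000, upx1_va, len(packed), hdr_size),    # VirtualAddress, SizeOfRawData,
              (b".rsrc", 0x200, 0x13000, len(rsrc), hdr_size + len(packed))]  # PointerToRawData
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 96, 0x102)    # i386, 3 sections
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, upx1_va + 0x100).ljust(96, b"\0")  # EP in UPX1
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in layout)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(hdr_size, b"\0") + packed + rsrc

if __name__ == "__main__":
    report = analyze_pe(build_sample_pe())
    print("packer hint:", report["packer_hint"], "| entry point in", report["entry_section"])
    c = report["oep_candidate"]
    print("static OEP candidate:", hex(c) if c is not None else "none found, verify in debugger")
    for s in report["sections"]:
        print(f'{s["name"]:6} va={s["va"]:#07x} raw={s["raw_size"]:#06x} entropy={s["entropy"]}')
```

Run it against a real file by replacing `build_sample_pe()` with `open(path, "rb").read()`. The empty UPX0 section and the entry point sitting in the high-entropy UPX1 section are the same signals PEiD reports; the OEP candidate is only a cross-check for the address the ESP trick lands on, since repacked or modified stubs will not end in a bare `POPAD; JMP`.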