Thread: Upack

  1. #1
    Imported blog (Jason Geffner)

    Upack

    "You got a pocket pager? What are you, a doctor?"
    - Dr. Gillian Taylor, Star Trek IV

    No, I'm not a doctor. I'm the Virus Analyst on-duty this week. But I am carrying around a pager (in case an important new threat comes out).

    As luck would have it, one such threat came up yesterday. Dasher.C was released (thanks, Jose), and as the off-hours Analyst on-duty, it was my job to analyze it.

    Dasher.C was packed with Upack, an interesting little packer. At first, I thought the sample file was corrupt, since its PE header looked all screwed up and when I loaded it into OllyDbg, OllyDbg gave an error and landed in ntdll. Before I classified it as corrupted though, I tried running it (F9 in OllyDbg). Sure enough, it ran fine.

    So what was going on? Well, OllyDbg didn't like the look of the headers any more than I did, and dropped me into ntdll instead of breaking at the entry-point of the sample. Once I realized that it wasn't corrupted after all, I looked up the entry-point with a PE editor, reloaded the sample in OllyDbg and set a breakpoint on the entry-point address, and let it run. OllyDbg then hit the breakpoint at the entry-point, and I was able to trace it easily to the OEP.

    What's the takeaway?
    Short: No matter how corrupt something looks, always try running it before throwing it away.
    Long: When dealing with Upack or similar packers, setting a breakpoint on the EP after loading the sample into OllyDbg works just fine, despite the error message and ntdll screenful.
    Bonus: Quoting Star Trek IV is now considered the "cool" thing to do.


    http://malwareanalysis.com/CommunityServer/blogs/geffner/archive/2005/12/18/8.aspx

  2. #2
    Upack AKA WinUpack is, apart from the slightly non-standard header, essentially UPX-level difficulty (FSG is quite similar, in that it uses otherwise useless bytes in the header to store its stub).

    Maybe you should report the bad handling of PE headers to Oleh so he can fix it in OllyDbg 2.0.

    And watch out for TLS callbacks (e.g. EXEcryptor et al.), those can be nasty -- set a breakpoint on where you think the OEP is, and it'll just run without breaking.

  3. #3
    Administrator dELTA
    Yep, TLS callbacks can be nasty. There are some Olly plugins that make sure that execution is paused on these too though, e.g. the "NtGlobalFlag" plugin:

    http://www.woodmann.com/forum/showthread.php?t=8875

    http://www.reversing.be/article.php?story=20050603193932184

    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."
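Posts #1 and #3 turn on two header facts an analyst reads out of a sample before touching a debugger: the AddressOfEntryPoint that Geffner looked up with a PE editor, and the TLS callback list that dELTA warns runs before that entry point. The script below is an added example written for this thread, not code from the thread or from OllyDbg or any plugin it mentions. It parses both fields directly with `struct` (PE32 and PE32+), maps RVAs through the section table, and runs against a constructed in-memory image (`build_sample_pe`, not a real binary) so it works offline; on a real file, read the bytes from disk and pass them to `parse_pe` and `tls_callbacks` the same way.

```python
"""Added example: find the entry point and TLS callbacks of a PE image."""
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9          # index of the TLS entry in DataDirectory
MAX_CALLBACKS = 64                     # sanity cap for the null-terminated callback list


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for _name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    if sections and rva < sections[0][1]:
        return rva                      # lies in the headers, which map 1:1
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def parse_pe(data):
    """Return image base, entry point, section table and TLS directory location."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    _machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                 # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                  # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs, dirs_off, ptr_size = struct.unpack_from("<I", data, opt + 92)[0], opt + 96, 4
    elif magic == 0x20B:                # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs, dirs_off, ptr_size = struct.unpack_from("<I", data, opt + 108)[0], opt + 112, 8
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):               # IMAGE_SECTION_HEADER entries are 40 bytes each
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr, rawsize))
    tls_rva = tls_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_TLS:
        tls_rva, tls_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    return {"image_base": image_base, "entry_point_rva": entry_rva,
            "entry_point_va": image_base + entry_rva, "sections": sections,
            "tls_rva": tls_rva, "tls_size": tls_size, "ptr_size": ptr_size}


def tls_callbacks(data, pe):
    """Return the RVAs of TLS callbacks; the loader runs these before the entry point."""
    if pe["tls_rva"] == 0:
        return []
    fmt = "<I" if pe["ptr_size"] == 4 else "<Q"
    tls_off = rva_to_offset(pe["sections"], pe["tls_rva"])
    # IMAGE_TLS_DIRECTORY: RawDataStart, RawDataEnd, AddressOfIndex, AddressOfCallBacks, ...
    callbacks_va = struct.unpack_from(fmt, data, tls_off + 3 * pe["ptr_size"])[0]
    if callbacks_va == 0:
        return []
    off = rva_to_offset(pe["sections"], callbacks_va - pe["image_base"])
    found = []
    while len(found) < MAX_CALLBACKS:   # array of VAs terminated by a null pointer
        va = struct.unpack_from(fmt, data, off)[0]
        if va == 0:
            break
        found.append(va - pe["image_base"])
        off += pe["ptr_size"]
    return found


def build_sample_pe():
    """Constructed 32-bit image (not a real binary): one .text section, entry point at
    RVA 0x1080, and a TLS directory listing two callbacks at RVAs 0x1040 and 0x1060."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    nt = 0x40
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = nt + 24
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1080)                # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)              # ImageBase
    struct.pack_into("<I", img, opt + 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x1100, 24)
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", 0x200, 0x1000, 0x200, 0x200)
    # TLS directory at RVA 0x1100 (file 0x300); callback array at RVA 0x1120 (file 0x320)
    struct.pack_into("<IIIIII", img, 0x300, 0, 0, 0x401130, 0x401120, 0, 0)
    struct.pack_into("<III", img, 0x320, 0x401040, 0x401060, 0)
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print("entry point  VA 0x%08x" % info["entry_point_va"])
    for rva in tls_callbacks(sample, info):
        print("TLS callback VA 0x%08x (runs before the entry point)" % (info["image_base"] + rva))
```

The practical use is the one the thread describes: set the first breakpoint on every TLS callback VA the script prints, and only then on the entry point, so a sample with callbacks does not run past the breakpoint as post #2 warns. The parser deliberately trusts nothing but the MZ/PE signatures and the section table, which is why a header that OllyDbg rejects (as Upack's did in post #1) still yields a usable entry point.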
