The document discusses manual unpacking of packers and protectors. It begins with an overview of packers like UPX and Themida. It then describes the unpacking process for UPX, which involves extracting headers, packed data, and unpack code to decompress the files and redirect the execution flow. Finally, it summarizes the unpacking process for different versions of Themida, which uses self-extracting archives and multiple layers of encoding.

1. Manual Unpack
By Debugger
2012-12-01
A-FIRST
고흥환 책임연구원
www.CodeEngn.com Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.
7th CodeEngn ReverseEngineeringAll rights reserved.
Copyright (c) AhnLab, Inc. 1988-2012. Conference

2. Contents Packer
Debugger Detection
Virtual Machine Detection
Anti Tracing
Manual Unpack UPX
Manual Unpack Themida 1.9.X
Manual Unpack Themida 2.1.8.0
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

3. Packer
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 2

4. Name Latest stable Software license x86-64 support
.netshrink 2.3 (March 29, 2012 (2012-03-29))[1] Proprietary Yes
Armadillo Packer 8.60 (July 6, 2011 (2011-07-06)) Proprietary Yes
ASPack 2.29 (August 3, 2011 (2011-08-03)) Proprietary ?
Executable compression
= Runtime Packer ASPR (ASProtect) 1.64 (September 1, 2011 (2011-09-01)) Proprietary ?
= Packer BoxedApp Packer 2.2 (June 16, 2009 (2009-06-16))[2] Proprietary Yes
is any means of CExe 1.0b (July 20, 2001 (2001-07-20)) GPL No
compressing an executable Enigma Protector 3.80 (August 2, 2012 (2012-08-02))[3] Proprietary Yes
file and combining the
compressed data with EXE Bundle 3.11 (January 7, 2011 (2011-01-07))[4] Proprietary ?
decompression code into a EXE Stealth 4.14 (June 29, 2011 (2011-06-29))[5] Proprietary ?
single executable.
eXPressor 1.8.0.1 (January 14, 2010 (2010-01-14)) Proprietary ?
MPRESS 2.19 (January 2, 2012 (2012-01-02)) Freeware Yes
I. Encryption Obsidium 1.4.6 (July 18, 2012 (2012-07-18))[6] Proprietary Yes
II. Compression PELock 1.0.694 (January 23, 2012 (2012-01-23))[7] Proprietary No
III. Redirection PESpin 1.33 (May 3, 2011 (2011-05-03)) Freeware Yes
IV. Substitution RLPack Basic 1.21 (October 31, 2008 (2008-10-31)) GPL No
V. Obfuscation Smart Packer Pro 1.7 (November 5, 2011 (2011-11-05)) Proprietary Yes
VI. Polymorphism Themida 2.2.1.0 (July 25, 2012 (2012-07-25)) Proprietary ?
VII. Metamorphism 3.08 (December 12, 2011 (2011-12-12))
UPX GPL No
VIII.Protection
VMProtect 2.1 (September 26, 2011 (2011-09-26)) Proprietary Yes
IX. Virtualization
XComp/XPack
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.
0.98 (February 18, 2007 (2007-02-18)) Freeware No 3

5. Themida & UPX
PeCompact FSG ASM
MPRESS (0.45%)
(1.3%) (0.87%) (0.69%)
Anti007 ASProtect (0.40%)
(1.3%)
etc Themida (0.38%)
ASPack (3.5%) SFX (0.38%)
(1.5%) nSPack (0.31%)
Upack (0.21%)
VMProtector (0.13%)
Not a Valid PE Armadillo (0.12%)
(1.6%)
Nullsoft
(2.1%) Microsoft C
(22.2%)
PolyCryptor
(6.4%)
UPX Invalid
(7.8%) Delphi (21.1%)
(8.0%) Nothing
Visual Basic
(14.2%)
(4.4%)
2011 AhnLab 10,000,000 파일 대상
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 4

6. Debugger Detection
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 5

7. BeingDebugged (PEB+0x2)
PEB_LDR_DATA(PEB+0x0C)
ProcessHeap (PEB+0x18)
Flags(ProcessHeap+0x0C)
ForceFlags (ProcessHeap+0x10)
NtGlobalFlag (PEB+0x68)
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

8. IsDebuggerPresent()
TEB (Thread Environment Block)
PEB (Process Environment Block)
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

9. CheckRemoteDebuggerPresent(ProcessId, &bPresent)
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

10. timeGetTime(), GetTickCount(), NtQueryPerformanceCounter(), RDTSC
Garbage Codes
timeGetTime()
Garbage Codes
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

11. SEH (Structured Exception Handler)
Stack
Exception Handler
Exception Handler
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

12. CreateFileA “.SICE”
“.SIWVID”
“.NTICE”
HANDLE WINAPI CreateFile(
__in LPCTSTR lpFileName,
__in DWORD dwDesiredAccess,
__in DWORD dwShareMode,
__in_opt LPSECURITY_ATTRIBUTES lpSecurityAttributes,
__in DWORD dwCreationDisposition,
__in DWORD dwFlagsAndAttributes,
__in_opt HANDLE hTemplateFile
);
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

13. FindWindow “FilemonClass”
“File Monitor – Sysinternals: www.sysinternals.com”
“Filem”
“DeepFrz”
“PROCMON_WINDOW_CLASS”
“Process Monitor – Sysinternals: www.sysinternals.com”
“PROCEXP”
“RegmonClass”
“Registry Monitor – Sysinternals: www.sysinternals.com”
“18467-41”
“REGMON”
“regsys”
“sysregm”
“PROCMON”
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

14. NtQuerySystemInformation “iceext.sys”
“ntice.sys”
“Syser.sys”
“HanOlly.sys”
“extrem.sys”
“FRDTSC.sys”
NTSTATUS WINAPI NtQuerySystemInformation(
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

15. RegOpenKeyA "SOFTWARENuMegaDriverStudio"
RegQueryValueEx “InstallDir"
LoadLibraryA "~SoftIceNMTRANS.DLL“
GetProcAddress “NmSymIsSoftICELoaded“
Call NmSymIsSoftICELoaded
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 14

16. Anti Tracing
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 15

17. STI, INT 1
SetEvent, DelayExecution
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

18. Garbage Code - Linear Sweep Disassembly
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

19. DbgUiRemoteBreakin Patch
DbgBreakPoint Patch
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

20. Virtual Machine Detection
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 19

21. I. Virtual Machine Artifacts
in Processes, File System, and Registry
II. Virtual Machine Artifacts
in Memory
III.Virtual Machine Specific Virtual Hardware
IV.Virtual Machine Specific Processor
Instructions and Capabilities
< On the Cutting Edge : Thwarting Virtual Machine Detection 참조 >
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

22. RegOpenKeyA “SoftwareWine”
"HARDWAREACPIDSDTVBOX__"
LONG WINAPI RegOpenKey(
__in HKEY hKey,
__in_opt LPCTSTR lpSubKey,
__out PHKEY phkResult
);
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

23. RegOpenKeyA “HARDWAREDESCRIPTIONSystem”
RegQueryValueEx “SystemBiosVersion"
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

24. Vmware
010603FB B8 68584D56 MOV EAX,564D5868 // Magic Number "VMXh"
01060400 B9 14000000 MOV ECX,14 // BACKDOOR_COMMAND_NUMBER
01060405 66:BA 5856 MOV DX,5658 // Port Number
01060409 ED IN EAX,DX // I/O command
0105F878 B9 0A000000 MOV ECX,0A
0105F87D B8 04D75548 MOV EAX,4855D704
0105F882 05 6481F70D ADD EAX,0DF78164
0105F887 BB 65D48586 MOV EBX,8685D465
0105F88C BA 40B63400 MOV EDX,34B640
0105F891 81EA E85F3400 SUB EDX,345FE8
0105F897 ED IN EAX,DX // I/O command
0105F898 81FB 68584D56 CMP EBX,564D5868
0105F89E 75 0A JNZ SHORT 0105F8AA
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

25. Manual Unpack UPX 1.9.3
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 24

26. IMAGE DOS HEADER
IMAGE NT HEADER
.UPX0 HEADER
.UPX1 HEADER
.rsrc HEADER
Extracted Data
Packed Data
Unpack Code EntryPoint
resource
IAT Table
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

27. EntryPoint
Initialize
Decompress
Extracting
Yes E8 09 or
Address Correction E9 09
No
Retrieves the API
Address
JUMP OEP
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

28. UPX0 – Compressed Data / UPX1 – Decompressed Data
Extracting Algorithm
…
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

29. E8 09 (CALL) / E9 09 (JMP) Address Correction
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

30. Retrieves the address
UPX->IAT
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

31. Manual Unpack Themida 1.9.X
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 30

32. Themida ?
l Themida
Advanced Windows Software
Protection System
l WinLicense
Professional Software Protection
& Licensing Management
l Code Virtualizer
Total Obfuscation against
Reverse Engineering
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 31

33. Version 1.9.X
IMAGE DOS HEADER
IMAGE NT HEADER
.UPX0 HEADER
.UPX1 HEADER
.rsrc HEADER
Packed Data
.rsrc Section
.idata Section
SFX EntryPoint
IAT Table
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

34. Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 33

35. VirtualAlloc, CreateFile, ReadFile “ADVAPI32.DLL”
VirtualAlloc, CreateFile, ReadFile “USER32.DLL”
VirtualAlloc, CreateFile, ReadFile “KERNEL32.DLL”
Subsystem Virtualization
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 34

36. Multi-Thread
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 35

37. Themida SFX
1’st Decoding & Processing
2’st Decoding & Processing
SFX (Self-Extracting Archive) Algorism
3’st Decoding & Processing
4’st Decoding & Processing
… …
n’st Decoding & Processing
UnPacking
Decode & ReEncode
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 36

38. Manual Unpack Themida 2.1.8.0
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 37

39. New Version 2.1.8.0
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 38

40. Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 39

41. Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 40

42. Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved. 41

43. Version 2.1.8.0
IMAGE DOS HEADER
IMAGE NT HEADER
.UPX0 HEADER
.UPX1 HEADER
.rsrc HEADER
Packed Data
.rsrc Section
.idata Section
Extracted SFX
Encoded SFX
Decode Code EntryPoint
Copyright (c) AhnLab, Inc. 1988-2012. All rights reserved.

44. … 어렵다
www.CodeEngn.com
7th CodeEngn ReverseEngineeringAll rights reserved.
Copyright (c) AhnLab, Inc. 1988-2012. Conference