When unpacking Aspack 2.12, do you look for the ECX value or the ESP value?

I am learning how to do malware analysis. When I tried to analyze the malicious file detected on the USB drive, I found that this malware was packed with Aspack 2.12 (according to PEiD). I have not come across Aspack before, and a quick Google search led me to this video: http://www.youtube.com/watch?v=I3QeEqC4-jE These guys say to find the ECX register to find the entry point.

Another Google search led me to another tutorial on the site called tuts4you (I can't post the link because you need to upload a file to view the tutorial), but THIS guy says you need to find the ESP register and the EDI register and do the same.

They both use OllyDbg and ImpREC, and it seems like the tutorials show the same thing: finding the OEP for unpacking ASpack.

Since I am new to this, could someone explain which one is correct and why?

1 answer

I hope the question is not too outdated... There are several more ways to achieve this. You can follow the steps in the mentioned tutorials or try other ways (usually depending on the version / options of the packer, etc.). To mention one alternative approach, try finding the following instructions in your packed executable:

    6800000000    push 0
    C3            retn

Set a breakpoint on this push 0 instruction and run the executable. This instruction will be modified while the packer code executes, and the 0 (DWORD 0x00000000) will be replaced by the address (DWORD) of the original entry point (so the instruction will look like push 00451000, for example).

After execution, the OEP address will be pushed onto the stack, and the following ret instruction will take it as the return address where execution should continue... thus setting EIP (the instruction pointer) to the original entry point.

To search for these instructions, I recommend using some kind of hex editor or HIEW32; look for the following hex pattern: 6800000000C3

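As an added example (not part of the original answer, and not ASPack's or OllyDbg's own code), the script below does the hex-pattern search the answer describes on a PE file and converts each hit's file offset into the virtual address you would put the breakpoint on in OllyDbg; it also decodes the patched push imm32 ; retn as read back from memory once the stub has run, so you get the OEP out as a number. The PE it scans is a constructed toy image built inside the script, not a packed sample; the section name .aspack, the offsets and the OEP value 0x451000 are placeholders taken from the answer's example, not measured values.

```python
import struct
from typing import List, Optional, Tuple

# push 0 ; retn -- the stub's on-disk form, before the packer patches in the OEP
PATTERN = bytes.fromhex("6800000000C3")


def find_push_ret_stubs(data: bytes) -> List[int]:
    """Return every file offset at which the 'push 0 ; retn' byte pattern appears."""
    hits, start = [], 0
    while True:
        idx = data.find(PATTERN, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def parse_pe(data: bytes) -> Tuple[int, List[Tuple[str, int, int, int, int]]]:
    """Return (ImageBase, [(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at optional-header offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at optional-header offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    sections = []
    for k in range(num_sections):
        hdr = opt + opt_size + 40 * k
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, sections


def file_offset_to_va(image_base: int, sections, offset: int) -> Optional[int]:
    """Map a file offset to the VA it is loaded at (None if it lies outside every section's raw data)."""
    for _name, va, _vsize, raw_ptr, raw_size in sections:
        if raw_ptr <= offset < raw_ptr + raw_size:
            return image_base + va + (offset - raw_ptr)
    return None


def locate_stubs(data: bytes) -> List[Tuple[int, Optional[int]]]:
    """(file offset, VA) for every push 0 ; retn hit; the VA is where the breakpoint goes."""
    image_base, sections = parse_pe(data)
    return [(off, file_offset_to_va(image_base, sections, off)) for off in find_push_ret_stubs(data)]


def oep_from_patched_stub(mem: bytes) -> Optional[int]:
    """Decode 'push imm32 ; retn' as read from memory after the stub has run.

    Returns imm32 (the OEP). 0 means the packer has not patched the instruction yet;
    None means the bytes are not a push/retn pair at all (wrong address or overwritten).
    """
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:
        return struct.unpack_from("<I", mem, 1)[0]
    return None


def build_sample_pe() -> bytes:
    """Constructed toy PE32 image (NOT a packed sample): one section at RVA 0x1000 /
    file offset 0x200, with the push 0 ; retn stub placed 0x40 bytes into it."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint (stub)
    struct.pack_into("<I", opt, 28, 0x00400000)                      # ImageBase
    body = bytearray(0x200)
    body[0x40:0x46] = PATTERN
    sec = struct.pack("<8sIIIIIIHHI", b".aspack", len(body), 0x1000, len(body), 0x200,
                      0, 0, 0, 0, 0xE0000020)                        # placeholder section name
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + bytes(body)


if __name__ == "__main__":
    for off, va in locate_stubs(build_sample_pe()):
        print("push 0 ; retn at file offset 0x%X -> VA 0x%08X" % (off, va))
    # Constructed memory read after the stub ran, using the answer's example OEP 0x451000
    print("OEP = 0x%08X" % oep_from_patched_stub(bytes.fromhex("6800104500C3")))
```

Two caveats when using this on a real file: the six-byte pattern can also occur by chance inside data, so if there are several hits, the one that matters is normally in the packer's own section (the last one) near the end of the stub; and the file-offset-to-VA mapping assumes the image loads at its preferred ImageBase, so if the debugger shows a different base, add the difference. If the breakpoint is hit and the decoder returns 0, the stub has not been patched yet, which means you stopped too early.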
