Saturday, October 18, 2008

Unpacking UPX with Ollydbg

I recently participated in the malware challenge 2008 at http://malwarechallenge.info Spoiler Alert if you are taking part in this challenge don't read any further. I am giving away some secrets.

In the following post I will illustrate what steps should be taken to do low level analysis of malware. This is what is done before behavioral analysis.

The first thing you need to do is to take a look at the strings in the executable. This can be done in several different ways. The easiest way is to use the strings command in Linux or Cygwin and export the strings to a text file by using the

strings malware.exe > strings.txt.


At this point if you look at the strings and see all of the text in the clear the executable is probably not packed or obfuscated. This isn't the case most of the time. Usually the malware is packed using a packer and possibly a protector to prevent reverse engineering of the malware.

If you look through the strings and they all seem obfuscated or strange looking then it's probably a packed portable executable file. So how do you really know? We use a tool called PEiD. PEiD is a tool that can easily tell if an executable is packed. The first step is to get PEiD from http://peid.has.it/ Once we have downloaded PEiD we open it and it looks like this.

We then hit the button with three dots in the upper right hand corner. This lets us browse to our executable. In this case our executable is named malware.exe. We point to the executable and then hit open. Once open it will try to detect the packer. In the case of this challenge it will only report correctly if you change the mode to deep or hardcore. It will then show something like the following image.



Notice we are now reporting the malware is packed with UPX. Ok so lets unpack the UPX. If you try the upx packer tool it will report that the executable can't be unpacked. This is pretty typical, it means that the UPX in the executable is obfuscated or it's so old the unpacker doesn't understand it. So what now?

Enter Ollydbg. Olly is a great tool for analysis of malware. Olly can be used for all sorts of reverse engineering fun but in this case we are going to use Olly for unpacking the malware. Before we start we also need the Ollydump plugin.

  1. To unpack the UPX we first open Ollydbg. Then we choose open and the executable file we are trying to analyze.
  2. Once open we scroll down until we find the PUSH AD instruction. This is the beginning of the loading of the program into memory.
  3. Next we scroll down and find the POP AD instruction. Then we set a breakpoint on the POPAD instruction by right clicking and choosing breakpoint.
  4. Then we hit f9. It will then break on the POP AD instruction.
  5. Then we hit F7 several times until we see it hit a JMP instruction. if you look at the hex address next to this statement this is our OEP or original entry point.
  6. Write down the address next to the JMP instruction
  7. Then open the plugins menu, Choose Ollydump then change the size to the last 5 digits of the OEP. Make sure you check rebuild import, finally hit dump then give the executable a name. See below.
  8. Try running the executable to make sure it works.
  9. If it runs then you have successfully unpacked the UPX.




Alright so there's no more UPX on this executable. Now we can use the strings command again and we should see several more strings. Including the commands to control an IRC bot. Once you have those commands you can find out just how dangerous a botnet can be.

No comments: