Learn How to Unpack ASPack Tutorial
0With this guide you will learn how to unpack ASPack tutorial, teaching you how to unpack a binary which is packed using ASPack.
Zero2Auto 10% Coupon Code = "GUIDEDHACKING"
https://courses.zero2auto.com/?coupon=GUIDEDHACKING
^Automatically applied with the link above^
This was originally a 1 hour unpacking tutorial but we broke it down into smaller parts for easier viewing in our How to Unpack Malware tutorial series. Defeating Commercial Packers Like a Pro - VMProtect, ASPack, PECompact, FlawedAmmyy, Ramnit Dropper and more. Learn how to unpack 5 different packers & malware samples in this malware analysis & How to Unpack tutorial series. This was originally a 1 hour unpacking tutorial but we broke it down into smaller parts for easier viewing in our How to Unpack Malware tutorial series.
Discussion: https://guidedhacking.com/threads/how-to-unpack-aspack-tutorial.16932/
Complete Playlist: https://www.youtube.com/playlist?list=PLt9cUwGw6CYGfoSL9PUlpKi23z0_R2gz-
A packer is a piece of software which obfuscates the original binary on disk, they started as very simple programs which just did a simple xor against the original bytes. The original code would be replaced with a stub, and the stub would xor the original binary, map it into memory and then execute the original code. In this way, static analysis is impossible. But in this How to Unpack tutorial series you will learn the ins and outs of unpacking binaries, including malware samples. Unpacking malware is something as a malware analyst you would have to do quite frequently, as almost all malware uses packers to evade antivirus detection. While packers have become increasing complicated over the years, unpacking them still follows the same steps and has the same goal. The point of unpacking a binary is to enable static analysis, once you have dumped the original binary to disk, you can begin to reverse engineer it.
In this How to Unpack Tutorial you will learn how to unpack a ASPack protected binary. ASPack is a cryptor or packer which compresses, obfuscates & protects programs, you use it if you want stop people from reversing engineering your software. ASPack works on all versions of Windows and can support any executables, DLLs and other executable file types. It is a good packer solution, offering multiple customization options including compression types, export compression, resource compression, code integrity check, preserve overlay, import table options. Looking for an ASPack unpacker? Sorry, not here, but you can learn how to unpack it with our tutorial.
But let's talk about this packed file and how to unpack ASPack . When we first open the file, it's clearly packed because the main function is very small and clearly packed, and this main function can't be analyzed by IDA, the stack pointer analysis fails, which typically means it's packed. We can see the import table is stripped and the strings are encrypted. After browsing around the code we find a function which is called via a function pointer in EDX, then we move into x64 dbg to take a better look, putting breakings on VirtualAllocate() and VirtualProtect() so we can catch it allocating memory for the decrypted code. After a few jumps we find the buffer filled with zeros, which then gets overwritten with data, indicating an unpacking routine. We watch the ASPack unpack routine calling virtual protect on all the sections and beginning to unpack the binary, the strings are still empty, but after a few more loops we see strings appear, indicating the unpacking has finished, at which point we can probably dump it by indicating the original entry point in Scylla. And that's it, you have successfully learned how to unpack ASPack .
Once we confirmed we have found our original entry point we breakpoint it and open up Scylla, correctly indicate the OEP and we see if we can fix the import table, typically if that works, you know you're good to go. Regardless we're pretty sure we found it, after dumping we open it in IDA and if the IDA analysis looks good, then we know we've made a good dump, and we're done!
Malware Hashes (MD5 - all on VirusBay):
Ammyy: 7fb83e646cbabc50bec4b33c8130b5ae
ASPack: 9cc1b039aa8e4a98da3c390fdacc414c
PECompact: ad8cd029b32568830c8304f6075bb805
Ramnit: 6ee3d4e6b9cec67165e90f7ee7c9c33b
VMProtect: a39b4f74b5108a2b9f1a33b2feb22cc5
Donate on our Forum : http://bit.ly/2HkOco9
Support us on Patreon : http://bit.ly/38mnveC
Follow us on Facebook : http://bit.ly/2vvHfhk
Follow us on Twitter : http://bit.ly/3bC7J1i
Follow us on Twitch : http://bit.ly/39ywOZ2
Follow us on Reddit : http://bit.ly/3bvOB57
Follow us on GitHub : http://bit.ly/2HoNXIS
Follow us on Instagram : http://bit.ly/2SoDOlu
#MalwareAnalysis #Malware #ASPack