Windows Reverse Engineering - Unpackers (Page 6 of 9 )
Many commercial software programs are compressed with commercial “packers” (e.g., AsPack from http://www.aspack.com) in order to save space or to frustrate disassemblers. Unfortunately, you will not be able to disassemble a binary if it is packed. Fortunately, there are tools to unpack a packed binary. This section reviews the tools and methods used for unpacking a compressed application so that you may proceed to reverse engineer it.
The science of unpacking compressed binaries is very complex and comprises an entire subspecialty of RCE.
The PE file format IThe native file format of Windows is the Portable Executable (PE). “Portable” means that all Windows platforms and processors recognize the program. In order to understand the process of unpacking a compressed application, it is first necessary to understand the structure of the Win32 PE file format (Figure 2-8). This format has remained relatively constant over the years, even with newer 64-bit Windows platforms.

The programmer’s assembler or compiler creates the PE sections automatically. The purpose of the DOS MZ header is so that if you happen to run DOS (Disk Operating System), DOS can recognize the program. In contrast, the DOS stub is simply a built-in executable provided to display an error message (e.g., “This program cannot be run in MS-DOS mode”) in case the operating system does not recognize DOS.
We are most interested in the third section, the PE header, a structure that contains several fields used by the PE loader. When you execute the program on an operating system that can process the PE file format, the PE loader uses the DOS MZ header to find the starting offset of the PE header, thus skipping the DOS stub.
The data in a PE file is grouped into blocks called sections. These sections are organized based on common attributes, rather than on a logical basis. Thus, a section can contain both code and data, as long as they have the same attributes.
Following the PE header is an array of structures known as the section table. A structure holds section-specific data such as attribute, file offset, and virtual offset.
During program execution, the PE header maps each section into memory based on the information stored in the sections. It also assigns attributes to each section in memory based on information in the section table. After mapping the PE file into memory, the PE loader imports data from an array known as the import table.
ProcDump For educational purposes, at some point you may want to learn how to manually unpack an unknown binary. However, the RCE scene has developed useful tools to help you save time by addressing many commercial packers (make sure to get permission from all relevant software manufacturers before reverse engineering their code). In addition, there are tools to help unpack even unknown compression schemes. ProcDump, written by G-RoM, Lorian, and Stone, is a powerful tool to help with unpacking. Figure 2-9 shows the startup screen, which lists open tasks and modules. Simply press Unpack to start the unpacking wizard.

After starting ProcDump, you’ll see a split-screen GUI. The top contains a list of processes running under Windows; the bottom of the GUI lists all modules attached to a certain process. On the right side of this screen, you’ll see the following six buttons:
Unpack -- Unpacks an executable or a dump file
Rebuild PE -- Rebuilds the PE header of a executable or dump file
PE Editor-- Allows you to edit a PE header
Bhrama Server -- Starts the Bhrama Server (which allows you to write your own custom plug-ins for ProcDump)
About -- Provides application info
Exit -- Ends ProcDump
To unpack an application, start by clicking the Unpack button. Then, choose the name of the commercial or other packing program that protects the program. Next, an Open Dialog will pop up. Choose the executable you want to unpack and click Open. ProcDump will load the executable in memory. When this is done, hit OK, and the program will unpack automatically.
 | If you've enjoyed what you've seen here, or to get more information, click on the "Buy the book!" graphic. Pick up a copy today!
Visit the O'Reilly Network http://www.oreillynet.com for more online content. |
Next: Personal Firewalls and Install Managers >>
More Windows Security Articles
More By O'Reilly Media