A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #14927  by hanan
 Mon Jul 30, 2012 12:57 pm
Hi,

I have downloaded the malware sample from http://www.kernelmode.info/forum/viewto ... 693#p13781,
and its VirusTotal is https://www.virustotal.com/file/8711146 ... /analysis/. I have tried to unpack it and get an unpacked EXE file as a result, since I would like to read it in IDA Pro.

I have managed to get the OEP of the malware (actually I have two: 0x40660 and 0x4042A0), but I can't dump it to an EXE file. I have tried to do it with OllyDump and LordPE, but both give me the same error, like this:
Image

I would like to get your help on this; since I am in the learning stages, I would like to get a more detailed solution.

Thanks.
 #14936  by hanan
 Mon Jul 30, 2012 5:49 pm
@ISergey256, thanks, it is working, but I have some questions.
1. Does the dumped file have the unpacking stub in it? In other words, does a full dump with PE Tools just copy whatever is in memory right now?
2. Why should I correct the IAT once I have done a full dump?
3. At which stage does the dump have its OEP changed to the unpacked one (e.g. 0x404660)?
4. Why can't LordPE handle a full dump? Does that mean that the malware has some kind of mechanism to prevent that?

Thanks.
 #14971  by Mr.Bojangles
 Thu Aug 02, 2012 6:02 am
hanan wrote:@ISergey256, thanks, it is working, but I have some questions.
1. Does the dumped file have the unpacking stub in it? In other words, does a full dump with PE Tools just copy whatever is in memory right now?
2. Why should I correct the IAT once I have done a full dump?
3. At which stage does the dump have its OEP changed to the unpacked one (e.g. 0x404660)?
4. Why can't LordPE handle a full dump? Does that mean that the malware has some kind of mechanism to prevent that?

Thanks.
1. No.
2. The IAT was obfuscated and the table needs to be rebuilt from the calls.
3. Trace it and see.
4. The IAT and the original code are obfuscated.

PE is simple (except for some MSIL encryptions that take manual decryption, and undocumented VM protectors). Also, Olly is a runtime debugger for Windows only; it's a poor choice for any level of user. IDA is better for dozens of reasons. Olly also has annoying disassembler bugs that some protectors and packers actually use; IDA does too, but there are fewer.
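As an added illustration of questions 2 and 3 above (this is not code from the thread or from any tool named in it), the script below parses the PE32 headers of a memory dump, rewrites AddressOfEntryPoint from the packer stub to the unpacked OEP, and reads the import directory entry so you can see whether the dump carries a usable IAT or whether, as answered above, the table has to be rebuilt. The dump is a constructed header-only PE32 image; the ImageBase 0x400000 and the stub entry point 0x1000 are assumptions, and the OEP 0x404660 is the value from the thread.

```python
import struct
# Offsets inside the PE32 optional header (IMAGE_OPTIONAL_HEADER32).
OPT_MAGIC, OPT_ENTRY_POINT, OPT_IMAGE_BASE = 0, 16, 28
OPT_NUM_DIRS, OPT_DATA_DIRS, IMPORT_DIR_INDEX = 92, 96, 1

def optional_header_offset(image):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header; return the optional header offset."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF header
    if struct.unpack_from("<H", image, opt + OPT_MAGIC)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    return opt

def get_entry_point(image):
    return struct.unpack_from("<I", image, optional_header_offset(image) + OPT_ENTRY_POINT)[0]

def set_entry_point(image, oep_va):
    """Return a copy of the dump whose AddressOfEntryPoint is the unpacked OEP (given as a VA)."""
    opt = optional_header_offset(image)
    rva = oep_va - struct.unpack_from("<I", image, opt + OPT_IMAGE_BASE)[0]
    if rva < 0:
        raise ValueError("OEP lies below ImageBase")
    patched = bytearray(image)
    struct.pack_into("<I", patched, opt + OPT_ENTRY_POINT, rva)
    return bytes(patched)

def import_directory(image):
    """(RVA, size) of the import directory; (0, 0) means there is no IAT the loader could use."""
    opt = optional_header_offset(image)
    if struct.unpack_from("<I", image, opt + OPT_NUM_DIRS)[0] <= IMPORT_DIR_INDEX:
        return (0, 0)
    return struct.unpack_from("<II", image, opt + OPT_DATA_DIRS + 8 * IMPORT_DIR_INDEX)

def build_sample_dump():
    """Constructed PE32 headers standing in for a raw memory dump (no sections, zeroed imports)."""
    dos = bytearray(b"MZ") + bytes(0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)  # i386, 0xE0-byte optional hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, OPT_MAGIC, 0x10B)
    struct.pack_into("<I", opt, OPT_ENTRY_POINT, 0x1000)  # still points at the packer stub (assumed)
    struct.pack_into("<I", opt, OPT_IMAGE_BASE, 0x400000)  # assumed ImageBase
    struct.pack_into("<I", opt, OPT_NUM_DIRS, 16)  # import directory slot exists but is all zeros
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Running `set_entry_point(build_sample_dump(), 0x404660)` moves the entry point RVA from 0x1000 to 0x4660, and `import_directory` on the same dump returns (0, 0), the "no IAT, rebuild it from the calls" case the answer describes.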