PMA 121: Unpacking with OllyDbg and pestudio (50 pts extra)

What you need

Purpose

To examine how EXE files work, and how the UPX packer modifies them.

Use the FLARE-VM

All these steps are done in your FLARE-VM, which is Windows 10 plus many malware analysis tools.

Getting PuTTY

We'll use this program as an example of normal executable to work on.

Download this file, and put it on your desktop:

https://samsclass.info/127/proj/putty.exe

Unblocking the File

Right-click putty.exe and click Properties. At the bottom, click Unblock. Click OK.

Check the Hash

Download and install Hashcalc from:

https://www.slavasoft.com/hashcalc/

Verify that the hash of putty.exe matches the value shown below.

Launching PuTTY

Double-click putty.exe.

The program opens, as shown below.

Close the PuTTY Configuration window.

Compress the File with UPX

Open a Command prompt and execute these commands, as shown below:
cd Desktop
upx -o puttycomp.exe putty.exe
UPX compresses the file, reducing its size by about 50%, as shown below.

Check the Hash

Calculate the hash of puttycomp.exe. The hash is different, as shown below.

Launching PuTTYcomp

Double-click puttycomp.exe.

The program opens, just as the original did. The packed file is smaller on the disk, but retains the full functionality of the original file.

Close the PuTTY Configuration window.

pestudio

Download pestudio from

https://www.winitor.com/download/

In pestudio, open putty.exe.

Launch a second instance of pestudio and open puttycomp.exe.

Notice these items, as shown below:

Sections in PuTTY

In the pestudio window examining putty.exe, in the left pane, click sections.

In the right pane, notice these items, as shown below:

Sections in PuTTYcomp

In the pestudio window examining puttycomp.exe, in the left pane, click sections.

In the right pane, notice these items, as shown below:

Imports in PuTTY

In the pestudio window examining putty.exe, in the left pane, click imports.

In the right pane, scroll through the list, as shown below, to get a feeling for the many API calls used by even a very simple Windows application.

Some of them are blacklisted, and some even have MITRE techniques listed, showing how they are used by attackers.

Imports in PuTTYcomp

In the pestudio window examining puttymod.exe, in the left pane, click imports.

In the right pane, the list is very short, as shown below, because the unpacker does only one simple job.

Get the Malware Samples

If you don't already have them, get the malware samples here:

https://practicalmalwareanalysis.com/labs/

PMA 121.1: Entry Point (10 pts)

If you don't already have them, download the malware samples from:

https://github.com/mikesiko/PracticalMalwareAnalysis-Labs

Examine sample Lab01-02.exe. Find its entry-point. That's the flag, covered by a green box in the image below.

Getting OllyDbg

Download Odbg110.zip from

https://www.ollydbg.de/

Unzip it into its own folder, as shown below.

http://www.openrce.org/downloads/details/108/OllyDump

Unzip the g_ollydump221b.zip file. Move the OllyDump.dll file into the same folder as the OllyDbg executable, as shown below.

Examining PuTTY and PuTTYcomp with OllyDbg

In OllyDbg, open putty.exe.

Launch a second instance of OllyDbg.

In OllyDbg, open puttycomp.exe.

A "Compressed code?" box pops up. Click No.

Note these features, as shown below:

Memory Maps

In both OllyDbg windows, click View, Memory.

Olly shows the memory map.

Find the putty sections. Note these features, as shown below.

Dumping Sections

In the OllyDbg windows showing putty, right-click the .text line and click Dump.

In the OllyDbg windows showing puttycomp, right-click the UPX0 line and click Dump.

As shown below, putty's .text section contains machine code instructions, but the UPX0 section is filled with zeroes.

Notice how large this section is: it goes from 00401000 to 00448FFF.

In the OllyDbg windows showing putty, right-click the .data line and click Dump.

In the OllyDbg windows showing puttycomp, right-click the UPX1 line and click Dump.

As shown below, putty's .data section contains a few values, but it's mostly zeroes.

The UPX0 section contains compressed data. Olly has tried to interpret it as assembly code, but it's nonsense, as shown below. From the entropy value we saw earlier, we know this data is almost totally random.

Viewing the Unpacking Stub

In the OllyDbg window examining puttycomp.exe, in the top left pane, you see code starting with the PUSHAD instruction/

Scroll down in this pane to see the unpacking code and find where it ends. The last instruction is

JMP puttycom.004550F0

as shown below.

This JMP jumps into the UPX0 memory section, which contained only zeroes when we dumped it. The unpacker must put code there before this JMP, or the program would crash.

Click on the JMP instruction. Press the F2 key to put a breakpoint there, as shown below.

Running the Unpacking Code

Press the F9 key to run the program.

The program runs to the breakpoint.

Press the F7 key to execute one more instruction.

The program proceeds to the PUSH 60 instruction, as shown below.

This code contains the instructions for the real, unpacked, putty text section. OllyDbg only disassembles the first few instructions, because it thinks this is a data section, but the actual bytes match the unpacked putty code.

Building an Executable from Memory

We have now unpacked the code, so it can run in OllyDbg. But to create an EXE file, we need to gather the pieces together and rebuild the PE header, including the import table which was destroyed by UPX.

For simple cases, we can use the automated tool OllyDump to do that.

Using OllyDump

In the OllyDbg window examining puttycomp.exe, from the menu bar, click Plugins, OllyDump, "Dump debugged process".

An OllyDump box pops up, showing the sections of code, the Entry Point, and the method it will use to rebuild the import table, as shown below.

Check to see that the Start Address plus the Modify address matches the address you see in the upper left pane of OllyDbg. In this case, it does, because the file loaded at the expected address of 400000.

Accept the default options and click the Dump button.

Save the file as puttydumped.exe.

Examining the Dumped File in pestudio

Open pestudio and examine puttydumped.exe.

The imports section is now largely restored, although the process is not perfect, as shown below--the original putty had 312 imports but OllyDump only restored 277 of them.

PMA 121.2: Entry Point (10 pts)

Examine the sections of puttydumped.exe. Find its entry-point. That's the flag, covered by a green box in the image below.

PMA 121.3: Strings (15 pts)

Unpack the Lab18-01.exe sample. Examine the strings of the unpacked file and find the URL. That's the flag, covered by a green box in the image below.

PMA 121.4: Password (15 pts)

Download and examine this EXE:

upxflag2c1.exe

First run it in a Command Prompt.

It's a password guessing game, as shown below.

Unpack it and examine the strings to get the flag.

Hint: check the Start Address in OllyDump

Sources

The Basics of Packed Malware: Manually Unpacking UPX Executables
Example malware unpacking and analysis: part 1, unpacking
Manual Unpacking Of Upx Packed Executable Using Ollydbg and Importrec
Triaging suspicious files with pestudio
PeStudio Standard
The Study of Evasion of Packed PE from Static Detection
MUP With OllyDbg for Really Beginner
How to prevent “upx -d” on an UPX packed executable?
UPX Anti-Unpacking Techniques in IoT Malware

Posted 9-17-2020
Updated 6-13-2021
Memory address explanation corrected 6-24-2021
Minor fix 7-14-21