Sample

Metadata

SHA256
0ad4f87dfa9b814b78e9db2360a89ea7940fb5ad919637bbaacb1222fb44098d
Difficulty
medium
Platform
Windows
Tags
emulation peunion write unpacker anti-emulation
Submitter
struppigel

Analysis

Goal

Write an emulation-based unpacker for this crypter. Target the native 32-bit stub and its RunPE shellcode; ignore the .NET stub.

Description

The referenced file is the packer itself, not a packed sample. Pack calc.exe with it, then try to unpack the result with your emulation script. I recommend Mandiant's speakeasy for this task.
PEUnion is documented in depth on GitHub: https://github.com/bytecode77/pe-union
The stub features anti-emulation checks that you need to defeat when writing the unpacker.
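The shape such a script takes, as an added example for this page (it is not PEUnion's code and not the solution from the video): emulate the stub under speakeasy, hook the process-injection APIs a RunPE stub calls, capture every buffer written into the suspended child, and rebuild a file-layout PE when the child's thread is resumed. The speakeasy calls used (Speakeasy(), add_api_hook with its (emu, api_name, func, params) callback form, load_module, run_module, mem_read, stop) are the library's public API; the hook list, the output file name and the minimal PE in build_demo_writes are constructed for this example so the rebuild logic can be exercised offline. Which anti-emulation check PEUnion's stub performs is not stated on this page, so the example only marks where the extra hook goes.

```python
"""Emulation-based RunPE unpacker sketch on Mandiant speakeasy (added example, not
PEUnion code). Emulate the 32-bit stub, capture what its RunPE shellcode writes into
the suspended child, and rebuild a file-layout PE32 when the child thread is resumed."""
import struct
import sys


def _hdr(image):
    """(optional header offset, optional header size, section count) of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    return e_lfanew + 24, opt_size, nsec


def image_base(image):
    return struct.unpack_from("<I", image, _hdr(image)[0] + 0x1C)[0]


def sections(image):
    """[(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData), ...]"""
    opt, opt_size, nsec = _hdr(image)
    rows = [struct.unpack_from("<8sIIII", image, opt + opt_size + i * 40) for i in range(nsec)]
    return [(r[0].rstrip(b"\0"),) + r[1:] for r in rows]


def rebuild_pe(writes):
    """writes: [(remote address, bytes)] captured from WriteProcessMemory-style calls.
    RunPE writes headers and sections at their virtual addresses, so the capture is in
    memory layout: lay it out from the MZ base, then make PointerToRawData equal to
    VirtualAddress and ImageBase equal to the injection base. None if no MZ was written."""
    head = next(((a, d) for a, d in writes if d[:2] == b"MZ"), None)
    if head is None:
        return None
    base, hdr = head
    try:
        size = struct.unpack_from("<I", hdr, _hdr(hdr)[0] + 0x38)[0]   # SizeOfImage
    except (struct.error, ValueError):
        size = 0
    size = size or max(a + len(d) for a, d in writes if a >= base) - base
    image = bytearray(size)
    for addr, data in writes:
        off = addr - base
        if 0 <= off < size:                          # ignore writes outside the image
            chunk = data[:size - off]
            image[off:off + len(chunk)] = chunk
    opt, opt_size, nsec = _hdr(image)
    struct.pack_into("<I", image, opt + 0x1C, base)  # PE32 ImageBase (payload is 32-bit here)
    for i in range(nsec):
        row = opt + opt_size + i * 40
        vsize, vaddr = struct.unpack_from("<II", image, row + 8)
        struct.pack_into("<II", image, row + 16, vsize, vaddr)   # SizeOfRawData, PointerToRawData
    return bytes(image)


def build_demo_writes():
    """Constructed sample, not PEUnion output: a minimal PE32 delivered as the two
    writes a RunPE stub makes (headers at base, .text at base + RVA 0x1000)."""
    base = 0x400000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x1000)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x10000000)                 # ImageBase before injection
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)             # Section/FileAlignment
    struct.pack_into("<II", opt, 0x38, 0x2000, 0x200)             # SizeOfImage, SizeOfHeaders
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(0x200, b"\0")
    text = b"\x33\xc0\xc3".ljust(0x10, b"\x90")                  # xor eax,eax ; ret
    return [(base, headers), (base + 0x1000, text)]


def unpack_with_speakeasy(stub_path, out_path):
    """Emulate the packed stub and dump the image its RunPE shellcode injects."""
    import speakeasy  # imported lazily so the rebuild helpers work without it installed

    writes = []
    se = speakeasy.Speakeasy()

    def on_remote_write(emu, api_name, func, params):
        # WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, ...) and
        # NtWriteVirtualMemory(Handle, BaseAddress, Buffer, Length, ...): same positions.
        remote_addr, buf, size = params[1], params[2], params[3]
        writes.append((remote_addr, bytes(emu.mem_read(buf, size))))
        return func(params)                         # keep speakeasy's child-process state in sync

    def on_resume(emu, api_name, func, params):
        # Resuming the child's thread is the hand-off: the injected image is complete.
        pe = rebuild_pe(writes)
        if pe is not None:
            with open(out_path, "wb") as f:
                f.write(pe)
        emu.stop()
        return 1                                    # previous suspend count

    for mod, api in (("kernel32", "WriteProcessMemory"), ("ntdll", "NtWriteVirtualMemory")):
        se.add_api_hook(on_remote_write, mod, api)
    for mod, api in (("kernel32", "ResumeThread"), ("ntdll", "NtResumeThread")):
        se.add_api_hook(on_resume, mod, api)
    # Anti-emulation: if emulation ends before the resume hook fires, locate the check in
    # Ghidra and add one more add_api_hook on the API it relies on, returning what a real
    # host would. The specific check is not documented on this page (assumption left open).
    se.run_module(se.load_module(stub_path))
    return rebuild_pe(writes)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <packed_calc.exe> <dumped_payload.exe>")
    print("dumped" if unpack_with_speakeasy(sys.argv[1], sys.argv[2]) else "no RunPE image captured")
```

Capturing at the write hooks rather than reading the child's memory at ResumeThread keeps the unpacker independent of how speakeasy models the remote process, and calling func(params) from the hook lets the stub see the return values it expects. The dumped file is a memory-layout image with its section pointers rewritten, so it loads in Ghidra or pefile; it is not the byte-identical calc.exe you packed, which is the right check to run against the original after unpacking.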

Recommended Tools

speakeasy, Ghidra

Video

Solution by struppigel: Writing an Unpacker for a 3-Stage Stub with Emulation via Speakeasy
