Unpacking mpress’ed PE+ DLLs with the Bochs plugin

In IDA Pro 6.1 we extended the Bochs debugger plugin to support debugging of 64bit code snippets. With IDA Pro 6.2 it will be possible to debug PE+ executables as well. Since the execution will be emulated inside Bochs, a 64bit operating system is not required and one could be equally running a 32 or 64bit Linux, Mac OS or Windows operating system and still be able to debug 64bit PE files from IDA Pro.

To illustrate this new feature, we are going to unpack and briefly analyze a PE+ trojan that is compressed with MPRESS from MATCODE Software. We will illustrate how to unpack the DLL, recover the import table and clean up the database to get it ready for analysis.

[Image: bochs_options]

Unpacking the DLL

Our target is a 64bit trojan DLL identified as “Win32/Giku”. We start analyzing this DLL by loading it in idaq64 and checking the segment list by pressing Ctrl-S:

[Image: mpress]

Notice how the section names and attributes signal the presence of the MPRESS packer.

To debug this DLL, make sure that the “Bochs debugger plugin” is selected and that it is configured for PE and 64bit emulation mode.

After starting the debugger, we observe the following code, which calls the unpack() routine:

[Image: bochs_unpacked]

If we step a bit further, we reach the code that reconstructs the imports by calling LoadLibrary()/GetModuleHandle() in a loop followed by another nested loop that calls GetProcAddress() and stores the result in the IAT:

[Image: bochs_restore_imports]

Noting down the value of the rdi register just before the stosq is executed for the first time gives us the IAT start address; noting rdi once more after both loops have finished gives us the IAT end address.
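As an added illustration (not code from the original post or from IDA), the following Python shows what the IAT looks like in memory once the loops above have run and resolves each 8-byte slot back to a module!export name, which is what the XTRN segment created later will represent; the module bases, export RVAs and snapshot bytes are all constructed for the example.

```python
import struct

# Constructed module map: base -> (name, {export RVA: name}). In a live Bochs
# session these would come from the module list and each module's export
# directory; every address and RVA below is invented for the example.
MODULES = {
    0x7FFA00000000: ("kernel32.dll", {0x1A2B0: "LoadLibraryA",
                                     0x1C3D0: "GetProcAddress",
                                     0x2E4F0: "VirtualAlloc"}),
    0x7FFA10000000: ("user32.dll", {0x0F000: "MessageBoxA"}),
}

def resolve_pointer(ptr):
    """Map an absolute address to 'module!export'; None if it is no known export."""
    for base, (name, exports) in MODULES.items():
        rva = ptr - base
        if rva in exports:
            return f"{name}!{exports[rva]}"
    return None

def walk_iat(snapshot, snapshot_base, iat_start, iat_end):
    """Walk the PE+ IAT slots (8 bytes each) in [iat_start, iat_end).

    Returns [(ea, label)] with one entry per slot. A zero slot ends a
    module's run (the inner GetProcAddress() loop finished) and is labelled
    'NULL'; a pointer that is not a known export is labelled 'UNRESOLVED'
    rather than silently dropped, so nothing is lost when building the
    XTRN segment.
    """
    if (iat_end - iat_start) % 8:
        raise ValueError("IAT range is not a whole number of qwords")
    off = iat_start - snapshot_base
    entries = []
    for ea in range(iat_start, iat_end, 8):
        (ptr,) = struct.unpack_from("<Q", snapshot, off)
        off += 8
        entries.append((ea, "NULL" if ptr == 0 else resolve_pointer(ptr) or "UNRESOLVED"))
    return entries

# Constructed 64-byte snapshot at 0x180005000, laid out as the packer's
# stosq loop would leave it: one run of pointers per module, each run
# terminated by a zero qword, plus one junk slot to exercise UNRESOLVED.
IAT_BASE = 0x180005000
SNAPSHOT = struct.pack("<8Q",
    0x7FFA00000000 + 0x1A2B0, 0x7FFA00000000 + 0x1C3D0, 0x7FFA00000000 + 0x2E4F0, 0,
    0x7FFA10000000 + 0x0F000, 0,
    0x4141414141414141, 0)

if __name__ == "__main__":
    for ea, label in walk_iat(SNAPSHOT, IAT_BASE, IAT_BASE, IAT_BASE + 64):
        print(f"{ea:#x}  {label}")
```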

Shortly after the IAT has been restored, we notice the jump to the original entry point:

[Image: bochs_jump_oep]

And the entry point code:

[Image: nosigs]

This is the real DllEntryPoint() of the unpacked program. Now, with the OEP and the IAT start/end values at hand, we are ready to clean up the database so that it represents the unpacked program.

Reconstructing and cleaning the database

There are many ways to clean stale or unused information out of the database once the program has been unpacked. The approach used here involves the following steps:

  1. Locating the IAT and creating an XTRN segment to represent the imports
  2. Deleting the packer’s entry point and adding the original entry point (after unpacking)
  3. Re-analyzing the code
  4. Applying FLIRT signatures
  5. Deleting the unused packer’s segments (optional)

Steps 1 to 3 can be automated using the uunp plugin that ships with IDA. Select from the menu “Edit/Plugins/Universal unpacker manual reconstruct”:

[Image: uunp_reconstruct_plg]

to invoke the uunp plugin directly after reaching the OEP. Fill in all the previously gathered information:

[Image: uunp_dlg]

and press OK. A new imports segment will be created, the code segment will be reanalyzed and finally a memory snapshot of the unpacked program will be taken.

We are now ready to apply the appropriate FLIRT signatures:

[Image: apply_sig]

After selecting the “vc64rtf” signature from the signatures window (Shift-F5), we notice how IDA identified the library functions and colored them light blue, making reverse engineering even easier.

Analyzing the unpacked code

After the code is unpacked, a quick inspection of the strings window reveals a set of encrypted strings:

[Image: decrypt_str1]

With the help of cross-references, the decryption function was identified. After giving it a proper prototype, we can Appcall it to decrypt the strings:

[Image: decrypt_str2]

We got a URL pointing to an encrypted text file. After digging a bit in the database, the function used to decrypt files was located:

[Image: decfileasm]

And this is the Appcall version of decrypt_file():

[Image: decfile]

We use it to decrypt spm.txt:

[Image: spm]

x32.jpg is a DLL packed with UPX and x64.jpg is a PE+ DLL packed with MPRESS.

Hope you found this blog post useful. Comments and suggestions are welcome.

4 Responses to Unpacking mpress’ed PE+ DLLs with the Bochs plugin

  1. vitaly says:

    MPRESS is quite good multi-platform packer. But it’s not a software protector.
    btw. Why did you add another section and didn’t reuse the loader section “.MPRESS2” which is not used anymore?

  2. Elias Bachaalany says:

    I added another segment and not section. In IDA segments are just logical units to separate areas. So I split the mpress2 segment to describe the .idata in a different segment with “XTRN” class.

    How the segments are displayed in IDA does not have to mean anything regarding the PE file format.

  3. someone says:

    it’d be great if the 64bit processor module was made available as part of the standard edition of ida pro since a lot of the new features (also of past updates) seem to be available with the advanced edition only.

  4. Han says:

    Nice, I’m looking for unpack mpress with IDA and now I’m read

    I trackback this article in:

    http://idelit.com/index.php?page=226

    Thanks!