ASPack is a Win32 executable file compressor which also protects the executable against basic Reverse Engineering. Although there are automated tools like IDA Pro's Universal Malware Unpacker or can probably be unpacked using techniques defined in BitBlaze Renovo, we analyzed ASPack protected executables using Dynamic Analysis particularly as an exercise for our upcoming training on Reverse Engineering and Malware Analysis at Nullcon 2012 Delhi.
Following analysis is based on Free version of ASPack 2.29.
ASPack-2.29 Generated Executable Overview
ASPack compresses each section of the input executable along with adding two of its own section: .aspack and .asdata - the former containing the decoder and loader code however it is currently not clear about the purpose of the later as it seem to be empty (SizeOfRawData = 0).
Comparing the Section Listing of the original and packed executable above, following assumptions can be made:
Analysis Approach
The approach was conventional - start with Static Analysis to have a basic idea of the decoder logic and look for possible anti-debug or anti-diassambly technique and acquire enough knowledge to proceed with Dynamic Analysis. We needed to identify important code blocks like decoder loop, section mapping, control transfer to Original Entry Point (OEP) etc before we can proceed with automated unpacking.
Static Analysis
The entry point code in .aspack section in the packed executable uses a bunch of fake long and short jump op-codes (0xe9, 0xeb) to break the disassembler (Note: IDA 6.3 can detect such obfuscation technique and disassemble correctly without manual intervention). After little manual fix-up the code can be analyzed and IDA 5.0 (free) can build the Flow Graph correctly as shown below.
Three APIs as shown below in the disassembly were found to be resolved early in the loader code. Based on this logic, we made an assumption that those APIs will be used in order to decode and map sections and hence are perfect analysis points during Dynamic Analysis.
Dynamic Analysis
Phase1
We needed to verify that the decoded code is executed from its original location (as mapped by the PE Loader). Since our test executable was a GUI application (calc.exe) which inevitably calls GetMessageW, we set a breakpoint on the API and on breakpoint hit we could verify that the original code was decoded and execute from its original location only.
Little trial and error proved that ASPack loader does not seem to have any random or metamorphic component and hence this particular code above is always at an offset 0x420 from the base of .aspack section. The 0x00 above is patched with the computed OEP address at runtime.
Workflow for Automatic Unpacking
The Tool
The tool is written using the wonderful Metasm Framework, without it a LOT of work would have been required. The core logic is as below:
Closing Note: ASPack is not really meant for executable protection as such, it is more of a compression system similar to UPX. For serious requirement, appropriate tools like ASProtect, Themida, VMProtect etc. should be considered.
Advertising:
We will be conducting a 2-days workshop on Reverse Engineering and Malware Analysis at Nullcon 2012 Delhi which includes topic as described above along with other interesting topics like Dynamic Binary Instrumentation, Binary Patch Analysis etc. If you are new to Reverse Engineering, we will try our best to equip you with the basics of x86 ASM and Win32 platform components so that you can benefit from open information available on the internet. Do check out if you are interested.
Reference
http://www.aspack.com/
http://metasm.cr0.org/
http://bitblaze.cs.berkeley.edu/
Following analysis is based on Free version of ASPack 2.29.
ASPack-2.29 Generated Executable Overview
ASPack compresses each section of the input executable along with adding two of its own section: .aspack and .asdata - the former containing the decoder and loader code however it is currently not clear about the purpose of the later as it seem to be empty (SizeOfRawData = 0).
Section List for Original Executable
Section List for Packed Executable
Comparing the Section Listing of the original and packed executable above, following assumptions can be made:
- ASPack keeps the original sections intact including the section RVA however it sets the section mapping permission to RWX instead of the original R_X.
- ASPack adds two news sections - .aspack and .adata among which the purpose of .adata is unknown as it is empty.
- As understandable, the original entry-point is redirected to point somewhere within .aspack section.
Analysis Approach
The approach was conventional - start with Static Analysis to have a basic idea of the decoder logic and look for possible anti-debug or anti-diassambly technique and acquire enough knowledge to proceed with Dynamic Analysis. We needed to identify important code blocks like decoder loop, section mapping, control transfer to Original Entry Point (OEP) etc before we can proceed with automated unpacking.
Static Analysis
The entry point code in .aspack section in the packed executable uses a bunch of fake long and short jump op-codes (0xe9, 0xeb) to break the disassembler (Note: IDA 6.3 can detect such obfuscation technique and disassemble correctly without manual intervention). After little manual fix-up the code can be analyzed and IDA 5.0 (free) can build the Flow Graph correctly as shown below.
Three APIs as shown below in the disassembly were found to be resolved early in the loader code. Based on this logic, we made an assumption that those APIs will be used in order to decode and map sections and hence are perfect analysis points during Dynamic Analysis.
Dynamic Analysis
Phase1
We needed to verify that the decoded code is executed from its original location (as mapped by the PE Loader). Since our test executable was a GUI application (calc.exe) which inevitably calls GetMessageW, we set a breakpoint on the API and on breakpoint hit we could verify that the original code was decoded and execute from its original location only.
Phase2
Once it is verified that ASPack decoder decodes and execute original code in-place, we wanted to discover the decoder code block. For this we set a break-on-write (ba w4 addr-range in WinDBG) at the base address of the mapping containing the packed code.
Phase3
During Phase1 we noticed that the memory mapping of the decoded .text section is changed to R_X before execution from its original RWX permission as seen in the packed executable. From this we inferred that VirtualProtect must have been used before control is transferred to OEP.
Using this logic we were able to determine the exact point where ASPack loader transfers control to the OEP in the decoded .text section as shown below:
Little trial and error proved that ASPack loader does not seem to have any random or metamorphic component and hence this particular code above is always at an offset 0x420 from the base of .aspack section. The 0x00 above is patched with the computed OEP address at runtime.
Workflow for Automatic Unpacking
- Set breakpoint on entry point
- On breakpoint hit
- Set breakpoint on OEP Caller address (push)
- On breakpoint-hit
- Dump the PE
- Update entry point in PE Optional Header
- TODO: Re-construct IAT
The Tool
The tool is written using the wonderful Metasm Framework, without it a LOT of work would have been required. The core logic is as below:
The full code is available here.
Closing Note: ASPack is not really meant for executable protection as such, it is more of a compression system similar to UPX. For serious requirement, appropriate tools like ASProtect, Themida, VMProtect etc. should be considered.
Advertising:
We will be conducting a 2-days workshop on Reverse Engineering and Malware Analysis at Nullcon 2012 Delhi which includes topic as described above along with other interesting topics like Dynamic Binary Instrumentation, Binary Patch Analysis etc. If you are new to Reverse Engineering, we will try our best to equip you with the basics of x86 ASM and Win32 platform components so that you can benefit from open information available on the internet. Do check out if you are interested.
Reference
http://www.aspack.com/
http://metasm.cr0.org/
http://bitblaze.cs.berkeley.edu/
can you give your email or yahoo messenger? i wanna ask about .dll file that are packed with aspack 2.29, please send me email / add my yahoo messenger : Phantomz_Whizard@yahoo.com , thanks a lot
ReplyDeletei really need your help to open this .dll file packed with aspack 2.29 , if you dont mind please help me through my email above, to explain more and help me. i really appreciate that. thanks
ReplyDeleteThanks for the article. It is really worth reading.
ReplyDeleteThanks for the article. It is really worth reading. Kinemaster Gold
ReplyDeletegreat post
ReplyDeletehttps://hectorprny540.exposure.co/customer-acquisition-companies-expectations-vs-reality?source=share-hectorprny540
Nice amazing and excellent info providing by your post about unpacking I really like to read it thank you so much for sharing with us.
ReplyDeleteWhen considering property managers in Saint Louis, it's crucial to find professionals with a solid track record. With their expertise, property managers in Saint Louis can effectively handle tenant screenings, rent collection, and maintenance requests. Their local knowledge is invaluable in navigating the market and ensuring optimal rental income. By entrusting your property to reliable property managers in Saint Louis, you can enjoy peace of mind, knowing that your investment is in capable hands. Their attention to detail and commitment to client satisfaction sets them apart. Look no further than these dedicated professionals for all your property management needs in Saint Louis.
ReplyDelete"Fascinating deep dive into ASPack-2.29 unpacking through dynamic analysis! 🕵️♂️💡 Understanding the techniques behind it is key to enhancing security.
ReplyDeleteTCS Tracking PK is a reliable tool for tracking shipments handled by TCS, Pakistan's leading courier and logistics company. It offers real-time updates and detailed information on parcel status, ensuring efficient and transparent delivery tracking for both senders and recipients.
ReplyDeleteSNGPL Bill Check is an online service that allows customers to easily verify and view their gas utility bills issued by Sui Northern Gas Pipelines Limited. It provides a convenient way to manage billing details and ensure timely payments.
ReplyDeleteQMS (Quality Management System) processes are structured activities and procedures that ensure a company's products or services meet consistent quality standards. These processes help organizations improve efficiency, reduce errors, and enhance customer satisfaction by adhering to established guidelines and continuous improvement practices.
ReplyDeleteThe Sui Gas online bill service allows customers to conveniently view and pay their gas bills through a user-friendly digital platform. This service simplifies billing management, offers instant access to account details, and provides secure payment options.
ReplyDeleteThe TCS office in DG Khan provides efficient courier and logistics services to the local community, ensuring timely and reliable delivery of parcels and documents. For assistance or to track shipments, customers can visit the office directly or use their online services.
ReplyDeleteSonic milkshakes are creamy, hand-mixed treats available in a variety of classic and unique flavors, from vanilla and chocolate to Oreo and peanut butter. Known for their rich taste and thick texture, Sonic's milkshakes make for a delicious dessert or snack.
ReplyDeleteDiscover Gold Rate
ReplyDelete, your ultimate destination for the latest gold prices in Kuwait. Whether you're an investor, a jewelry enthusiast, or simply curious about market trends, we provide accurate, up-to-date rates and insights to guide your decisions. Dive into a world of gold knowledge, from karats to investment tips, all tailored for Kuwait’s vibrant market. Stay informed, stay golden!
TCS (Tata Consultancy Services) Tracking is a system used to monitor and track shipments and deliveries handled by TCS. It allows customers to easily check the real-time status and location of their packages using a unique tracking number, ensuring transparency and timely updates throughout the delivery process.
ReplyDelete