
New FUU plugin – dePeX

Hi!

After a while without any post of any kind, we are back! This time it is to let you know about another plugin update for FUU. This new plugin is for PeX; currently we support PeX 0.99, but if you want us to support another version just send us the sample 🙂

I will show you just a few things about this simple packer.

This is the EP of PeX 0.99. If you look at the address where we are, you’ll see that it belongs to the SFX section of the packed executable:

This is just the first “layer” of the packer.

We have this other piece of code where the addresses change drastically:

If you look at [ESP], you’ll see the RETF return address:

In this case, 0x330000 is the address where the second layer will be executed, where imports are redirected and the JMP to the OEP is taken.

Then we have the place where the IAT is redirected; here LoadLibrary is called to load into memory all the DLLs imported by the packed executable:

Then we have the GetProcAddress code that gets all the functions imported by the packed file:

After this code (the redirection table) is executed, when we reach the OEP we will see that all the indirect jumps through the IAT are redirected:

To fix the IAT we can write a script for ODbgScript (or OllyScript) that takes the original values from the registers and overwrites the bad pointers with the good ones, or simply look for the “magic” jump (yes, PeX has a magic jump that avoids the IAT redirection, like many other packers):

We can find this jump by tracing the code mentioned above (the GetProcAddress and LoadLibrary procedures) and analyzing it 😛

The last thing is the code that reaches the OEP:

If we trace that piece of code, we’ll see that the PUSH-RET combination leaves the OEP’s address at the top of the stack (ESP):

This is just the value in the PUSH above plus 1:
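The IAT repair and the PUSH-RET trick described above, as an added Python example that is not part of dePeX or FUU: it models a 32-bit process image in which the packer has replaced each IAT slot with a pointer to a stub (JMP rel32, or PUSH imm32 / RET, the same shape PeX uses to reach the OEP) inside its second-layer region, decodes the stubs to recover the real API address, writes it back into the slot, and leaves any slot it cannot decode for manual work. All addresses, stub bytes and "API" addresses are constructed placeholders, not values taken from PeX.

```python
import struct

IAT_BASE = 0x401000         # constructed: where the packed PE's IAT lives
REDIRECT_BASE = 0x330000    # constructed: the packer's second-layer region
REDIRECT_SIZE = 0x1000

# Constructed placeholder API addresses (stand-ins for what GetProcAddress returned).
API = {"LoadLibraryA": 0x77E10100, "GetProcAddress": 0x77E10200, "ExitProcess": 0x77E10300}


class Memory:
    """Minimal flat memory image made of a few (base, bytearray) regions."""

    def __init__(self):
        self.regions = []

    def add(self, base, size):
        self.regions.append((base, bytearray(size)))

    def _find(self, addr, n):
        for base, buf in self.regions:
            if base <= addr and addr + n <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped access at {addr:#x}")

    def read(self, addr, n):
        buf, off = self._find(addr, n)
        return bytes(buf[off:off + n])

    def write(self, addr, data):
        buf, off = self._find(addr, len(data))
        buf[off:off + len(data)] = data


def in_redirect_region(addr):
    return REDIRECT_BASE <= addr < REDIRECT_BASE + REDIRECT_SIZE


def decode_stub_target(mem, addr):
    """Return where a one-instruction stub at `addr` transfers control, or None.

    Handles the two shapes this example constructs:
      E9 rel32         JMP rel32
      68 imm32 / C3    PUSH imm32 ; RET  (the PUSH-RET pattern: the RET pops imm32)
    """
    op = mem.read(addr, 1)[0]
    if op == 0xE9:
        rel = struct.unpack("<i", mem.read(addr + 1, 4))[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    if op == 0x68 and mem.read(addr + 5, 1) == b"\xC3":
        return struct.unpack("<I", mem.read(addr + 1, 4))[0]
    return None


def resolve_import(mem, value, max_hops=8):
    """Follow a redirected IAT value through stubs until it leaves the packer region."""
    hops = 0
    while in_redirect_region(value):
        target = decode_stub_target(mem, value)
        if target is None or hops >= max_hops:
            return None         # unknown stub shape or a loop: leave it for manual work
        value, hops = target, hops + 1
    return value


def read_slot(mem, index):
    return struct.unpack("<I", mem.read(IAT_BASE + 4 * index, 4))[0]


def fix_iat(mem, slot_count):
    """Rewrite every IAT slot pointing into the packer region; return (fixed, unresolved)."""
    fixed, unresolved = 0, []
    for i in range(slot_count):
        value = read_slot(mem, i)
        if not in_redirect_region(value):
            continue            # already a real API pointer
        real = resolve_import(mem, value)
        if real is None:
            unresolved.append(IAT_BASE + 4 * i)
            continue
        mem.write(IAT_BASE + 4 * i, struct.pack("<I", real))
        fixed += 1
    return fixed, unresolved


def build_sample():
    """Construct an image with three decodable stubs and one the resolver rejects."""
    mem = Memory()
    mem.add(IAT_BASE, 0x100)
    mem.add(REDIRECT_BASE, REDIRECT_SIZE)
    s0, s1, s2, s3, s4 = (REDIRECT_BASE + off for off in (0x10, 0x20, 0x30, 0x40, 0x50))
    mem.write(s0, b"\xE9" + struct.pack("<i", API["LoadLibraryA"] - (s0 + 5)))   # JMP -> API
    mem.write(s1, b"\x68" + struct.pack("<I", API["GetProcAddress"]) + b"\xC3")  # PUSH/RET
    mem.write(s2, b"\xE9" + struct.pack("<i", s3 - (s2 + 5)))                    # JMP -> s3
    mem.write(s3, b"\x68" + struct.pack("<I", API["ExitProcess"]) + b"\xC3")     # PUSH/RET
    mem.write(s4, b"\x90")                                                       # undecodable
    for i, stub in enumerate((s0, s1, s2, s4)):
        mem.write(IAT_BASE + 4 * i, struct.pack("<I", stub))
    return mem


if __name__ == "__main__":
    image = build_sample()
    print(fix_iat(image, 4))    # 3 slots repaired, slot 3 reported as unresolved
```

The two-hop chain (s2 to s3) is why the resolver loops rather than decoding a single instruction: packers commonly bounce through more than one stub, and the hop limit keeps a deliberately circular stub from hanging the script. A real ODbgScript would do the same walk with the debugger's memory reads instead of this in-memory model.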

That’s all, folks!

If you have any doubt, just email me!

As always, all comments are welcome 😛

Here you have the unpacker for PeX (dePeX) (binary) and here the sources.

See you soon!

Categories: Tool
  1. Xylitol
    November 2, 2010 at 11:44 pm

    Hello, can we have some news about your project ? 🙂
    keep up the good work !

    • NCR
      November 3, 2010 at 12:26 am

      Yes, of course. Currently we are working on version 0.2. We are doing some changes in the core of the app in order to support new features. In the meanwhile, I’m writing an anti-anti-debug library because we will need it to develop more complex unpackers (ASProtect, ACProtect, Armadillo, etc.). The first version of the library is almost ready, and after that we will continue with the 0.2 release.

      Question for you … what would you like to see in v0.2? Do you need something special? Any particular feature?

      If you have any question, please do not hesitate, ask us!
