Unpackers
Unpackers extract the original executable code from packed or compressed binaries. Many programs use packers to reduce file size and obfuscate code, making unpacking an essential skill for reverse engineers.
Common Packers
- UPX - Ultimate Packer for eXecutables, very common
- ASPack - Popular Windows executable packer
- PECompact - Executable compression tool
- Themida - Advanced commercial packer with anti-debugging
- VMProtect - Virtualization-based protection
Unpacking Methods
There are several approaches to unpacking:
- Automatic unpackers - Tools that handle common packers automatically
- Manual unpacking - Using a debugger to dump the process memory once the packer's stub has finished unpacking
- OEP finders - Tools that locate the Original Entry Point
- Import reconstruction - Rebuilding the Import Address Table (IAT) of the dumped image so it loads and runs again
Unpacking Tools
- UPX - The packer itself also unpacks UPX-packed files (upx -d)
- RL!dePacker - Universal unpacker
- Quick Unpack - Automatic unpacker plugin for OllyDbg
- Scylla - Import reconstruction tool
Manual Unpacking Process
The typical manual unpacking process:
- Load the packed executable in a debugger
- Set breakpoints on the APIs that unpacking stubs commonly call
- Run until unpacking completes
- Find the Original Entry Point (OEP)
- Dump the unpacked code from memory
- Fix the imports using Scylla or a similar tool
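The packer list above, the "OEP finders" method and the "Find the Original Entry Point" step all rest on the same observations about a packed PE: the stub leaves recognisable section names, the compressed payload has near-8-bits-per-byte entropy, and the section the payload is unpacked into has no data on disk, so the first instruction executed inside that section is the OEP candidate. The script below is an added example (not code from the original page or from any of the tools it names) that parses a PE section table, scores those indicators, and applies the OEP heuristic to a recorded list of executed addresses. The packer section-name table, the entropy threshold of 7.0, the sample PE image and the execution trace are all constructed assumptions for illustration; the parser works on real PE files as well.

```python
"""Packer triage for PE files: section-table parsing, entropy scoring and an
OEP heuristic. Added example; the sample PE image below is constructed test
data, not a real packed binary."""
import hashlib
import math
import struct
from collections import Counter

# Section names left behind by packers named on this page. Assumption: an
# illustrative signature table, not an exhaustive or authoritative one.
PACKER_SECTION_NAMES = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".themida": "Themida",
    ".vmp0": "VMProtect", ".vmp1": "VMProtect",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed/encrypted data, much lower for code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
            "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]),
        })
    return sections


def packer_indicators(pe: bytes) -> list:
    """Return (section name, reason) pairs that suggest the file is packed."""
    findings = []
    for s in parse_sections(pe):
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append((s["name"], "section name used by " + PACKER_SECTION_NAMES[s["name"]]))
        if s["raw_size"] == 0 and s["vsize"] > 0:
            findings.append((s["name"], "no data on disk but non-zero virtual size: filled at runtime"))
        if s["raw_size"] >= 256 and s["entropy"] > 7.0:   # threshold is an assumption
            findings.append((s["name"], "entropy %.2f bits/byte: compressed or encrypted" % s["entropy"]))
    return findings


def find_oep_candidate(pe: bytes, trace: list) -> int:
    """OEP-finder heuristic: the first executed address inside a section that
    had no raw data on disk (the stub had to write it before jumping there)."""
    empty = [s for s in parse_sections(pe) if s["raw_size"] == 0 and s["vsize"] > 0]
    for addr in trace:
        if any(s["vaddr"] <= addr < s["vaddr"] + s["vsize"] for s in empty):
            return addr
    return -1


def build_sample_pe(sections: list) -> bytes:
    """Build a minimal PE image from (name, virtual_size, raw_bytes) tuples.
    Constructed test data: no optional header, no imports, not loadable."""
    blob = bytearray(0x40)
    blob[:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)           # e_lfanew
    blob += b"PE\0\0"
    blob += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = len(blob) + 40 * len(sections)
    vaddr, body = 0x1000, bytearray()
    for name, vsize, raw in sections:
        blob += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                            len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(raw)
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF   # next page-aligned RVA
        body += raw
    return bytes(blob + body)


# Deterministic stand-in for compressed data (constructed, not real UPX output).
COMPRESSED_LOOKING = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PLAIN_CODE = b"\x90" * 2047 + b"\xC3"   # NOP sled + ret: a low-entropy ".text" stand-in

UPX_STYLE = build_sample_pe([("UPX0", 0x10000, b""), ("UPX1", 0x5000, COMPRESSED_LOOKING)])
UNPACKED = build_sample_pe([(".text", 0x800, PLAIN_CODE)])
# Constructed execution trace: stub runs in UPX1 (RVA 0x11000+), then jumps into UPX0.
SAMPLE_TRACE = [0x11000, 0x11010, 0x11020, 0x1520, 0x1524]

if __name__ == "__main__":
    for label, image in (("upx-style", UPX_STYLE), ("unpacked", UNPACKED)):
        print(label, packer_indicators(image) or "no packer indicators")
    print("OEP candidate: RVA 0x%X" % find_oep_candidate(UPX_STYLE, SAMPLE_TRACE))
```

Run against a real file, `packer_indicators(open(path, "rb").read())` gives the quick triage that decides whether a sample needs unpacking at all; the trace passed to `find_oep_candidate` would come from the debugger session described in the manual process above, and the address it returns is the one to dump from before handing the image to Scylla.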