Published in Ax1al

A brief introduction to Packing and Obfuscation


Packing and obfuscation are techniques commonly used by malware to evade pattern-based detection and to slow down the malware analyst or reverse engineer trying to reach the malicious code. They are not exclusive to malicious files: some legitimate software uses them to stop reverse engineers from recovering the original source or cracking the program. In this post we look at both techniques in turn, with the help of some packed and obfuscated files.

Packing

As already mentioned, packing is used by malware to evade detection, but packers were originally created to shrink files so they could be transferred over the slow networks of the time. As bandwidth grew, the need for packers diminished, so today a packed executable is in itself a suspicious sign (though not proof of malice, since some legitimate software still ships packed). The most common kind is the run-time packer, which unpacks the file in memory when it is executed. UPX is the best-known example; so much malware has used it that many antivirus products will flag even a legitimate file packed with UPX.

How does UPX work?

UPX is a commonly used packer, so let's look at how it works. UPX creates an executable with three main parts:

  1. Stub: the code that decompresses the compressed executable. This is the entry point of the packed file.
  2. Compressed executable: the original executable, compressed by UPX, which the unpacking stub will decompress.
  3. Empty space: room for the unpacked executable. If you list the sections of a packed executable in PE Studio you will find one (generally UPX0) with a raw size of 0 and a large virtual size, meaning it occupies no space on disk but grows to that size at run time. This makes sense: the packed executable is going to be unpacked and executed in memory, so it needs space to reside.
Sections of a packed executable

How does unpacking work?

The good thing about packing, from the analyst's side, is that packed code cannot execute as-is: if a malware is packed, it has to unpack itself to run. A reverse engineer therefore knows that finding the unpacking routine is enough to reach the malicious code, whether that routine is embedded in the malware itself or triggered by a C2 command. Above we looked at the layout of a packed file; now let's look at how it gets unpacked. A UPX-packed file unpacks itself when executed, because of the unpacking stub. The stub does not just decompress the executable; it also does the following:

  1. Decompressing the packed executable into memory
  2. Resolving imports
  3. Restoring the memory protections (page permissions) of the sections
  4. Jumping to the original entry point (the unpacked executable's entry point)

After the original code has been decompressed into the UPX0 section, the original file's imports are resolved. If you look at the import section of a packed file in PE Studio you will find far fewer imports than the original uses (only the handful the stub itself needs, such as LoadLibraryA and GetProcAddress); the rest are resolved by the stub after unpacking. After restoring the memory protections with VirtualProtect, execution is transferred to the entry point of the original file. We can use UPX itself to unpack a UPX-packed file (upx -d), or do it manually with a debugger.

Check out this article (linked under More to read) to learn how to manually unpack a UPX-packed file.

Obfuscation

As already mentioned, obfuscation is a technique developers use to make their code unreadable, so that recovering the source becomes hard for a reverse engineer; malware uses it for the same reason. Obfuscating code or strings lets malware hide suspicious code or strings that would alert an analyst to the file's intent, and it also helps evade detection when a particular string or command has been flagged as suspicious by an antivirus. For example, if a file contains the shell command echo "Malware" and the developer wants to make it textually unreadable, the following does the job:

aaa=e
fff=o
ccc=h
bbb=c
command=$aaa$bbb$ccc$fff   # the dollar sign expands each variable to its value, giving "echo"
$command "Malware"         # runs: echo "Malware"

Packers can also be considered obfuscators, because the code of the original file is unreadable until it is unpacked. Obfuscators also use encoding and encryption, from something as simple as XOR or base64 to full AES or DES encryption. There are many more obfuscation techniques; you can read about them here.

There are many online obfuscators; one of them is javascript obfuscator, which lets users obfuscate their JavaScript code with string and identifier transformations.

Left side: obfuscated code. Right side: original code.

Looking at the two sides you would hardly guess they are related, but both programs are the same: the left side is the obfuscated version of the right side. In the obfuscated code, hexadecimal-looking identifiers are used in place of the original names, and the strings are moved out of the code, to confuse anyone trying to work out what it does.

How to deobfuscate?

De-obfuscating code does not require much beyond good debugging skills, because no matter how complicated the obfuscation, the code that finally executes must be in the language's plain syntax, and any value must be in the clear at the moment it is used. So if you want to know what a function does or what a variable holds, put a breakpoint, or print the value, right after it is assigned or just before the function returns it.

Even with no idea what the obfuscated code above does, since it is JavaScript we can simply paste it into the browser console and run it. We already know it prints "Hello world" to the console; to see how the code produces that output, we add console.log statements at the appropriate positions.

We put a console.log at line 24 because the variable _0x587c6f is used at line 25 to print something. That tells us _0x587c6f holds a function, the one defined on line 2, so we also put console.log on lines 4 and 6 to see what _0x17dfbf contains (it is used as an index on line 5) and what the function returns. The output after hi() is called looks like this.

As we can see, the variable _0x587c6f contains a function.

_0x17dfbf contains the value 1, which is used as an index into the array _0x53f6 (line 1), and that array holds "Hello world" at position 1.

The output confirms that the variable _0x53f6da does contain "Hello world", which is what the function returns. So this is just a basic function printing "Hello world" to the console. In the same manner we can deobfuscate code in other languages with some debugging skills.

More to read

In today's post we discussed packing and obfuscation briefly; if you want to read more on this, give these articles a read. Follow Ax1al for more posts on related topics.

https://tech-zealots.com/reverse-engineering/dissecting-manual-unpacking-of-a-upx-packed-file/

http://security.cs.rpi.edu/courses/malware-spring2013/Using_UPX_as_a_security_packer.pdf

Summary :

This post was very introductory when it comes to understanding packers and obfuscators; if you feel there is any sort of misinformation, please feel free to let me know.

Blog by Nerd of AX1AL. Join us at our discord server.

Gaurav yadav

I like to learn things that challenge me. I am a developer, reverse engineer and very much addicted to games.