09.21
This is our last blog about MEW, we promise. We intend to keep that promise since this is the last known version of MEW. What's so special about MEW anyway?
The reason we chose to do MEW (again) is that in its version 5 it is a simple crypter which can be used as a perfect example of how to write static unpackers for this kind of crypter. That kind would be the kind that doesn't do anything to imports but only encrypts the executable code section. Next time we revisit static unpackers we will be talking about such cases. We are going to leave that aside for now because this Monday is all about simple and fast unpacker writing. Start your timers; we will do it in under 10 minutes.
Minute 1 - 2:
We load our sample into Olly and see the entire MEW5 code at the entry point.
    MOV ESI,0040005B
    LODS DWORD PTR DS:[ESI]
    XCHG EAX,ECX
    LODS DWORD PTR DS:[ESI]
    XCHG EAX,EBX
    PUSH EBX
    LODS DWORD PTR DS:[ESI]
    XCHG EAX,ESI
    PUSH ESI
    POP EDI
L010:
    LODS BYTE PTR DS:[ESI]
    ROL AL,29
    ADD AL,BA
    ROR AL,50
    STOS BYTE PTR ES:[EDI]
    LOOPD L010
    RET
Yes, that's it. The whole code. So what does it do? First it loads a pointer to all internal information into the ESI register. We follow ESI in the hex dump to find that there are 3 DWORDs that hold the data necessary for unpacking. The first DWORD is 0x3000, which is the size of the first section; the second DWORD is 0x004012c0, which is the address of the original entry point; and the third DWORD is 0x00401000, which is the virtual address of the first section. The code following this loads 0x3000 bytes one by one and decrypts them in place with a custom decryption algorithm. Here the instruction sequence ROL, ADD, ROR is used to decrypt the data.
Minute 3 - 4:
We make a copy of an existing TitanEngine SDK sample for DEF and use that as a template for our unpacker. We are making a Delphi unpacker since... well, since TitanEngine is low on Delphi samples and this is a nice and quick exercise.
Minute 5 - 9:
We code the unpacker. First we need to read the ESI pointer and read the three DWORDs from the file. Once we have those, we convert the third DWORD to a physical offset inside the mapped file and we also convert the original entry point address to a relative one. A simple call to StaticMemoryDecryptEx makes sure that our StaticCallBack decrypts the data by executing this custom decryption algorithm. Lastly we add the code to store the new entry point in the PE32 header and we're done.
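To make those steps concrete, here is an added Python sketch of the same static unpacking logic (not the Delphi/TitanEngine code from this post): it reads the three DWORDs the stub fetches, maps the section VA to a raw file offset, replays the ROL/ADD/ROR loop byte by byte and returns the new entry point as an RVA. The immediates are read as Olly's hex (29h, 0BAh, 50h); the 0x00400000 image base, the single-section layout and the tiny in-memory sample are assumptions made for the example.

```python
import struct

def rol8(v: int, n: int) -> int:
    # x86 masks the rotate count to 5 bits; for an 8-bit operand the effective count is then mod 8
    n = (n & 0x1F) % 8
    return ((v << n) | (v >> (8 - n))) & 0xFF if n else v

def ror8(v: int, n: int) -> int:
    n = (n & 0x1F) % 8
    return ((v >> n) | (v << (8 - n))) & 0xFF if n else v

def mew5_decrypt(buf: bytes) -> bytes:
    """Replay the stub loop on every byte: ROL AL,29h / ADD AL,0BAh / ROR AL,50h."""
    return bytes(ror8((rol8(b, 0x29) + 0xBA) & 0xFF, 0x50) for b in buf)

def mew5_encrypt(buf: bytes) -> bytes:
    """Inverse of mew5_decrypt; only used here to build the constructed sample below."""
    return bytes(ror8((rol8(b, 0x50) - 0xBA) & 0xFF, 0x29) for b in buf)

def parse_stub_info(image: bytes, info_offset: int):
    """The three DWORDs the stub fetches with LODSD: section size, OEP (VA), section VA."""
    return struct.unpack_from("<III", image, info_offset)

def rva_to_raw(rva: int, sections) -> int:
    """sections: (virtual_address, raw_pointer, raw_size) triples as in the PE section table."""
    for va, raw, raw_size in sections:
        if va <= rva < va + raw_size:
            return raw + (rva - va)
    raise ValueError("RVA %#x is not backed by file data" % rva)

def unpack(image: bytes, info_offset: int, sections, image_base: int):
    """Return (decrypted file image, new AddressOfEntryPoint as an RVA)."""
    size, oep_va, sect_va = parse_stub_info(image, info_offset)
    raw = rva_to_raw(sect_va - image_base, sections)
    out = bytearray(image)
    out[raw:raw + size] = mew5_decrypt(image[raw:raw + size])
    return bytes(out), oep_va - image_base

# --- constructed sample (not a real MEW5 binary); image base 0x00400000 is assumed ---
IMAGE_BASE = 0x00400000
INFO_OFFSET = 0x5B                   # stub's ESI = 0040005B: RVA 0x5B in the header, raw offset == RVA
SECTIONS = [(0x1000, 0x400, 0x200)]  # one code section: VA 0x1000, raw data at 0x400, 0x200 bytes
PLAINTEXT = b"\x55\x8B\xEC" + b"\x90" * 13   # push ebp / mov ebp,esp / nops

def build_sample() -> bytes:
    img = bytearray(0x600)
    struct.pack_into("<III", img, INFO_OFFSET, len(PLAINTEXT), IMAGE_BASE + 0x1000, IMAGE_BASE + 0x1000)
    img[0x400:0x400 + len(PLAINTEXT)] = mew5_encrypt(PLAINTEXT)
    return bytes(img)
```

Calling `unpack(build_sample(), INFO_OFFSET, SECTIONS, IMAGE_BASE)` yields the decrypted image and the RVA (0x1000 here) that the real unpacker writes into the PE32 header's entry point field.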
Minute 9:47 - 10:
We run the compiled unpacker to test if it works... Success!
Download RL!deMEW5 unpacker
