j u s t b a s e 64 d e c o d e this: IzQxOGZhNzQ5YSBJIGhhdmUgYSBwcm9ibGVtIHVucGFja2luZyB0aGlzIHByb2dyYW0uIElmIHlvdSBjYW4gdW5wYWNrIHRoaXMgaSBjYW4gZ2l2ZSB5b3UgNTAgZG9sbGFycyEgSGVyZSB0aGUgcHJvZ3JhbTogaHR0cDovL3d3dy5tZWRpYWZpcmUuY29tL2ZpbGUvMjlzZm9uNXJuMWljdHkzL3RhcmdldC43ei9maWxlICM0MThmYTc0OWE=

j u s t b a s e 64 d e c o d e this: IzdkNzdkN2RhOCBJIGhhdmUgYSBwcm9ibGVtIHVucGFja2luZyB0aGlzIHByb2dyYW0uIElmIHlvdSBjYW4gdW5wYWNrIHRoaXMgaSBjYW4gZ2l2ZSB5b3UgNTAgZG9sbGFycyEgSGVyZSB0aGUgcHJvZ3JhbTogaHR0cDovL3d3dy5tZWRpYWZpcmUuY29tL2ZpbGUvMjlzZm9uNXJuMWljdHkzL3RhcmdldC43ei9maWxlICM3ZDc3ZDdkYTg=

Thats why we built www.unpac.me/ : ))

Glad you enjoyed the video! Thanks again for the neat sample to look at, you always have great questions and suggestions. We really appreciate the support! Thanks!

@@OALABS hey, I know it’s been three years but I have a dilemma. I’m trying to unpack a program which does not create a child process (as far as I can tell, at least). It’s a console application and conhost.exe always launches when the program is run, but I don’t think it’s the program creating that? I’m not sure. My question is, does the CreateProcess trick only work if the program creates a child process to load the unpacked code into? Whenever I try to set a breakpoint on CreateProcessW or CreateProcessInternalW, it never hits it, which leads me to believe it doesn’t use the function at all. Yet, I’m not sure what to think about the fact that it launches the console to display text and get input from the user, does that not count as a child process and would it not use CreateProcess in some form to launch conhost?

Hey that's awesome to hear, thanks for the encouragement! We have some more in-depth reversing stuff planned for this year so stay tuned : )

Thanks! Awesome to hear you enjoyed the tutorial. There is some amazing in-depth analysis of Emotet from our friend d00rt that you might enjoy here github.com/d00rt/emotet_research

Thank you very much, it's always great to hear when folks find our tutorials interesting : )) As for our backgrounds I've replied to a few questions about this and maybe we will make an "about us" video in the future but there is nothing really exciting about our backgrounds. Personally I was a developer first, and I am just very curious about how things work, always have been. So that progressed into more and more reverse engineering. It's still fascinating to me to explore how applications are designed and figure out what makes modern systems work. As for the resources I used to learn how to reverse engineer, the simple answer is everything I could find on the Internet. Back when I was first learning there wasn't a ton of information like there is today... it was mostly the cracking community and some forums so that is where I spent my time. Things are really different today, there are tons of free online resources. If you are motivated and you have the time all the info is there ... anything from very formal training opensecuritytraining.info/IntroductionToReverseEngineering.html all the way to the videos that we produce here. A big part of why we make these videos is because these are the types of tutorials that we wish had been around when we were first learning. The same for the amazing tutorials from Hasherezade kzbin.info/door/NWVswPNgn5kutPNa5sprkg, Karsten kzbin.info/door/VFXrUwuWxNlm6UNZtBLJ-A, Todd kzbin.info/door/SLlgiYtOXZnYPba_W4bHqQ, Colin kzbin.info/door/ND1KVdVt8A580SjdaS4cZg, and LiveOverflow kzbin.info/door/lcE-kVhqyiHCcjYwcpfj9w. If you have questions about specific topics you want to learn let us know and we will cover them in a video. Anything to do with reversing really... except maybe how to unpack themida ; ) Just let us know!

No this was for unpacking stage 1 of the malware. Stage 2 would be the modules and so much ash changed that I don't think it would be as applicable now. If emotet remains active now that it has returned we may look into making a updated version of this.

@@OALABS Got it, appreciate the response. Great content overall, I subscribed.

That is a really good question, and something that I should have explained better. So this packer actually unpacks and self-injects the payload PE. Then the injected payload makes the copy of the file and executes it (as a way to hide I guess). So when we break on CreateProcessInternalW we are looking for the self-injected PE, not a PE that is mapped into a new process. In other videos we cover packers where the PE is going to be written into a remote process and in those you will see we don't look for ERW sections since the payload doesn't need to be executable, as you correctly pointed out.

This is a great point! You may have seen me doing this in other videos where I alter both the virtual address size and the raw address size to fill the entire space between the current section start and the next section start. I don't think you need to do this as the original sizes will still accurately represent the size of the actual data that matters in each section, and most tools (and the windows loader) will be unaffected by the size not accurately reflecting what is in the file. However, I usually do adjust the size because I feel it is more accurate, I just didn't in this case because I was lazy or forgot : ) So in short, you don't need to adjust that size but usually I do.

Thanks : ) We will keep an eye out for an interesting .NET sample to analyze but in the mean time I would recommend the tutorial videos over at the MalwareAnalysisForHedgehogs channel. I've personally learned a ton from from the ones on .NET kzbin.info/www/bejne/hWS2XoBoo6Z-o6c kzbin.info/www/bejne/ZnW5YpWeo9OCr68

Hmm, so that looks like winappdbg is unable to resolve the pointers to API names. Unfortunately that could mean a few different things... If you are running this on a 64bit host winappdbg may be having issues resolving the APIs, I vaguely remember having a similar problem. Probably the easiest way to troubleshoot is to add a print iat_ptrs statement on line 153 in pyiatrebuild.py then run the script again and use x32dbg to verify that the iat_ptrs addresses actually point to APIs. If they do then you know that winappdbg is broken somehow. If they don't then maybe there is a bug in our call_scan function. Troubleshooting blindly in KZbin comments leaves something to be desired : ) If you want just send us an email (link on our website) and I can follow up.

Oh also good point about turning off relocations. That won't cause the issue you are seeing here but it may be important for extracting other PE files (DLLs) in the future. This article explains the concept will.io/blog/2013/05/31/disable-aslr/ and you can achieve this quickly using something like pefile for python. pe = pefile.PE(data=pe_data, fast_load=True) IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040 pe.OPTIONAL_HEADER.DllCharacteristics &= ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE pe_data_fixed = str(pe.write())

Also got "Unable to find imports in code!" . Installing 32-bit version of python solved the issue.

Hey saw your comment on our other tutorial, responded there. It's a good idea : ))

@@OALABS :) It had been very nice :D

Are you serious? You are clearly trying to make malware. Why else would you want to bypass anti debug? "Scammer alert"

👊👊👊💯

Interesting... when you look in the "Breakpoints" tab is the breakpoint listed there as enabled? If it's enabled there I'm not sure what else to suggest without more info go on?

OALabs yes I can see the breakpoint in the breakpoint section as enabled .. But still not sure why it terminated. I also have another question, how can I turn the dumbed '.bin' file to a working '.exe' file?

Hi, I know that is too late but I also got the same problem. I had a Win10 virtual machine and program terminated. After that I think that there may be a virtual machine protection on that sample. I simply followed oalabs malware lab reference and installed win7. Now it works fine and I can follow video instructions.

That's a good question, but unfortunately it really just comes down to searching in memory after each hit on your breakpoints. There are ways to speed this up and even automate it that we may cover in later videos. But if you are doing it manually it's just the same process we show here.

Unfortunately we cannot provide support for removing malware or dealing with malware infections in our comment section. We only cover reverse engineering on this channel. However I can point you to the BleepingComputer forum where they will be more than happy to help www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-help/ Good luck!

Hi Marc, the link to the sample is in the description of the video. You will need to sign up for a free account with malshare and they will give you an API key. You can then go to the "pull sample" page and submit the hash with your new API key and pull the sample. P.S. I'm a huge fan of the work you do, it's awesome to know that you watch our videos thanks : )))

Oops in the description of the video I mixed up the unpacked sample hash with the packed sample. It's fixed now... sorry about that : (

Lol very true. The better anti-analysis packers enumerate the windows names instead of just the process list but they are less common so this usually works. I guess we could patch out the binary if we really needed to but in my experience it's rare. Great point though! Definitely something to be aware of : )

Hey this might not be the answer you are looking for but we highly recommend debugging using a Win7 VM, and Win7 x86 if the malware PE is 32bit. The later versions of Windows introduced a lot of junk that you need to disable/configure before you have a decent debugging VM. We even have some instructions on how to get a free copy etc. oalabs.openanalysis.net/2018/07/16/oalabs_malware_analysis_virtual_machine/