Reverse engineering executables is always a very challenging procedure especially if the analyzed executable has been packed or encrypted.  I’ve been talking a lot about packers and unpackers (take a look to these posts here) but the technique I am going to show you is totally new respect to those already described.  As you might know the most difficult procedure of reversing a packed (or encrypted) executable is to find out the original entry point (OE). Again, there are tons of ways to figure out if an executable is packed or not (aka PEiD) but there is no a universal known way to unpack it. The following image shows PEiD in action.
PEID finds out that the executable has been packed with Aspack v2.12. Nowadays you might find specific unpackers (unpackers designed for a specific packing procedure)  but there is no way to have an ultimate universal unpacker. Here you can find many of those packers. YES, I know, there are universal unpackers too, but those unpackers are signature based, meaning that they are not able to unpack “new” packing procedure (algorithms), they must include the signature of every used algorithms. The following pictures shows one of my favorite Unpackers: Faster Universal Unpacker from RCE.
A group of the New Mexico Tech designed a visualization tool based on Entropy (system calls, oriented graphs and so on) called VERA (read more here, here and here).  By using this tool you are able to distinguish between packers / encryptors STUB and unpacked / decrypted code by simply analyzing the execution of the executable. The following image shows the notepad.exe (yes the one in WinXP) traced by PIN and visualized by VERA. I traced notepad.exe by fixing 2 minutes of execution here the result:
The blue label represents the Start address (which in this particular case corresponds to OE), yellow color means normal entropy, numbers in labels (you probably cannot see them because the image is too small) are the called addresses. The following image shows the same executable packet by using UPX. 
As you may see the are sections (calls to addresses) that have high entropy (meaning be packed or encrypted) represented with RED labels. This alerts us about the presence of a packer / encryptor. Where the is a continuously low entropy labels (purple) we can find the OE. This because the encryptor / packer STUB finished its job and unpacked / decrypted the executable code giving to the OE the control flow. The following image shows notepad.exe packed by BroExePacker.
In this case BroExePacker introduces a two levels of compression STUBs, you can easily distinguish them by looking at the red labels that are present in two points during the execution. This shows a typical two stage decompression. A first STUB decompress the function that decompress the real function who will decompress the original byte code (RED -PURPLE-RED-PURPLE). The OE is placed after the second RED labels. The following image shows the same executable (notepad.exe) compressed by the same BroExePacker but by using a different algorithm.
Again, we can easily discover that this executable has been packed, this time with one level STUB. The OE could be in a couple of positions. Experience will help a lot in finding the OE, but this Visualization tool considerably decrease the complexity of such operation. VERA could be integrated to IDA pro by installing an IDA Pro plugin making IDA Pro communicating to VERA through sockets. This integration makes a lot easier the interaction between the tracer (IDA Pro) and the visualization tool VERA. I  am not going to cover in this post how to integrate VERA with IDA, but I am rather cover how to use VERA and PIN in a very quick way. Once you download and  install VERA from its website ,  you will get the visualization tool (VERA) and a small installation of PIN.  PIN is the tracer, the one who will produce the  .trace file by executing the analyzed executable, the .trace file who will get VERA to elaborate  its diagram.  The following picture shows hot to run PIN with VERA template.
PIN is now running and tracing the analyzed executable. Let it running for a while (the time you decide) and then close the executable in a normal way (File -> Close, or whatever). Now opera VERA and click on Open. Select the file produced by PIN. Now VERA asks you about the original file and ask where to put its own graph file. The following image shows this process
Once you done with that, VERA will take a while and finally it will show you a graphic traced path. You will find more details on VERA and PIN manual. 
Summing up, I wanted to describe a new way to figure out if a executable has been packed or encrypted, and a new way to discover the Original Entry Point of the packed/encrypted executable. My experience in this field let me say that this is a great way to proceed and to learn about packers/encrypters.

Published by marcoramilli

Ethical Hacking, Advanced Targeted Attack Expert and Malware Evasion Expert

52 thoughts on “ A New Way to Detect Packers ”

  5. This has been a very significant blog indeed. I’ve acquired a lot of helpful information from your article. Thank you for sharing such relevant topic with us. I really love all the great stuff you provide. Thanks again and keep it coming. LocalMedWaste.Com

  9. Informative post.The best thing is that your blog really informative and critical.You can also get best transportation and moving service from gmpackersindia.in ,so try packaging and moving service from us.

  17. Real Cargo Packers & Movers Bangalore take immense pleasure in introducing ourselves as one of the leading, reliable packers and movers services and standing in the field of Packers & movers services with an experience of Packers & movers. Real Packers & Movers team is confident to handle any type of Packers & movers work and execute them in an efficient manner for ensuring complete customer satisfaction. Real Packers & Movers are one of the leading Lucknow based trustworthy, reliable and economical packers & movers services to pack and move safely.

  21. NICE INFORMATION!!! It such a great difficulty shifting from one location to another because we never manage all the things and doesnt understand how to reach goods from one place to another in limited time but now with the help of packers and movers, shifting from one place to another becomes easier which provides the safest facilities with no losses like damage or broking of expensive goods etc. If any people looks for packers and movers in Jaipur, they can go through http://www.manglammovers.com. Thanks !!!

  30. packers and movers
    packers and movers lucknow
    packers and movers ghaziabad
    packers and movers noida
    packers and movers delhi
    packers and movers hyderabad
    packers and movers chandigarh
    packers and movers raipur
    packers and movers kolkata
    packers and movers kolkata
    packers and movers gurgaon
    packers and movers bangalore
    packers and movers mumbai
    packers and movers ranchi
    packers and movers chennai
    packers and movers pune
    packers and movers faridabad
    packers and movers jaipur
    packers and movers ahmedabad

  47. I really feel good and the information is really good.

    Sahara Packers | Sahara, Domestic International Packers and Movers in India for Packers India, International Movers, Domestic Packers, Movers India, Packing Services India, Unpacking Services, India Domestic Movers, Loading Unloading Services, International Couriers, Packers Delhi, Bangalore Packers, Movers Mumbai etc. are the helpful words that’s help our customer to easily make a best deal over the Internet with Sahara Packers & Movers. Sahara Packers is one of the best all Re-Allocation service provider in India.

    Packers India | International Movers | Domestic Packers |

  48. Thanks for your posting about vera. I have a question vera's pin.exe. How to use pin.exe if packed dll file?

    Thanks for read it.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.