Gravitation: Packing and Unpacking Executable files and protection

The last time we wrote a program that consisted of two files. Now we make the Reverse Engineering of multifile programs, try to pack them and unpack and see the code in IDA Pro and Ollydbg. The packing of executable files helps to protect them against reverse.

What is the packing of program.

Executable compression is any means of compressing an executable file and combining the compressed data with decompression code into a single executable. When this compressed executable is executed, the decompression code recreates the original code from the compressed code before executing it. In most cases this happens transparently so the compressed executable can be used in exactly the same way as the original. Executable compressors are often referred to as "runtime packers", "software packers", "software protectors" (or even "polymorphic packers" and "obfuscating tools"). A compressed executable can be considered a self-extracting archive, where compressed data is packaged along with the relevant decompression code in an executable file. Some compressed executables can be decompressed to reconstruct the original program file without being directly executed.

Most compressed executables decompress the original code in memory and most require slightly more memory to run (because they need to store the decompressor code, the compressed data and the decompressed code). Moreover, some compressed executables have additional requirements, such as those that write the decompressed executable to the file system before executing it.

So we have a program. hotel.exe

The code in C.
/* usehotel.c --the program allow to make order in hotel*/

/*compile together hotel.c*/

#include <windows.h>

#include <commctrl.h>

#include <stdio.h>

#include "resource.h" /*defines constants declares functions*/

int main(void)

{

int nights;

double hotel_rate;

int code;

while ((code = menu()) != QUITE)

{

switch (code)

{

case 1 : hotel_rate = HOTEL1;

break;

case 2 : hotel_rate = HOTEL2;

break;

case 3 : hotel_rate = HOTEL3;

break;

case 4 : hotel_rate = HOTEL4;

break;

default: hotel_rate = 0.0;

printf("Error! \n");

break;

}

nights = getnights();

showprice(hotel_rate, nights);

}

printf("Thank you for using our resourse and have good luck. \n");

return 0;

}
=====================================================================

/*hotel.c --- the functions to manage the hotel programm "resource.h" */

#include <stdio.h>

#define QUITE 5

#define HOTEL1 180.00

#define HOTEL2 225.00

#define HOTEL3 225.00

#define HOTEL4 355.00

#define DISCOUNT 0.95

#define STARS "********************************************"

int menu (void)

{

int code, status;

printf("\n%s%s\n", STARS, STARS);

printf("Enter the digit dealing with chosen hotel: \n");

printf("1) Fairfield Arms 2) Hotel Olympic \n");

printf("3) Chertworthy Plaza 4) The Stockton \n");

printf("5) exit\n");

printf("\n%s%s\n", STARS, STARS);

while ((status = scanf("%d", &code)) != 1 || (code < 1 || code > 5))

{

if (status != 1)

scanf("%*s"); //noninteger input exclusion

printf("Enter the digit from 1 till 5. \n");

}

return code;

}

int getnights(void) //declare the function which does not accept anythng and returns

{ //variable data integer getnights

int nights;

printf("How many nights do you want to book the room? ");

while (scanf("%d", &nights) != 1)

{

scanf("%*s"); //noninteger input exclusion

printf("Enter the digit as 2. \n");

}

return nights;

}

void showprice(double rate, int nights) //decraler the function which doesnt return anything, but accept

//arguments double rate, int nights

{

int n;

double total = 0.0;

double factor = 1.0;

for (n = 1; n <= nights; n++, factor *= DISCOUNT)

total += rate * factor;

printf("The total summ is $%0.2f. \n", total);

}

Now we use LordPE to see the executable file inside.

Now we Open the Edit SectionHeaders the make the file writable or not.

Next, we pack executable file using upx307w program. Packing executable code use to protect against unauthorized copying and disassembling. Here we see the work of this program.

Accordingly, if we open it through PEiD we will see how it is packaged and its other characteristics. We see that the executable file is packed UPX 0.89.6 - 1.02 / 1.05 - 2.09

Recall that is executable.

Executable (executable) module executable (English executable file.) - A file containing the program in the form in which it can be performed by a computer. Before the execution of the program is loaded into memory, and perform some preliminary tasks (setting environment, libraries download).

Typically, in an executable file data (information) stored in any format (e.g., ELF; see list.) And consist of several parts:

headlines;

instructions (code);

Portable Executable (PE, «portable executable") - a format executable files, object code and dynamic libraries used in 32-bit and 64-bit versions of Microsoft Windows operating system. PE format is a data structure that contains all the information necessary PE-loader to display the file in memory. The executable code includes references to bind dynamic link libraries, export and import of the table API functions, data management and data thread local storage (TLS). The family of operating systems Windows NT format is used for PE EXE, DLL, SYS (device driver) and other types of executable files.

The file is not encrypt.

Here we see in Section Viewer packed file. The code has become available to us.

Now, if we open the IDA Pro, we can see that the code is the UPX packed, and no information is available to us.

Now our code is protected.
Executable compression is also frequently used to deter reverse engineering or to obfuscate the contents of the executable (for example, to hide the presence of malware from antivirus scanners) by proprietary methods of compression and/or added encryption. Executable compression can be used to prevent direct disassembly, mask string literals and modify signatures. Although this does not eliminate the chance of reverse engineering.

And now, let the inverse problem and unpack program. Tool PEiD determined that the used packer UPX. Ok. Let's try to use FUU program (Faster Universal Unpacker). Download our packed hotel.exe file