Binary unpacking is the process of extracting embedded data from a file in order to analyze its contents or to reverse engineer the program. Our unpacking process employs a series of recursive static and dynamic unpackers to handle the various types of packed files, followed by a classifier that determines when the process halts and selects the best output to return to the user. The submitted file is referred to as the Parent, and an extracted file is called a Child (plural: Children).
If the data extracted during unpacking is itself a packed file, the recursive unpacking process continues, applying the same static and dynamic unpackers to the Child files. This repeats until the classifier determines that all of the files have been unpacked.
Once the recursive unpacking process is complete, a classifier is employed to select the best output to return to the user. The classifier compares the extracted Children and assigns a score to each based on the chosen criteria. The file with the highest score is then selected as the best output to be returned to the user.
This advanced binary unpacking process, with its recursive unpacking and use of a classifier, ensures that even complex packed files can be analyzed effectively, providing the user with the best possible output.
The Parent and all Children are also processed through a series of File Analysis modules that extract information about the binary including PE metadata, strings, and malware configuration information.
Unpacking Limitations
The following limitations apply to the unpacking process.
PE Files Only
Only PE files are returned to the user from the unpacking process. Shellcode may be extracted along the way, but only complete PE files are returned.
In some cases a PE file is constructed by the unpacking process from recovered segments of code before it is returned to the user. A PE file reconstructed in this way may have the following characteristics.
- The PE header and section table may be altered or fabricated.
- The PE file may be corrupted and not executable.
- The PE file may be missing or have corrupted imports.
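A Child with any of the characteristics above still parses as a PE, so it is worth checking a downloaded Child for them before loading it into a disassembler or trying to run it. The script below is an added example, not UnpacMe's own code: it uses only the Python standard library (no pefile) to parse the DOS header, NT headers, section table and import directory, and reports the three conditions the list describes: a header whose section raw offsets equal their virtual addresses (rewritten so a memory dump loads as a file), sections whose raw data runs past the end of the file, and an import directory or import name that cannot be resolved to file data. The function names and the sample PE it builds are the example's own; the PE bytes are constructed inline so the script runs offline and are not a real sample.

```python
"""Sanity-check a PE returned as an unpacked Child. Added example, not UnpacMe code: standard library
only; the PE bytes built at the bottom are constructed for the example and are not a real sample."""
import struct
SEC_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Return (opt_hdr_off, is64, sections, size_of_headers, entry_rva); ValueError if not a PE."""
    nt = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" and len(data) >= 0x40 else 0
    if not nt or data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE: bad MZ/PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, nt + 6)[0], struct.unpack_from("<H", data, nt + 20)[0]
    opt, magic = nt + 24, struct.unpack_from("<H", data, nt + 24)[0]  # optional header offset, Magic
    if magic not in (0x10B, 0x20B):
        raise ValueError("bad optional header magic 0x%x" % magic)
    entry, hdr_size = struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<I", data, opt + 60)[0]
    raw = [struct.unpack_from(SEC_FMT, data, opt + opt_size + 40 * i) for i in range(nsec)]
    sections = [{"name": f[0].rstrip(b"\0").decode("ascii", "replace"), "vsize": f[1],
                 "va": f[2], "rsize": f[3], "raw": f[4]} for f in raw]
    return opt, magic == 0x20B, sections, hdr_size, entry

def rva_to_offset(rva, sections, hdr_size):
    """Map an RVA to a file offset via the section table; None if nothing covers it."""
    if rva < hdr_size:
        return rva  # headers are mapped 1:1
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return rva - s["va"] + s["raw"]
    return None

def cstr(data, off):  # NUL-terminated ASCII string at a file offset
    return data[off:].split(b"\0", 1)[0].decode("ascii", "replace")

def check_child(data):
    """Return {'findings': [str], 'imports': {dll: [name]}} for one downloaded Child."""
    findings, imports = [], {}
    opt, is64, secs, hdr_size, entry = parse_pe(data)
    if rva_to_offset(entry, secs, hdr_size) is None:
        findings.append("entry point 0x%x maps to no section" % entry)
    for s in secs:
        if s["raw"] + s["rsize"] > len(data):
            findings.append("section %s raw data 0x%x+0x%x exceeds file size 0x%x"
                            % (s["name"], s["raw"], s["rsize"], len(data)))
    if secs and all(s["raw"] == s["va"] for s in secs):
        findings.append("raw offsets equal virtual addresses: header rewritten from a memory dump")
    ndirs = struct.unpack_from("<I", data, opt + (108 if is64 else 92))[0]  # NumberOfRvaAndSizes
    imp_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0] if ndirs > 1 else 0
    off = rva_to_offset(imp_rva, secs, hdr_size) if imp_rva else None
    if off is None or off + 20 > len(data):
        findings.append("import directory RVA 0x%x cannot be resolved to file data" % imp_rva)
        return {"findings": findings, "imports": imports}
    tfmt, tsize = ("<Q", 8) if is64 else ("<I", 4)
    while off + 20 <= len(data):  # walk IMAGE_IMPORT_DESCRIPTORs up to the all-zero terminator
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        noff = rva_to_offset(name_rva, secs, hdr_size)
        dll = cstr(data, noff) if noff is not None else ""
        if not dll or not dll.isascii() or not dll.isprintable():
            findings.append("import descriptor at file offset 0x%x has an unresolvable DLL name" % off)
            break
        names, toff = [], rva_to_offset(oft or ft, secs, hdr_size)
        while toff is not None and toff + tsize <= len(data):
            val = struct.unpack_from(tfmt, data, toff)[0]
            toff += tsize
            if val == 0:
                break
            if val >> (63 if is64 else 31):  # import by ordinal
                names.append("ordinal %d" % (val & 0xFFFF))
                continue
            hoff = rva_to_offset(val + 2, secs, hdr_size)  # IMAGE_IMPORT_BY_NAME: hint(2) + name
            names.append(cstr(data, hoff) if hoff is not None else "<unresolvable RVA 0x%x>" % val)
        findings += ["%s: import name %s" % (dll, n) for n in names if n.startswith("<")]
        imports[dll] = names
        off += 20
    return {"findings": findings, "imports": imports}

def build_sample_pe():
    """Constructed PE32 (not a real sample): one .text section importing kernel32!ExitProcess."""
    text = bytearray(0x200)                                # .text: RVA 0x1000, file offset 0x200
    struct.pack_into("<IIIII", text, 0x00, 0x1040, 0, 0, 0x1060, 0x1050)  # IMAGE_IMPORT_DESCRIPTOR
    struct.pack_into("<II", text, 0x40, 0x1070, 0)         # OriginalFirstThunk array
    struct.pack_into("<II", text, 0x50, 0x1070, 0)         # FirstThunk array (IAT)
    text[0x60:0x6D], text[0x70:0x7E], text[0x80] = b"kernel32.dll\0", b"\0\0ExitProcess\0", 0xC3  # names, ret
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 14, 0, 0x200, 0, 0, 0x1080, 0x1000,
                      0x1000, 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2000, 0x200, 0, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # entry 0x1080, SizeOfHeaders 0x200
    dirs = [0, 0, 0x1000, 0x28] + [0] * 28                 # IMAGE_DIRECTORY_ENTRY_IMPORT (RVA, size)
    sec = struct.pack(SEC_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    nt = (b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # IMAGE_FILE_HEADER
          + opt + struct.pack("<32I", *dirs) + sec)
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x3C:0x40], hdr[0x40:0x40 + len(nt)] = b"MZ", struct.pack("<I", 0x40), nt  # e_lfanew=0x40
    return bytes(hdr + text)

def build_damaged_pe():  # same bytes, header altered the way a crude dump-and-patch leaves it
    d = bytearray(build_sample_pe())
    struct.pack_into("<I", d, 0x58 + 96 + 8, 0x8000)      # import directory RVA (opt hdr at 0x58) points nowhere
    struct.pack_into("<I", d, 0x138 + 20, 0x1000)         # .text PointerToRawData (sec hdr at 0x138) := VA
    return bytes(d)
```

On a real download, call `check_child(open(path, "rb").read())`. A clean build such as `build_sample_pe()` reports no findings and one resolved import; `build_damaged_pe()` reports all three conditions and no imports. The script only reports; it makes no attempt to repair the header or rebuild the import table, which is the part of the work that still has to be done by hand.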
Network Access
During the unpacking process the samples and unpacking processes are NOT exposed to the Internet. No outbound traffic is permitted during dynamic analysis and samples are not permitted to download subsequent stages or additional malware. All Children are extracted directly from the Parent.
Commercial Packers (VMProtect / Themida)
UnpacMe can unpack some versions of VMProtect and Themida but there are many limitations.
- We only unpack malware.
- Submitting commercial software such as games for unpacking will result in the suspension and possible termination of your account.
- We will not attempt to devirtualize protected methods.
- In cases where the protection settings prevent full unpacking our system may return a memory dump of the partially unpacked Parent. In these cases the Child will not be executable though some static analysis may be possible.
Obfuscation
Obfuscation is different from packing. With a packer, the majority of the original binary can be recovered by the unpacking process. With obfuscation, the original binary is transformed so that it cannot be recovered; the obfuscated binary may, however, be processed to make the output easier to analyze.
Currently we only unpack samples; we do not deobfuscate them. This disproportionately affects .NET submissions because of the widespread use of obfuscation tools for .NET.
Failures
Unpacking failures do occasionally occur either due to misidentification of the packer or a failure of the classifier to select the appropriate Children. We are continually updating and deploying new unpacking modules and can often quickly respond to failures.
If you suspect a submission has failed to unpack we encourage you to log a bug with our integrated Bug Reporting system.
Status
The status window at the top of the Results page provides information about the submitted Parent, the time the submission was made (UTC), and the status of the analysis process. The following states are possible during the unpacking process.
- Validating – The Parent is being validated before unpacking begins.
- Unpack-Queued – The Parent has been queued for unpacking. This can occur when using a non-dedicated API during periods of high submission volume.
- Unpacking – The Parent is being unpacked.
- Unpack-Requeue – The unpacking process has been interrupted and the Parent re-queued for unpacking. This can occur if a new version of UnpacMe is deployed during the unpacking process.
- Analyzing – The Parent and any unpacked Children are being processed through a series of static analysis modules.
- Complete – The analysis process has completed and results are available.
- Waiting – The UnpacMe web application is waiting for an update from the backend API.
- Timeout – The analysis process has timed out without completing. Some information may be returned when an analysis times out though the results are not complete.
- Fail – The analysis process has failed.
- Invalid – The Parent sample is invalid and unable to be processed.
File Hierarchy
The Parent and unpacked Children are displayed as a list of interactive windows. The title of each window can be clicked to display the full analysis of the file.
Parent
The Parent file (1) is the original submission and the root of the analysis. All analysis reports will have a Parent file. The Parent designation does not indicate the packed status of the file.
Child
A Child file (2) is the result of unpacking a Parent. A Parent may have multiple Children (unpacked samples), but a Child has exactly one Parent. When a Parent has a Child, the Parent is considered packed.
Bulk Actions
In addition to interacting with each Child separately, all Children can be acted on with one of two bulk actions (3).
- Copy Child Hashes – This action copies the SHA256 hash of each Child to the clipboard.
- Download All Children – This action downloads all Children in a single ZIP file.
Downloads
Unpacked Children and the Parent sample can be downloaded by clicking the Download button next to the sample window. Downloads count against the Download Quota defined by your Plan.