LibPeConv-based unpacker for sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd
#include <stdio.h>
#include <windows.h>
#include <cstdlib>
#include <iostream>
#include "peconv.h"
// for the sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd
// from: "Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1"
// https://www.youtube.com/watch?v=HfSQlC76_s4
// Signature of the sample's own unpacking routine (cdecl), as it is called
// from main(): pointer to the packed blob, its size, a file name (presumably
// where the unpacked output is written - confirm against the sample) and a
// one-char mode flag ('r' in this unpacker). Resolved at runtime from the
// loaded image, so it starts out null.
using unpack_func_t = int (__cdecl *)(BYTE *blob, DWORD blob_size, LPCSTR lpFileName, char r_val);
unpack_func_t unpack_func = nullptr;
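int main(int argc, char *argv[])
{
    // Usage: <program> <path to the malware sample>.
    if (argc < 2) {
        std::cerr << "Args: <path to the malware>" << std::endl;
        system("pause");
        return 0;
    }

    // Sample-specific layout (bd47776c0d1dae57c0c3e5e2832f13870a38d5fd):
    // offsets of the two packed blobs and of the in-binary unpacking routine,
    // relative to the base of the loaded image. Other samples need their own values.
    const DWORD blob1_offset = 0xC030;
    const DWORD blob1_size = 0x11000;
    const DWORD blob2_offset = 0x1D038;
    const DWORD blob2_size = 0x50000;
    const DWORD unpack_func_offset = 0x4520;

    LPCSTR mal_path = argv[1];
    std::cout << "Reading module from: " << mal_path << std::endl;

    // v_size is filled by load_pe_executable with the size of the mapped image
    // and is needed again to free the buffer.
    size_t v_size = 0;
    BYTE *malware = peconv::load_pe_executable(mal_path, v_size);
    if (!malware) {
        std::cerr << "Failed to load the module" << std::endl;
        return -1;
    }
    std::cout << "Loaded" << std::endl;

    // Every hard-coded offset must fall inside the mapped image; otherwise the
    // calls below would read from (or jump to) memory outside the buffer, e.g.
    // when a sample other than the one these constants were taken from is given.
    // Sums are widened first so that offset + size cannot wrap in 32 bits.
    const ULONGLONG image_size = static_cast<ULONGLONG>(v_size);
    const bool layout_fits = unpack_func_offset < image_size
        && static_cast<ULONGLONG>(blob1_offset) + blob1_size <= image_size
        && static_cast<ULONGLONG>(blob2_offset) + blob2_size <= image_size;
    if (!layout_fits) {
        std::cerr << "The hard-coded offsets do not fit in the loaded image (size: 0x"
                  << std::hex << v_size << std::dec << ") - is this the expected sample?" << std::endl;
        peconv::free_pe_buffer(malware, v_size);
        return -1;
    }

    // The unpacking routine lives inside the sample itself: calling it runs the
    // sample's own code in this process, so the process inherits whatever that
    // code does. Only run this inside an isolated analysis VM.
    using unpack_fn_t = int (__cdecl *)(BYTE *, DWORD, LPCSTR, char);
    unpack_func = reinterpret_cast<unpack_fn_t>(malware + unpack_func_offset);

    // The routine returns int, so keep the status signed (storing it in a DWORD
    // would print a negative status as a large unsigned number).
    const int res1 = unpack_func(malware + blob1_offset, blob1_size, "blob1_unpack.bin", 'r');
    std::cout << "Unpacked blob1, res:" << res1 << std::endl;
    const int res2 = unpack_func(malware + blob2_offset, blob2_size, "blob2_unpack.bin", 'r');
    std::cout << "Unpacked blob2, res:" << res2 << std::endl;

    peconv::free_pe_buffer(malware, v_size);
    return 0;
}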