LibPeConv-based unpacker for sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd
#include <stdio.h>
#include <windows.h>
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include "peconv.h"
// for the sample: bd47776c0d1dae57c0c3e5e2832f13870a38d5fd
// from: "Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1"
// https://www.youtube.com/watch?v=HfSQlC76_s4
// Signature of the unpacking routine that lives inside the mapped sample, as
// recovered in the referenced analysis. main() resolves it from a hard-coded
// offset into the mapped image; it stays nullptr until then. The third and
// fourth arguments are presumably an output file name and a mode character —
// verify against the analysis before reusing this signature elsewhere.
using UnpackFn = int(__cdecl *)(BYTE *blob, DWORD blob_size, LPCSTR lpFileName, char r_val);
UnpackFn unpack_func = nullptr;
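// Returns true when [offset, offset + size) lies inside a mapped image of
// image_size bytes. Written as a subtraction so that offset + size cannot
// wrap around for large inputs.
static bool region_in_image(size_t offset, size_t size, size_t image_size)
{
    return offset <= image_size && size <= image_size - offset;
}

/// Maps the sample with libpeconv and calls the sample's own embedded
/// unpacking routine on the two packed blobs whose offsets and sizes are
/// hard-coded below (they are specific to this build of the sample).
/// NOTE: unpack_func points into the mapped sample, so the sample's code runs
/// inside this process when it is called.
/// @param argc/argv  argv[1] is the path to the sample.
/// @return 0 on success or usage, -1 when the image cannot be loaded,
///         -2 when a hard-coded offset falls outside the mapped image.
int main(int argc, char *argv[])
{
    if (argc < 2) {
        std::cerr << "Args: <path to the malware>" << std::endl;
        system("pause");
        return 0;
    }

    // Offsets are relative to the start of the mapped image.
    constexpr DWORD kBlob1Offset = 0xC030;
    constexpr DWORD kBlob1Size = 0x11000;
    constexpr DWORD kBlob2Offset = 0x1D038;
    constexpr DWORD kBlob2Size = 0x50000;
    constexpr DWORD kUnpackFuncOffset = 0x4520;

    size_t v_size = 0;
    LPCSTR mal_path = argv[1];
    std::cout << "Reading module from: " << mal_path << std::endl;
    BYTE *malware = peconv::load_pe_executable(mal_path, v_size);
    if (!malware) {
        std::cerr << "Failed to load the module: " << mal_path << std::endl;
        return -1;
    }
    std::cout << "Loaded" << std::endl;

    // Check every hard-coded offset against the real mapped size before it is
    // dereferenced or executed: on a different build of the sample the calls
    // below would otherwise read, or jump, past the end of the buffer.
    if (!region_in_image(kUnpackFuncOffset, 1, v_size)
        || !region_in_image(kBlob1Offset, kBlob1Size, v_size)
        || !region_in_image(kBlob2Offset, kBlob2Size, v_size)) {
        std::cerr << "Hard-coded offsets do not fit the mapped image (size: 0x"
                  << std::hex << v_size << ")" << std::endl;
        peconv::free_pe_buffer(malware, v_size);
        return -2;
    }

    // Go through an integer so the data-pointer -> function-pointer conversion
    // is explicit; decltype keeps the cast in sync with the global's type.
    const std::uintptr_t func_addr = reinterpret_cast<std::uintptr_t>(malware) + kUnpackFuncOffset;
    unpack_func = reinterpret_cast<decltype(unpack_func)>(func_addr);

    // The routine returns int, so keep the result signed (a DWORD would print a
    // negative status as a large unsigned number). The file name arguments are
    // presumably resolved by the routine relative to the current working
    // directory — confirm against the analysis.
    int res1 = unpack_func(malware + kBlob1Offset, kBlob1Size, "blob1_unpack.bin", 'r');
    std::cout << "Unpacked blob1, res:" << res1 << std::endl;
    int res2 = unpack_func(malware + kBlob2Offset, kBlob2Size, "blob2_unpack.bin", 'r');
    std::cout << "Unpacked blob2, res:" << res2 << std::endl;

    peconv::free_pe_buffer(malware, v_size);
    return 0;
}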
@hasherezade

This comment has been minimized.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.