Unpack last stage of h1n1 loader

h1n1_emu.py

import sys
import pefile
from unicorn import *
from unicorn.x86_const import *

    
pe = pefile.PE(sys.argv[1])
for s in pe.sections:
    if s.Name.strip("\x00") == '.rsrc':
        code_section = s
    if s.Name.strip("\x00") == '.Upack':
        data_section = s

base = pe.OPTIONAL_HEADER.ImageBase
ep = pe.OPTIONAL_HEADER.AddressOfEntryPoint + base
STACK = 0x90000

mu = Uc(UC_ARCH_X86, UC_MODE_32)

#mmap_binary(mu,pe)
## map binary
mu.mem_map(base, 0x1000)
mu.mem_map(base + code_section.VirtualAddress,code_section.Misc_VirtualSize)
mu.mem_map(base + data_section.VirtualAddress,data_section.Misc_VirtualSize)

#map stack - two pages
mu.mem_map(STACK,4096*2)
mu.mem_write(base, pe.get_data()[:pe.OPTIONAL_HEADER.SizeOfHeaders])
mu.mem_write(base + code_section.VirtualAddress,code_section.get_data())

mu.reg_write(UC_X86_REG_ESP,STACK+4096)


### add some hooks
#mu.hook_add(UC_HOOK_WRITE_UNMAPPED,unmaped_hook)
#mu.hook_add(UC_HOOK_MEM_READ_UNMAPPED | UC_HOOK_MEM_WRITE_UNMAPPED, hook_mem_invalid)
#mu.hook_add(UC_HOOK_CODE, hook_code)
try:
    mu.emu_start(ep,16)
except UcError as e:
    print("ERROR: %s" % e)

data = mu.mem_read(base+data_section.VirtualAddress,data_section.Misc_VirtualSize)
data_section.SizeOfRawData = len(data)
data_section.PointerToRawData = code_section.PointerToRawData
data_section.Name = ".code".ljust(8,"\x00")
pe.set_bytes_at_rva(data_section.VirtualAddress,str(data))
code_section.PointerToRawData = 0
code_section.SizeOfRawData = 0
pe.write('/tmp/h1n1_unpacked.exe')
#raise UcError('done')