Li Sun, RMIT University, Australia and Tim Ebringer, Witham Laboratories, Australia

We present a new and efficient generic unpacking algorithm which effectively locates the OEP area of a packed program. The algorithm is based upon the dual observation that (a) even in a packed program, the OEP bytes are almost always only executed once, and (b) that most packers unpack the original program to an area of memory which has not been previously executed. Given this, the technique relies upon creating a histogram of the addresses of executed instructions (EIP on x86). Whilst others have done this, the trick is to order the histogram by the last time an address is executed. Decryption, decompression and copying appear as large spikes at the start of the histogram, followed by a flat section, of height one, which is usually the OEP. We attach figures showing the histogram for Upack, on both linear and log scales, which clearly illustrate the OEP after the massive unpacking "hump".
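The following is an added illustration of the technique described in the abstract, not code from the authors: it builds the last-execution-ordered EIP histogram over a constructed instruction trace (a hypothetical four-instruction decode loop that writes unpacked code to 0x402000 and then jumps there), locates the flat section of height one after the hump, and, combining observation (b), picks the first address in that flat section that the program itself wrote earlier. The trace format, addresses and `min_flat` threshold are assumptions for the example.

```python
from collections import Counter

# Constructed trace format: (eip, written_address or None) per executed
# instruction. A real trace would come from an emulator or debugger.

def eip_histogram(trace):
    """Count executions per address, ordered by the LAST time each ran."""
    counts = Counter(eip for eip, _ in trace)
    last_seen = {eip: t for t, (eip, _) in enumerate(trace)}  # keeps last index
    return sorted(counts.items(), key=lambda kv: last_seen[kv[0]])

def flat_tail_start(hist, min_flat=8):
    """Index at which the histogram becomes a run of height one at least
    min_flat long: the flat section after the unpacking hump."""
    for i in range(len(hist) - min_flat + 1):
        if all(c == 1 for _, c in hist[i:i + min_flat]):
            return i
    return None

def find_oep(trace, min_flat=8):
    """Observation (a): OEP bytes run once, so look in the flat tail.
    Observation (b): the packer wrote them first, so take the first address
    in that tail that was a store target earlier in the trace."""
    written = {w for _, w in trace if w is not None}
    hist = eip_histogram(trace)
    start = flat_tail_start(hist, min_flat)
    if start is None:
        return None
    for addr, _ in hist[start:]:
        if addr in written:
            return addr
    return None

def constructed_trace(iterations=64):
    """Hypothetical packer stub: a 4-instruction decode loop at 0x401000 writes
    one dword of original code per iteration to 0x402000+, then jumps there."""
    trace = []
    for i in range(iterations):
        trace += [(0x401000, None),             # load packed dword
                  (0x401004, None),             # decode it
                  (0x401008, 0x402000 + 4 * i), # store to the unpacked area
                  (0x40100c, None)]             # loop back
    trace.append((0x401010, None))              # jmp to the unpacked code
    # unpacked program: 16 straight-line instructions, each executed once
    trace += [(0x402000 + 4 * i, None) for i in range(16)]
    return trace

if __name__ == "__main__":
    t = constructed_trace()
    for addr, count in eip_histogram(t):      # text version of the hump
        print(f"{addr:#x} {'#' * min(count, 60)}")
    print(f"OEP candidate: {find_oep(t):#x}")
```

The stub's final `jmp` also has height one, which is why the written-before-executed check is needed to step from the end of the stub to the true OEP.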