OALabs | Unpacking Quick Tip: Two Breakpoints to Unpack Hermes Ransomware @OALABS | Uploaded 5 years ago | Updated 1 hour ago
Just a quick malware unpacking tutorial for one of our subscribers: how to unpack Hermes ransomware with two breakpoints.
-----
OALABS DISCORD
discord.gg/6h5Bh5AMDU
OALABS PATREON
patreon.com/oalabs
OALABS TIP JAR
ko-fi.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
unpac.me/#
-----
Once you have unpacked this sample and loaded it in IDA, you will see that the APIs are resolved dynamically. You can quickly fix this by loading the unpacked PE in a debugger, setting a breakpoint after the first function (the API resolver), and running until it is hit. Then use Scylla to dump the process and fix the imports!
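To show what "fix imports" on the dump actually means, here is an added example (not OALabs code and not taken from the video): it scans a constructed 32-bit memory dump for runs of pointers that land on known API exports, which is the kind of IAT search Scylla performs once the resolver has populated the table. The export addresses, dump layout and the 32-bit pointer size are all assumptions made up for the demo.

```python
import struct

# Constructed export map for the demo: address -> "module!API".
# In a real session these come from the export tables of the DLLs actually
# mapped in the debugged process; the values here are made up.
EXPORTS = {
    0x7C801D7B: "kernel32.dll!LoadLibraryA",
    0x7C80AE40: "kernel32.dll!GetProcAddress",
    0x7C810EF6: "kernel32.dll!CreateFileW",
    0x7C8309E1: "kernel32.dll!WriteFile",
    0x77DD77B3: "advapi32.dll!CryptAcquireContextW",
}

def find_iat_candidates(dump: bytes, exports: dict, min_run: int = 3):
    """Scan a 32-bit dump for runs of consecutive pointers that hit known
    exports. Each run of at least `min_run` hits is returned as a candidate
    import table: a list of (offset_in_dump, "module!API") tuples."""
    count = len(dump) // 4
    ptrs = struct.unpack("<%dI" % count, dump[: count * 4])
    candidates, run = [], []
    for idx, value in enumerate(ptrs):
        if value in exports:
            run.append((idx * 4, exports[value]))
            continue
        if len(run) >= min_run:
            candidates.append(run)
        run = []
    if len(run) >= min_run:
        candidates.append(run)
    return candidates

def build_dump(resolved: bool = True):
    """Constructed dump: junk, a five-entry pointer table, more junk.
    With resolved=False the table is still zero-filled, i.e. the state
    before the resolver function has run, so no imports can be recovered."""
    junk = struct.pack("<4I", 0xDEADBEEF, 0, 0x00401000, 0x41414141)
    table_values = list(EXPORTS) if resolved else [0] * len(EXPORTS)
    table = struct.pack("<%dI" % len(table_values), *table_values)
    return junk + table + junk

if __name__ == "__main__":
    for run in find_iat_candidates(build_dump(), EXPORTS):
        print("candidate IAT at offset 0x%x, %d entries" % (run[0][0], len(run)))
        for off, name in run:
            print("  0x%04x -> %s" % (off, name))
```

Breaking before the resolver (the `resolved=False` case) gives an empty result, which is why the breakpoint has to sit after it.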
Original packed sample:
cape.contextis.com/analysis/28853
Unpacked:
cape.contextis.com/analysis/28851
We use the OllyDbg CiM build because I am on holidays and don't have my full VM tools, but you can use x64dbg; the commands are the same : )
x64dbg.com/#start
FLOSS is a great tool for finding strings in a binary:
github.com/fireeye/flare-floss
We will be back to full tutorial videos soon so stay tuned : )
Feedback, questions, and suggestions are always welcome : )
Sergei twitter.com/herrcore
Sean twitter.com/seanmw
As always check out our tools, tutorials, and more content over at openanalysis.net