
unipacker's Introduction

 _   _         __  _  __                    _
| | | |       / / (_) \ \                  | |
| | | |_ __  | |   _   | | _ __   __ _  ___| | _____ _ __
| | | | '_ \/ /   | |   \ \ '_ \ / _` |/ __| |/ / _ \ '__|
| |_| | | | \ \   | |   / / |_) | (_| | (__|   <  __/ |
 \___/|_| |_|| |  |_|  | || .__/ \__,_|\___|_|\_\___|_|
              \_\     /_/ | |
                          |_|

Un{i}packer

Unpacking PE files using Unicorn Engine

The usage of runtime packers by malware authors is very common, as it is a technique that helps to hinder analysis. Furthermore, packers are a challenge for antivirus products, as they make it impossible to identify malware by signatures or hashes alone.

In order to analyze a packed malware sample, it is often necessary to unpack the binary first. Usually this means that the analyst has to unpack the binary manually using dynamic analysis techniques (tools: OllyDbg, x64Dbg). There are also some approaches for automatic unpacking, but they are all only available for Windows, so an analyst targeting packed Windows malware needs a Windows machine. The goal of our project is to enable platform-independent automatic unpacking by using emulation that yields runnable Windows binaries.

Fully supported packers

  • ASPack: Advanced commercial packer with a high compression ratio
  • FSG: Freeware, fast to unpack
  • MEW: Specifically designed for small binaries
  • MPRESS: Free, more complex packer
  • PEtite: Freeware packer, similar to ASPack
  • UPX: Cross-platform, open source packer
  • YZPack

Other packers

Any other packers should work as well, as long as the needed API functions are implemented in Un{i}packer. For packers that aren't specifically known, you will be asked whether you would like to manually specify the start and end addresses for emulation. If you would like to start at the entry point declared in the PE header and just emulate until section hopping is detected, press Enter.

Showcase

We are humbled to see some active usage of Un{i}packer for research projects, university courses and other resources that teach students about malware obfuscation:

  • Tutorial video belonging to the Master's course "Malware Analysis and Cyber Threat Intelligence" at the Westphalian University, demonstrating how to analyze obfuscated malware with Un{i}packer
  • DeepReflect: Paper presenting a tool for localizing and identifying malware components within a malicious binary. Its dataset relies on a Un{i}packer preprocessing step
  • BDHunter: Paper describing a system that automatically identifies behavior dispatchers to assist triggering malicious behaviors. The tool requires unpacked malware samples as input, where the authors propose using Un{i}packer
  • JARV1S Disassembler: Disassembler that uses Un{i}packer as a preprocessing step
  • Anti-Anti-Virus 2 lecture of University of Virginia's "CS 4630: Defense Against the Dark Arts", using Un{i}packer as an example for unpacking techniques
  • Mastering Malware Analysis: The second edition of this comprehensive guide to malware analysis by Alexey Kleymenov and Amr Thabet also explains how unpacking and deobfuscation works, mentioning Un{i}packer as a suitable tool for several popular packers

If you are using Un{i}packer for additional projects and would like them featured in this list, we would love to hear from you!

Usage

Normal installation

Install the YARA package for your OS, get Un{i}packer from PyPI and start it using the automatically created command line wrapper:

pip3 install unipacker
unipacker

For detailed instructions on how to use Un{i}packer, please refer to the Wiki. Additionally, all of the shell commands are documented. To access this information, use the help command.

You can take a quick look at Un{i}packer in action in a (German) video by Prof. Chris Dietrich.

Development mode installation

Clone the repository, and inside the project root folder activate development mode using pip3 install -e .

Using Docker

You can also use the provided Dockerfile to run a containerized version of Un{i}packer:

docker run -it -v ~/local_samples:/root/unipacker/local_samples vfsrfs/unipacker

Assuming you have a folder called local_samples in your home directory, this will be mounted inside the container. Un{i}packer will thus be able to access those binaries via /root/unipacker/local_samples.

RESTful API

A third-party wrapper created by @rpgeeganage allows samples to be unpacked by sending a request to a RESTful server: https://github.com/rpgeeganage/restful4up

unipacker's People

Contributors

garanews, grepwood, lubiedo, masrepus, steven-hh-ding, vfsrfs


unipacker's Issues

Unload unpacked.dump to unpacked.exe

See the approach @0x6d696368 mentioned in #7. Dynamically allocated chunks could be placed in a second section. We should also do import unhooking (static imports) as well as include dynamic imports in the import table.

Armadillo

How can I add new unpacker (for example, for Armadillo)?

Use good logging mechanism

Use a logger with different log levels, if possible with the ability to retroactively dump a report from the shell

Invalid syntax in unipacker.py Line 73

When I run unipacker.py, I get Invalid Syntax Error in this line.

Line 73: ("End of unpacking stub:", f"0x{endaddr:02x}" if endaddr != sys.maxsize else "unknown"),

Provide r2 I/O plugin

With an I/O plugin, we could do things like r2 unipacker://<host>:<port> and let it connect to our current unipacker instance. Then, live disassembling can happen during emulation, without needing to dump all the data and importing it into r2/cutter. This would provide a similar experience to r2frida, providing the ability to analyse and modify the complete memory space of unicorn on the fly.

Error in file shell.py

I have an error in file shell.py (line 251, print_imports). The file really has no imports, only sections UPX0, UPX1 and .rsrsc. Die reports that it is packed with UPX 3.03[NRV,best].

Create separate unpacking class

We should put the code belonging to the actual emulation into a separate class so that it can be separated from the shell.
For interaction we could introduce an API for emulation control (start, stop, pause, step etc) and make the user (e.g. the shell) register callbacks for events like handling when the emulation pauses (e.g. breakpoint hit, section hopping etc).
This would also make it easier for things like batch processing (see #7) or using unipacker as an external library, which don't need the shell.

Steps:

  • Migrate global variables into a single state class
  • Move unpacking engine into own class
  • Create dedicated API with callbacks for emulation control

Implement exception handling

Some packers provoke exceptions (e.g. access violations or CPU exceptions) to trick debuggers, and then continue execution in the corresponding exception handler

Dynamic API call injection

Provide ability to import API call implementations from external python files: provide access to internal apicall.py state, then each API call implementation can handle their respective task but can be customized by the user, or even extended by further API calls. Unimplemented ones should be dumped from MSDN, including the number of parameters and default return value, and converted to default implementation stubs that can then be customized.

Errors trying to run the command

Traceback (most recent call last):
  File "C:\Users\Source\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Users\Source\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "C:\Users\Source\AppData\Local\Programs\Python\Python310\Scripts\unipacker.exe\__main__.py", line 4, in <module>
  File "C:\Users\Source\AppData\Local\Programs\Python\Python310\lib\site-packages\unipacker\shell.py", line 13, in <module>
    from cmd2 import Cmd
  File "C:\Users\Source\AppData\Local\Programs\Python\Python310\lib\site-packages\cmd2\__init__.py", line 13, in <module>
    from .cmd2 import Cmd, Statement, EmptyStatement, categorize
  File "C:\Users\Source\AppData\Local\Programs\Python\Python310\lib\site-packages\cmd2\cmd2.py", line 48, in <module>
    from . import utils
  File "C:\Users\Source\AppData\Local\Programs\Python\Python310\lib\site-packages\cmd2\utils.py", line 73, in <module>
    default_values: collections.Iterable = ()):
AttributeError: module 'collections' has no attribute 'Iterable'

Arbitrary assembly injector

Provide the ability to assemble and emulate user-defined assembly chunks when the program is currently paused at a breakpoint

Unimplemented API call at 0x104014: `ExitProcess`

While running on a sample (sha provided), encountered this error.
No result was written to the disk.
Output:

$ unipacker f011ba0a6de7dde6db6345f75e23abdab80683e5a510ea4be325ef2c5f45d05d.exe 
Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.
Next up: Sample: [PEtite] f011ba0a6de7dde6db6345f75e23abdab80683e5a510ea4be325ef2c5f45d05d.exe
Emulation starting at 0x40c9d0
Message Box (ERROR): This file has been tampered with and
MAY BE INFECTED BY A VIRUS!
Unimplemented API call at 0x104014: ExitProcess, first 6 stack items: ['0x40c9d0', '0x80000', '0x80000', '0x201000', '0xffffeff7', '0x439000']
Error: Invalid instruction (UC_ERR_INSN_INVALID)

Emulation of f011ba0a6de7dde6db6345f75e23abdab80683e5a510ea4be325ef2c5f45d05d.exe finished.
--- Saved to ./unpacked_f011ba0a6de7dde6db6345f75e23abdab80683e5a510ea4be325ef2c5f45d05d.exe ---

Add Armadillo support

I noticed that Armadillo is very common in my repository, it would be useful to add it:

[image]

Showing only New Sample option

I have installed Python 3.6 and also installed all requirements. I ran the unpacker with command <python3.6 unipacker.py>
I get only one option shown when I start the Unipacker.
I give 0 and when asked for path of file I gave relative path to current directory.
I get the following output from which I am unable to infer anything. Please tell me what this is and what should be done to make it work properly.
unpackerbug

TIA.

it shows only these for any exe

I installed it without any errors, but now it shows this when testing with any exe:
Python39>unipacker
v1.0.3

Your options for today:

    [0]  New sample...

Enter the option ID: 0
Please enter the sample path (single file or directory): 1.exe
OPT Magic: 523
Wrong Optional Header Magic. Aborting...
Could not initialize 1.exe:
Traceback (most recent call last):
  File "c:\users\administrator\appdata\local\programs\python\python39\lib\runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "c:\users\administrator\appdata\local\programs\python\python39\lib\runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "C:\Users\Administrator\AppData\Local\Programs\Python\Python39\Scripts\unipacker.exe\__main__.py", line 7, in <module>
  File "c:\users\administrator\appdata\local\programs\python\python39\lib\site-packages\unipacker\shell.py", line 738, in main
    Shell()
  File "c:\users\administrator\appdata\local\programs\python\python39\lib\site-packages\unipacker\shell.py", line 82, in __init__
    self.shell_event.wait()
AttributeError: 'Shell' object has no attribute 'shell_event'

anybody can help?

Disassembly output

Add ability to print disassembly with capstone, either manually or when logging instruction trace

AttributeError: 'Shell' object has no attribute 'shell_event'

Hi,

I am going to use your software to uncompress the upx file. But this error is received:

Enter the option ID: 0
Please enter the sample path (single file or directory): /usr/bin/uname.upx
e_magic = 17791
Wrong DOS Magic Value (MZ). Aborting...
Could not initialize /usr/bin/uname.upx:
Traceback (most recent call last):
  File "/usr/local/bin/unipacker", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/site-packages/unipacker/shell.py", line 742, in main
    Shell()
  File "/usr/local/lib/python3.6/site-packages/unipacker/shell.py", line 82, in __init__
    self.shell_event.wait()
AttributeError: 'Shell' object has no attribute 'shell_event'

what is the reason?

Thank you.
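
The two numbers printed in the reports above are header fields in decimal: 523 is 0x20B, the PE32+ optional-header magic, and 17791 is 0x457F, the bytes 7F 45 that begin an ELF file read as a little-endian word. A pre-flight check over the same fields, as an added example that is not part of Un{i}packer or of either report (`classify_header`, `build_pe_stub` and the sample bytes are constructed here):

```python
import struct
from typing import NamedTuple, Optional

DOS_MAGIC = 0x5A4D            # "MZ" read as a little-endian word
PE_SIGNATURE = b"PE\x00\x00"
OPT_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}
MACHINES = {0x014C: "i386", 0x8664: "x86-64"}


class Verdict(NamedTuple):
    kind: str                 # "PE32", "PE32+", "ELF", "unknown" or "malformed PE"
    e_magic: Optional[int]    # first word of the file, as the loader prints it
    opt_magic: Optional[int]  # optional-header magic, if the file got that far
    machine: Optional[str]    # COFF machine type, if present


def classify_header(data: bytes) -> Verdict:
    """Classify a file from its leading bytes without loading it."""
    if len(data) < 2:
        return Verdict("unknown", None, None, None)
    (e_magic,) = struct.unpack_from("<H", data, 0)
    if e_magic != DOS_MAGIC:
        kind = "ELF" if data[:4] == b"\x7fELF" else "unknown"
        return Verdict(kind, e_magic, None, None)
    if len(data) < 0x40:      # DOS header is 64 bytes, e_lfanew sits at 0x3C
        return Verdict("malformed PE", e_magic, None, None)
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4 bytes) + COFF header (20) + optional-header magic (2)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return Verdict("malformed PE", e_magic, None, None)
    (machine_id,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (opt_magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    kind = OPT_MAGICS.get(opt_magic, "malformed PE")
    machine = MACHINES.get(machine_id, hex(machine_id))
    return Verdict(kind, e_magic, opt_magic, machine)


def build_pe_stub(opt_magic: int, machine_id: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed sample: just enough header bytes to be classified."""
    buf = bytearray(e_lfanew + 26)
    struct.pack_into("<H", buf, 0, DOS_MAGIC)
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    struct.pack_into("<H", buf, e_lfanew + 4, machine_id)
    struct.pack_into("<H", buf, e_lfanew + 24, opt_magic)
    return bytes(buf)


if __name__ == "__main__":
    samples = {
        "pe32+.exe (constructed)": build_pe_stub(0x20B, 0x8664),
        "pe32.exe (constructed)": build_pe_stub(0x10B, 0x014C),
        "uname.upx (constructed ELF prefix)": b"\x7fELF" + bytes(60),
    }
    for name, blob in samples.items():
        print(name, classify_header(blob))
```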

Unable to unpack due to invalid memory write

Hi, I'm facing this when trying to unpack an ASPack executable:

+$ unipacker
 _   _         __  _  __                    _       v1.0.7
| | | |       / / (_) \ \                  | |
| | | |_ __  | |   _   | | _ __   __ _  ___| | _____ _ __
| | | | '_ \/ /   | |   \ \ '_ \ / _` |/ __| |/ / _ \ '__|
| |_| | | | \ \   | |   / / |_) | (_| | (__|   <  __/ |
 \___/|_| |_|| |  |_|  | || .__/ \__,_|\___|_|\_\___|_|
              \_\     /_/ | |
                          |_|
Your options for today:

        [0]  ASPack:        main.exe.vpn
        [1]  New sample...

+Enter the option ID: 0

Next up: Sample: [ASPack] main.exe.vpn
Traceback (most recent call last):
  File "/home/mim/projects/gc/gc2-client/venv/bin/unipacker", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/mim/projects/gc/gc2-client/venv/lib/python3.11/site-packages/unipacker/shell.py", line 786, in main
    Shell()
  File "/home/mim/projects/gc/gc2-client/venv/lib/python3.11/site-packages/unipacker/shell.py", line 89, in __init__
    self.sample_loop()
  File "/home/mim/projects/gc/gc2-client/venv/lib/python3.11/site-packages/unipacker/shell.py", line 121, in sample_loop
    self.init_engine()
  File "/home/mim/projects/gc/gc2-client/venv/lib/python3.11/site-packages/unipacker/shell.py", line 135, in init_engine
    self.engine = UnpackerEngine(self.sample, "unpacked.exe")
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/mim/projects/gc/gc2-client/venv/lib/python3.11/site-packages/unipacker/core.py", line 159, in __init__
    self.init_uc()
  File "/home/mim/projects/gc/gc2-client/venv/lib/python3.11/site-packages/unipacker/core.py", line 519, in init_uc
    curr_hook_addr = self.apicall_handler.add_hook(self.uc, func_name, dll_name)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/mim/projects/gc/gc2-client/venv/lib/python3.11/site-packages/unipacker/apicalls.py", line 412, in add_hook
    uc.mem_write(curr_hook_addr, hexstr)
  File "/home/mim/projects/gc/gc2-client/venv/lib/python3.11/site-packages/unicorn/unicorn.py", line 443, in mem_write
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory write (UC_ERR_WRITE_UNMAPPED)

Conditional breakpoints

Only activate the breakpoint on specific value in specific register (eax == 42), specific value in any register (r32 == 42), when register points to a certain string etc.

Automatic wide-string variants for API calls

Enhance decorator system to provide transparent support for wide-string API call variants: E.g. use a shared implementation for LoadLibrary's A and W versions and provide string parameter extraction through the decorator

Delete BP

Can you add ability to remove existing breakpoint(s)?

Restructure class model

  • Get rid of state class: Move all the variables into their correct classes
  • Create Sample class that contains the current unpacker and does all the necessary initialization work

Completed item still waiting:no extractable files found at:/path/

Hello,

I'm having an issue with my unpackerr configuration. First, I'll post the compose.yml I'm using for docker compose:

unpackerr:
  container_name: unpackerr
  user: 1000:1000
  image: golift/unpackerr
  environment:
    - TZ= America/New York
    # General config
    - UN_DEBUG=false
    - UN_LOG_FILE=
    - UN_LOG_FILES=10
    - UN_LOG_FILE_MB=10
    - UN_INTERVAL=2m
    - UN_START_DELAY=1m
    - UN_RETRY_DELAY=5m
    - UN_MAX_RETRIES=3
    - UN_PARALLEL=1
    - UN_FILE_MODE=0644
    - UN_DIR_MODE=0755
    # Sonarr Config
    - UN_SONARR_0_URL=http://sonarr:8989
    - UN_SONARR_0_API_KEY=[apiiii]
    - UN_SONARR_0_PATHS_0=/downloads
    - UN_SONARR_0_PROTOCOLS=torrent,usenet
    - UN_SONARR_0_TIMEOUT=10s
    - UN_SONARR_0_DELETE_ORIG=true
    - UN_SONARR_0_DELETE_DELAY=5m
    # Radarr Config
    - UN_RADARR_0_URL=http://radarr:7878
    - UN_RADARR_0_API_KEY=[apiiii]
    - UN_RADARR_0_PATHS_0=/downloads
    - UN_RADARR_0_PROTOCOLS=torrent,usenet
    - UN_RADARR_0_TIMEOUT=10s
    - UN_RADARR_0_DELETE_ORIG=true
    - UN_RADARR_0_DELETE_DELAY=5m
  security_opt:
    - no-new-privileges:true
  logging:
    driver: json-file
    options:
      max-file: "10"
      max-size: 200k
  networks:
    default: null
  restart: unless-stopped
  volumes:
    - /mnt/hdd/data:/downloads

Next, maybe the errors I'm getting?

[INFO] 2024/04/04 21:12:32 [Radarr] Completed item still waiting: home.movie.1.1995.bluray no extractable files found at: /data/downloads/user/complete/movies/home.movie.1.1995.complete.bluray (stat err: stat /data/downloads/user/complete/movies/home.movie.1.1995.complete.bluray: no such file or directory)

[INFO] 2024/04/04 21:12:32 [Radarr] Completed item still waiting: home.movie.2, no extractable files found at: /data/downloads/intermediate/home.movie.2(stat err: stat /data/downloads/intermediate/home.movie.2 no such file or directory)

[INFO] 2024/04/04 21:12:32 [Radarr] Completed item still waiting: fond.memories, no extractable files found at: /data/downloads/user/complete/movies/fond.memories stat err: stat /data/downloads/user/complete/movies/fond.memories no such file or directory)

[INFO] 2024/04/04 21:12:32 [Radarr] Completed item still waiting: wedding.day.footage no extractable files found at: /data/downloads/user/complete/movies/wedding.day.footage (stat err: stat /data/downloads/user/complete/movies/wedding.day.footage: no such file or directory)

[INFO] 2024/04/04 21:12:32 [Unpackerr] Queue: [4 waiting] [0 queued] [0 extracting] [0 extracted] [0 imported] [0 failed] [0 deleted]

[INFO] 2024/04/04 21:12:32 [Unpackerr] Totals: [0 retries] [0 finished] [0|0 webhooks] [0|0 cmdhooks] [stacks; event:0, hook:0, del:0]

[INFO] 2024/04/04 21:13:32 [Unpackerr] Queue: [4 waiting] [0 queued] [0 extracting] [0 extracted] [0 imported] [0 failed] [0 deleted]

[INFO] 2024/04/04 21:13:32 [Unpackerr] Totals: [0 retries] [0 finished] [0|0 webhooks] [0|0 cmdhooks] [stacks; event:0, hook:0, del:0]

It seems like unpackerr knows where to look? If I go to the directories it's saying the files don't exist, the files are there.

Any help would be appreciated.

|ERROR| Invalid command 'Sj' (0x53)

using radare2 commit: 3cde905a209a39fbc88ba03557705fb5467aff6e build: 2019-02-19__12:15:40
using r2pipe (1.2.0)
in order to be able to run your script I had to modify "Sj" to "iSj".
(it seems that iSj is for rabin)

Using unipacker as a package & Parallel Calls

Hello, thanks a lot for the great work! There are two minor things that we would love to adjust for integration purposes. It will be great if we can adjust the verbosity of the printing or logging level with log.info/error. Also, if we understand the code correctly, the current implementation always generates unpack.exe and then moves it to the user-supplied dest path. However, this prevents us from having parallel runs for unpacking (they always end up as the same file). Could we make it part of the arguments for UnpackerEngine? So far our workaround is:

dest = file + '_unipacker'
def _dump(_self, uc, apicall_handler, sample, path=dest):
  _self.dumper.dump_image(uc, _self.BASE_ADDR, _self.virtualmemorysize, apicall_handler, sample, path)

uni_sample.dump = _dump

Again, thanks a lot for the great work!

Error while unpacking given PECompact samples

I have installed unipacker but it cannot unpack PECompact samples:

It gives following errors:
Next up: Sample: [PECompact] lbop20_PECompact.exe
Traceback (most recent call last):
  File "/home/wnm/anaconda3/envs/sunflower/bin/unipacker", line 33, in <module>
    sys.exit(load_entry_point('unipacker==1.0.7', 'console_scripts', 'unipacker')())
  File "/home/wnm/anaconda3/envs/sunflower/lib/python3.8/site-packages/unipacker-1.0.7-py3.8.egg/unipacker/shell.py", line 786, in main
    Shell()
  File "/home/wnm/anaconda3/envs/sunflower/lib/python3.8/site-packages/unipacker-1.0.7-py3.8.egg/unipacker/shell.py", line 86, in __init__
    IOHandler(samples, args.dest, args.partition_by_packer)
  File "/home/wnm/anaconda3/envs/sunflower/lib/python3.8/site-packages/unipacker-1.0.7-py3.8.egg/unipacker/io_handler.py", line 17, in __init__
    self.handle_sample(sample, dest_dir, partition_by_packer)
  File "/home/wnm/anaconda3/envs/sunflower/lib/python3.8/site-packages/unipacker-1.0.7-py3.8.egg/unipacker/io_handler.py", line 30, in handle_sample
    engine = UnpackerEngine(sample, dest_file)
  File "/home/wnm/anaconda3/envs/sunflower/lib/python3.8/site-packages/unipacker-1.0.7-py3.8.egg/unipacker/core.py", line 159, in __init__
    self.init_uc()
  File "/home/wnm/anaconda3/envs/sunflower/lib/python3.8/site-packages/unipacker-1.0.7-py3.8.egg/unipacker/core.py", line 446, in init_uc
    self.uc.mem_write(self.sample.BASE_ADDR, self.sample.loaded_image)
  File "/home/wnm/anaconda3/envs/sunflower/lib/python3.8/site-packages/unicorn_unipacker-1.0.3b7-py3.8-linux-x86_64.egg/unicorn/unicorn.py", line 441, in mem_write
    status = _uc.uc_mem_write(self._uch, address, data, len(data))
ctypes.ArgumentError: argument 3: <class 'TypeError'>: wrong type

  • still running -

install fails on Windows 7

Hello!
Seems like I am following installation instructions to the letter, but install still fails with this error:
ERROR: Command "'c:\program files (x86)\python37-32\python.exe' -u -c 'import setuptools, tokenize;file='"'"'D:\cygwin64\tmp\pip-install-wb408v9s\unicorn-unipacker\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' install --record 'D:\cygwin64\tmp\pip-record-t15lv_bc\install-record.txt' --single-version-externally-managed --compile" failed with error code 1 in D:\cygwin64\tmp\pip-install-wb408v9s\unicorn-unipacker\

Could somebody please help? Thanks in advance!

Custom PE loader

Some samples deliberately try to crash non-genuine loaders like pefile by using corrupted headers or relocation information. We should investigate creating an own loader that extends pefile's capabilities by supporting this kind of behavior

Error while dumping

I have an error while dumping a UPX file.
image_dump.py (line 208, fix_imports_by_rebuilding->line 170, find_iat): IndexError in lx = possible_ptrs[-1].
Before dumping I had some errors like raiseUcError(status) Invalid memory write (UC_ERR_WRITE_UNMAPPED) after message GetProcAddress:..... accept
Unfortunately I cannot place trace log here.

unipacker as I/O

Is it possible to use unipacker to unpack packed files automatically in batch?

Dynamic location of stack space, headers etc.

When an image base address is smaller than 0x100000 (see reloaderd) we have a problem as this clashes with the stack space (0x0 - 0x100000). We need to move the stack dynamically depending on whether it fits at this place. This also influences things like hook space, allocs, headers for import fixing etc.

Migrate section hopping control to unpacker class

The emulation engine should just ask the unpacker if a specific address should be allowed to be executed. Then it is up to the unpacker whether it needs to use a white- or blacklisting approach
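
The section-hopping stop condition mentioned in the README's "Other packers" paragraph, arranged the way this issue proposes: the engine asks a policy object whether an address may be executed, and the policy is either an allow-list or a deny-list of sections. This is an added example, not Un{i}packer's code; `Section`, `HopPolicy`, `emulate_until_hop`, the UPX-style layout and the address trace are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Section:
    name: str
    start: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.start + self.size


class HopPolicy:
    """Answers the engine's question: may this address be executed?"""

    def __init__(self, sections: Sequence[Section],
                 allow: Optional[Iterable[str]] = None,
                 deny: Optional[Iterable[str]] = None,
                 exempt: Sequence[Tuple[int, int]] = ()):
        if (allow is None) == (deny is None):
            raise ValueError("give exactly one of allow= or deny=")
        self.sections = list(sections)
        self.allow = None if allow is None else set(allow)
        self.deny = None if deny is None else set(deny)
        # [start, end) ranges outside the image that are always fine,
        # e.g. the region where API hook stubs live.
        self.exempt = list(exempt)

    def section_of(self, addr: int) -> Optional[str]:
        for sec in self.sections:
            if sec.contains(addr):
                return sec.name
        return None               # not inside any section of the image

    def may_execute(self, addr: int) -> bool:
        if any(lo <= addr < hi for lo, hi in self.exempt):
            return True
        name = self.section_of(addr)
        if self.allow is not None:
            return name in self.allow      # allow-list: anything else is a hop
        return name not in self.deny       # deny-list: only listed sections are


def emulate_until_hop(trace: Iterable[int], policy: HopPolicy) -> Optional[int]:
    """Walk executed addresses; return the first one the policy refuses."""
    for addr in trace:
        if not policy.may_execute(addr):
            return addr
    return None


# Constructed layout: empty UPX0 that receives the unpacked code, UPX1 holding
# the unpacking stub, and a resource section.
SECTIONS = [
    Section("UPX0", 0x401000, 0x8000),
    Section("UPX1", 0x409000, 0x4000),
    Section(".rsrc", 0x40D000, 0x1000),
]
# Constructed trace: stub code, one call into an API hook stub outside the
# image, more stub code, then the jump into the freshly unpacked UPX0.
TRACE = [0x40C9D0, 0x40C9D1, 0x104014, 0x40C9E0, 0x401234, 0x401236]

if __name__ == "__main__":
    naive = HopPolicy(SECTIONS, allow={"UPX1"})
    fixed = HopPolicy(SECTIONS, allow={"UPX1"}, exempt=[(0x100000, 0x110000)])
    deny = HopPolicy(SECTIONS, deny={"UPX0"})
    for label, pol in (("allow", naive), ("allow+exempt", fixed), ("deny", deny)):
        hit = emulate_until_hop(TRACE, pol)
        print(label, hex(hit) if hit is not None else None)
```

The plain allow-list stops early at the hook stub, while the deny-list would not stop for unpacked code that lands in memory outside every section; which failure is acceptable is the choice the issue leaves to each unpacker.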
