R2CON2018 talk: "Unpacking the non-unpackable ELF malware"

NEW: The video of this talk has just been released on pancake's YouTube. For the better-quality HD video you can see it here.

It was a great pleasure to attend R2CON2018, a conference about the UNIX-like reverse engineering and binary analysis tool radare2, which I use a lot. The CON is super awesome: I met super cool old and new friends who are using radare2, and also many young, bright students who help in radare2 development; basically it was a very happy moment in r2land.

I attended all of the slots in the schedule except R2CTF and R2War, and I felt that time was not on my side. I was supposed to be at R2CON2016, but my flight was cancelled due to a typhoon, and this year they cancelled my flight again for another typhoon... but I was more determined to attend, so I re-routed my flight across Europe (through Germany) to make it to Barcelona, a very tough and expensive effort too.

I gave a reverse engineering presentation about a new Linux packer. I titled my slides "Unpacking the non-unpackable", or in short N.U.P., and the talk consists of three parts:

  1. Appetizer: Practical ELF header basics for recognizing and fixing manipulation of Vanilla UPX

  2. Some Soup: Adding knowledge on other ELF packers and introducing some recent-yet-interesting ones

  3. Main course: How I cracked the unknown new ELF packer that is difficult to dissect statically; this part explains the characteristics of the packer, why it is difficult to dissect, the method used to crack it, and the purpose of some binaries that use the packer.
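The "appetizer" part of the talk is about reading the ELF header well enough to notice when a packed file's header has been tampered with and to put it back into a shape that analysis tools accept. As an added illustration of that idea (this is example code written for this post, not the talk's own how-to or any radare2 code), the following Python parses an ELF64 little-endian header per the ELF specification, reports fields that are inconsistent with the file (fixed-size fields, program/section header tables pointing past the end of the file), applies a generic repair, and checks for the well-known "UPX!" marker. The sample image, the tampering applied to it and the repair strategy are all constructed for this example; the real N.U.P. samples and the fix shown in the talk are not reproduced here.

```python
import struct

# ELF64 file header layout, from the ELF specification (little-endian):
# e_ident[16] e_type e_machine e_version e_entry e_phoff e_shoff e_flags
# e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
ELF64_HDR_FMT = "<16sHHIQQQIHHHHHH"
ELF64_HDR_FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry",
                    "e_phoff", "e_shoff", "e_flags", "e_ehsize", "e_phentsize",
                    "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx")
ELF64_EHSIZE, ELF64_PHENTSIZE, ELF64_SHENTSIZE = 64, 56, 64


def parse_elf64_header(data):
    """Parse the first 64 bytes of an ELF64 little-endian file into a dict."""
    if len(data) < ELF64_EHSIZE or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:  # EI_CLASS == ELFCLASS64, EI_DATA == ELFDATA2LSB
        raise ValueError("only ELF64 little-endian is handled in this example")
    return dict(zip(ELF64_HDR_FIELDS, struct.unpack(ELF64_HDR_FMT, data[:ELF64_EHSIZE])))


def pack_elf64_header(hdr):
    """Serialize a header dict back into its 64-byte on-disk form."""
    return struct.pack(ELF64_HDR_FMT, *(hdr[f] for f in ELF64_HDR_FIELDS))


def check_elf64_header(data):
    """Return a list of findings for header fields inconsistent with the file.
    An empty list means the header is self-consistent."""
    hdr, size, findings = parse_elf64_header(data), len(data), []
    if hdr["e_ehsize"] != ELF64_EHSIZE:
        findings.append(f"e_ehsize is {hdr['e_ehsize']}, expected {ELF64_EHSIZE}")
    if hdr["e_phnum"]:
        if hdr["e_phentsize"] != ELF64_PHENTSIZE:
            findings.append(f"e_phentsize is {hdr['e_phentsize']}, expected {ELF64_PHENTSIZE}")
        if hdr["e_phoff"] + hdr["e_phnum"] * ELF64_PHENTSIZE > size:
            findings.append("program header table lies outside the file")
    if hdr["e_shnum"] or hdr["e_shoff"]:
        if hdr["e_shentsize"] != ELF64_SHENTSIZE:
            findings.append(f"e_shentsize is {hdr['e_shentsize']}, expected {ELF64_SHENTSIZE}")
        if hdr["e_shoff"] + hdr["e_shnum"] * ELF64_SHENTSIZE > size:
            findings.append("section header table lies outside the file")
        if hdr["e_shnum"] and hdr["e_shstrndx"] >= hdr["e_shnum"]:
            findings.append("e_shstrndx is out of range")
    return findings


def fix_elf64_header(data):
    """Generic repair (written for this example, not the talk's procedure):
    restore the fixed-size fields to spec values and, if the section header
    table is unusable, drop it so tools treat the file as simply stripped."""
    hdr = parse_elf64_header(data)
    hdr["e_ehsize"] = ELF64_EHSIZE
    if hdr["e_phnum"]:
        hdr["e_phentsize"] = ELF64_PHENTSIZE
    sh_end = hdr["e_shoff"] + hdr["e_shnum"] * ELF64_SHENTSIZE
    if sh_end > len(data) or hdr["e_shentsize"] != ELF64_SHENTSIZE:
        hdr["e_shoff"] = hdr["e_shnum"] = hdr["e_shentsize"] = hdr["e_shstrndx"] = 0
    return pack_elf64_header(hdr) + data[ELF64_EHSIZE:]


def has_upx_marker(data):
    """True if the file carries the 'UPX!' magic that UPX writes into its output."""
    return data.find(b"UPX!") != -1


def build_sample():
    """Constructed minimal ELF64 image (not a runnable program): one PT_LOAD
    program header followed by filler that carries a 'UPX!' marker."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    hdr = struct.pack(ELF64_HDR_FMT, e_ident, 2, 62, 1, 0x401000,
                      ELF64_EHSIZE, 0, 0, ELF64_EHSIZE, ELF64_PHENTSIZE, 1, 0, 0, 0)
    # Elf64_Phdr: p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 0x200, 0x200, 0x1000)
    return hdr + phdr + b"\x00" * 16 + b"UPX!" + b"\x00" * 16


def tamper(data):
    """Constructed tampering for the demo: zero e_ehsize and point e_shoff far
    past the end of the file, two of the fields a reverser checks first."""
    hdr = parse_elf64_header(data)
    hdr["e_ehsize"], hdr["e_shoff"] = 0, 0xFFFFFFFF
    hdr["e_shnum"], hdr["e_shentsize"] = 20, ELF64_SHENTSIZE
    return pack_elf64_header(hdr) + data[ELF64_EHSIZE:]


if __name__ == "__main__":
    broken = tamper(build_sample())
    print("findings:", check_elf64_header(broken))
    print("after fix:", check_elf64_header(fix_elf64_header(broken)))
    print("UPX marker present:", has_upx_marker(broken))
```

Run on a real file by replacing `build_sample()` with the bytes read from disk; the checks are the same ones `readelf` or radare2 trip over when a packer has edited the header, so an empty findings list is a reasonable precondition before trying any unpacking step.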

Many asked why I picked such a silly name for the title. A packed binary, which is produced by a "packing process" (compression with a certain algorithm, with or without a security lock), can be restored to its original state by what we in RE all call "unpacking". In other words: we can "unpack" a binary that is "unpackable".

In the case that a binary, after efforts at "unpacking", cannot be "unpacked", the applicable term for such binaries is "non-unpackable binaries" or, if you like, "un-unpackable binaries"; I prefer the first one, since "un-un" sounds so funny.

The ELF binary presented in the "main course" of this presentation cannot be "unpacked" in the common/usual ways (neither statically nor by emulation), yet it can be "unpacked" only under a certain condition, which is why I named the presentation "Unpacking the Non-unpackable".

The presentation file is available to download from the r2con repository, or you can view it online from your OSX/PC or from your mobile/tablet too; the behind-the-scenes notes can be read here.

This new packer has been spotted quite a lot on the internet, and it is important to raise awareness of it, because every use of the packer spotted so far has been in malicious ELF binaries. I could not find any analysis available for this packer, so this is the first analysis ever published about it, and I dedicated the announcement of this packer to R2CON, the radare2 community.

The design of the NUP custom packer looks to have been inspired by UPX in several of its logics, but it works in different ways; this may confuse reversers, who may see it as a plain ELF file or may think it is just another Vanilla UPX (I thought that way for a long time too). This is why I thought it would be better to take the flow of the presentation from the basic concepts of ELF headers to UPX, then introduce several other packers, before we jump into NUP. Anyhow, the material contains nice research; I hope you will find it useful. PS: Use the N.U.P. hash given in the video (corrected), not the slide's one, and you must fix its header beforehand; see the how-to in the first part of the talk.

EDIT: additional link, grammar, format, video link, HD video link, additional info on N.U.P.

from @unixfreaxjp / malwaremustdie.org / r2jp