I'm trying to identify the packer used on a sample of malware. PEiD doesn't find anything.
The unpacking process is two-stage. First, the entry point has a large (100 bytes) obfuscated jmp to the second stage. This involves calling some APIs and getting a specific error back, which is used as a constant for the rest of the first stage. The second stage is a few KB later in the file, and is about 15K in total.
The control flow in the second stage is obfuscated after every instruction. Each useful instruction is followed by a block of instructions that is basically a short obfuscated jmp to the next instruction.
There are three types of these short obfuscated jmps, each used a few hundred times across the second stage:
.text:00409E12 F8                clc
.text:00409E13 F2 90             repne nop
.text:00409E15 90                nop
.text:00409E16 FC                cld
.text:00409E17 0F 83 C3 15 00 00 jnb     loc_40B3E0

.text:0040B3C9 57                push    edi
.text:0040B3CA BF FB C4 40 00    mov     edi, offset loc_40C4FB
.text:0040B3CF 87 3C 24          xchg    edi, [esp]
.text:0040B3D2 C3                retn

.text:0040C21F 55                push    ebp
.text:0040C220 8B EC             mov     ebp, esp
.text:0040C222 90                nop
.text:0040C223 C9                leave
.text:0040C224 90                nop
.text:0040C225 E9 FF 03 00 00    jmp     loc_40C629
Does any of this ring a bell to anyone?
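As an added example (not part of the question above, and not from any packer's own code): a small scanner that finds the three stubs by their byte signatures and resolves each one to the address it actually transfers control to. All three are unconditional jumps in disguise: in the first, clc clears CF and none of repne nop, nop, cld touch it, so jnb is always taken; the second is the classic push/xchg/retn "jmp imm32"; the third is just jmp rel32 with a dead push/mov/leave wrapper. Counting the hits gives the "a few hundred of each" figure, and mapping stub start to target is the first step of flattening the second stage back into plain code. The image base (0x409000) and the 0x4000-byte section filled with int3 are assumptions used only to build the constructed sample; the three stubs in it are the exact bytes from the listing, placed at their listed addresses.

```python
import re
import struct
from collections import Counter

BASE_ASSUMED = 0x409000  # assumed image base for the constructed sample below

# Byte signatures of the three stubs from the listing. The 4-byte rel32/imm32
# operand is a wildcard; re.DOTALL lets '.' match 0x0A like any other byte.
STUBS = {
    # clc; repne nop; nop; cld; jnb rel32   (CF just cleared -> always taken)
    "clc_jnb":   (re.compile(rb"\xF8\xF2\x90\x90\xFC\x0F\x83(.{4})", re.DOTALL), "rel"),
    # push edi; mov edi, imm32; xchg edi, [esp]; retn   (== jmp imm32)
    "push_ret":  (re.compile(rb"\x57\xBF(.{4})\x87\x3C\x24\xC3", re.DOTALL), "abs"),
    # push ebp; mov ebp, esp; nop; leave; nop; jmp rel32   (== jmp rel32)
    "leave_jmp": (re.compile(rb"\x55\x8B\xEC\x90\xC9\x90\xE9(.{4})", re.DOTALL), "rel"),
}


def find_stubs(data, base):
    """Return [(va, kind, target_va)] for every stub found, sorted by va."""
    hits = []
    for kind, (rx, mode) in STUBS.items():
        for m in rx.finditer(data):
            if mode == "rel":
                # rel32 is relative to the end of the jump instruction, which
                # is also the end of the whole stub for these two patterns
                rel = struct.unpack("<i", m.group(1))[0]
                target = (base + m.end() + rel) & 0xFFFFFFFF
            else:
                # absolute address pushed as imm32 and "returned" to
                target = struct.unpack("<I", m.group(1))[0]
            hits.append((base + m.start(), kind, target))
    return sorted(hits)


def follow(by_va, va, limit=64):
    """Follow a chain of stubs starting at va and return the first address that
    is not itself a stub. `limit` guards against a deliberately looping chain."""
    hops = 0
    while va in by_va and hops < limit:
        va = by_va[va][1]
        hops += 1
    return va


def count_kinds(hits):
    """How many times each stub type occurs (the 'few hundred each' figure)."""
    return Counter(kind for _, kind, _ in hits)


def build_sample():
    """Constructed stand-in for the second stage: 0x4000 bytes of int3 filler
    with the three stubs from the listing placed at their listed addresses."""
    img = bytearray(b"\xCC" * 0x4000)

    def put(va, code):
        img[va - BASE_ASSUMED:va - BASE_ASSUMED + len(code)] = code

    put(0x409E12, b"\xF8\xF2\x90\x90\xFC\x0F\x83" + struct.pack("<i", 0x15C3))
    put(0x40B3C9, b"\x57\xBF" + struct.pack("<I", 0x40C4FB) + b"\x87\x3C\x24\xC3")
    put(0x40C21F, b"\x55\x8B\xEC\x90\xC9\x90\xE9" + struct.pack("<i", 0x3FF))
    return bytes(img)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: scan.py <raw dump of the section> <base va in hex>
        data, base = open(sys.argv[1], "rb").read(), int(sys.argv[2], 16)
    else:
        data, base = build_sample(), BASE_ASSUMED
    hits = find_stubs(data, base)
    print(dict(count_kinds(hits)))
    for va, kind, target in hits:
        print(f"{va:08X} {kind:<9} -> {target:08X}")
```

Run it against a raw dump of the .text section (or the in-memory second stage once it has been written) with the section's virtual address as the base. Two caveats when using it on the real sample: the push_ret signature is only ten bytes with a four-byte wildcard, so sanity-check that every resolved target lands inside the section before trusting a hit, and the scanner only recognises these three exact byte sequences; if the packer varies the junk instructions between the real ones (different nops, clc/stc pairs), the signatures need to be loosened accordingly.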