Upack
"You got a pocket pager? What are you, a doctor?" No, I'm not a doctor. I'm the Virus Analyst on-duty this week. But I am carrying around a pager (in case an important new threat comes out). As luck would have it, one such threat came up yesterday. Dasher.C was released (thanks, Jose), and as the off-hours Analyst on-duty, it was my job to analyze it.

Dasher.C was packed with Upack, an interesting little packer. At first, I thought the sample file was corrupt, since its PE header looked all screwed up and when I loaded it into OllyDbg, OllyDbg gave an error and landed in ntdll. Before I classified it as corrupted though, I tried running it (F9 in OllyDbg). Sure enough, it ran fine. So what was going on? Well, OllyDbg didn't like the look of the headers any more than I did, and dropped me into ntdll instead of breaking at the entry-point of the sample.

Once I realized that it wasn't corrupted after all, I looked up the entry-point with a PE editor, reloaded the sample in OllyDbg, set a breakpoint on the entry-point address, and let it run. OllyDbg then hit the breakpoint at the entry-point, and I was able to trace it easily to the OEP.

What's the takeaway?
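As an added illustration (not the author's code or anything shipped with Upack), here is a small Python parser that does what the PE editor did above: it reads the entry point straight from the headers and turns it into the virtual address you would put a breakpoint on. The sample header bytes are constructed, and the two "oddity" checks are an assumption about the kinds of header tricks that make tools misjudge a file; the post does not say which ones Upack used.

```python
import struct

def entry_point_info(data: bytes) -> dict:
    """Read just enough of a PE header to place a breakpoint on the entry point.
    Tolerates headers that stricter tools reject: a PE header that starts inside
    the DOS header, or an optional header shorter than the standard size."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes) follows the signature
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32
        entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:    # PE32+
        entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # Walk the section table (40-byte entries) to map the entry RVA to a file offset
    section, file_off = None, None
    sec = opt + opt_size
    for _ in range(nsections):
        name = data[sec:sec + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 8)
        if va <= entry_rva < va + max(vsize, raw_size):
            section, file_off = name, raw_ptr + (entry_rva - va)
            break
        sec += 40
    oddities = []   # assumed checks: header layouts that commonly confuse tools
    if e_lfanew < 0x40:
        oddities.append("PE header starts inside the DOS header (e_lfanew=0x%X)" % e_lfanew)
    if opt_size < (0xE0 if magic == 0x10B else 0xF0):
        oddities.append("SizeOfOptionalHeader below standard (0x%X)" % opt_size)
    return {"entry_rva": entry_rva, "image_base": image_base,
            "entry_va": image_base + entry_rva,   # address for the debugger breakpoint
            "section": section, "file_offset": file_off, "oddities": oddities}

def build_sample() -> bytes:
    """Constructed sample (not a real binary): a PE32 header with e_lfanew = 0x10, so the
    PE header sits inside the DOS header and the optional header overlaps e_lfanew."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x10)                  # e_lfanew -> 0x10
    buf[0x10:0x14] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x14, 0x14C, 1, 0, 0, 0, 0x60, 0x102)  # i386, 1 section, opt=0x60
    opt = 0x28
    struct.pack_into("<H", buf, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", buf, opt + 16, 0x1018)            # AddressOfEntryPoint
    struct.pack_into("<I", buf, opt + 28, 0x400000)          # ImageBase
    sec = opt + 0x60
    buf[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", buf, sec + 8, 0x1000, 0x1000, 0x200, 0x200)  # VSize, VA, RawSize, RawPtr
    return bytes(buf)
```

Running `entry_point_info(build_sample())` yields entry VA 0x401018 in `.text` at file offset 0x218, along with both header oddities, which is exactly the address you would type into the debugger's breakpoint dialog.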