"You got a pocket pager? What are you, a doctor?"
- Dr. Gillian Taylor, Star Trek IV

No, I'm not a doctor. I'm the Virus Analyst on-duty this week. But I am carrying around a pager (in case an important new threat comes out).

As luck would have it, one such threat came up yesterday. Dasher.C was released (thanks, Jose), and as the off-hours Analyst on-duty, it was my job to analyze it.

Dasher.C was packed with Upack, an interesting little packer. At first, I thought the sample file was corrupt, since its PE header looked all screwed up and when I loaded it into OllyDbg, OllyDbg gave an error and landed in ntdll. Before I classified it as corrupted though, I tried running it (F9 in OllyDbg). Sure enough, it ran fine.

So what was going on? Well, OllyDbg didn't like the look of the headers any more than I did, and dropped me into ntdll instead of breaking at the entry-point of the sample. Once I realized that it wasn't corrupted after all, I looked up the entry-point with a PE editor, reloaded the sample in OllyDbg and set a breakpoint on the entry-point address, and let it run. OllyDbg then hit the breakpoint at the entry-point, and I was able to trace it easily to the OEP.
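Looking the entry point up outside the debugger, as described above, can also be scripted. The following is an added example, not code from the original post: it reads AddressOfEntryPoint and ImageBase straight from the NT headers, following e_lfanew wherever it points and trusting SizeOfOptionalHeader instead of a fixed layout, so a header that makes a debugger balk still yields an address to type into the breakpoint dialog. The PE it parses is constructed inline (it is not Dasher.C or any real Upack output); its NT headers are deliberately folded into the DOS header with a trimmed optional header, which is the kind of unusual-but-loadable layout the post is dealing with.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
COFF_HEADER_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def find_entry_point(data: bytes) -> dict:
    """Locate the entry point of a PE image, reading only the fields needed and
    assuming nothing about where the NT headers sit or how large the optional
    header is. Returns the RVA, the VA (ImageBase + RVA, the value to break on
    in the debugger) and, where possible, the section and file offset that hold
    the first instruction."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew is honoured even if it points back inside the DOS header: the
    # loader only requires the PE signature to be there, so a packer may
    # overlap the two headers and tools that assume a normal layout get lost.
    coff = e_lfanew + 4
    opt = coff + struct.calcsize(COFF_HEADER_FMT)
    if opt + 64 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    _machine, nsections, _, _, _, opt_size, _chars = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (same offset in PE32/PE32+)
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]

    # The section table starts right after the optional header, however long
    # the header claims to be (SizeOfOptionalHeader may be trimmed below 0xE0).
    section, file_offset = None, None
    sec = opt + opt_size
    for i in range(nsections):
        off = sec + 40 * i
        if off + 40 > len(data):
            break
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        span = vsize or rawsize            # VirtualSize may be zero in hand-built headers
        if va <= entry_rva < va + span:
            section = name.rstrip(b"\0").decode("ascii", "replace")
            file_offset = rawptr + (entry_rva - va)
            break
    if section is None and entry_rva < size_of_headers:
        section, file_offset = "<headers>", entry_rva   # entry point placed in the header area

    return {
        "e_lfanew": e_lfanew,
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,
        "section": section,
        "file_offset": file_offset,
    }


def build_sample_pe() -> bytes:
    """Constructed sample, not a real binary: a PE32 whose NT headers begin at
    file offset 0x10 (inside the DOS header), with a 0x60-byte optional header
    (no data directories) and a single .text section."""
    img = bytearray(0x400)
    e_lfanew = 0x10
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    struct.pack_into("<I", img, e_lfanew, IMAGE_NT_SIGNATURE)
    coff = e_lfanew + 4                                    # 0x14
    # Machine=i386, 1 section, SizeOfOptionalHeader=0x60, EXECUTABLE_IMAGE|32BIT_MACHINE
    struct.pack_into(COFF_HEADER_FMT, img, coff, 0x14C, 1, 0, 0, 0, 0x60, 0x0102)
    opt = coff + 20                                        # 0x28
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 16, 0x1010)          # AddressOfEntryPoint (RVA)
    # opt+20 (BaseOfCode) lands on file offset 0x3C, i.e. on e_lfanew itself;
    # the overlap only works because both fields hold the same value.
    struct.pack_into("<I", img, opt + 20, e_lfanew)
    struct.pack_into("<I", img, opt + 28, 0x00400000)      # ImageBase
    struct.pack_into("<I", img, opt + 32, 0x1000)          # SectionAlignment
    struct.pack_into("<I", img, opt + 36, 0x200)           # FileAlignment
    struct.pack_into("<I", img, opt + 56, 0x2000)          # SizeOfImage
    struct.pack_into("<I", img, opt + 60, 0x200)           # SizeOfHeaders
    sec = opt + 0x60                                       # 0x88, right after the short optional header
    struct.pack_into(SECTION_HEADER_FMT, img, sec,
                     b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(img)


if __name__ == "__main__":
    info = find_entry_point(build_sample_pe())
    print(f"NT headers at {info['e_lfanew']:#x}, ImageBase {info['image_base']:#x}")
    print(f"EP RVA {info['entry_rva']:#x} -> VA {info['entry_va']:#x} "
          f"in {info['section']} (file offset {info['file_offset']:#x})")
```

Run against a real sample with `find_entry_point(open(path, "rb").read())` and set the breakpoint on `entry_va`; the reported file offset is also where to look in a hex editor if you want to see what the debugger would execute first.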

What's the takeaway?
Short: No matter how corrupt something looks, always try running it before throwing it away.
Long: When dealing with Upack or similar packers, setting a breakpoint on the EP after loading the sample into OllyDbg works just fine, despite the error message and ntdll screenful.
Bonus: Quoting Star Trek IV is now considered the "cool" thing to do :)