More advanced unpacking - Part II
In "More advanced unpacking - Part II" I show you how to unpack an infamous real-life malware family called WSNPOEM (aka Infostealer.Banker.C). The binaries are usually created with a tool called ZEUS Builder, and lots of different versions exist in the wild; I found samples both with and without rootkit functionality. They are also packed "on top", meaning the builder output is additionally protected/packed with tools like Aspack, ACProtect, Polycrypt and so forth, so there are two layers to remove. We will work through the samples and deal with them in 3 different ways:
1. Manual unpacking + import fixing
2. Manual unpacking + Auto import fixing
3. Auto unpacking/import fixing
Method 2 introduces a nice tool called "Universal Import Fixer", and method 3 shows how to automate the unpacking and import fixing with an OllyDbg script (OllyDbgScript).