VMUnpacker from DSWLab

[sowhat-x]

Very good generic unpacker,provided as free for personal use download,
from a Chinese Anti-Virus company called DSWLab (stands for Data Security Workbase Lab):

http://www.dswlab.com/d3.html

Direct link to VMUnpacker - Latest version is 1.4:
(NOTE:Although their page states v1.4 is released,
their official server doesn't seem to have been updated to v1.4 yet.
I guess we'll have to wait a few hours until they get the archive fixed.)
hxxp://update4.dswlab.com/vmunpacker.zip

[justincase]

download links seems broken, found mirror here:
http://www.xfocus.net/tools/200708/1226.html

btw, many thanks for all your cool links.

[sowhat-x]

...latest days the VMUnpacker links in the DSWLab servers seem to be inaccessible,
I've also noticed this...hope it will get fixed sooner or later....
I have to note though that I don't suggest running binaries downloaded from not official sites,
eg.Xfocus is not exactly what someone would call a "white-hat" site,you get the point... 

Xfocus...he-he,learned quite a few stuff regarding security from there in the past...
some of them probably in a...not so politically correct way,whatever this means,lol...
Quite a few of interesting hacking-related source codes posted there from time to time...
I also remembered the cnhonker's site/team/whatever,
they had published a ton of exploits for win32 systems...
usually they had hardcoded address for Chinese versions of Windows,
and everyone was trying to modify the offsets in order to match English/universal editions,lol...
But it seems like their "days of glory" period has faded nowadays...
my guess,mainly because "full disclosure" has turned from a movement/way of thinking,
(that most people/companies firstly accused as irresponsible way),
to nowadays be the established "main stream" when it comes to security researching...

I'll try checking my personal copy of VMUnpacker later...
to see if the checksum matches...although I don't think there will be a problem...
If interested,you can also check the following thread on TeamFurry's forum,
just a couple of days ago,there was a similar topic raised,
so,there's no need to replicate stuff... 

http://www.teamfurry.com/index.php?topic=15.0

[justincase]

Xfocus link is 1.2 Public Release, for 1.3 Public Release :
http://download.pchome.net/utility/antivirus/trojan/download_66883.html

Moore explicit URL :-)

[sowhat-x]

VMUnpacker MD5 hashes...until the DSWLab server problem gets resolved:

For v1.3:
c697f70a1e0177aa3e5e7fe1d8079357 *dbghelp.dll
ba50d448140a4ce8667ffa055a274094 *unarc.dll
0ae9b1abbcd0d48db19893c519bb1694 *unpack.avd
04ececd3d4c888e3e1968eba6c94b5d3 *VMUnpacker.exe
0a82bd5a4b187cfea78e02bd722209c5 *VUnpackSDK.dll

For the older v1.2:
c697f70a1e0177aa3e5e7fe1d8079357 *dbghelp.dll
ba50d448140a4ce8667ffa055a274094 *unarc.dll
eac0fc687c6e6d88f4a918f8074c37c1 *unpack.avd
5ecd9e31a0dfa7899848c677d448b530 *UnpackSDK.dll
5976a641ea3526336026ee88ef8c5915 *VMUnpacker.exe

[sowhat-x]

VMUnpacker got updated to v1.4,check 1st post in the thread... 

[VirusBuster]

1.4 and more recent 1.4.3 version seem to be not public versions but only for customers.

Also I don´t consider VMUnpacker to be a generic unpacker. You can verify this doing a simple test. Just try to unpack an unsupported packer. VMUnpacker will show a text message saying "Unidentified packer [...]".

Anyway VMUnpacker is a good application. Other unpackers like ap0x´s RL!Depacker may execute the file while unpacking, which is dangerous if you are dealing with malware. With VMUnpacker this problem does not exist.

The problem I see with VMUnpacker is you can not unpack a set of files automatically as the tools requires user intervention. I have asked authors to release a console version (which could be called as many times as required in a batch file ie) but they asked money to do it. I hope soon or late they will do it anyway.

[sowhat-x]

ap0x´s RL!Depacker is excellent,and gets the trick done for most stuff out there...
Here's the link for those not already aware of it:

http://ap0x.jezgra.net/unpackers.html

But yes,as you've already mentioned,it's not 'static':
in most cases,it will trace/execute the sample in question in order to unpack it.

VMUnpacker on the other hand,is 'static'...
no need for running it under VMware/DeepFreeze or such.
Note of course that I would NEVER suggest something like this,
ie.you never can be 100% sure what can go wrong and what not...
this thought in it's simplest form:
you can never be assured that some crap-head malware author out there,
has figured out an exploit/weakness for VMunpacker itself...
it's not wise to rely in a single one protection layer,no matter how good it might be.

ap0x´s RL!Depacker,by not relying exclusively in internal sigs for static unpacking,
has an extra benefit also...at least,that's what my personal experience has showed:
it can unpack way more samples than VMunpacker,not just already known packers.
Ie.privately hex-edited crap and similar...

And well,as you pretty much already said...DSWLab aims at commerce,
targeting the Chinese AV products market area,at least from my understanding....
This makes quite reasonable the fact that VMunpacker's latest versions are private,
they have to earn a living as well...
ap0x on the other side,at least from what I know,
he has never showed similar intentions to the day as per above...
ie.to sell his unpackers and such.The only thing sold in 'private' by him,
is the full version of RLPack,his current commercial project...
which is also sold at a very small price for what it offers,at least in my humble opinion.
It's unfortunately flagged by many AV procucts...kind of annoying attitude...
since it's 'light' edition,not only is free,but open-sourced also:
this should make the job far more easier for them,but well...
we all know their usual reaction to packers,even if legitimate...
they're bored of writing proper detections... 

[VirusBuster]

ap0x on the other side,at least from what I know,
he has never showed similar intentions to the day as per above...
ie.to sell his unpackers and such.

You are wrong about this. I was talking with ap0x at Google´s chat and he commented that he coded a solution of RL!DePacker which does not execute the file to unpack but sadly he sold it to 'some security company - name removed/see below'.

[sowhat-x]

...sorry,but I had to edit/remove the name of the company in question above,
because I'm not really sure if ap0x (and of course the security firm itself),
want information regarding their personal commercial activities to be shared in public... 
If either of them has spoke of this in some public announcement,
then please,do feel free to post the company's name,further details etc...

I'm obviously not aware of...all of ap0x's commercial activities,
as I'm certainly not his 'sales department agent',he-he...
I've never spoked with him directly...or even more,
discussed what kind of offers he's got from the AV industry...
after all,in what way would this interest me...I wouldn't get a share out of it!... 
And this goes up for anyone else for that matter...
I can only be aware of "the intentions showed up to day"...
from statements/actions made by persons in public and only.For example...

http://research.pandasecurity.com/archive/Mal_2800_ware_2900_formation-statistics.aspx

Thereby,what you commented above certainly doesn't come to a surprise...
himself had stated clearly in Panda's blog way back in May 2007,that...
"I am also working on a commercial depacking and detection project sponsored by a security company'.
And well,my guess he probably had his reasons for not mentioning which company this was,
as it is/was something that does/did not concern the public at that moment...

When speaking about him not have shown intentions of "selling his unpackers and such",
I was pretty clear in what I meant...not selling them to the public via his site.
There's tons of unpackers free to download and make use of in his site,
and for which he's never charged anyone out there a single penny.
So,in very simple words,regarding the 'comparison' with VMunpacker made above...

...That while they 'advertise' private newer unpackers in order to attract customers,
(nothing wrong with it obviously - it's just their marketing model for their AV products),
ap0x on the other side,at least by reading his public threads,
has never advertised 'private' tools to end-users from his site,in order to sell his stuff.
The general attitude that gets revealed by his public actions seems to be...:
if I want to share something with the public,I share it...(and he's shared a lot obviously...)
if I want to sell something in order to also to make a living in this world,I do so...
and if I coded something 'private',well,I simply keep it 'private',
no need to shout about it around the world,he-he...
Seems pretty reasonable to me... 

[ap0z]

You seem interested in work I'm doing and I think that is only fair to shad some light to the subject. As I said over at Panda research blog I'm working on a very complex unpacking solution which is designed to handle a large amount of files packed/protected with known and unknown packer/protector/crypter formats. Solution itself is an SDK which can be easily implemented in any environment. Techniques used are static (about 1/3 of supported formats), dynamic (about 2/3 of supported formats) and generic for certain cases where such unpacking is safe (overlay packers, etc.). Currently the number of fully supported formats (with all protection stripping. AntiDump, etc. making every unpacked file as close to virgin as possible) is a little over 100. SDK itself is not limited only to PE32 but it can be used for archive unpacking no matter if an archive is a single file or an SFX or an installer format. My idea is that this engine becomes all-in-one solution for unpacking everything you can think of.

But this will never be a public thing do to its nature and work put into it. This is not really up to me but be sure that I'm trying very hard to make at least some parts of this free and public. One of those things will be a free script language that will use the free unpack SDK to unpack PE32 files. There are other projects that I'm working on which will also be free but all in good time. A lot more things need to be done before all of this is at least presented to the public.