I decide to include some unpacking posts in my personal blog. So here it is.

VirtualAlloc is the api that malware use to allocate memory for the unpacking process so we can use it to unpack malware. I’ve found some tutorials for this strategy but they are not suitable for the sample here. You can check it yourself.


Here is a video using the same method to unpack a malware.

So this is the beginning of the unpacking.

First, we input “bp VirtualAlloc” in the command input here.

We can see now there is a breakpoint.

Then you press F9 to run it. You come to here.

Here is the code in DLL. Now you use “ALT+F9” to come back to the user code. Then you have to press F8 to continue going and you will finally find a “jmp” which lead you to the OEP.

Actually, for this sample, using ESP should be much easier. But we can see even we are using the VirtualAlloc, there are still some difference for different samples. Those links that I provide can verify this. So always be patient when you are unpacking a malware.