4. Malware Unpacking

Attackers go to great lengths to protect their binaries from anti-virus detection and to make it difficult for a malware analyst to perform static analysis and reverse engineering. Malware authors often use packers and cryptors (see Chapter 2, Static Analysis, for a basic introduction to packers and how to detect them) to obfuscate the executable content. A packer is a program that takes a normal executable, compresses its contents, and generates a new obfuscated executable. A cryptor is like a packer, except that instead of compressing the binary it encrypts it. In other words, a packer or cryptor transforms an executable into a form that is difficult to analyze. A packed binary reveals very little information: you will not find strings revealing anything valuable, the number of imported functions will be small (often only the few the unpacking stub itself needs), and the program's instructions will be hidden inside the compressed or encrypted payload. To make sense of a packed binary, you need to remove the obfuscation layer applied to the program (unpack it); to do that, it is important to first understand how a packer works.

When a normal executable is passed through a packer, the executable content is compressed and an unpacking stub (decompression routine) is added to it. The packer then sets the executable's entry point to the location of the stub and writes out a new, packed executable. When the packed binary is executed, the unpacking stub extracts the original binary in memory (at runtime) and then triggers execution of the original program by transferring control to the original entry point (OEP), as depicted in the following diagram:

To unpack a packed binary, you can either use automated tools or do it manually. The automated approach saves time but is not completely reliable (it works for some packers and fails for others, in particular for custom or modified ones), whereas the manual method is time-consuming, but once you acquire the skills it is the most reliable method, because you reproduce exactly what the unpacking stub does and dump the original binary once control reaches the OEP.
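The following Python script is an added illustration of the packer workflow described above; it is not code from this book or from any real packer. It models an "executable" as a constructed byte blob (not a real PE file) with a hypothetical original entry point at offset 0x40, packs it by compressing the image with zlib behind a small stub header that records the OEP, and then plays the role of the unpacking stub, which restores the image and "transfers control" by returning the OEP instead of jumping to it. The `extract_strings` and `shannon_entropy` helpers show the effect an analyst sees in static analysis: the strings and import names present in the original image are absent from the packed one, and the packed payload has much higher entropy. The `STUB` magic, the header layout and the sample strings are all assumptions made for this example.

```python
"""Toy packer and unpacking stub (added example, not from the book or a real packer)."""
import math
import re
import struct
import zlib

# Constructed stand-in for an original executable: a DOS-style header, strings a
# malware analyst would look for (an imported DLL/API, a C2 URL) and repetitive
# x86 prologue/epilogue bytes as code-like filler. Not a real PE file.
CODE_FILLER = bytes.fromhex("558bec83ec205356578b7d0833c05f5e5bc9c390") * 40
ORIGINAL_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\x00"
    + b"kernel32.dll\x00CreateFileA\x00WriteFile\x00"
    + b"http://c2.example.invalid/beacon\x00"
    + CODE_FILLER
)
ORIGINAL_ENTRY_POINT = 0x40          # hypothetical OEP inside ORIGINAL_IMAGE

STUB_MAGIC = b"STUB"                 # assumed marker for this toy packer
HEADER = struct.Struct("<4sII")      # magic, original entry point, payload length
PACKED_ENTRY_POINT = 0               # the packed file "starts" at the stub header


def pack(image: bytes, oep: int) -> bytes:
    """Compress the image and prepend the stub header. The OEP is recorded so the
    stub can find it at run time; the new entry point is the stub itself."""
    payload = zlib.compress(image, 9)
    return HEADER.pack(STUB_MAGIC, oep, len(payload)) + payload


def unpacking_stub(packed: bytes) -> tuple:
    """What the stub does when the packed binary runs: locate the payload, restore
    the original image in memory and hand control to the OEP (here: return it)."""
    magic, oep, length = HEADER.unpack_from(packed, PACKED_ENTRY_POINT)
    if magic != STUB_MAGIC:
        raise ValueError("not produced by this packer")
    payload = packed[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    image = zlib.decompress(payload)
    if oep >= len(image):
        raise ValueError("OEP lies outside the restored image")
    return image, oep


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted payloads sit close to 8."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def compare(image: bytes, packed: bytes) -> dict:
    """Static-analysis view of the same program before and after packing."""
    return {
        "original_strings": extract_strings(image),
        "packed_strings": extract_strings(packed),
        "original_entropy": round(shannon_entropy(image), 2),
        "packed_entropy": round(shannon_entropy(packed), 2),
        "size_ratio": round(len(packed) / len(image), 2),
    }


if __name__ == "__main__":
    packed = pack(ORIGINAL_IMAGE, ORIGINAL_ENTRY_POINT)
    for key, value in compare(ORIGINAL_IMAGE, packed).items():
        print(f"{key}: {value}")
    restored, oep = unpacking_stub(packed)   # manual unpacking reproduces this step
    print("round trip ok:", restored == ORIGINAL_IMAGE, "OEP:", hex(oep))
```

Manual unpacking of a real sample amounts to letting the real stub run the equivalent of `unpacking_stub` under a debugger and dumping the process image once execution reaches the OEP; the header check and the length check in the stub also illustrate why automated unpackers break on custom packers, since every packer lays out its header and payload differently.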
