Abstract
Reverse engineering packed binaries remains a tedious challenge, as code packing is continuously used by malware to hinder detection and analysis. The problem of automatically unpacking binaries has been investigated before. However, current generic unpackers either offer no dump of the unpacked binary at all, or produce a set of memory dumps that each lack several of the structures required to make them well suited for further analysis. In this paper, we present RePEconstruct, a tool that unpacks packed binaries and reconstructs them in a form well suited for further analysis. RePEconstruct deploys a model of self-modifying code similar to previous work, but goes a step further by also utilizing a novel, aggressive approach to rebuilding the import address table. Our approach relies on both static and dynamic analysis. We build RePEconstruct as a DynamoRIO client and successfully evaluate it against a set of packed applications.
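The import address table (IAT) rebuilding the abstract refers to is the step that turns a raw memory dump back into something a disassembler can resolve API calls in. The following is an added illustration of the generic, static side of that task and is not RePEconstruct's code or its actual algorithm: given a dump and a map of the export addresses of the DLLs loaded in the process (both constructed here, with hypothetical addresses), it scans the dump at pointer alignment for runs of values that resolve to known exports and groups the hits back into per-module import lists. The `EXPORTS` map, the sample dump layout and the `min_entries` threshold are all assumptions made for the example.

```python
import struct

# Constructed export map: address -> (module, symbol). The addresses are
# hypothetical; a real unpacker would collect them by walking the export
# directories of the DLLs mapped in the packed process.
EXPORTS = {
    0x7FF8_0000_1000: ("kernel32.dll", "VirtualAlloc"),
    0x7FF8_0000_1040: ("kernel32.dll", "LoadLibraryA"),
    0x7FF8_0000_1080: ("kernel32.dll", "GetProcAddress"),
    0x7FF9_0000_2000: ("user32.dll", "MessageBoxA"),
    0x7FF9_0000_2080: ("user32.dll", "wsprintfA"),
}

PTR = 8  # pointer size of a 64-bit image; use 4 for 32-bit dumps


def build_sample_dump():
    """Constructed memory dump: two null-terminated pointer tables that look
    like an IAT after the packer has run, plus one isolated export pointer
    (e.g. a constant left by the packer stub) that must not be mistaken for
    a table. Offsets are relative to the start of the dump; when the dump is
    the image mapped at its base, an offset is also the RVA."""
    dump = bytearray(0x400)

    def put(off, value):
        struct.pack_into("<Q", dump, off, value)

    put(0x180, 0x7FF8_0000_1080)   # isolated pointer, not a table
    put(0x200, 0x7FF8_0000_1000)   # table 1: kernel32 entries
    put(0x208, 0x7FF8_0000_1040)
    put(0x210, 0x7FF8_0000_1080)
    put(0x218, 0)                  # null terminator
    put(0x300, 0x7FF9_0000_2000)   # table 2: user32 entries
    put(0x308, 0x7FF9_0000_2080)
    put(0x310, 0)
    return bytes(dump)


def find_iat_candidates(dump, exports, ptr_size=PTR, min_entries=2):
    """Scan the dump at pointer alignment and collect runs of consecutive
    pointer-sized values that resolve to a known export. A run ends at the
    first value that does not resolve (typically the null terminator).
    Returns [(offset, [(module, symbol), ...]), ...]; runs shorter than
    min_entries are discarded as noise."""
    fmt = "<Q" if ptr_size == 8 else "<I"
    tables, run, run_start = [], [], None
    for off in range(0, len(dump) - ptr_size + 1, ptr_size):
        (value,) = struct.unpack_from(fmt, dump, off)
        sym = exports.get(value)
        if sym is not None:
            if run_start is None:
                run_start = off
            run.append(sym)
            continue
        if run:
            if len(run) >= min_entries:
                tables.append((run_start, run))
            run, run_start = [], None
    if len(run) >= min_entries:       # table running to the end of the dump
        tables.append((run_start, run))
    return tables


def rebuild_imports(tables):
    """Group the recovered entries by module, keeping first-seen order and
    dropping duplicates, which is the shape an import directory needs."""
    imports = {}
    for _offset, entries in tables:
        for module, symbol in entries:
            funcs = imports.setdefault(module, [])
            if symbol not in funcs:
                funcs.append(symbol)
    return imports


if __name__ == "__main__":
    found = find_iat_candidates(build_sample_dump(), EXPORTS)
    for offset, entries in found:
        print(f"IAT candidate at offset {offset:#x} with {len(entries)} entries")
    for module, funcs in rebuild_imports(found).items():
        print(module, funcs)
```

The limitation this purely static scan runs into is exactly why the abstract stresses combining static and dynamic analysis: a packer that redirects IAT slots through its own stubs leaves values that point into the stub code rather than into a DLL's export, so they never match `exports` and the run is split or lost. Resolving such entries requires observing at runtime where the stub ultimately transfers control, which a static pointer scan cannot do on its own.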