Hello, and welcome to my second unpacking tutorial. Today, I want to show you that sometimes it's not necessary to run a file in a debugger or to unpack it, or to do any complicated stuff. Sometimes it's actually enough to have a hex editor and a scripting language. And yeah, let's see what this packed file shows. Well, what we can do with this packed file here. I usually look at files at first in the hex editor, because sometimes it will just shorten the time you need to analyze it. Because, well, in this case, I will show you why.

Take a look at this. I don't know. I never analyzed this packed file in depth. The only thing I did so far was looking at it in a hex editor. And this is a DOS stub message, but not really. It's as if every third byte is encoded differently or something. And if you look at the zero areas in the file, the areas that would contain mostly zero bytes, you have this pattern of v14358 and zero. So this tells you that this is an XOR encryption, because if you encrypt something with XOR and you don't use a one-time pad, you will see the key in the zero areas. And that's basically it. That's our XOR key. And you also see it here. But it's missing the zeros in between.

So let's just unpack it, right? I need to look for the beginning of the file. I think it's here, because there's the MZ. Then just copy the block. We will just copy everything starting from here. It really doesn't matter if you append something to the end of the file for analyzing it. Because what I want to do is I want to cut this out, decode it, and then analyze it, so that it's a valid PE file. And it's still a valid PE file if there's stuff at the end that doesn't belong to it. OK, create a new file, paste, and save it as a dump. So this is our encrypted file. Let's say encoded. It's not really an encryption.

Now I will just open up Python. And I know I want to open our dump file. So I set a file handle to open dump. And the mode would be R for reading. And it's also a binary file, so let's add B for binary. I want to read the whole file into an array. So array is, I'm not sure if I can use array, just shorten it. And we will read everything. OK, now for the decryption, we need the key. And the key, OK, I have to open it up again. The key is this. Can I copy it from here? Maybe I would have been faster with writing it. But copying it will prevent any typos. So OK, it doesn't prevent any typos. Invalid syntax, what's the problem? Ah, there it is. I forgot the comma here. OK.

Now I want to read every byte in that array. And I want to, let's print it in there. Yeah, I want to XOR it with our key. So that would be the outline; I can write it like this. I have to initialize the index first. And I have to, well, I don't want to print the byte value. But let's take the, OK, it runs; I XOR each byte with the key at index 0. OK, and now again, this will print the single bytes. And it can't be correct. The index needs to be incremented. So we do not always use 0. And furthermore, we need to start at the beginning of the key array once we are at the last key byte. So it would be more like this. And of course, this doesn't serve anything if we cannot really see if this is correct. So print it as chars. And it's not correct. There's still this pattern. And if it had been correct, there would be more zeros in here. So I know why. We need to set the index again to 0. Otherwise, it will just use where I stopped the last time. Maybe this is working now. OK, there it is. Perfect. There's the DOS stub message. That means we can now unpack it.

OK, let's set it to 0 again so we don't forget. We need an output. So let's open decoded. And we want to append each byte in the loop. I know that this is not efficient, but this is throwaway code. And no one cares if the decoding takes a second longer or not. So we will just append byte by byte. Usually, if you write efficient code, it would be a whole buffer that you write to the file and not every single byte. OK, there's our, let's say, output. Let's see if that works. OK, and now we have our decoded file here. Let's check if everything worked fine. And now, of course, it will complain that it is used in another process and cannot be opened for reading. And that's why I always told you to close your streams. Now I close the stream, and now it works. And we see the unpacking was correct. And we have our unpacked file. Great.

OK, and that's it. And I think I had quite a couple of files like these. So spare yourself some work and do the easy thing first. Look in the hex editor for anything that looks like a DOS stub or an embedded file and then see what you can do without putting too much work into it. Because now, yeah, we decoded, we unpacked the file in a few minutes without opening up any debugger, without looking at any disassembled code. So that's awesome, right? OK, see you next time. Bye-bye.
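The same workflow as an added Python example, not the script typed in the video: the key is read off the zero-padding regions (most frequent byte per key position), the index wraps around at the end of the key, and the output is written as one buffer. The 5-byte key, the fake PE-like payload and the surrounding bytes are constructed here; the carve offsets stand in for what the hex editor shows.

```python
from collections import Counter

def guess_key_len(enc: bytes, max_len: int = 32) -> int:
    """Smallest period p at which enc[i] == enc[i+p] holds most often.
    Zero-heavy plaintext regions make the key period stand out."""
    n = len(enc)
    scores = {}
    for p in range(1, max_len + 1):
        hits = sum(1 for i in range(n - p) if enc[i] == enc[i + p])
        scores[p] = hits / (n - p)
    best = max(scores.values())
    return min(p for p, s in scores.items() if s >= 0.9 * best)

def recover_key(enc: bytes, key_len: int) -> bytes:
    """Per key position, the most frequent byte is key ^ 0 when zero bytes
    dominate the plaintext: the key as seen in the padding areas."""
    return bytes(Counter(enc[i::key_len]).most_common(1)[0][0]
                 for i in range(key_len))

def xor_decode(enc: bytes, key: bytes) -> bytes:
    # i % len(key) restarts at the first key byte after the last one.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(enc))

# Constructed sample (not the video's file): MZ header, DOS stub text and
# plenty of zero padding, XOR-encoded with a made-up key and wrapped in
# unrelated bytes the way an embedded payload sits inside a packed file.
SAMPLE_KEY = bytes([0x14, 0x35, 0x87, 0xF1, 0x5A])
PAYLOAD = (b"MZ\x90\x00\x03\x00" + b"\x00" * 58
           + b"This program cannot be run in DOS mode.\r\n"
           + b"\x00" * 200 + b"PE\x00\x00" + b"\x00" * 100)
ENCODED = xor_decode(PAYLOAD, SAMPLE_KEY)   # XOR is its own inverse
CONTAINER = b"LOADER STUB BYTES" + ENCODED + b"trailing junk"

def decode_embedded(container: bytes, start: int, end: int) -> bytes:
    """Carve the encoded region (offsets located in the hex editor),
    derive the key from it and decode it; returns the embedded file."""
    blob = container[start:end]
    key = recover_key(blob, guess_key_len(blob))
    return xor_decode(blob, key)

if __name__ == "__main__":
    start = len(b"LOADER STUB BYTES")
    out = decode_embedded(CONTAINER, start, start + len(ENCODED))
    print(out[:2], b"DOS mode" in out)
    with open("decoded.bin", "wb") as fh:   # one write, then the handle closes
        fh.write(out)
```

Trailing bytes after the carved region do not hurt, as noted in the video, but the carve must start exactly at the encoded MZ so the key phase lines up with offset 0 of the blob.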