At the end of our BlackHat presentation on which we unveiled our TitanEngine project we promised to keep supporting it and to publish one unpacker demo per week. And this was true since our first update release for TitanEngine contained quite a few samples.

But since the next update isn't all that close we will stick to our word and publish and blog about the samples ReversingLabs itself contributes. In that spirit we are revisiting the packer we created for mPack ages ago.
So why is mPack interesting? Just because we haven't yet published a source for unpacker that uses overlay to store the compressed file. Interested? Read on...

Ovelay is by definition a piece of data appended to the end of the PE file. In this case that appended data is a compressed executable which sounds logical since we know that mPack was written in Delphi as a proof of concept packer, and since overlay packing is the most simplest form of packing it was used here. The trouble with this is that the compression method weren't documented so we need to "guess" what kind of compression was used and how it was implemented. Which is the fun part of reverse engineering.

There are two things we can do here and we are going to use both approaches for both supported and known version of mPack. Firstly we can reverse the stub which decompresses the packed overlay and this is fairly easy. We can set a few breakpoints on CreateFileA and ReadFile to see when the overlay is read and then just trace until we find the algorithm in charge of decompression and just rip it so that it can be used to unpack compressed memory segment. When talking about mPack 0.2 you need to realize that compressed overlay is segmented and compressed by chunks of 0x1000 bytes of code. Each segment in the compressed overlay begins with the DWORD which tells you the size of the compressed segment. Therefore you need to keep decompressing and reconstructing the  file while that DWORD is greater then zero. Once all segments are unpacked you are done.

Second approach can be used and applied to mPack 0.3. This is a lazy man approach and that means no code tracing whatsoever. Like it? We did too. So what you want to do is just extract the overlay and take a look at the compressed overlay. Once again there is a DWORD before the compressed data. Since that DWORD is greater then the size of the overlay and its a nice and round number its safe to assume that that is the size of decompressed that. But what compression algorithm was used. First byte of the compressed overlay is 0x78, so one quick Google search and we get to this website which kindly points us to zlib compression. Yes, just that easy. No code tracing at all. But same info could be found if we got our hands dirty for a few seconds and did some file analysis.

Once the two are put together you come up with a nice unpacker which demonstrates how to use TitanEngine to write static unpackers, more specifically how to unpack packers which store compressed binaries inside overlay. And that is something we haven't shown in our samples which makes this a nice Monday exercise.

More News

log4j shell vulnerability graphic

Iran-backed APT actors utilize CVEs to carry out cyber attacks on critical infrastructure

Learn More about Iran-backed APT actors utilize CVEs to carry out cyber attacks on critical infrastructure
Iran-backed APT actors utilize CVEs to carry out cyber attacks on critical infrastructure

Spectra Assure Free Trial

Get your 14-day free trial of Spectra Assure for Software Supply Chain Security

Get Free TrialMore about Spectra Assure Free Trial
Blog
Events
About Us
Webinars
In the News
Careers
Demo Videos
Cybersecurity Glossary
Contact Us
reversinglabsReversingLabs: Home
Privacy PolicyCookiesImpressum
All rights reserved ReversingLabs © 2026
XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBlueskyRSSRSS
Back to Top
ReversingLabs: The More Powerful, Cost-Effective Alternative to VirusTotalSee Why
Skip to main content
Contact UsSupportLoginBlogCommunity
reversinglabs
ReversingLabs: Home
Solutions
Secure Software OnboardingSecure Build & ReleaseProtect Virtual MachinesIntegrate Safe Open SourceGo Beyond the SBOM
Increase Email Threat ResilienceDetect Malware in File Shares & StorageAdvanced Malware Analysis SuiteICAP Enabled Solutions
Scalable File AnalysisHigh-Fidelity Threat IntelligenceCurated Ransomware FeedAutomate Malware Analysis Workflows
Products & Technology
Spectra Assure®Software Supply Chain SecuritySpectra DetectHigh-Speed, High-Volume, Large File AnalysisSpectra AnalyzeIn-Depth Malware Analysis & Hunting for the SOCSpectra IntelligenceAuthoritative Reputation Data & Intelligence
Spectra CoreIntegrations
Industry
Energy & UtilitiesFinanceHealthcareHigh TechPublic Sector
Partners
Become a PartnerValue-Added PartnersTechnology PartnersMarketplacesOEM Partners
Alliances
Resources
BlogContent LibraryCybersecurity GlossaryConversingLabs PodcastEvents & WebinarsLearning with ReversingLabsWeekly Insights Newsletter
Customer StoriesDemo VideosDocumentationOpenSource YARA Rules
Company
About UsLeadershipCareersSeries B Investment
EventsRL at RSAC
Press ReleasesIn the News
Pricing
Software Supply Chain SecurityMalware Analysis and Threat Hunting
Request a demo
Menu