# UnSafengine64: A Safengine Unpacker for 64-Bit Windows Environments and Detailed Analysis Results on Safengine 2.4.0

**Authors:** Seokwoo Choi, Taejoo Chang, Yongsu Park

PMC · DOI: 10.3390/s24030840 · Sensors (Basel, Switzerland) · 2024-01-27

## TL;DR

This paper introduces UnSafengine64, a tool to unpack and analyze malware protected by the Safengine packer on 64-bit Windows.

## Contribution

UnSafengine64 is, to the authors' knowledge, the first published unpacker and analysis of Safengine 2.4.0; it is built as a Pin plug-in and is used to document the packer's anti-reversing techniques (code encryption, anti-debugging, code virtualization) in detail.

## Key findings

- UnSafengine64 correctly executes executables packed with Safengine 2.4.0 and produces an unpacked version of each.
- The tool identifies anti-debugging code chunks, resolves obfuscated calls to major API functions, supports instruction-level tracing, and captures a memory dump of the target process.
- Detect It Easy (DIE), IDA Pro, x64Dbg, and x64Unpack are used alongside it for deeper manual analysis of the dumped binary.

## Abstract

Despite recent remarkable advances in binary code analysis, malware developers still use complex anti-reversing techniques that make analysis difficult. Packers, which are (often commercial) tools that bundle diverse anti-reversing techniques such as code encryption, anti-debugging, and code virtualization, are used to protect malware. In this study, we present UnSafengine64: a Safengine unpacker for 64-bit Windows. UnSafengine64 can correctly unpack executables packed with Safengine, which is considered one of the most complex commercial packers in Windows environments; to the best of our knowledge, no analysis results for it have been published. UnSafengine64 was developed as a plug-in for Pin, one of the most widely used dynamic binary instrumentation frameworks on Microsoft Windows. In addition, we used Detect It Easy (DIE), IDA Pro, x64Dbg, and x64Unpack as auxiliary tools for deeper analysis. Using UnSafengine64, we can analyze obfuscated calls to major application programming interface (API) functions or conduct fine-grained analyses at the instruction level. Furthermore, UnSafengine64 detects anti-debugging code chunks, captures a memory dump of the target process, and unpacks packed files. To verify the effectiveness of our scheme, experiments were conducted using Safengine 2.4.0. The experimental results show that UnSafengine64 correctly executes packed executable files and successfully produces an unpacked version. Based on this, we provide detailed analysis results for the obfuscated executable file generated using Safengine 2.4.0.
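The abstract lists what a DBI-based unpacker does at the instruction level (spot anti-debugging code, log debugger-related API calls, take a memory dump once unpacked code runs) without showing the mechanics. The following is an added example, not code from the paper or from UnSafengine64: it simulates a Pintool's instruction callback over a constructed trace, applying the generic write-then-execute heuristic (execution landing on a page the process itself wrote is treated as the original entry point and triggers the dump) and flagging common anti-debugging instructions. The addresses, the PEB base, the `Event` shape and the trace are all hypothetical; a real Pintool would get the same information from `INS_AddInstrumentFunction`, `INS_IsMemoryWrite` and routine-name resolution on the live process.

```python
"""
Write-then-execute OEP detection plus anti-debugging spotting over an
instruction trace.  Added example (not the paper's code): it models what a
DBI-based unpacker such as a Pintool does per instruction, on a constructed
trace rather than a live process.  All addresses and the trace are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PAGE = 0x1000
PAGE_MASK = ~(PAGE - 1)

# Offsets inside the 64-bit PEB that anti-debugging code commonly reads.
PEB_BEING_DEBUGGED = 0x002
PEB_NT_GLOBAL_FLAG = 0x0BC

# API functions whose (possibly obfuscated) calls an unpacker wants to log.
DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
              "NtQueryInformationProcess"}


@dataclass
class Event:
    """One executed instruction as a DBI tool would observe it (assumed shape)."""
    ip: int
    mnemonic: str
    read: Optional[int] = None        # memory address read, if any
    write: Optional[int] = None       # memory address written, if any
    value: int = 0                    # byte value written (one byte per event)
    target: Optional[str] = None      # resolved name of a call target, if any


class Tracer:
    def __init__(self, peb_base: int):
        self.peb_base = peb_base
        self.memory: Dict[int, int] = {}      # addr -> byte, as written by the stub
        self.written_pages: Set[int] = set()
        self.anti_debug: List[Tuple[int, str]] = []
        self.oep: Optional[int] = None
        self.dump: Optional[Dict[int, bytes]] = None

    def classify(self, ev: Event) -> Optional[str]:
        """Return a label if the instruction looks like an anti-debugging check."""
        if ev.mnemonic == "rdtsc":
            return "rdtsc timing check"
        if ev.mnemonic == "int 2d":
            return "int 2d debugger trap"
        if ev.read == self.peb_base + PEB_BEING_DEBUGGED:
            return "PEB.BeingDebugged read"
        if ev.read == self.peb_base + PEB_NT_GLOBAL_FLAG:
            return "PEB.NtGlobalFlag read"
        if ev.mnemonic == "call" and ev.target in DEBUG_APIS:
            return f"call to {ev.target}"
        return None

    def snapshot(self) -> Dict[int, bytes]:
        """Dump every page the process wrote, page-aligned, as an unpacker would."""
        return {page: bytes(self.memory.get(page + i, 0) for i in range(PAGE))
                for page in sorted(self.written_pages)}

    def on_instruction(self, ev: Event) -> None:
        # 1. Execution landing on a page this process wrote earlier is the
        #    classic signal that control reached unpacked code: treat the first
        #    such instruction as the OEP candidate and take the memory dump.
        if self.oep is None and (ev.ip & PAGE_MASK) in self.written_pages:
            self.oep = ev.ip
            self.dump = self.snapshot()
        # 2. Log anti-debugging instructions and debugger-related API calls.
        label = self.classify(ev)
        if label:
            self.anti_debug.append((ev.ip, label))
        # 3. Record memory writes so later execution can be matched against them.
        if ev.write is not None:
            self.memory[ev.write] = ev.value
            self.written_pages.add(ev.write & PAGE_MASK)


def run_demo() -> Tracer:
    """Constructed trace: a stub probes for a debugger, writes the real code
    into a data page, then jumps to it.  Addresses are hypothetical."""
    stub, payload, peb = 0x140001000, 0x140020000, 0x7FF7C0000000
    payload_bytes = b"\x48\x83\xec\x28"           # sub rsp, 0x28 (typical x64 prologue)
    trace = [
        Event(stub + 0x00, "rdtsc"),
        Event(stub + 0x02, "mov rax, gs:[0x60]"),                       # TEB -> PEB
        Event(stub + 0x0B, "movzx eax, byte ptr [rax+2]", read=peb + PEB_BEING_DEBUGGED),
        Event(stub + 0x0F, "call", target="IsDebuggerPresent"),
    ]
    trace += [Event(stub + 0x20 + i, f"mov byte ptr [rdi+{i}], {b:#x}",
                    write=payload + i, value=b)
              for i, b in enumerate(payload_bytes)]
    trace += [Event(stub + 0x40, "jmp rdi"),
              Event(payload, "sub rsp, 0x28"),
              Event(payload + 4, "mov rcx, rdx")]
    tracer = Tracer(peb_base=peb)
    for ev in trace:
        tracer.on_instruction(ev)
    return tracer


if __name__ == "__main__":
    t = run_demo()
    print(f"OEP candidate: {t.oep:#x}")
    for ip, label in t.anti_debug:
        print(f"  anti-debug @ {ip:#x}: {label}")
    print(f"dumped pages: {[hex(p) for p in t.dump]}")
```

Two caveats a practitioner would keep in mind: a multi-layer packer writes and executes several times, so a real tool records every written-then-executed transition rather than stopping at the first, and a packer that virtualizes code (as the abstract says Safengine does) never lays the original instructions back in memory, so the dump is only the starting point for the manual analysis the paper does with IDA Pro and x64Dbg.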

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/PMC10857144/full.md

## Figures

16 figures with captions in the complete paper: https://tomesphere.com/paper/PMC10857144/full.md

## References

38 references — full list in the complete paper: https://tomesphere.com/paper/PMC10857144/full.md

---
Source: https://tomesphere.com/paper/PMC10857144