Downloading Unpacked File¶
Downloading unpacked files requires additional permissions. Please contact us for these permissions.
MAGIC provides a fully automated generic unpacking service. All uploaded files are automatically sent to this service. The unpacked file will be available for download once the service completes. See Uploading Files for how to upload a file for analysis and Querying Analysis Status for how to check if unpacking is complete.
The unpacked relationship is not a one-to-one relationship. A single packed file may have more than one unpacked version and an unpacked file can have multiple sources. The former case usually occurs when the same file is unpacked multiple times. Running the same file through the MAGIC unpacker multiple times may result in unpacked files with different SHA1 values. These unpacked files should be similar to each other, they just aren’t guaranteed to be exactly the same. The latter case, when an unpacked file has multiple sources, occurs when different packing mechanisms were used on the same payload. This results in multiple distinct packed files that when unpacked result in files with the same SHA1.
There are two
vbclient actions that are useful for downloading
unpacked files. The first action,
-a download, downloads the
unpacked version directly using either the SHA1 of the unpacked file or
the SHA1 of the original file. The second action,
-a map, creates a
csv that maps the SHA1 of the original, packed file to the SHA1 of the
unpacked version. This is useful when downloading multiple files at a
time, or when there is more than one unpacked version of a given file.
vbclient -a download SHA1 --enable_malware_download
-a download action of the MAGIC client will download the file
with SHA1 to the folder ./Results. If the SHA1 is of an original file,
the unpacked version of the file will automatically be downloaded and
placed in the same folder. All original, packed files will be named
SHA1 is of the original file. All unpacked files
will be named
UNP_SHA1 is the SHA1 of the
The download command downloads a number of additional files. The use of these additional files is deprecated and they will be removed in the future.
- vbclient -a map SHA1
-a map action will create the csv file
./Results/vb-srlUnpacker.map that maps the SHA1 of original, packed
files to the SHA1 of their unpacked version. Each row of the csv file is
of the format:
The map command creates a number of additional files. The use of these additional files is deprecated and they will be removed in the future.