Downloading Unpacked File

Note

Downloading unpacked files requires additional permissions. Please contact us for these permissions.

MAGIC provides a fully automated generic unpacking service. All uploaded files are automatically sent to this service. The unpacked file will be available for download once the service completes. See Uploading Files for how to upload a file for analysis and Querying Analysis Status for how to check if unpacking is complete.

The unpacked relationship is not a one-to-one relationship. A single packed file may have more than one unpacked version, and an unpacked file can have multiple sources. The former case usually occurs when the same file is unpacked multiple times. Running the same file through the MAGIC unpacker multiple times may result in unpacked files with different SHA1 values. These unpacked files should be similar to each other, but they are not guaranteed to be exactly the same. The latter case, when an unpacked file has multiple sources, occurs when different packing mechanisms were used on the same payload. This results in multiple distinct packed files that, when unpacked, result in files with the same SHA1.

API Endpoints

GET /download/(api_key)/(sha1)

Download the unpacked file with SHA1 of (sha1). See Querying Analysis Status for how to get the SHA1 of an unpacked file.

CLI Commands

There are two vbclient actions that are useful for downloading unpacked files. The first action, -a download, downloads the unpacked version directly using either the SHA1 of the unpacked file or the SHA1 of the original file. The second action, -a map, creates a CSV file that maps the SHA1 of the original, packed file to the SHA1 of the unpacked version. This is useful when downloading multiple files at a time, or when there is more than one unpacked version of a given file.

vbclient -a download SHA1 --enable_malware_download

The -a download action of the MAGIC client will download the file with the given SHA1 to the folder ./Results. If the SHA1 is of an original file, the unpacked version of the file will automatically be downloaded and placed in the same folder. All original, packed files will be named SHA1.exe, where SHA1 is the SHA1 of the original file. All unpacked files will be named UNP_SHA1.unp.exe, where UNP_SHA1 is the SHA1 of the unpacked file.

Warning

The download command downloads a number of additional files. The use of these additional files is deprecated and they will be removed in the future.

vbclient -a map SHA1

The -a map action will create the CSV file ./Results/vb-srlUnpacker.map that maps the SHA1 of original, packed files to the SHA1 of their unpacked version. Each row of the CSV file is of the format:

original_file_sha1,packed_file_sha1

Warning

The map command creates a number of additional files. The use of these additional files is deprecated and they will be removed in the future.
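
The following is an added example, not part of the MAGIC client or its documentation: it indexes the map file in both directions to expose the many-to-many relationship described above, and checks that each file in a results folder hashes to the SHA1 in its name. The function names and sample data are constructed for illustration, and the second column of each row is assumed to hold the unpacked file's SHA1, as the description of the map action states.

```python
import csv
import hashlib
import io
import tempfile
from collections import defaultdict
from pathlib import Path

def load_map(text):
    """Index map rows (original SHA1, unpacked SHA1) in both directions."""
    to_unpacked, to_sources = defaultdict(set), defaultdict(set)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2:
            continue  # skip blank or malformed rows
        original, unpacked = (value.strip().lower() for value in row)
        to_unpacked[original].add(unpacked)
        to_sources[unpacked].add(original)
    return dict(to_unpacked), dict(to_sources)

def mismatched_files(results_dir):
    """Names of SHA1.exe / UNP_SHA1.unp.exe files whose content hash differs from the name."""
    bad = []
    for path in sorted(Path(results_dir).glob("*.exe")):
        claimed = path.name.split(".")[0].lower()
        if hashlib.sha1(path.read_bytes()).hexdigest() != claimed:
            bad.append(path.name)
    return bad

def demo():
    """Constructed data: packed_a unpacks two ways; packed_a and packed_b share unp_1."""
    data = {n: n.encode() for n in ("packed_a", "packed_b", "unp_1", "unp_2")}
    sha = {n: hashlib.sha1(b).hexdigest() for n, b in data.items()}
    rows = [("packed_a", "unp_1"), ("packed_a", "unp_2"), ("packed_b", "unp_1")]
    map_text = "".join(f"{sha[o]},{sha[u]}\n" for o, u in rows)
    with tempfile.TemporaryDirectory() as tmp:
        results = Path(tmp)  # stands in for ./Results
        (results / f"{sha['packed_a']}.exe").write_bytes(data["packed_a"])
        (results / f"{sha['unp_1']}.unp.exe").write_bytes(data["unp_1"])
        # Simulate a truncated download: the name says unp_2, the content does not.
        (results / f"{sha['unp_2']}.unp.exe").write_bytes(b"truncated")
        bad = mismatched_files(results)
    to_unpacked, to_sources = load_map(map_text)
    return sha, to_unpacked, to_sources, bad

if __name__ == "__main__":
    sha, to_unpacked, to_sources, bad = demo()
    print("unpacked versions of packed_a:", len(to_unpacked[sha["packed_a"]]))
    print("sources of unp_1:", len(to_sources[sha["unp_1"]]))
    print("hash mismatches:", bad)
```

The files are only read and hashed, never executed, so the check can run on the same isolated analysis host that holds the downloaded samples.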