Security Basics mailing list archives
RE: unpacking UPX or PE-packed binaries
From: "Dan Kelly" <dan () kelly9759 fsnet co uk>
Date: Thu, 29 Apr 2004 22:01:23 +0100
Karma wrote:

Hi List, Just interested in how AV R&D companies unpack worms with complex UPX and PE pack protocols. Been trying to dissect the recent Gaobot variants and getting nowhere with my generic UPX-unpacker. Since this is more and more commonly used, I thought I would be wise to consult the Lists. Cheers, Karma
Hello,

Unpacking UPX is a very easy task to achieve. You can either download UPX (upx.sourceforge.net) and unpack via the command line:

upx -d [exe filename]

Or, you can manually unpack using a debugger and memory dumper. I think in all versions of UPX you can trace until you reach code like:

0040CA7E popad <- set a breakpoint here, use memory dumper to dump to disk.
0040CA7F jmp 00401000 <- jump to the Original EntryPoint.

Once dumped you can fix the entrypoint to become 0040100. This address changes in almost every program you come across. If you use OllyDbg with any memory dumper plugins you can step over the jump back in to the "real" program code and dump there as well.

- Dan
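A worked example, added here and not part of Dan's or Karma's posts: a small PE header parser in Python that checks the two things Dan's manual procedure relies on, where the current entry point sits (inside the UPX1 stub section before unpacking) and how to rewrite AddressOfEntryPoint to the OEP seen at the jmp after dumping. The PE bytes are a constructed header-only sample built from the addresses in the post (0040CA7E stub, 00401000 OEP) with an assumed 0x400000 image base; nothing is read from disk.

```python
import struct
IMAGE_BASE = 0x400000
SECTION_HDR = "<8sIIII"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
def build_sample_pe(entry_rva, sections):
    """Construct a minimal PE32 header only (a constructed sample, not a real binary)."""
    e_lfanew, opt_size = 64, 224
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    table = b"".join(struct.pack(SECTION_HDR, n, vs, va, rs, raw) + b"\0" * 16
                     for n, va, vs, raw, rs in sections)
    return bytes(dos) + coff + bytes(opt) + table
def parse_pe(data):
    """Return (entry_rva, [(name, va, vsize, rawsize), ...]) from the PE headers."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    secs = []
    for i in range(nsec):
        n, vs, va, rs, _ = struct.unpack_from(SECTION_HDR, data, pe + 24 + opt_size + 40 * i)
        secs.append((n.rstrip(b"\0").decode(), va, vs, rs))
    return entry, secs
def section_for_rva(secs, rva):
    """Name of the section whose virtual range contains rva, or None."""
    return next((n for n, va, vs, _ in secs if va <= rva < va + vs), None)
def looks_upx_packed(data):
    """UPX-style layout: UPX0/UPX1 names, or an entry point outside an empty-on-disk first section."""
    entry, secs = parse_pe(data)
    names = [s[0] for s in secs]
    return "UPX0" in names or (secs[0][3] == 0 and section_for_rva(secs, entry) != names[0])
def set_entry_point(data, oep_va):
    """Rewrite AddressOfEntryPoint to the OEP at the jmp (Dan's 'fix the entrypoint' step)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    out = bytearray(data)
    struct.pack_into("<I", out, pe + 24 + 16, oep_va - IMAGE_BASE)
    return bytes(out)
# Constructed sample using the addresses from the post: stub entry at 0040CA7E, OEP 00401000.
SAMPLE = build_sample_pe(0x0040CA7E - IMAGE_BASE, [
    (b"UPX0", 0x1000, 0xB000, 0, 0),           # where unpacked code will land; empty on disk
    (b"UPX1", 0xC000, 0x1000, 0x400, 0x1000),  # compressed payload plus the decompression stub
    (b".rsrc", 0xD000, 0x1000, 0x1400, 0x1000),
])
```

A real memory dump also needs its section table realigned to the in-memory layout, which is what the dumper plugins Dan mentions take care of; this block covers only the entry-point step.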