Security Basics mailing list archives

RE: unpacking UPX or PE-packed binaries


From: "Dan Kelly" <dan () kelly9759 fsnet co uk>
Date: Thu, 29 Apr 2004 22:01:23 +0100

Karma wrote:

Hi List,

Just interested in how AV R&D companies unpack worms with complex UPX and
PE pack protocols.

Been trying to dissect the recent Gaobot variants and getting nowhere with
my generic UPX-unpacker. Since this is more and more commonly used, I
thought I would be wise to consult the Lists.

Cheers,

Karma


Hello,


Unpacking UPX is a very easy task to achieve. You can either download UPX
(upx.sourceforge.net) and unpack via the command line:

   upx -d [exe filename]


Or, you can manually unpack using a debugger and memory dumper. I think in
all versions of UPX you can trace until you reach code like:


  0040CA7E popad               <- set a breakpoint here, use memory dumper to dump to disk.
  0040CA7F jmp     00401000    <- jump to the Original EntryPoint.


Once dumped you can fix the entrypoint to become 00401000. This address
changes in almost every program you come across.
If you use OllyDbg with any memory dumper plugins you can step over the jump
back into the "real" program code and dump there as well.

- Dan
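The two header checks implied by Dan's reply (is the entry point sitting in a UPX stub section, and rewriting AddressOfEntryPoint to the OEP once the image has been dumped) in a small self-contained script. This is an added example, not code from Dan, Karma or the UPX project. It assumes a PE32 image with the default UPX0/UPX1 section names (those names are a convention of unmodified UPX builds and can be renamed, so treat the "looks packed" result as a hint, not proof), and the sample header is constructed inline so the script runs without a real binary: image base 0x400000, stub entry at RVA 0xCA7E, OEP at RVA 0x1000, matching the addresses quoted in the post.

```python
import struct

# Layout constants for a PE32 file (assumption: 32-bit image, as in the
# 0040xxxx addresses quoted in the post).
SECTION_HDR_SIZE = 40
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # default names written by UPX


def section_for_rva(sections, rva):
    """Return the section header whose virtual range contains rva, or None."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s
    return None


def parse_pe(data: bytes) -> dict:
    """Read entry point, image base and the section table from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:            # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:          # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    sections = []
    for i in range(n_sections):
        off = opt + opt_size + i * SECTION_HDR_SIZE
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": raw_size,
                         "raw_ptr": raw_ptr})
    ep_section = section_for_rva(sections, entry_rva)
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections,
            "entry_section": ep_section["name"] if ep_section else None}


def looks_upx_packed(info: dict) -> bool:
    """Heuristic: default UPX section names are present and the entry point is in a
    UPX section other than UPX0 (UPX0 is the empty section the stub unpacks into)."""
    names = {s["name"] for s in info["sections"]}
    return bool(names & UPX_SECTION_NAMES) and info["entry_section"] in (UPX_SECTION_NAMES - {b"UPX0"})


def set_entry_point(data: bytes, new_rva: int) -> bytes:
    """Return a copy with AddressOfEntryPoint rewritten to new_rva: the
    "fix the entrypoint" step applied to a dumped image."""
    out = bytearray(data)
    e_lfanew = struct.unpack_from("<I", out, 0x3C)[0]
    struct.pack_into("<I", out, e_lfanew + 4 + 20 + 16, new_rva)
    return bytes(out)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header (no code, headers only) shaped like a
    default UPX-packed file: UPX0 empty on disk, entry point inside UPX1."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0xCA7E)                  # AddressOfEntryPoint (stub)
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    hdrs = [
        # name,    vsize,  vaddr,  raw size, raw ptr, characteristics
        (b"UPX0",  0xB000, 0x1000, 0x0000,   0x400,   0xE0000080),
        (b"UPX1",  0x1000, 0xC000, 0x1000,   0x400,   0xE0000040),
        (b".rsrc", 0x1000, 0xD000, 0x1000,   0x1400,  0xC0000040),
    ]
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in hdrs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print("entry VA 0x%08X in %s, looks UPX-packed: %s" % (
        info["image_base"] + info["entry_rva"], info["entry_section"].decode(), looks_upx_packed(info)))
    fixed = parse_pe(set_entry_point(sample, 0x1000))       # OEP from the post: 00401000
    print("after fix: entry VA 0x%08X in %s" % (
        fixed["image_base"] + fixed["entry_rva"], fixed["entry_section"].decode()))
```

Pointing the script at a real file is a matter of replacing `build_sample_pe()` with `open(path, "rb").read()`. Note that rewriting the entry point is only the header part of the job Dan describes: a dump taken at the `popad` still has to be written out with the sections as they sit in memory, and anything the stub resolved at run time (imports in particular) is not repaired by this script.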

