Vulnerability Development mailing list archives
RE: unpacking UPX or PE-packed binaries
From: "Kayne Ian (Softlab)" <Ian.Kayne () softlab co uk>
Date: Fri, 23 Apr 2004 12:17:11 +0100
Karma,

Softice and a bit of patience. At any point, a compressed exe must be uncompressed by the compressor stub so that it can be properly executed. The trick is to find the call that jumps from the stub to the actual worm code once unpacked. There are a lot of ways to do this, it's too long to document here. Suffice to say you need working knowledge of Softice and x86 asm. I'm sure someone else will post a url to a good tutorial (fravia is always a handy place to start for reverse engineering info). Once you've found the jmp, patch it in Softice to jmp to esi, putting the code into an infinite loop. Next, get a copy of procdump and save it out to disk. Hey presto, the worm code ready for you to investigate.

Hope that gives you somewhere to start.

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company
-----Original Message-----
From: Karma [mailto:steve () frij com]
Sent: 23 April 2004 03:26
To: "Undisclosed-Recipient:;"@securityfocus.com
Subject: unpacking UPX or PE-packed binaries

Hi List,

Just interested in how AV R&D companies unpack worms with complex UPX and PE pack protocols. Been trying to dissect the recent Gaobot variants and getting nowhere with my generic UPX-unpacker. Since this is more and more commonly used, I thought I would be wise to consult the Lists.

Cheers,
Karma
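The step Ian describes, locating the jump from the packer stub to the unpacked code, can be illustrated statically for a stock UPX stub. The following Python is an added example, not code from the list or from UPX: it assumes the default UPX layout (an empty UPX0 section reserved for the unpacked code, a UPX1 section holding the packed data and the stub, and a stub tail of `popad; jmp rel32`), builds a constructed toy PE32 with that layout, and reports the jump target as the candidate original entry point. Against a modified or non-UPX packer this heuristic finds nothing, which is exactly why the thread falls back to a debugger.

```python
import struct

# Constructed sample: a minimal PE32 laid out like UPX output (UPX0 is the empty
# virtual slot for the unpacked code, UPX1 holds packed data plus the stub).
def build_sample_pe(oep=0x1234):
    stub = b"\x60" + b"\x90" * 6 + b"\x61"                  # pushad ... popad
    stub += b"\xE9" + struct.pack("<i", oep - (0x6000 + len(stub) + 5)) + b"\x00" * 8
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0x1000, 0, 0, 0x6000, 0x6000, 0x1000)
    opt += b"\x00" * (0xE0 - len(opt))                     # AddressOfEntryPoint = 0x6000
    sec = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x5000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    sec += struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x6000, len(stub), 0x200, 0, 0, 0, 0, 0xE0000040)
    hdr = dos + coff + opt + sec
    return hdr + b"\x00" * (0x200 - len(hdr)) + stub

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]     # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]   # AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, e_lfanew + 24 + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize))
    return entry, secs

def find_upx_oep(data):
    """If the entry point lies in UPX1, scan the stub for 'popad; jmp rel32'
    (61 E9 xx xx xx xx) and return the jump target when it lands in UPX0."""
    entry, secs = parse_pe(data)
    by_name = {s[0]: s for s in secs}
    if "UPX0" not in by_name or "UPX1" not in by_name:
        return None                                   # not the stock UPX layout
    _, va1, vsize1, rptr1, rsize1 = by_name["UPX1"]
    _, va0, vsize0, _, _ = by_name["UPX0"]
    if not va1 <= entry < va1 + vsize1:
        return None                                   # stub is not where UPX puts it
    stub = data[rptr1:rptr1 + rsize1]
    pos = stub.find(b"\x61\xE9")
    while pos != -1 and pos + 6 <= len(stub):
        rel = struct.unpack_from("<i", stub, pos + 2)[0]
        target = (va1 + pos + 1 + 5 + rel) & 0xFFFFFFFF   # jmp is at pos+1, 5 bytes long
        if va0 <= target < va0 + vsize0:
            return target                             # candidate original entry point
        pos = stub.find(b"\x61\xE9", pos + 1)
    return None
```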
Current thread:
- unpacking UPX or PE-packed binaries Karma (Apr 22)
- Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 23)
- Re: unpacking UPX or PE-packed binaries Inode (Apr 26)
- Re: unpacking UPX or PE-packed binaries Blue Boar (Apr 23)
- Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 26)
- Re: unpacking UPX or PE-packed binaries Henrik Bøgh (Apr 26)
- <Possible follow-ups>
- RE: unpacking UPX or PE-packed binaries Kayne Ian (Softlab) (Apr 23)
- Re: unpacking UPX or PE-packed binaries Clint Bodungen (Apr 26)
- Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 27)
- Re: unpacking UPX or PE-packed binaries Clint Bodungen (Apr 27)
- Re: unpacking UPX or PE-packed binaries Clint Bodungen (Apr 26)
- Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 23)
- Re: unpacking UPX or PE-packed binaries Suresh Ponnusami (Apr 27)