Vulnerability Development mailing list archives
Re: unpacking UPX or PE-packed binaries
From: "Clint Bodungen" <clint () secureconsulting com>
Date: Fri, 23 Apr 2004 17:03:24 -0500
http://www.nostarch.com/frameset.php?startat=crackproof <~~~~ good softice tutorial

http://www.amazon.com/exec/obidos/tg/detail/-/1931769222/103-6041023-9422268?v=glance <~~~~~ in case any readers here need a bare bones asm tutorial concerning disassembly... it's cheesy though if you already have a solid understanding of asm.

----- Original Message -----
From: "Kayne Ian (Softlab)" <Ian.Kayne () softlab co uk>
To: "Karma" <steve () frij com>; "VulnDev" <vuln-dev () securityfocus com>
Sent: Friday, April 23, 2004 6:17 AM
Subject: RE: unpacking UPX or PE-packed binaries
Karma,

Softice and a bit of patience. At any point, a compressed exe must be uncompressed by the compressor stub so that it can be properly executed. The trick is to find the call that jumps from the stub to the actual worm code once unpacked. There are a lot of ways to do this; it's too long to document here. Suffice to say you need working knowledge of Softice and x86 asm. I'm sure someone else will post a url to a good tutorial (fravia is always a handy place to start for reverse engineering info).

Once you've found the jmp, patch it in Softice to jmp to esi, putting the code into an infinite loop. Next, get a copy of procdump and save it out to disk. Hey presto, the worm code ready for you to investigate.

Hope that gives you somewhere to start.

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company

-----Original Message-----
From: Karma [mailto:steve () frij com]
Sent: 23 April 2004 03:26
To: "Undisclosed-Recipient:;"@securityfocus.com
Subject: unpacking UPX or PE-packed binaries

Hi List,

Just interested in how AV R&D companies unpack worms with complex UPX and PE pack protocols. Been trying to dissect the recent Gaobot variants and getting nowhere with my generic UPX-unpacker. Since this is more and more commonly used, I thought I would be wise to consult the Lists.

Cheers,
Karma
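Ian's description rests on a structural fact about packed PE files: the on-disk image carries a small decompression stub plus a high-entropy blob, and the section the stub unpacks into is empty on disk, so the entry point sits in the stub rather than in the first code section. Those same facts are what a triage tool checks before anyone reaches for Softice. The script below is an added example written for this archive page, not code from any poster in the thread; it parses the PE header and section table with the standard library only and reports the usual packer indicators. The two sample images are constructed in the script itself (minimal PE32 headers with fake section data), and the 7.0 bits/byte entropy threshold is an assumption chosen for illustration.

```python
import math
import struct


def _shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted data, typically 4-6 for code."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read just enough of a PE32/PE32+ image to get the entry point and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    sections = []
    off = opt + opt_size                                  # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "entropy": _shannon_entropy(raw)})
        off += 40
    return {"entry": entry, "sections": sections}


def packer_indicators(data: bytes) -> list:
    """Return human-readable reasons to suspect a packed image (empty list = nothing found)."""
    pe = parse_pe(data)
    secs = pe["sections"]
    hits = []
    names = [s["name"] for s in secs]
    if any(n.startswith("UPX") for n in names):
        hits.append("UPX section names: " + ", ".join(names))

    def section_of(rva):
        for s in secs:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
                return s
        return None

    ep_sec = section_of(pe["entry"])
    if ep_sec is None:
        hits.append("entry point 0x%x outside every section" % pe["entry"])
    elif secs and ep_sec is not secs[0]:
        hits.append("entry point in %s, not the first section" % ep_sec["name"])
    for s in secs:
        if s["raw_size"] == 0 and s["vsize"] >= 0x1000:
            hits.append("%s has no raw data but 0x%x bytes virtual size (unpack target)"
                        % (s["name"], s["vsize"]))
        if s["raw_size"] and s["entropy"] > 7.0:        # assumed threshold for "compressed"
            hits.append("%s entropy %.2f bits/byte (compressed payload)"
                        % (s["name"], s["entropy"]))
    return hits


def _lcg_bytes(n: int, seed: int = 12345) -> bytes:
    """Deterministic pseudo-random filler standing in for compressed data (constructed)."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def build_sample_pe(sections, entry_rva: int) -> bytes:
    """Construct a minimal PE32 image for testing; sections is [(name, va, vsize, raw_bytes)]."""
    e_lfanew, opt_size = 0x80, 0xE0
    opt = e_lfanew + 24
    sec_table = opt + opt_size
    raw_start = (sec_table + 40 * len(sections) + 0x1FF) & ~0x1FF   # 512-byte file alignment
    img = bytearray(raw_start)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    struct.pack_into("<H", img, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", img, opt + 16, entry_rva)   # AddressOfEntryPoint
    ptr, off = raw_start, sec_table
    for name, va, vsize, raw in sections:
        struct.pack_into("<8sIIII", img, off, name.encode().ljust(8, b"\0"),
                         vsize, va, len(raw), ptr if raw else 0)
        off += 40
        img += raw
        ptr += len(raw)
    return bytes(img)


# Constructed samples: a UPX-style layout and a plain compiler-style layout.
PACKED_SAMPLE = build_sample_pe(
    [("UPX0", 0x1000, 0x10000, b""),                    # empty on disk, filled by the stub at run time
     ("UPX1", 0x11000, 0x2000, _lcg_bytes(0x1000)),     # "compressed" body plus stub
     (".rsrc", 0x13000, 0x200, b"\0" * 0x200)],
    entry_rva=0x11000 + 0xF00)                          # entry point lands in the stub section
CLEAN_SAMPLE = build_sample_pe(
    [(".text", 0x1000, 0x400, bytes(range(64)) * 16),   # low-entropy "code"
     (".data", 0x2000, 0x100, b"\0" * 0x100)],
    entry_rva=0x1000 + 0x10)

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, packer_indicators(img) or ["no packer indicators"])
```

Run against a real file, `packer_indicators(open(path, "rb").read())` gives the same four kinds of hit for an ordinary UPX build: the UPX0/UPX1 names, an entry point in the last code section, a first section with zero raw size, and a near-8.0 entropy body. Renamed sections defeat the first check, which is why the entry-point and entropy checks are worth keeping alongside it.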
Current thread:
- unpacking UPX or PE-packed binaries Karma (Apr 22)
- Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 23)
- Re: unpacking UPX or PE-packed binaries Inode (Apr 26)
- Re: unpacking UPX or PE-packed binaries Blue Boar (Apr 23)
- Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 26)
- Re: unpacking UPX or PE-packed binaries Henrik Bøgh (Apr 26)
- <Possible follow-ups>
- RE: unpacking UPX or PE-packed binaries Kayne Ian (Softlab) (Apr 23)
- Re: unpacking UPX or PE-packed binaries Clint Bodungen (Apr 26)
- Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 27)
- Re: unpacking UPX or PE-packed binaries Clint Bodungen (Apr 27)
- Re: unpacking UPX or PE-packed binaries Clint Bodungen (Apr 26)
- Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 23)
- Re: unpacking UPX or PE-packed binaries Suresh Ponnusami (Apr 27)