Home page logo

basics logo Security Basics mailing list archives

RE: unpacking UPX or PE-packed binaries
From: "Dan Kelly" <dan () kelly9759 fsnet co uk>
Date: Thu, 29 Apr 2004 22:01:23 +0100

Karma wrote:

Hi List,

Just interested in how AV R&D companies unpack worms with complex UPX and
pack protocols.

Been trying to disect the recent Gaobot variants and getting no where with
my generic UPX-unpacker. Since this is more and more commonly used, I
thought I would be wise to consult the Lists.




Unpacking UPX is a very easy task to achieve. You can either download UPX
(upx.sourceforge.net) and unpack via the command line:

   upx -d [exe filename]

Or, you can manually unpack using a debugger and memory dumper. I think in
all versions of UPX you can trace until you reach code like:

  0040CA7E popad               <- set a breakpoint here, use memory dumper
to dump to disk.
  0040CA7F jmp     00401000    <- jump to the Original EntryPoint.

Once dumped you can fix the entrypoint to become 0040100. This address
changes in almost every program you come across.
If you use OllyDbg with any memory dumper plugins you can step over the jump
back in to the "real" program code and dump there aswell.

- Dan

Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]