Vulnerability Development: Re: unpacking UPX or PE-packed binaries

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

Re: unpacking UPX or PE-packed binaries

From: Blue Boar <BlueBoar () thievco com>
Date: Thu, 22 Apr 2004 21:11:18 -0700

Karma wrote:

Just interested in how AV R&D companies unpack worms with complex UPX and PE
pack protocols.

The modified UPX packing is a pretty small change usually. Compare onewith a standard UPX header for the same version. There are a variety ofunpackers out there. Take a look at the X86emu work by Chris Eagle for aninteresting direction that unpackers might be taking:

http://ida-x86emu.sourceforge.net/

Worst case, you've always got the option to carefully step through it witha debugger to the point where it's unpacked. You may have to deal with afew anti-debugger tricks along the way, and once you've got a few unpackedsegments, you'll probably have to manually put the import table backtogether, but it's doable. I like Ollydbg for this kind of thing:

http://home.t-online.de/home/Ollydbg/

Just take care that you're running in a sandbox of some kind, in case youstep too far, or accidentally press the "run" key.

BB

By Date By Thread

Current thread:

unpacking UPX or PE-packed binaries Karma (Apr 22)
- Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 23)
  - Re: unpacking UPX or PE-packed binaries Inode (Apr 26)
- Re: unpacking UPX or PE-packed binaries Blue Boar (Apr 23)
  - Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 26)
- Re: unpacking UPX or PE-packed binaries Henrik Bøgh (Apr 26)
- <Possible follow-ups>
- RE: unpacking UPX or PE-packed binaries Kayne Ian (Softlab) (Apr 23)
  - Re: unpacking UPX or PE-packed binaries Clint Bodungen (Apr 26)
    - Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 27)