Vulnerability Development: Re: unpacking UPX or PE-packed binaries

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

Re: unpacking UPX or PE-packed binaries

From: Henrik Bøgh <henrik.list () boegh net>
Date: Sat, 24 Apr 2004 10:34:22 +0200

On Friday 23 April 2004 04:25 Karma wrote to 
"Undisclosed-Recipient:;"@securityfocus.com:

[...]

Been trying to disect the recent Gaobot variants and getting no where with
my generic UPX-unpacker. Since this is more and more commonly used, I
thought I would be wise to consult the Lists.


In the case of at least one of the Gaobot's the UPX-header was (probably 
deliberately by the author) mangled after the binary was packed. This method 
"obfuscating" code has been seen before. If you could restore the original 
UPX-header unpacking the code should be trivial.

Karma


-- 
Venlig hilsen / Kind regards
Henrik Bøgh ( henrik.list () boegh net )
  "Hva' glor du på? Det' sgu'da bare en hammer mand!"
   -- Søren Pilmark som Grethe i 'Ørkenens sønner'

By Date By Thread

Current thread:

unpacking UPX or PE-packed binaries Karma (Apr 22)
- Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 23)
  - Re: unpacking UPX or PE-packed binaries Inode (Apr 26)
- Re: unpacking UPX or PE-packed binaries Blue Boar (Apr 23)
  - Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 26)
- Re: unpacking UPX or PE-packed binaries Henrik Bøgh (Apr 26)
- <Possible follow-ups>
- RE: unpacking UPX or PE-packed binaries Kayne Ian (Softlab) (Apr 23)
  - Re: unpacking UPX or PE-packed binaries Clint Bodungen (Apr 26)
    - Re: unpacking UPX or PE-packed binaries Gadi Evron (Apr 27)
    - Re: unpacking UPX or PE-packed binaries Clint Bodungen (Apr 27)
- Re: unpacking UPX or PE-packed binaries Suresh Ponnusami (Apr 27)