
Thread: Unpacking UPX-packed exes

  1. #1
    peter
    Guest

    Unpacking UPX-packed exes

    I'm not sure where to post this, as it's a question regarding the SoftICE Symbol Loader and manual unpacking.

    Here's my problem: I am trying to manually unpack a UPX-packed exe, but when I try to load the module into the SoftICE Symbol Loader I get a message saying "problem translating module, load module anyway?". So I load the module, and SoftICE doesn't break. I have edited the PE characteristics of the UPX0 section from E000080 to E000020, as it says in all the tutorials I have read, but the Symbol Loader still won't load the exe.

    So my question is: is it a fault with my Symbol Loader, or am I doing something wrong? I have followed every tutorial I can find on the subject, but still no joy. Also, could anyone tell me useful breakpoints to use in SoftICE to find the OEP in UPX-packed exes? Thanks in advance.

    I am using SoftICE Driver Suite v2.7 on Windows XP Home Edition SP1.
    Thanks again.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Nebob
    Guest
    upx -d yourfile.exe

  3. #3
    Either that, or, if the header is mangled, use OllyDbg (freeware) and search for the jump. It shouldn't take more than 5 minutes to unpack and have it working. No need to use SoftICE on something as simple as UPX.
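    The "search for the jump" step from the post above, as an added example that is not part of the original thread or of any tool mentioned in it: a Python scan over a section image for the tail of the classic UPX i386 stub, `popad` followed by `jmp OEP` (E9 rel32), with the sanity check that the resolved target leaves the stub section (UPX1) for the section the decompressed code is written to (UPX0). The section RVAs and sizes, the OEP value, the decoy jump and the stub bytes are all constructed here for illustration; none of them come from a real binary, and the `max_gap` allowance between `popad` and the `jmp` is an assumption made for this example.

```python
"""Added example: find the OEP of a classic UPX-packed i386 PE by scanning
the UPX1 section for the stub's tail, `popad` followed by `jmp rel32`, and
resolving the jump target. Section RVAs, sizes, OEP and stub bytes are all
constructed here for illustration; none of them come from a real binary."""

POPAD, JMP_REL32 = 0x61, 0xE9
UPX0_RVA, UPX0_SIZE = 0x1000, 0x6000   # assumed layout of the sample
UPX1_RVA, UPX1_SIZE = 0x7000, 0x2000
OEP_RVA = 0x1234                       # assumed original entry point, inside UPX0


def tail_jump_candidates(body, body_rva, max_gap=8):
    """Yield (jmp_rva, target_rva) for every `popad` that is followed within
    max_gap bytes by an E9 rel32. The gap is an assumption made here so that
    a stack adjustment between popad and the jmp does not hide the tail."""
    for i, byte in enumerate(body):
        if byte != POPAD:
            continue
        for j in range(i + 1, min(i + 1 + max_gap, len(body) - 4)):
            if body[j] == JMP_REL32:
                rel = int.from_bytes(body[j + 1:j + 5], "little", signed=True)
                jmp_rva = body_rva + j
                yield jmp_rva, (jmp_rva + 5 + rel) & 0xFFFFFFFF
                break


def find_oep(sections, stub="UPX1"):
    """sections maps name -> (rva, virtual size, bytes). Return the first
    candidate whose target leaves the stub section for another section; that
    is how a stray `popad; jmp` byte pattern inside compressed data is told
    apart from the real tail: the unpacked code lives in UPX0, the stub in UPX1."""
    rva, _, body = sections[stub]
    for jmp_rva, target in tail_jump_candidates(body, rva):
        for name, (s_rva, s_size, _) in sections.items():
            if name != stub and s_rva <= target < s_rva + s_size:
                return jmp_rva, target
    return None


def sample_sections():
    """Constructed UPX1 image: NOP filler, a decoy popad/jmp whose target stays
    inside UPX1, and the real `popad; jmp OEP` near the end of the section."""
    body = bytearray(b"\x90" * 0x1B00)
    body[0x100:0x106] = bytes([POPAD, JMP_REL32]) + (0x10).to_bytes(4, "little")
    jmp_rva = UPX1_RVA + 0x1A61
    rel = (OEP_RVA - (jmp_rva + 5)) & 0xFFFFFFFF
    body[0x1A60:0x1A66] = bytes([POPAD, JMP_REL32]) + rel.to_bytes(4, "little")
    return {"UPX0": (UPX0_RVA, UPX0_SIZE, b""),
            "UPX1": (UPX1_RVA, UPX1_SIZE, bytes(body))}


if __name__ == "__main__":
    found = find_oep(sample_sections())
    if found:
        jmp_rva, oep = found
        print(f"tail jmp at RVA {jmp_rva:#x} -> OEP RVA {oep:#x}; "
              f"set a breakpoint on image base + {oep:#x}, run, then dump")
    else:
        print("no popad/jmp tail found; the stub may not be plain UPX")
```

    Run against a real file you would read the UPX1 bytes and RVAs from the section table instead of `sample_sections()`; the decoy in the sample is there to show why the cross-section check matters, since a `61 E9` pair can occur by chance inside compressed data.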

  4. #4
    Gaia
    Guest
    Better to use Break & Enter in LordPE to break at the entry point.


    Gaia

  5. #5
    S3ri@l CoDe9x
    Guest

    Buff..

    Enter here:

    http://zor.org/krobar/ <---- remember to change the http


    You will find many tutorials on UPX there (in the Unpacking section).


    Best regards!

  6. #6
    Kilby
    Guest
    Assuming that it really is packed with UPX.

    An alternative method is to use Break & Enter in LordPE for loading the target.

    Kilby...

  7. #7
    dELTA
    Administrator
    But on a more technical level (i.e., not just "use this and that and it will work"), what can cause an exe file not to break on the first instruction in SoftICE, except the well-known section characteristics trick (bug?)? It seems like such an elementary thing to break on the first instruction in the program, so I simply cannot understand why SoftICE could have even the slightest problem doing this. Someone mentioned a "mangled header"; could anyone elaborate on that?

    Anyone?

  8. #8
    Kilby
    Guest
    The only reason I have come across for an .exe not to break is the section characteristics.

    Though after multiple runs you may find that it will not break on loading; if this happens, disable all breakpoints and try again (I think this is a bug in the loader).

    Of course, the thing is to be sure that it's really UPX that has been used to pack the .exe.

    As for the UPX scramblers, they just change the .exe enough to stop UPX from unpacking the file.

    Regards,

    Kilby...

  9. #9
    Shoob
    Guest
    It's very easy with Olly: set a BP on the OEP, jump to it with F9 and then dump the whole process. Change the OEP to the new one. What I forgot in the past was to change the Base of Code and Base of Data in the Optional Header; otherwise Olly will tell you when disassembling that the entry point is outside the range. This fact is also not reported by any UPX tutorial.

    A useful BP is GetProcAddress. Dunno if anyone is interested in a little tutorial on defeating UPX with Olly..

  10. #10

    DS2.7 XP SP1

    Hi,
    Maybe it's not specific to your UPXed file!
    There is a problem with DS 2.7 under XP SP1; if you're interested, PM me your email!

  11. #11


    I never changed the BOC or BOD in a UPX-packed file, as the entry point should be an RVA from the image base anyway. So why does OllyDbg complain? The resulting exes work fine under both XP and 98, so I'm a little puzzled.

  12. #12
    peter
    Guest


    It is definitely packed with UPX, as I have unpacked it with an unpacker. I just want to learn unpacking, and as far as I'm aware UPX is one of the easiest to start with. As I am a newbie to unpacking, I thought I'd start with an easy one.

  13. #13
    Shoob
    Guest
    Yes squidge, you don't have to change the BOC and BOD; the file will run without any errors. But I got the error "entry point is outside the code (as specified in the PE header)" under Olly if I don't change the BOC to the Virtual Offset of UPX0 (.code) and the BOD to the VO of UPX1 (.data).

    I have problems with ImpREC: it fucked up the API imports, so the fixed dump runs, but the imported APIs couldn't be resolved by W32Dasm and Olly. Any suggestions? Every API looks like kernel32.#307 etc. With Revirgin all works fine.
    Last edited by Shoob; March 31st, 2003 at 10:01.
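    The two header edits the thread argues over, the UPX0 section characteristics change from post #1 (E0000080 to E0000020, i.e. uninitialized data to code) and the BaseOfCode/BaseOfData versus entry point problem from posts #9, #11 and #13, as an added example that is not part of the original thread and not code from SoftICE, OllyDbg, LordPE or UPX. The Python below builds a constructed minimal PE32 with a UPX-style section table (all addresses, sizes and flags are made up for the example), parses it, applies the check OllyDbg's warning describes (is AddressOfEntryPoint inside [BaseOfCode, BaseOfCode + SizeOfCode)?), patches the UPX0 characteristics, and shows that a dump with only the entry point moved into UPX0 fails that check until BaseOfCode is moved to UPX0 and BaseOfData to UPX1. The OEP value 0x1234 is an assumption, standing in for whatever the debugger found.

```python
"""Added example: inspect and patch the PE32 header fields this thread argues
over on a UPX-packed image. The sample image is constructed below; it is not
a real packed binary and every number in it is made up for the example."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
OPT_FMT = "<HBB9I6H4I2H6I"   # PE32 optional header without the data directories
SEC_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER

def build_sample_upx_pe():
    """Constructed headers with the layout UPX leaves behind: UPX0 has no raw
    data on disk and is flagged uninitialized data (0xE0000080); UPX1 holds
    the stub plus compressed data and contains the entry point."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x010F)
    opt = struct.pack(OPT_FMT, 0x10B, 6, 0,
                      0x2000,   # SizeOfCode: UPX1
                      0x1000,   # SizeOfInitializedData
                      0x6000,   # SizeOfUninitializedData: UPX0
                      0x8A60,   # AddressOfEntryPoint: the stub, inside UPX1
                      0x7000,   # BaseOfCode: UPX1
                      0x9000,   # BaseOfData: .rsrc
                      0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0xA000, 0x400, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                        # 16 empty data directories
    secs = b"".join(struct.pack(SEC_FMT, *s) for s in [
        (b"UPX0", 0x6000, 0x1000, 0x0000, 0x400, 0, 0, 0, 0, 0xE0000080),
        (b"UPX1", 0x2000, 0x7000, 0x1200, 0x400, 0, 0, 0, 0, 0xE0000040),
        (b".rsrc", 0x1000, 0x9000, 0x0200, 0x1600, 0, 0, 0, 0, 0xC0000040)])
    img = bytes(dos) + b"PE\0\0" + coff + opt + secs
    return img + b"\0" * (0x1800 - len(img))

def parse_pe(data):
    """Pull out the optional-header fields and section table of a PE32."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    opt = struct.unpack_from(OPT_FMT, data, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + i * 40
        f = struct.unpack_from(SEC_FMT, data, off)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                         "va": f[2], "rawsize": f[3], "chars": f[9], "off": off})
    return {"opt_off": opt_off, "size_of_code": opt[3], "entry": opt[6],
            "base_of_code": opt[7], "base_of_data": opt[8], "sections": sections}

def entry_point_in_code(pe):
    """The check behind OllyDbg's "entry point is outside the code" warning."""
    lo = pe["base_of_code"]
    return lo <= pe["entry"] < lo + pe["size_of_code"]

def patch_u32(data, off, value):
    buf = bytearray(data)
    struct.pack_into("<I", buf, off, value)
    return bytes(buf)

def section(pe, name):
    return next(s for s in pe["sections"] if s["name"] == name)

def fix_upx0_characteristics(data, pe):
    """The tutorial trick from post #1: flag UPX0 as code rather than
    uninitialized data, so 0xE0000080 becomes 0xE0000020."""
    s = section(pe, "UPX0")
    new = (s["chars"] & ~IMAGE_SCN_CNT_UNINITIALIZED_DATA) | IMAGE_SCN_CNT_CODE
    return patch_u32(data, s["off"] + 36, new)       # Characteristics sits at +36

def rebase_after_dump(data, pe, oep):
    """Post #13's fix for a dump taken at the real OEP (which lies in UPX0):
    new entry point, BaseOfCode/SizeOfCode covering UPX0, BaseOfData at UPX1."""
    upx0, upx1 = section(pe, "UPX0"), section(pe, "UPX1")
    data = patch_u32(data, pe["opt_off"] + 16, oep)            # AddressOfEntryPoint
    data = patch_u32(data, pe["opt_off"] + 4, upx0["vsize"])   # SizeOfCode
    data = patch_u32(data, pe["opt_off"] + 20, upx0["va"])     # BaseOfCode
    data = patch_u32(data, pe["opt_off"] + 24, upx1["va"])     # BaseOfData
    return data

if __name__ == "__main__":
    img = build_sample_upx_pe()
    pe = parse_pe(img)
    for s in pe["sections"]:
        print(f"{s['name']:6} va={s['va']:#07x} raw={s['rawsize']:#06x} chars={s['chars']:#010x}")
    print("packed file, entry in code range:", entry_point_in_code(pe))
    fixed = parse_pe(fix_upx0_characteristics(img, pe))
    print("UPX0 characteristics after patch:", f"{section(fixed, 'UPX0')['chars']:#010x}")
    dumped = parse_pe(patch_u32(img, pe["opt_off"] + 16, 0x1234))   # OEP found in UPX0
    print("dump with only the OEP changed, entry in code range:", entry_point_in_code(dumped))
    rebased = parse_pe(rebase_after_dump(img, pe, 0x1234))
    print("dump after BaseOfCode/BaseOfData fix, entry in code range:", entry_point_in_code(rebased))
```

    Squidge's point in post #11 holds for the loader (the entry point is an RVA and Windows never consults BaseOfCode when starting the process), which is why the dumped file runs either way; the check above is only what the debugger's sanity warning compares, and moving BaseOfCode/SizeOfCode onto UPX0 is what makes it fall silent.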

  14. #14
    If this is still UPX, why are you bothering? No need for either ImpREC or Revirgin, as the IAT is as virgin as they come.

  15. #15
    Shoob
    Guest
    Sorry, I was too lazy to open a new thread. I know that with UPX-packed files there is no need for rebuilding, but for example with ASProt or Neolite it's necessary.

    ImpREC is indeed a very good program, but with this confusing IAT rebuilding I cannot deal with it.
    Last edited by Shoob; March 31st, 2003 at 16:06.
