Manual Unpacking of UPX Packed PE File
Introduction
Here is a short tutorial on unpacking a UPX packed binary. UPX is a free, portable executable packer for several different executable formats. It achieves an excellent compression ratio and offers very fast decompression.
To follow this tutorial, download the latest UPX from the UPX website and pack any PE (Windows executable) file with it.
Unpacking Steps
Before we begin with the unpacking exercise, let's understand how UPX works. When you pack an executable with UPX, the existing sections of that file are compressed and a small UPX stub is appended to them; at run time the stub decompresses the packed sections back into memory (in the default layout this gives an empty UPX0 section that receives the unpacked code, and a UPX1 section holding the compressed data and the stub). During the execution of a UPX packed binary, the following steps take place...
Unpacking UPX
The manual unpacking process involves the following steps
I am using a generic approach so that you will be able to unpack an executable packed with any version of UPX. Here I am using OllyDbg to unpack the PE file. You can use any debugger, but OllyDbg is one of the best ring 3 debuggers for reverse engineering.
That is all you need to know before we start. Let's get into some action.

Load the UPX packed binary into OllyDbg and start tracing until you encounter a PUSHAD instruction. Usually it is the first instruction, or it appears within the first few instructions, depending on the UPX version used to pack the file. PUSHAD saves all the general-purpose registers on the stack; the stub's matching POPAD restores them only after every section has been decompressed and all imports have been resolved, and the instruction that follows jumps to the OEP. So the goal is to break on the POPAD, or just after it. There are two ways to get there.

Hardware breakpoint on the saved registers (the "ESP trick"): when you are at the PUSHAD, set a hardware breakpoint on access to the stack slot the instruction is about to write, ESP-4. If you have the Command Bar plugin installed, just type 'hr esp-4'. Note that an x86 hardware "read" breakpoint actually fires on read or write, so the first hit will be PUSHAD's own write to that slot; press F9 once more. Nothing in the decompression loop touches the saved registers, so the next hit is POPAD reading them back, and because hardware breakpoints trigger after the instruction completes you land on the instruction immediately after POPAD. (Equivalently, step over the PUSHAD with F8 first and then type 'hr esp'.)

Find the POPAD (opcode 61) yourself: scroll down in the OllyDbg disassembly from the current instruction until the code runs out into all zeroes (the end of the stub); a few instructions above the start of the zeroes you will find the POPAD. Set an ordinary breakpoint (F2) on it.

Once the breakpoint is set, press F9. You will break on the POPAD or on the instruction immediately after it, depending on which method you used. Now single-step with F7 and within a few instructions you will reach a JMP whose target lies in a different, previously empty section of the unpacked code (UPX0 in a file with default section names). That target is the OEP. Note the address down; ImpREC later needs it as an RVA, i.e. the address shown in OllyDbg minus the image base.

Step into the jump (F7) so that EIP is at the OEP, then dump the process image to disk with the OllyDump plugin (a third-party plugin for OllyDbg, not bundled with it) using its default options. It takes the current EIP as the new entry point and rebuilds the import table for you, so there is no need to fix the imports explicitly. That's it; you are done with unpacking the UPX packed file.
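The same PUSHAD / POPAD / JMP walk can be done statically on the file before ever loading it in a debugger. The script below is an added example, not code from the original article or from the UPX, OllyDbg or ImpREC projects: it parses a PE32 image with the standard library only, reports whether it has the default UPX section names, and scans the stub from the entry point for a POPAD followed within a short window by a JMP rel32 whose target lies in a different section, returning the OEP as an RVA (the form ImpREC wants). The sample PE it builds is constructed in the script and is not real UPX output; its epilogue bytes mimic what UPX 3.x x86 stubs emit after POPAD, and the 32-byte window between POPAD and the JMP is an assumption chosen to tolerate other stub versions. Header offsets follow the PE/COFF specification.

```python
# Added example (not from the original article): static UPX stub walk on a PE32 file.
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER


def parse_pe(data):
    """Return (entry_rva, image_base, sections) for a PE32 image; raise on anything else."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24                                               # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)       # AddressOfEntryPoint
    image_base, = struct.unpack_from("<I", data, opt + 28)
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return entry_rva, image_base, sections


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def rva_to_offset(sections, rva):
    """File offset backing an RVA, or None when the page is purely virtual (UPX0 is)."""
    s = section_for_rva(sections, rva)
    if s is None or rva - s["va"] >= s["raw_size"]:
        return None
    return s["raw_ptr"] + (rva - s["va"])


def looks_upx(sections):
    """Default UPX naming (UPX0 empty, UPX1 = packed data + stub). Defeated by renaming,
    which is why find_upx_oep works on the stub bytes instead of the names."""
    return any(s["name"].startswith("UPX") for s in sections)


def find_upx_oep(data, max_stub=0x800):
    """Entry must be PUSHAD (0x60). From there find POPAD (0x61) followed within 0x20 bytes by
    JMP rel32 (0xE9) whose target is in another section. Returns the OEP RVA, or None."""
    entry_rva, _, sections = parse_pe(data)
    off = rva_to_offset(sections, entry_rva)
    if off is None or data[off] != 0x60:
        return None
    stub = data[off:off + max_stub]
    src = section_for_rva(sections, entry_rva)
    pos = stub.find(b"\x61", 1)
    while pos >= 0:
        jmp = stub.find(b"\xE9", pos, pos + 0x20)
        if jmp >= 0 and jmp + 5 <= len(stub):
            rel, = struct.unpack_from("<i", stub, jmp + 1)
            oep = entry_rva + jmp + 5 + rel                     # target = RVA of next instruction + rel32
            dst = section_for_rva(sections, oep)
            if dst is not None and dst is not src:
                return oep
        pos = stub.find(b"\x61", pos + 1)                       # a stray 0x61 byte; keep scanning
    return None


def build_sample_upx_pe():
    """Constructed test input (not real UPX output): minimal PE32 with UPX0/UPX1/.rsrc and an
    entry stub of PUSHAD, NOP filler, then the UPX 3.x style tail POPAD; LEA EAX,[ESP-80h];
    PUSH 0; CMP ESP,EAX; JNZ; SUB ESP,-80h; JMP OEP."""
    oep_rva, ep_rva = 0x1020, 0x11010
    stub = b"\x60" + b"\x90" * 0x30 + b"\x61" + bytes.fromhex("8D4424806A0039C475FA83EC80")
    stub += b"\xE9" + struct.pack("<i", oep_rva - (ep_rva + len(stub) + 5))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)   # i386, 3 sections, EXE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, ep_rva)
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x14000, 0x400)                 # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    secs = (struct.pack(SECTION_HEADER_FMT, b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
            + struct.pack(SECTION_HEADER_FMT, b"UPX1", 0x2000, 0x11000, 0x200, 0x400, 0, 0, 0, 0, 0xE0000040)
            + struct.pack(SECTION_HEADER_FMT, b".rsrc", 0x1000, 0x13000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040))
    image = bytearray(dos + b"PE\0\0" + coff + opt + secs)
    image += b"\0" * (0x400 - len(image))
    upx1 = b"\xAA" * 0x10 + stub                                     # 16 bytes of fake packed data, then the stub
    image += upx1 + b"\0" * (0x200 - len(upx1)) + b"\0" * 0x200      # UPX1 raw data, empty .rsrc
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_upx_pe()
    ep, base, secs = parse_pe(sample)
    print("sections:", [s["name"] for s in secs], "UPX-named:", looks_upx(secs))
    oep = find_upx_oep(sample)
    print(f"entry RVA {ep:#x}, OEP RVA {oep:#x} (VA {base + oep:#x}); enter the RVA in ImpREC")
```

Run it against a real UPX packed file by replacing the sample with `open(path, "rb").read()`. A None result means the entry point is not a PUSHAD or no POPAD/JMP pair leads out of the stub's section, i.e. a modified or unusual stub, and you fall back to the debugger walk above. The OEP RVA printed is the value to type into ImpREC; add the image base to get the address you will see in OllyDbg.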
Fixing Import Table
For most of the more advanced packers, OllyDump will not be able to fix the import table. In such a case the following method will be helpful. Here we use ImpREC, a more advanced tool for rebuilding the import table.

When you are at the OEP of the program, dump the memory image of the binary using OllyDump without asking it to rebuild the import table. Leave the process suspended at the OEP in OllyDbg: ImpREC reads the IAT from the live process, so it must still be there.

Next launch ImpREC and select the process you are currently debugging. Enter the OEP as an RVA (not the complete address; subtract the image base ImpREC displays from the address shown in OllyDbg) and click 'IAT AutoSearch' to locate the import table automatically. Then click 'Get Imports' to retrieve the imported functions. You will see them listed under their respective DLL names. If any import is invalid (marked valid: NO; 'Show Invalid' highlights them), remove it by right-clicking on it and choosing 'Delete Thunk(s)' from the popup menu.

Once the imports are identified, click 'Fix Dump' in ImpREC and select the previously dumped file. ImpREC writes a new copy with the rebuilt import section. Now that the image is dumped and the import table fixed, verify the result by executing the application.
UPX Unpacked...!
That's all; you have successfully unpacked the UPX packed executable. Good job, though keep in mind UPX is the simplest packer, with no anti-debugging features at all. As you move on you will see more and more challenging protectors. Hope you have enjoyed your first unpacking lesson as I did years back!
References
1. UPX: Ultimate Packer for eXecutables.
2. OllyDbg: Popular Ring 3 Debugger.
3. ImpREC: Import Reconstruction for PE files.
See Also
Writing PESpin plugin for ImpREC. |
Faster way to enumerate process heaps. |
Finding the reference count of DLL. |