[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: unpacking UPX or PE-packed binaries



Karma wrote:
Just interested in how AV R&D companies unpack worms with complex UPX and PE
pack protocols.

The modified UPX packing is a pretty small change usually. Compare one with a standard UPX header for the same version. There are a variety of unpackers out there. Take a look at the X86emu work by Chris Eagle for an interesting direction that unpackers might be taking:
http://ida-x86emu.sourceforge.net/

Worst case, you've always got the option to carefully step through it with a debugger to the point where it's unpacked. You may have to deal with a few anti-debugger tricks along the way, and once you've got a few unpacked segments, you'll probably have to manually put the import table back together, but it's doable. I like Ollydbg for this kind of thing:
http://home.t-online.de/home/Ollydbg/

Just take care that you're running in a sandbox of some kind, in case you step too far, or accidentally press the "run" key.

						BB