
RE: unpacking UPX or PE-packed binaries


Softice and a bit of patience. At any point, a compressed exe
must be uncompressed by the compressor stub so that it can 
be properly executed.

The trick is to find the call that jumps from the stub to
the actual worm code once unpacked. There are a lot of ways
to do this; it's too long to document here. Suffice to say
you need working knowledge of Softice and x86 asm. I'm sure
someone else will post a url to a good tutorial (fravia is
always a handy place to start for reverse engineering info).

Once you've found the jmp, patch it in Softice to jmp to esi,
putting the code into an infinite loop. Next, get a copy
of procdump and save it out to disk. Hey presto, the worm
code ready for you to investigate.

Hope that gives you somewhere to start.

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company

> -----Original Message-----
> From: Karma [mailto:steve@xxxxxxxx]
> Sent: 23 April 2004 03:26
> To: "Undisclosed-Recipient:;"@securityfocus.com
> Subject: unpacking UPX or PE-packed binaries
>
> Hi List,
> Just interested in how AV R&D companies unpack worms with complex UPX and PE
> pack protocols.
> Been trying to dissect the recent Gaobot variants and getting nowhere with
> my generic UPX-unpacker. Since this is more and more commonly used, I
> thought I would be wise to consult the Lists.
> Cheers,
> Karma
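
The jump from the unpacking stub to the unpacked code, which the reply above says to look for, can be shortlisted statically before stepping through in a debugger. This is an added example, not part of the original post: it scans stub bytes for near `jmp` instructions (opcode `E9`) whose target lies in a different section than the stub. The section layout, addresses, sample bytes and the name `find_tail_jumps` are constructed assumptions, and a raw byte scan without disassembly is a heuristic that can report false matches.

```python
import struct

def find_tail_jumps(stub, stub_va, sections):
    """Return (jmp_va, target_va, target_section) for every E9 rel32 in the
    stub bytes whose destination is in a different section than the stub."""
    def section_of(va):
        for name, start, size in sections:
            if start <= va < start + size:
                return name
        return None

    home = section_of(stub_va)
    hits = []
    for off in range(len(stub) - 4):
        if stub[off] != 0xE9:                      # near jmp rel32 opcode
            continue
        rel = struct.unpack_from("<i", stub, off + 1)[0]
        jmp_va = stub_va + off
        target = (jmp_va + 5 + rel) & 0xFFFFFFFF   # rel32 counts from the next instruction
        dest = section_of(target)
        if dest is not None and dest != home:      # leaves the stub's own section
            hits.append((jmp_va, target, dest))
    return hits

# Constructed layout: UPX0 is the empty section the stub unpacks into,
# UPX1 holds the compressed data and the stub itself.
SECTIONS = [("UPX0", 0x401000, 0x8000), ("UPX1", 0x409000, 0x3000)]
STUB_VA = 0x40B150
OEP = 0x4012C0                                     # constructed original entry point

# Constructed stub fragment, not taken from any real sample.
SAMPLE_STUB = (
    b"\x60"                                        # pushad
    + b"\xBE" + struct.pack("<I", 0x409000)        # mov esi, 0x409000
    + b"\xE9" + struct.pack("<i", -10)             # jmp inside the stub (ignored)
    + b"\x61"                                      # popad
    + b"\xE9" + struct.pack("<i", OEP - (STUB_VA + 12 + 5))  # jmp to unpacked code
)

if __name__ == "__main__":
    for jmp_va, target, name in find_tail_jumps(SAMPLE_STUB, STUB_VA, SECTIONS):
        print(f"jmp at {jmp_va:#x} -> {target:#x} in {name}")
```

Each reported address is a candidate for the breakpoint in the debugger; the dump is taken once execution reaches it and the first section holds the unpacked code.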
