
Re: unpacking UPX or PE-packed binaries



http://www.nostarch.com/frameset.php?startat=crackproof  <~~~~ good softice tutorial

http://www.amazon.com/exec/obidos/tg/detail/-/1931769222/103-6041023-9422268?v=glance
<~~~~~ in case any readers here need a bare bones asm tutorial concerning
disassembly... it's cheesy though if you already have a solid understanding
of asm.


----- Original Message -----
From: "Kayne Ian (Softlab)" <Ian.Kayne@xxxxxxxxxxxxx>
To: "Karma" <steve@xxxxxxxx>; "VulnDev" <vuln-dev@xxxxxxxxxxxxxxxxx>
Sent: Friday, April 23, 2004 6:17 AM
Subject: RE: unpacking UPX or PE-packed binaries


> Karma,
>
> Softice and a bit of patience. At any point, a compressed exe
> must be uncompressed by the compressor stub so that it can
> be properly executed.
>
> The trick is to find the call that jumps from the stub to
> the actual worm code once unpacked. There are a lot of ways
> to do this, it's too long to document here. Suffice to say
> you need working knowledge of Softice and x86 asm. I'm sure
> someone else will post a url to a good tutorial (fravia is
> always a handy place to start for reverse engineering info).
>
> Once you've found the jmp, patch it in Softice to jmp to esi,
> putting the code into an infinite loop. Next, get a copy
> of procdump and save it out to disk. Hey presto, the worm
> code ready for you to investigate.
>
> Hope that gives you somewhere to start.
>
> Ian Kayne
> Technical Specialist - IT Solutions
> Softlab Ltd - A BMW Company
>
> > -----Original Message-----
> > From: Karma [mailto:steve@xxxxxxxx]
> > Sent: 23 April 2004 03:26
> > To: "Undisclosed-Recipient:;"@securityfocus.com
> > Subject: unpacking UPX or PE-packed binaries
> >
> >
> > Hi List,
> >
> > Just interested in how AV R&D companies unpack worms with
> > complex UPX and PE pack protocols.
> >
> > Been trying to dissect the recent Gaobot variants and getting
> > nowhere with my generic UPX-unpacker. Since this is more and
> > more commonly used, I thought I would be wise to consult the Lists.
> >
> > Cheers,
> >
> > Karma
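Before the SoftICE session Ian describes, an analyst usually first confirms that a sample really is UPX-packed and which section holds the stub that will later jump to the real code. The script below is an added example, not code from this thread or from any poster: it parses the PE section table with the standard library only, flags the UPX0/UPX1 layout and high-entropy sections, and reports which section contains the entry point. The `build_sample()` image is a constructed stand-in with the UPX section layout, not a real packed binary.

```python
import hashlib, math, struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def shannon_entropy(data):
    """Bits per byte of a section's raw data; compressed payload sits near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in range(256)) if c) if n else 0.0

def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]              # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]         # SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", pe, coff + 20 + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = SECTION_HDR.unpack_from(pe, coff + 20 + opt_size + i * 40)[:5]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw": pe[rawptr:rawptr + rawsize],
                         "has_entry": va <= entry_rva < va + max(vsize, rawsize)})
    return sections

def triage(pe):
    """Typical UPX layout: an empty UPX0 that receives the unpacked image, and a
    high-entropy UPX1 holding the compressed payload plus the decompressor stub,
    with the PE entry point inside UPX1. The stub's final jump into UPX0 is the
    transfer to the real code that the analyst has to catch in the debugger."""
    sections = parse_sections(pe)
    entropy = {s["name"]: round(shannon_entropy(s["raw"]), 2) for s in sections}
    return {"packed": any(n.startswith("UPX") for n in entropy) or max(entropy.values(), default=0.0) > 7.0,
            "entry_section": next((s["name"] for s in sections if s["has_entry"]), None),
            "entropy": entropy}

def build_sample():
    """Constructed minimal UPX-style image for this demo only, not a real binary."""
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB of high-entropy bytes
    rsrc, hdr = b"\0" * 512, 0x400
    #        name     VirtualSize VirtualAddress SizeOfRawData PointerToRawData
    secs = [(b"UPX0", 0x10000, 0x1000, 0, 0),
            (b"UPX1", 0x1000, 0x11000, len(payload), hdr),
            (b".rsrc", 0x200, 0x12000, len(rsrc), hdr + len(payload))]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)     # i386, PE32 optional header
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x11800).ljust(0xE0, b"\0")  # entry RVA inside UPX1
    hdrs = b"".join(SECTION_HDR.pack(n, vs, va, rs, rp, 0, 0, 0, 0, 0) for n, vs, va, rs, rp in secs)
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(hdr, b"\0") + payload + rsrc

if __name__ == "__main__":
    print(triage(build_sample()))
```

Point `triage()` at `open(path, "rb").read()` for a real sample; a packed image reports the entry point in UPX1 and an empty, low-entropy UPX0, whereas a correctly dumped image has its entry point back in the section holding the real code.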