I was browsing my laptop when I found UPX lying there, so I gave it a go. The compression ratio was pretty impressive too. What about decompression?
Well, it turned out to be way too easy to unpack a UPX-packed executable. There is no protection at all, so don't even think of depending on UPX if you want to protect your precious executable! I'll show you why.
Tools needed:
- Immunity Debugger or OllyDbg.
- OllyDump plugin.
- A brain!
The first instruction is usually PUSHAD, i.e. before starting the decompression routine the stub saves the contents of all registers. The instructions that follow basically decompress the original code; we're not gonna explore that today. What we're looking for is the place, or instruction, where this code jumps to the actual code. If you scroll down a bit you'll find instructions like this:
POPAD simply restores the original contents of all registers, so this is probably the place where decompression ends. Take a good look and you'll find a JMP instruction (JMP Packed.0040114C in this case). Put a breakpoint on that instruction and continue execution. At this point you know the decompression routine has executed and is ready to jump to your original code. Press F7 (step into) and you should now be at the first instruction of your original code. Now? Time to dump the process!
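As an added example (not code from the original post), here is a small Python script that applies the same PUSHAD ... POPAD; JMP heuristic to a raw byte buffer and computes the jump target from the JMP's rel32 operand. The stub bytes and the base address are constructed for illustration, not taken from a real UPX sample; a byte scan is only a heuristic, so the candidate still has to be confirmed in the debugger.

```python
import struct
from typing import Optional, Tuple

# x86 opcodes used by the heuristic
PUSHAD, POPAD, JMP_REL32 = 0x60, 0x61, 0xE9


def find_tail_jump(code: bytes, base: int, window: int = 16) -> Optional[Tuple[int, int]]:
    """Locate the stub's tail jump: a JMP rel32 shortly after POPAD in a buffer
    that starts with PUSHAD. `base` is the virtual address of code[0].
    Returns (address of the JMP, jump target) or None."""
    if not code or code[0] != PUSHAD:
        return None
    for i in range(1, len(code)):
        if code[i] != POPAD:
            continue
        # Scan a few bytes after POPAD for E9; this is not a disassembler, so
        # an E9 inside an operand can produce a false candidate.
        for j in range(i + 1, min(i + 1 + window, len(code) - 4)):
            if code[j] != JMP_REL32:
                continue
            rel = struct.unpack_from("<i", code, j + 1)[0]
            jmp_va = base + j
            target = jmp_va + 5 + rel  # target = address of next instruction + rel32
            # A real tail jump leaves the stub; a target inside this buffer is rejected.
            if base <= target < base + len(code):
                continue
            return jmp_va, target
    return None


# Constructed stub (not a real UPX stub): PUSHAD, two setup instructions,
# then POPAD; JMP to the OEP mentioned in the post (0x0040114C).
STUB_BASE = 0x00405000
SAMPLE_STUB = bytes([
    0x60,                                   # pushad
    0xBE, 0x00, 0x30, 0x40, 0x00,           # mov esi, 0x403000
    0x8D, 0xBE, 0x00, 0xE0, 0xFF, 0xFF,     # lea edi, [esi-0x2000]
    0x61,                                   # popad
    0xE9, 0x3A, 0xC1, 0xFF, 0xFF,           # jmp 0x0040114C (rel32 = -0x3EC6)
])

if __name__ == "__main__":
    hit = find_tail_jump(SAMPLE_STUB, STUB_BASE)
    if hit:
        print(f"tail jump at {hit[0]:#010x}, candidate OEP {hit[1]:#010x}")
```

Set the breakpoint on the reported JMP address, then step into it to land on the candidate OEP before dumping.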
Right-click, or go to Plugins > OllyDump.
Make sure you have checked "Fix Raw Size & ...." and click "Get EIP as OEP" to set the current EIP as the entry point of your dumped executable. Check "Rebuild Import" if you want the plugin to rebuild the IAT for you.
That's it. You've successfully unpacked a UPX-packed executable. Wasn't that easy? ;]