File Size: 114688
OS Used: Windows XP Pro SP3 (English)
Create UPX Packed binary using below command
upx -9 -o calc_upx9.exe calc.exe
File Size after packing is 57856 bytes
Lets start unpacking, load the file to OllyDBG. OllyDBG detects and warns about the Packer, ignore the message (click NO).
0x01020250 is the current Entry Point
01020250 60 PUSHAD
Real OEP = OEP find in Olly - Image Base
Real OEP = 0x01020250 - 0x01000000
After ignoring the warning, step over (F8) POPAD, right click on ESP(0x0006FFA4) and follow in dump.
POPAD will push all the REGISTERs values onto Stack.
In the dump window select first 2/4 bytes and go for a hardware breakpoint on access as shown below. First 4 bytes selected is the value of EDI Register on Stack in little endian format.
Run the binary (F9) after setting the breakpoint, will stop execution when hits a break point (0x010203CE). When breakpoint is hit the CPU is
010203CD 61 POPAD
010203CE 8D4424 80 LEA EAX,DWORD PTR SS:[ESP-80]
010203D2 6A 00 PUSH 0
010203D4 39C4 CMP ESP,EAX
010203D6 ^75 FA JNZ SHORT calc_upx.010203D2
010203D8 83EC 80 SUB ESP,-80
010203DB -E9 9520FFFF JMP calc_upx.01012475
Put a breakpoint at 0x010203DB (first JUMP instruction after POPAD), press F9 and when we hit the breakpoint single step (F8) one time from JUMP, will land at
01012475 6A 70 PUSH 70
01012477 68 E0150001 PUSH calc_upx.010015E0
Right click on 0x01012475 and "Dump debugged process", copy the value in Modify text box which will be our OEP and click on Dump button which will create a new binary (dump_test.exe here).
dump_test.exe is not executable since it doesn't have proper Import Address Table (IAT). Executing the binary will throw below error
Load the original binary (calc.exe) into ImportREC, paste the OEP copied from Modify text field when creating dump file. Click on AutoSearch to automatically search IAT's. Will give below log message
Original IAT RVA found at: 0000120C in Section RVA: 00001000 Size:00018000
Now click on GetImports which will throw below log if everything goes fine.
IAT read successfully.
6 (decimal:6) valid module(s) (added: +6 (decimal:+6))
84 (decimal:132) imported function(s). (added: +84 (decimal:+132))
Now click on FixDump and select dump_test.exe, ImportREC will fix dump_test.exe and creata a new file dump_test_.exe, see below logs
*** New section added successfully. RVA:00029000 SIZE:00001000
Image Import Descriptor size: 78; Total length: 908
C:\Documents and Settings\praveen\Desktop\UnpackMe\upx_calc\dump_test_.exe saved successfully.
To cross verify load the newly created file into PEiD
Done :-) !!!
Manual unpacking of AHpack can be found at
Praveen, one of my twitter buddies (Josh) pointed out couple problems with this, mainly you need the original file and it's import address table, not interrupt address table.ReplyDelete
if we use latest olly dbg, it will directly unpack...
with the old ollydbg, there is a plugin called pe peeler, it will unpack, it.
thanks for sharing this post.
Hey Bro.. How to save the unpacked file in new ollydbg.. kindly explain bro.Delete
Hi BK, thank you for pointing the error, corrected now.ReplyDelete
zerocoolnews, Thank you for the pointers :-), will check themReplyDelete
ignore the linkedin haters. nice post!ReplyDelete
@Anonymous, thank you :-)ReplyDelete
Love to read it,Waiting For More new Update and I Already Read your Recent Post its Great Thanks. Binary options recoveryReplyDelete
Wow! Such an amazing and helpful post this is. I really really love it. It's so good and so awesome. I am just amazed. I hope that you continue to do your work like this in the future also best options signalsReplyDelete