Wednesday, December 18, 2013

Manual Unpacking of UPX Packed Binary File

FileName: calc.exe
MD5: 829e4805b0e12b383ee09abdc9e2dc3c
File Size: 114688
Source: C:\WINDOWS\system32
OS Used: Windows XP Pro SP3 (English)

Create the UPX-packed binary with the command below:
upx -9 -o calc_upx9.exe calc.exe
File size after packing is 57856 bytes.

Packer Info


Let's start unpacking: load the file into OllyDBG. OllyDBG detects the packer and warns about it; ignore the message (click NO).

0x01020250 is the current entry point of the packed file:
01020250  60               PUSHAD

Real OEP (an RVA) = address shown in Olly - Image Base
Real OEP = 0x01020250 - 0x01000000 = 0x20250
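The VA-to-RVA arithmetic above, and the section layout that makes PEiD/Olly flag UPX, can be checked directly from the PE headers. The Python below is an added example, not code from the post or from UPX/OllyDBG: it builds a constructed PE32 header (not the real calc_upx9.exe) that mirrors the values the post reports (image base 0x01000000, entry point RVA 0x20250, sections UPX0/UPX1/.rsrc with sizes chosen by me), parses it, and reports the indicators of UPX packing.

```python
import struct

IMAGE_BASE = 0x01000000      # image base the post reports for calc_upx9.exe
ENTRY_POINT_VA = 0x01020250  # entry point Olly shows (PUSHAD of the UPX stub)


def build_sample_header():
    """Constructed PE32 header (NOT the real calc_upx9.exe): MZ/PE headers with the
    UPX0 / UPX1 / .rsrc layout UPX produces; section sizes are assumptions."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    sections = [
        (b"UPX0", 0x1F000, 0x01000, 0x0000, 0x0400, 0xE0000080),  # empty on disk, filled at run time
        (b"UPX1", 0x08000, 0x20000, 0x7C00, 0x0400, 0xE0000040),  # compressed data + stub, holds the EP
        (b".rsrc", 0x01000, 0x28000, 0x0600, 0x8000, 0xC0000040),
    ]
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x010F)
    # PE32 optional header: Magic, linker versions, 3 sizes, AddressOfEntryPoint,
    # BaseOfCode, BaseOfData, ImageBase; the remaining fields are zero-padded.
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0,
                      ENTRY_POINT_VA - IMAGE_BASE, 0x20000, 0x28000, IMAGE_BASE).ljust(0xE0, b"\x00")
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                        for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\x00\x00" + coff + opt + sec_hdrs


def parse_pe(data):
    """Minimal PE32 header parser: image base, entry point RVA and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase (PE32 offset)
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return {"image_base": image_base, "ep_rva": ep_rva, "sections": sections}


def va_to_rva(va, image_base):
    """The post's arithmetic: RVA = address shown in Olly - image base."""
    return va - image_base


def section_for_rva(pe, rva):
    """Section whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None


def upx_indicators(pe):
    """Heuristics a packer identifier applies; returns human-readable findings."""
    findings = []
    names = [s["name"] for s in pe["sections"]]
    if any(n.startswith("UPX") for n in names):
        findings.append("section names " + ", ".join(n for n in names if n.startswith("UPX")))
    first = pe["sections"][0] if pe["sections"] else None
    if first and first["rawsize"] == 0 and first["vsize"] > 0:
        findings.append("first section %s has no raw data (unpacking destination)" % first["name"])
    ep_sec = section_for_rva(pe, pe["ep_rva"])
    if ep_sec and ep_sec is not first and ep_sec["name"] != ".text":
        findings.append("entry point 0x%X lies in %s, not in the first/code section"
                        % (pe["ep_rva"], ep_sec["name"]))
    return findings


if __name__ == "__main__":
    pe = parse_pe(build_sample_header())
    print("EP VA 0x%08X -> RVA 0x%X" % (pe["image_base"] + pe["ep_rva"], pe["ep_rva"]))
    for f in upx_indicators(pe):
        print("-", f)
```

The same parser run over the real packed file would place the entry point 0x20250 inside UPX1 (the stub) and the later OEP inside UPX0, which is exactly why the dump has to be taken after the stub has written UPX0.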

After ignoring the warning, step over (F8) the PUSHAD, right click on ESP (0x0006FFA4) and choose "Follow in Dump".
PUSHAD pushes all eight general-purpose register values onto the stack, so the top of the stack now holds the saved registers.


In the dump window select the first 4 bytes and set a hardware breakpoint on access, as shown below. The 4 bytes selected hold the value of the EDI register saved on the stack, in little-endian format (EDI is the last register PUSHAD pushes, so it sits at the lowest address).

Run the binary (F9). Execution stops when the hardware breakpoint is hit, at 0x010203CE: the POPAD at 0x010203CD reads the saved EDI back, so the access breakpoint fires on the instruction after it. The CPU window then shows:
010203CD   61               POPAD
010203CE   8D4424 80        LEA EAX,DWORD PTR SS:[ESP-80]
010203D2   6A 00            PUSH 0
010203D4   39C4             CMP ESP,EAX
010203D6  ^75 FA            JNZ SHORT calc_upx.010203D2
010203D8   83EC 80          SUB ESP,-80
010203DB  -E9 9520FFFF      JMP calc_upx.01012475

Put a breakpoint at 0x010203DB (the first JMP instruction after POPAD), press F9, and when the breakpoint is hit single step (F8) once from the JMP. We land at the OEP:
01012475   6A 70            PUSH 70
01012477   68 E0150001      PUSH calc_upx.010015E0
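The two stack and code facts the procedure relies on (the saved-register layout at ESP after PUSHAD, and the POPAD followed by a tail JMP whose target is the OEP) can be worked through on the bytes the post shows. The Python below is an added example, not code from the post or from UPX/OllyDBG: the stub bytes are transcribed from the disassembly at 0x010203CD above, the stack contents are constructed sample values, and the OEP RVA it derives (0x12475) is the value that belongs in the "Modify" box and later in ImportREC's OEP field.

```python
import struct

IMAGE_BASE = 0x01000000

# Transcribed from the disassembly the post shows for the calc_upx9.exe stub tail:
#   010203CD  61            POPAD
#   010203CE  8D4424 80     LEA EAX,[ESP-80]
#   010203D2  6A 00         PUSH 0
#   010203D4  39C4          CMP ESP,EAX
#   010203D6  75 FA         JNZ SHORT 010203D2
#   010203D8  83EC 80       SUB ESP,-80
#   010203DB  E9 9520FFFF   JMP 01012475
STUB_TAIL_VA = 0x010203CD
STUB_TAIL = bytes.fromhex("61 8D442480 6A00 39C4 75FA 83EC80 E99520FFFF")

# Order in which PUSHAD pushes the registers (EAX first, EDI last).
PUSHAD_ORDER = ("EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI")

# Constructed sample: ESP the post shows after PUSHAD, and 32 bytes of fake stack
# content laid out as PUSHAD leaves it (lowest address = EDI, highest = EAX).
SAMPLE_ESP = 0x0006FFA4
SAMPLE_STACK = struct.pack("<8I", 0x77777777, 0x66666666, 0x55555555, SAMPLE_ESP + 0x20,
                           0x44444444, 0x33333333, 0x22222222, 0x11111111)


def pushad_frame(esp_after, stack_bytes):
    """Decode the 32 bytes at ESP after PUSHAD into {reg: {value, address}}.
    Slot 0 (lowest address) is EDI, the last register pushed, which is why the
    post's hardware breakpoint goes on the first 4 bytes of the dump."""
    if len(stack_bytes) < 32:
        raise ValueError("need the full 32-byte PUSHAD frame")
    vals = struct.unpack_from("<8I", stack_bytes)  # little-endian dwords
    return {PUSHAD_ORDER[7 - i]: {"value": v, "address": esp_after + 4 * i}
            for i, v in enumerate(vals)}


def find_upx_tail_jump(code, code_va, window=32):
    """Find POPAD (0x61) followed within `window` bytes by JMP rel32 (0xE9) and
    resolve the target: target = address_of_jmp + 5 + rel32, rel32 being signed."""
    for i, b in enumerate(code):
        if b != 0x61:
            continue
        for j in range(i + 1, min(i + window, len(code) - 5) + 1):
            if code[j] == 0xE9:
                rel = struct.unpack_from("<i", code, j + 1)[0]
                jmp_va = code_va + j
                return {"jmp_va": jmp_va, "oep_va": (jmp_va + 5 + rel) & 0xFFFFFFFF}
    return None


def oep_rva(oep_va, image_base=IMAGE_BASE):
    """RVA form of the OEP, the value ImportREC expects in its OEP field."""
    return oep_va - image_base


if __name__ == "__main__":
    frame = pushad_frame(SAMPLE_ESP, SAMPLE_STACK)
    print("hardware bp on access: %08X (EDI slot)" % frame["EDI"]["address"])
    hit = find_upx_tail_jump(STUB_TAIL, STUB_TAIL_VA)
    print("tail JMP at %08X -> OEP VA %08X, OEP RVA %X"
          % (hit["jmp_va"], hit["oep_va"], oep_rva(hit["oep_va"])))
```

The byte scan is only a heuristic: 0x61 and 0xE9 can also occur as operand bytes, so the result should be confirmed in the debugger exactly as the post does (breakpoint on the JMP, single step, check that the landing code looks like a normal prologue such as the PUSH 70 / PUSH 010015E0 above).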

Right click on 0x01012475 and choose "Dump debugged process". Copy the value in the Modify text box, which is our OEP, and click the Dump button; this creates a new binary (dump_test.exe here).

dump_test.exe does not run yet, because it has no proper Import Address Table (IAT). Executing it throws the error below:


Load the original binary (calc.exe) into ImportREC and paste the OEP copied from the Modify text field when the dump file was created. Click AutoSearch to search for the IAT automatically. It gives the log message below:
Original IAT RVA found at: 0000120C in Section RVA: 00001000 Size:00018000

Now click on GetImports, which prints the log below if everything goes fine:
IAT read successfully.
------------------------------------------------
Current imports:
6 (decimal:6) valid module(s) (added: +6 (decimal:+6))
84 (decimal:132) imported function(s). (added: +84 (decimal:+132))

Now click on FixDump and select dump_test.exe. ImportREC fixes dump_test.exe and creates a new file dump_test_.exe; see the logs below:
*** New section added successfully. RVA:00029000 SIZE:00001000
Image Import Descriptor size: 78; Total length: 908
C:\Documents and Settings\praveen\Desktop\UnpackMe\upx_calc\dump_test_.exe saved successfully.

To cross-verify, load the newly created file into PEiD.

Done :-) !!! 

Manual unpacking of AHpack can be found at


8 comments:

  1. Praveen, one of my twitter buddies (Josh) pointed out a couple of problems with this, mainly you need the original file and its import address table, not interrupt address table.

    -BK

  2. good post...
    nicely explained...
    if we use latest olly dbg, it will directly unpack...
    with the old ollydbg, there is a plugin called pe peeler, it will unpack, it.
    thanks for sharing this post.

    1. Hey Bro.. How to save the unpacked file in new ollydbg.. kindly explain bro.

  3. Hi BK, thank you for pointing the error, corrected now.

  4. zerocoolnews, Thank you for the pointers :-), will check them

  5. ignore the linkedin haters. nice post!

  6. Love to read it, waiting for more new updates, and I already read your recent post, it's great, thanks. Binary options recovery
