RE: unpacking UPX or PE-packed binaries

From: Kayne Ian (Softlab) (Ian.Kayne_at_softlab.co.uk)
Date: 04/23/04

  • Next message: Greg Kilford: "RE: key material"
    To: Karma <steve@frij.com>, VulnDev <vuln-dev@securityfocus.com>
    Date: Fri, 23 Apr 2004 12:17:11 +0100

    Karma,

    Softice and a bit of patience. At any point, a compressed exe
    must be uncompressed by the compressor stub so that it can
    be properly executed.

    The trick is to find the call that jumps from the stub to
    the actual worm code once unpacked. There are a lot of ways
    to do this; it's too long to document here. Suffice to say
    you need working knowledge of Softice and x86 asm. I'm sure
    someone else will post a url to a good tutorial (fravia is
    always a handy place to start for reverse engineering info).

    Once you've found the jmp, patch it in Softice to jmp to esi,
    putting the code into an infinite loop. Next, get a copy
    of procdump and save it out to disk. Hey presto, the worm
    code ready for you to investigate.

    Hope that gives you somewhere to start.

    Ian Kayne
    Technical Specialist - IT Solutions
    Softlab Ltd - A BMW Company

    > -----Original Message-----
    > From: Karma [mailto:steve@frij.com]
    > Sent: 23 April 2004 03:26
    > To: "Undisclosed-Recipient:;"@securityfocus.com
    > Subject: unpacking UPX or PE-packed binaries
    >
    >
    > Hi List,
    >
    > Just interested in how AV R&D companies unpack worms with
    > complex UPX and PE pack protocols.
    >
    > Been trying to dissect the recent Gaobot variants and getting
    > nowhere with my generic UPX-unpacker. Since this is more and
    > more commonly used, I thought I would be wise to consult the Lists.
    >
    > Cheers,
    >
    > Karma
    >

    ********************************************************************
    This email and any files transmitted with it are confidential and
    intended solely for the use of the individual or entity to whom
    they are addressed.

    If you are not the intended recipient or the person responsible for
    delivering to the intended recipient, be advised that you have received
    this email in error and that any use of the information contained within
    this email or attachments is strictly prohibited.

    Internet communications are not secure and Softlab does not accept
    any legal responsibility for the content of this message. Any opinions
    expressed in the email are those of the individual and not necessarily
    those of the Company.

    If you have received this email in error, or if you are concerned with
    the content of this email please notify the IT helpdesk by telephone
    on +44 (0)121 788 5480.

    ********************************************************************
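Added illustration, not part of the thread: a static check that reflects Ian's point that a packed executable carries its original program only in compressed form and must be unpacked in memory by the stub. In a UPX-style layout the section that will receive the decompressed code is empty on disk while the entry point sits in the high-entropy section holding the stub and payload. The PE images are constructed inline, and `build_pe` and `analyse` are hypothetical helper names.

```python
import math
import struct
from collections import Counter

def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 image from (name, vsize, va, raw_bytes) tuples; constructed sample, not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> NT headers
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    table, body, raw_ptr = b"", b"", 0x400
    for name, vsize, va, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw),
                             raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body, raw_ptr = body + raw, raw_ptr + len(raw)
    return bytes(dos + coff + opt + table).ljust(0x400, b"\0") + body

def entropy(buf):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8.0."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def analyse(data):
    """Walk the section table: a section that is empty on disk but large in memory (written only
    by the stub at run time) plus an entry point in a high-entropy section suggests a packer."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    report = {"entry_rva": entry, "hollow": [], "entry_section": None}
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, pe + 24 + opt_size + 40 * i)
        name, ent = name.rstrip(b"\0").decode(), entropy(data[rptr:rptr + rsize])
        if rsize == 0 and vsize > 0:
            report["hollow"].append(name)                         # filled only in memory
        if va <= entry < va + max(vsize, rsize):
            report["entry_section"] = (name, round(ent, 2))
    ent = report["entry_section"][1] if report["entry_section"] else 0.0
    report["looks_packed"] = bool(report["hollow"]) and ent > 7.0
    return report

# Constructed samples: a UPX-style layout and a plain unpacked layout.
PACKED = build_pe([(b"UPX0", 0x10000, 0x1000, b""),                    # empty on disk
                   (b"UPX1", 0x2000, 0x11000, bytes(range(256)) * 4),  # stand-in for compressed data
                   (b".rsrc", 0x1000, 0x13000, bytes(0x200))], 0x11010)
CLEAN = build_pe([(b".text", 0x1000, 0x1000, b"\x55\x8b\xec\x83\xec\x10" * 100),
                  (b".data", 0x1000, 0x2000, bytes(0x200))], 0x1000)
```

The heuristic only flags the layout; the decompressed program itself still has to be dumped from memory after the stub has run, as the reply above describes.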
