UPX utilities is a well-known tools to compress almost any executable file including several type of dynamic and different OS executable. But it just for making your file smaller and not for protection at all. In this tutorial, I will show you an example how to unpack UPX packed file with a few tools. Of course, you can find this kind of tutorial any where on the internet but mostly not complete to make people understand. Before we get started,
Here it is what you need:1.
OllyDbg (or Immunity Debugger,
OllyICE, etc.)
2.
ImportREC3.
IDA ProHands-on1. Example UPX Packed file (
gms.exe or download here)
Let's get Started:1. Load your
gms.exe (or any UPX packed file) into your OllyDbg. Once you loaded the file, you will get into the first stop of the PUSHAD offset. For
gms.exe the offset is 558B40. Other file might be differ but it doesn't matter.
Figure 1
2. Next, scroll down until you find
POPAD instruction or just press CTRL+F and type
POPAD, hit Enter and you'll be jumped into that instruction as highlighted (A) on Figure 2 below. How do I know
Figure 2
3. Press
F7 to step into until
JMP as highlighted on the image above (B), so there it is the
OEP that we are looking for. For this tutorial it is
406A94. Press
F2 to make breakpoint on that offset.
4. Run the program by pressing
F9 and wait until it stop to the breakpoint. At this point,
right click on CPU window and click
Dump debugged process. Why choosing that? This because at this point the program has been decompressed into memory. So, what you need to do, dump the process into a file and save it anywhere. For example:
C:\Documents and Settings\User\Desktop\dumped.exe. After doing that, DO NOT CLOSE THE OLLYDBG.
Figure 3
5. If you are try to run the dumped.exe file it might be come up with an error message. This because your program does not point the right IAT address. To fix that, open up
Import REConstructor tools. On top, you'll see '
Attach to an open process' section. Open the combo box and choose the path of gms.exe to be attached.
After that, at the '
IAT Infos Needed' section click on
AutoSearch button. You probably come out with error message says '
Could not found anything good at this OEP:-('. This mean you are currently not at the right entrypoint to start the application properly that might cause error while executing it. To fix that, change the default OEP value to
0xF5B68. And try hit AutoSearch button again. If you are doing right you should get this message:
How do I know the OEP address?
OEP = RVA Address - Image Base
Image Base =
00400000 <--
PE Header image addressHow do I get Image Base address?
Just simply press ALT-M on OllyDbg and find 'PE header' text on 'Contains' column. You'll find the Offset address over there.
RVA Address =
004F5B68 <--
where the last disassemble analysis end up.How do I get RVA address? Lets take a look with IDA Pro. If you load gms.exe on IDA you will see the program flow and at the end of flow it will end up with unexpected stack pointer.
If you see at JMP (same on OllyDbg), it is clearly jump to the address where the value is RVA address before it end with unexpected end point. All UPX packed file flow should be look like that.
Original Entry Point =
0xF5B68 <--
where the OEP is the address to the decompression routine done.How do I get the OEP?
To get OEP, RVA address minus Image base address then you will get the value for UPX packed OEP. Use formula as given above.
6. Once you get this message, click
Get Imports button to extract all Import table information. Make sure all listed import function should be marked as
valid=YES at the end of every list line. If there is a thunks marked as
valid=NO, you need to remove it all by right click on the thunk and choose Delete thunk(s).
7. After doing that, you can click on
Fix dump button and choose where your dumped.exe is located. ImportREC will fix the dumped.exe automatically. Then you can try to execute the program and it should be running correctly and you can continue for further analysis.
That's all. If you got any question about this tutorial feel free to leave a comment.