In this post I will explain how you can unpack a UPX-packed executable file. There are several posts on this topic online, but I have noticed that they all follow the same steps without giving much insight into what is actually happening in the background. Since my blog is dedicated to absolute beginners, I will go as deep as I can in this article so that you don’t feel like a blank cartridge.
I will do this by dissecting each and every step of the unpacking process for a UPX-packed file.
So, what’s the agenda?
First of all, we will understand what a packer is and talk about a well-known open-source packer, UPX. We will pack a file first, and later we will see how to unpack that same UPX-packed file. We will cover both ways of unpacking: the automatic (simple) way as well as the manual way.
And let me tell you, manually unpacking an executable file is where the actual fun begins.
[Figure: Packer Structure]
What are Packers
Software packers are a way of compressing an executable and combining the compressed data with the decompression code (the unpacking stub) into a single executable. When the packed executable is run, the unpacking stub decompresses and recreates the original code in memory before executing it.
Malware authors commonly use packers to hide the presence of malware from antivirus scanners and to make the analyst's task of reverse-engineering the packed file more difficult.
UPX Packer
UPX (Universal Packer for Executables) is one such open-source, free and easy-to-use packer, and it is frequently used by malware authors to compress their malware so that it bypasses antivirus signature detection. UPX supports all major operating systems, both x86 and x64, and a variety of executable formats. UPX compresses the executable and is designed for performance rather than security.
UPX is not difficult to reverse-engineer and does not pose much of a challenge for a malware analyst. Most programs packed with UPX can be unpacked with a single command-line option, “-d”.
Since unpacking with UPX is fairly easy, it is a good packer for learning how to manually unpack a UPX-packed executable, which we will see later in this post and which is the main agenda of this article.
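As an added illustration of the packer structure described above and of what a UPX-packed file looks like before you reach for “-d” (example code written for this post, not part of UPX or the original article): a minimal PE section-table walker that flags the UPX0/UPX1 section names and the "UPX!" marker UPX writes into its header. The section names and marker are assumptions based on UPX's default behaviour, and the sample PE blobs are constructed headers-only byte strings, not real executables.

```python
import struct

# Section names UPX gives the sections it creates (an assumption about UPX's
# default naming, not something the post states): UPX0 is the empty region the
# stub decompresses into, UPX1 holds the compressed data plus the unpacking stub.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list:
    """Walk the PE headers of an image held in memory and return its section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                         # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    table = coff + 20 + size_opt                                # first IMAGE_SECTION_HEADER
    return [data[table + i * 40:table + i * 40 + 8].rstrip(b"\0")
            for i in range(num_sections)]


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX section names, or the 'UPX!' marker UPX leaves in the file."""
    return bool(set(pe_section_names(data)) & UPX_SECTION_NAMES) or b"UPX!" in data


def build_sample_pe(section_names, opt_size=224) -> bytes:
    """Constructed headers-only PE blob for offline testing; it is not runnable code."""
    dos = bytearray(b"MZ" + b"\0" * 62)                        # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, len(dos))                # e_lfanew -> right after it
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * opt_size + sections


if __name__ == "__main__":
    for label, blob in (("packed", build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])),
                        ("plain", build_sample_pe([b".text", b".data", b".rsrc"]))):
        verdict = "UPX-packed, try upx -d" if looks_upx_packed(blob) else "not UPX-packed"
        print(label, pe_section_names(blob), verdict)
```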
Let’s Get Down To The Unpacking Business
Here we will demonstrate the unpacking of a UPX-packed executable in two ways. First, we will try the easiest way and see how simple it is to unpack the packed executable; second, we will see how to decompress the packed file manually.
For demonstration purposes I will be using a program called “BinText”, a malware analysis tool for extracting strings from a specimen. I have provided a link to the sample here so that it is easier for you to follow along. Before we start delving into the world of unpacking, we need a few tools in our arsenal.
VIDEO Tutorial
And just to save you some time Googling, I have provided links to all the tools used in this article here.