
Modified UPX Unpacker


8 replies to this topic

#1 delphifocus


Posted 27 February 2019 - 04:36 AM

Hello master,

Is there a tool that can automatically unpack modified UPX?

I found QuickUnpack v4.35 can't do this job well.

Please help with how to use QuickUnpack correctly, or tell me if there is another tool.

Thank you

 


  • 0

#2 Kurapica


Posted 27 February 2019 - 08:50 AM

You can find many tutorials on Tuts4you on unpacking UPX and its modified versions. Did you try to search there?


  • 1

#3 CodeExplorer


Posted 27 February 2019 - 02:42 PM

PE Explorer and Resource Tuner have a UPX unpacker:
http://www.heaventools.com/
http://www.restuner.com/

If that does not work, the standard Pushad/Popad method - breaking on a read of dword [ESP] after the Pushad instruction - will do the trick.


  • 1

#4 delphifocus


Posted 28 February 2019 - 07:40 AM

> You can find many tutorials on Tuts4you on unpacking UPX and its modified versions. Did you try to search there?

I'm not a member there, I will register later. Can you point me to the link?


  • 0

#5 delphifocus


Posted 01 March 2019 - 03:22 AM

> PE Explorer and Resource Tuner have a UPX unpacker:
> http://www.heaventools.com/
> http://www.restuner.com/
>
> If that does not work, the standard Pushad/Popad method - breaking on a read of dword [ESP] after the Pushad instruction - will do the trick.

Neither of them can automatically unpack (because they didn't detect it) the modified UPX that I wanna unpack.


  • 0

#6 kao


Posted 01 March 2019 - 07:05 AM

1) Why do you think it's a modified UPX?

2) Did you try CodeCracker's suggestion about standard pushad/popad method?


  • 0

#7 delphifocus


Posted 02 March 2019 - 04:15 AM

> 1) Why do you think it's a modified UPX?
>
> 2) Did you try CodeCracker's suggestion about standard pushad/popad method?

1. I simply analyzed it with the EXEinfo PE tool.

2. I don't know how to do this manual job, that's why I ask if there is an automatic tool that can do this job.

Btw, would you mind telling me how to do this manually, with x64dbg maybe?


  • 0
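Why a signature-based unpacker can fail to recognise a modified UPX file while the stub still has the pushad shape that the manual method mentioned above relies on, as an added example that is not part of any post in this thread. It is a heuristic for 32-bit PE files only; the function names are hypothetical and the sample image is constructed for the demo, not a real packed file.

```python
import struct

def upx_indicators(data: bytes) -> dict:
    """Static triage of a 32-bit PE image for the traits of a UPX stub."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    entry_rva = struct.unpack_from("<I", data, pe + 40)[0]  # AddressOfEntryPoint
    names, entry_off, empty_first = [], len(data), False
    for i in range(nsec):
        off = pe + 24 + opt_size + 40 * i                   # section header i
        name, vsize, va, rsize, rptr = struct.unpack_from("<8s4I", data, off)
        names.append(name.rstrip(b"\0").decode("latin-1"))
        # UPX0-style first section: no bytes on disk, filled at run time
        empty_first = empty_first or (i == 0 and rsize == 0 and vsize > 0)
        if va <= entry_rva < va + max(vsize, rsize):
            entry_off = rptr + (entry_rva - va)             # file offset of entry
    return {
        "sections": names,
        "upx_names": any(n.startswith("UPX") for n in names),
        "upx_magic": b"UPX!" in data,
        "empty_first_section": empty_first,
        "pushad_at_entry": data[entry_off:entry_off + 1] == b"\x60",
    }

def looks_like_modified_upx(ind: dict) -> bool:
    """Stub shape is present, but the labels signature-based tools key on are gone."""
    shape = ind["empty_first_section"] and ind["pushad_at_entry"]
    return shape and not (ind["upx_names"] and ind["upx_magic"])

def build_sample(names=(b"UPX0", b"UPX1"), magic=b"UPX!") -> bytes:
    """Constructed minimal PE32-like image for the demo (not a real packed file)."""
    pe, opt = 0x40, 0xE0
    img = bytearray(0x400)
    img[:2], img[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, pe)
    struct.pack_into("<HH12xH", img, pe + 4, 0x14C, 2, opt)
    struct.pack_into("<I", img, pe + 40, 0x2000)            # entry in section 2
    tbl = pe + 24 + opt
    struct.pack_into("<8s4I", img, tbl, names[0], 0x1000, 0x1000, 0, 0x200)
    struct.pack_into("<8s4I", img, tbl + 40, names[1], 0x1000, 0x2000, 0x200, 0x200)
    img[0x200] = 0x60                                       # pushad opcode
    img[0x1E0:0x1E0 + len(magic)] = magic
    return bytes(img)

if __name__ == "__main__":
    for img in (build_sample(), build_sample((b".text", b".data"), b"")):
        print(looks_like_modified_upx(upx_indicators(img)), upx_indicators(img))
```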

#8 Kurapica


Posted 02 March 2019 - 08:49 AM

Automatic tools will not teach you anything, try to understand the basic concepts and you will never need those automatic tools.


  • 1

#9 delphifocus


Posted 03 March 2019 - 02:38 AM

> Automatic tools will not teach you anything, try to understand the basic concepts and you will never need those automatic tools.

Thanks a lot for your suggestion.


Edited by delphifocus, 03 March 2019 - 02:38 AM.

  • 0



