UPX unpacking

UPX is considered the easiest packer to unpack. It is very popular, open source and widely used.

Before trying to unpack UPX manually, you might want to visit the official UPX site to grab their command line tool.

Try to unpack the binary by running “upx -d <file>”. If the tool cannot unpack the file, use the following steps to do it manually.

Load the file into OllyDbg and break at the entry point. Then take a look at the first opcodes: if the code starts with PUSHA, PUSHF or PUSHAD, you can go straight to Section 2.

Section 1:

So I reckon you are looking at an entry point that looks something like this:

[Image: Old UPX Entrypoint]

This means you’ve just stumbled onto an older, obsolete version of UPX. Most people who use this to pack malware probably think it is harder to unpack, since the command line tool just won’t bite. I’ll let you be the judge of that.

Scroll down in the OllyDbg main window until you hit this:

[Image: Old UPX Stub footer]

Place a hardware breakpoint on the RETN instruction (in the image above, at address 004843DE). Press F9 to let OllyDbg run until it hits the breakpoint. Now single-step the RETN instruction and proceed to Section 2.

Section 2:

The rest of the packer stub is common to both the new versions of UPX and the obsolete ones. Your OllyDbg should now be resting here:

[Image: New UPX Stub Header]

Now scroll down until you see a POPAD instruction:

[Image: New UPX Stub footer]

Set a hardware breakpoint on the next JMP opcode after the POPAD. It might not be the instruction immediately following the POPAD; there may be a few other opcodes in between. Once you’ve set the breakpoint, press F9 again to run to the target.

After OllyDbg breaks, all you need to do is press F7 once to single-step and presto! The original entry point is at your feet.

Again, OllyDump is able to dump properly, without the need to fix imports.
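The same two facts the walkthrough relies on (UPX-named sections, and a stub whose tail is POPAD followed shortly by a JMP to the original entry point) can be checked by a script before anyone opens a debugger. The following Python is an added example, not code from the original post or from the UPX project: it parses the PE section table without third-party modules, reports whether a file looks UPX-packed, and locates the POPAD ... JMP tail in the section holding the entry point, computing the RVA that the JMP lands on. The sample PE is constructed in memory; its section layout, the filler bytes in the stub, the OEP value 0x1234 and the position of the “UPX!” marker are all assumptions made for the demonstration.

```python
"""Dependency-free triage for UPX-packed PE files (added example, not from the article)."""
import struct

SECTION_HEADER_SIZE = 40


def parse_pe(data: bytes) -> dict:
    """Return the entry-point RVA and section table of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    entry_rva, = struct.unpack_from("<I", data, opt_off + 16)   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt_off + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections, rva):
    """Return the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def looks_upx_packed(data: bytes) -> bool:
    """Cheap triage: UPX-named sections, or the 'UPX!' marker the upx tool writes."""
    names = [s["name"] for s in parse_pe(data)["sections"]]
    return any(n.startswith("UPX") for n in names) or b"UPX!" in data


def find_upx_tail_jump(data: bytes, max_gap: int = 32):
    """Find POPAD (0x61) followed within max_gap bytes by JMP rel32 (0xE9) in the
    entry-point section. Returns (jmp_rva, oep_rva) or None. The real tail jump
    leaves the stub's section, so candidates landing in the same section are skipped."""
    info = parse_pe(data)
    sec = section_for_rva(info["sections"], info["entry_rva"])
    if sec is None or sec["rawsize"] == 0:
        return None
    stub = data[sec["rawptr"]:sec["rawptr"] + sec["rawsize"]]
    pos = info["entry_rva"] - sec["va"]
    while True:
        pos = stub.find(b"\x61", pos)
        if pos < 0:
            return None
        window = stub[pos + 1:pos + 1 + max_gap]
        j = window.find(b"\xe9")
        if j >= 0 and len(window) >= j + 5:
            jmp_off = pos + 1 + j
            rel32, = struct.unpack_from("<i", stub, jmp_off + 1)
            jmp_rva = sec["va"] + jmp_off
            oep_rva = (jmp_rva + 5 + rel32) & 0xFFFFFFFF
            if section_for_rva(info["sections"], oep_rva) is not sec:
                return jmp_rva, oep_rva
        pos += 1


def build_sample_pe() -> bytes:
    """Constructed PE32: UPX0 (no raw data), UPX1 holding a stub whose tail mirrors
    the real UPX one (POPAD ... JMP OEP), and .rsrc. All values are made up."""
    oep_rva, upx1_va, upx1_raw = 0x1234, 0x11000, 0x400
    tail = (b"\x61"              # POPAD
            b"\x8d\x44\x24\x80"  # LEA EAX,[ESP-0x80]
            b"\x6a\x00"          # PUSH 0
            b"\x39\xc4"          # CMP ESP,EAX
            b"\x75\xfa"          # JNZ back to PUSH 0
            b"\x83\xec\x80")     # SUB ESP,-0x80
    stub = b"\x60" + b"\x90" * 5 + tail          # PUSHAD, filler (constructed), tail
    jmp_rva = upx1_va + len(stub)
    stub += b"\xe9" + struct.pack("<i", oep_rva - (jmp_rva + 5))   # JMP OEP
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, upx1_va)     # entry point at start of UPX1

    def sh(name, vsize, va, rawsize, rawptr):
        return struct.pack("<8sIIII", name, vsize, va, rawsize, rawptr) + b"\0" * 16

    secs = (sh(b"UPX0", 0x10000, 0x1000, 0, 0) + sh(b"UPX1", 0x1000, upx1_va, 0x200, upx1_raw)
            + sh(b".rsrc", 0x1000, 0x12000, 0x200, 0x600))
    image = bytearray(0x800)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
    image[:len(hdr)] = hdr
    image[0x3A0:0x3A4] = b"UPX!"                 # marker position is constructed
    image[upx1_raw:upx1_raw + len(stub)] = stub
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe()
    print("UPX-packed:", looks_upx_packed(sample))
    jmp, oep = find_upx_tail_jump(sample)
    print(f"tail JMP at RVA {jmp:#x} -> OEP RVA {oep:#x}")
```

The “UPX!” marker is what the command line tool keys on, so a sample in which it has been altered is precisely the case where “upx -d” fails and the manual OllyDbg route above is needed; the tail-jump scan gives you the address to put the hardware breakpoint on before you start scrolling. Real stubs vary between UPX versions, so treat the computed OEP as a candidate to confirm in the debugger, not as a final answer.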

One Response to “UPX unpacking”

  1. Red Says:

    Red…

    Cool! It’s really cool….

If you want to comment on this article please send e-mail
to authors(_at_)teamfurry.com or go to the forums.
