Unpacking UPX packed (possibly scrambled) executable

Reverse Engineering Asked by see ya on December 19, 2020

I’ve decided to reverse this crackme. Obviously it’s packed. I was told by PEiD that there is only UPX inside. OK, but upx -d simply crashed, which is why I’ve concluded that this UPX may be scrambled somehow.

[Image: IDA warning]

The binary didn’t run properly in a debugger (WinDbg) for unpacking, so I dumped the exe from the working process and tried to fix the imports. Maybe I should have tried Olly with plugins? However, IDA still warns me that some imports might be destroyed (see picture). My question is: did I unpack it correctly? If not, what else should I do to unpack it?

[Image: Unpacked]

2 Answers

Here you can find a bunch of tools for unpacking UPX. One of them (Upx Unpacker 0.2) solved my issue. Every unpacker should be used in a specific case, and this list may be incomplete.

Correct answer by see ya on December 19, 2020

You should try to unpack it manually and reconstruct the IAT. With UPX, it should be pretty straightforward. Here is a tutorial in case you don't know how to start: https://web.archive.org/web/20080529124107/http://writequit.org/blog/?p=165

Answered by Dillinur on December 19, 2020
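
A triage check for the "possibly scrambled" case in the question, as an added example that is not part of the original posts: it reads the PE section table and looks for the UPX0/UPX1 section names and the UPX! pack-header magic that a stock UPX build writes. The function names and the sample bytes are constructed for illustration, and searching the whole file for the magic is a heuristic.

```python
import struct

UPX_MAGIC = b"UPX!"  # magic at the start of UPX's pack header

def section_names(pe):
    """Return the section names from a PE image's section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # The 20-byte COFF header follows the 4-byte signature.
    (nsect,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsect):
        raw = pe[table + 40 * i: table + 40 * i + 8]  # 8-byte name field
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names

def upx_triage(pe):
    """Heuristic: are the markers written by stock UPX still present?"""
    names = section_names(pe)
    has_names = any(n.startswith("UPX") for n in names)
    has_magic = UPX_MAGIC in pe
    if has_names and has_magic:
        verdict = "stock UPX markers present"
    elif has_names or has_magic:
        verdict = "UPX markers partly missing: possibly scrambled"
    else:
        verdict = "no UPX markers found (not UPX, or markers wiped)"
    return {"sections": names, "magic": has_magic, "verdict": verdict}

def make_pe(names, body=b""):
    """Constructed sample: minimal PE headers with the given section names."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    sects = b"".join(n.encode().ljust(40, b"\0") for n in names)
    return dos + b"PE\0\0" + coff + sects + body

if __name__ == "__main__":
    stock = make_pe(["UPX0", "UPX1", ".rsrc"], b"\0" * 16 + UPX_MAGIC)
    renamed = make_pe([".text", ".data", ".rsrc"], b"\0" * 16 + UPX_MAGIC)
    for label, sample in (("stock", stock), ("renamed", renamed)):
        print(label, upx_triage(sample))
```

To check a real file, pass its bytes instead of the constructed samples, for example `upx_triage(open(path, "rb").read())`.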
