KDN
Posted June 19, 2017

Hi all, I am struggling to unpack a 64 bit DLL file that is packed with UPX 3.93. I have been able to upx -d with no issue. But in order to debug it, I need it to work, so I need to fix the import table and OEP. Does anyone have any steps on how I can do this? Being 64 bit the tutorials do not help me and I can't find anything for a 64-bit dll. If I can find the OEP I can use OllydumperEX but I cannot even find that!
Sirte
Posted February 11, 2018

I got a similar problem with a modified version of UPX 3.91, unpacks fine with -d but crashes on start, there's no PUSHAD opcall and manually tracing left me with nothing. In olly I'd use Debugging -> SFX -> "Trace real entry blockwise" but this functionality is not available in x64dbg.

Edited February 11, 2018 by Sirte
deepzero
Posted February 11, 2018

Attach the target or give more info about the crash...
Sirte
Posted February 12, 2018

23 hours ago, deepzero said: Attach the target or give more info about the crash...

Crashes at a jump to a non-existing address in init. Seems like some dll (ucrtbas) is screwed.

Edited February 12, 2018 by Sirte
mosadegh22
Posted September 11, 2019

I have a file packed by UPX. Can anyone unpack it?
Mattiwatti
Posted December 9, 2019

A bit late to this thread, but... UPX has a bug where it will strip the relocation info from files, but not set the IMAGE_FILE_RELOCS_STRIPPED flag on the PE file header characteristics when unpacking the original. Furthermore, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is also not removed from the DllCharacteristics field of the optional header.

To be clear, that means there is information loss (the relocation info) when compressing a relocatable PE file with UPX. Because Windows thinks the image is relocatable, it will relocate it without applying relocation fixups (after all, there are none). This will cause the executable to crash.

Assuming it is not a problem that the image cannot have ASLR, you can either toggle IMAGE_FILE_RELOCS_STRIPPED on, or toggle IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE off. I would personally go with the former since it more accurately describes what UPX has done.

Edited December 9, 2019 by Mattiwatti
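The header fix described in the post above, as an added example that is not part of the original thread and not code from UPX or any poster. The function names are hypothetical, the script assumes an empty base relocation directory means "no fixups", and the sample input is a constructed set of PE32+ headers rather than a real DLL.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # FileHeader.Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # OptionalHeader.DllCharacteristics
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5             # index into the data directories

def _layout(pe):
    """Return file offsets of Characteristics, DllCharacteristics, data directories."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = nt + 24                                         # signature + 20-byte file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    return nt + 22, opt + 70, opt + (112 if magic == 0x20B else 96)

def claims_relocatable_without_relocs(pe):
    """True when the headers promise a relocatable image but no fixups exist."""
    chars_off, dll_off, dirs = _layout(pe)
    chars, = struct.unpack_from("<H", pe, chars_off)
    dllchars, = struct.unpack_from("<H", pe, dll_off)
    count, = struct.unpack_from("<I", pe, dirs - 4)       # NumberOfRvaAndSizes
    size = 0
    if count > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        _, size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    return (bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
            and not chars & IMAGE_FILE_RELOCS_STRIPPED and size == 0)

def mark_relocs_stripped(pe):
    """Return a copy with IMAGE_FILE_RELOCS_STRIPPED set (the first option in the post)."""
    out = bytearray(pe)
    if claims_relocatable_without_relocs(out):
        out[_layout(out)[0]] |= IMAGE_FILE_RELOCS_STRIPPED  # flag is in the low byte
    return bytes(out)

def sample_headers():
    """Constructed PE32+ DLL headers: DYNAMIC_BASE set, empty reloc directory."""
    pe = bytearray(0x40 + 24 + 240)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x44, 0x8664, 0)          # Machine, NumberOfSections
    struct.pack_into("<HH", pe, 0x54, 240, 0x2022)        # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", pe, 0x58, 0x20B)               # PE32+ magic
    struct.pack_into("<H", pe, 0x58 + 70, 0x0160)         # DllCharacteristics
    struct.pack_into("<I", pe, 0x58 + 108, 16)            # NumberOfRvaAndSizes
    return bytes(pe)
```

To patch a real unpacked file, read it as bytes, pass it through `mark_relocs_stripped`, and write the result to a new file. The script does not update the optional header CheckSum field.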
newhak
Posted December 27, 2019

On 9/11/2019 at 6:21 AM, mosadegh22 said: I have a file packed by UPX. Can anyone unpack it?

Can you PM your target?