Tuts 4 You

UPX 3.93


KDN


Hi all,

 

I am struggling to unpack a 64-bit DLL file that is packed with UPX 3.93. I have been able to upx -d with no issue. But in order to debug it, I need it to work, so I need to fix the import table and OEP. Does anyone have any steps on how I can do this? Being 64-bit, the tutorials do not help me and I can't find anything for a 64-bit DLL. If I can find the OEP I can use OllydumperEX but I cannot even find that!

 

 

  • 7 months later...

I got a similar problem with a modified version of UPX 3.91: it unpacks fine with -d but crashes on start. There's no PUSHAD opcall and manually tracing left me with nothing.

In Olly I'd use Debugging -> SFX -> "Trace real entry blockwise" but this functionality is not available in x64dbg.

Edited by Sirte
23 hours ago, deepzero said:

Attach the target or give more info about the crash...

Crashes at a jump to a non-existing address in init. Seems like some dll (ucrtbas) is screwed.


 

 

Edited by Sirte
  • 1 year later...
  • 2 months later...

A bit late to this thread, but...

UPX has a bug where it will strip the relocation info from files, but not set the IMAGE_FILE_RELOCS_STRIPPED flag on the PE file header characteristics when unpacking the original. Furthermore IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is also not removed from the DllCharacteristics field of the optional header. To be clear, that means there is information loss (the relocation info) when compressing a relocatable PE file with UPX. Because Windows thinks the image is relocatable, it will relocate it without applying relocation fixups (after all, there are none). This will cause the executable to crash.

Assuming it is not a problem that the image cannot have ASLR, you can either toggle IMAGE_FILE_RELOCS_STRIPPED on, or toggle IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE off. I would personally go with the former since it more accurately describes what UPX has done.

Edited by Mattiwatti
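
The header check and the first fix described in the post above, as an added example that is not part of the original thread and is not UPX code. It assumes the stripped relocations show up as an empty base relocation directory; the function names and the header-only sample image are constructed for illustration.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # FileHeader.Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # OptionalHeader.DllCharacteristics bit

def _offsets(data):
    """File offsets of Characteristics, DllCharacteristics and the reloc directory entry."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe + 24                                          # 4-byte signature + 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)           # start of the data directories
    return pe + 22, opt + 70, dirs + 8 * 5                 # entry 5 = base relocation directory

def needs_fix(data):
    """True if the image claims to be relocatable but carries no relocation data."""
    ch_off, dll_off, rel_off = _offsets(data)
    chars, = struct.unpack_from("<H", data, ch_off)
    dllchars, = struct.unpack_from("<H", data, dll_off)
    rva, size = struct.unpack_from("<II", data, rel_off)
    return (not chars & IMAGE_FILE_RELOCS_STRIPPED
            and bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
            and (rva == 0 or size == 0))                   # assumption: stripped == empty directory

def set_relocs_stripped(data):
    """Return a copy with IMAGE_FILE_RELOCS_STRIPPED set; nothing else is changed."""
    out = bytearray(data)
    ch_off = _offsets(data)[0]
    chars, = struct.unpack_from("<H", out, ch_off)
    struct.pack_into("<H", out, ch_off, chars | IMAGE_FILE_RELOCS_STRIPPED)
    return bytes(out)

def constructed_sample():
    """Constructed PE32+ headers only: DYNAMIC_BASE set, reloc directory left empty."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 22, 0x2022)         # EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE|DLL
    struct.pack_into("<H", img, 0x80 + 24, 0x20B)          # PE32+ magic
    struct.pack_into("<H", img, 0x80 + 24 + 70, 0x0160)    # HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT
    return bytes(img)

if __name__ == "__main__":
    sample = constructed_sample()
    print(needs_fix(sample), needs_fix(set_relocs_stripped(sample)))
```

On a real file, read the unpacked DLL's bytes, and if `needs_fix()` is true write the result of `set_relocs_stripped()` to a new file. The PE checksum is not recalculated.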