Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 08-02-2022, 17:40
Artic Artic is offline
Friend
 
Join Date: Jul 2014
Location: target folder
Posts: 110
Rept. Given: 48
Rept. Rcvd 15 Times in 9 Posts
Thanks Given: 178
Thanks Rcvd at 42 Times in 24 Posts
Artic Reputation: 15
How to repair UPX dump?

I am trying to learn unpacking and repairing.

It looks like i cant repair some of the import after creating a simple UPX unpack me. (thought first this a problem of the other target im looking at, but it looks like its a normal problem.)

Usually i use UPX unpack feature and then repair this with scylla by attaching to the running process.

But then there are imports i cant repair that way, as they remain suspect/invalid and also the dump does not run.

Any ideas what could have been wrong?

Let me see if i can later post a sample with pictures of the problem.
Reply With Quote
  #2  
Old 08-03-2022, 17:05
BlackWhite BlackWhite is offline
Friend
 
Join Date: Apr 2013
Posts: 80
Rept. Given: 4
Rept. Rcvd 14 Times in 6 Posts
Thanks Given: 12
Thanks Rcvd at 48 Times in 21 Posts
BlackWhite Reputation: 14
UPX does not keep the original import table, it recontructs a non-standard import table on compressing, so you should write a program to rebuild it.
Reply With Quote
The Following User Says Thank You to BlackWhite For This Useful Post:
binarylaw (08-09-2022)
  #3  
Old 08-04-2022, 01:54
niculaita's Avatar
niculaita niculaita is offline
Family
 
Join Date: Jun 2011
Location: here
Posts: 1,342
Rept. Given: 947
Rept. Rcvd 89 Times in 61 Posts
Thanks Given: 4,299
Thanks Rcvd at 479 Times in 338 Posts
niculaita Reputation: 89
use CFF Explorer to unpack

maybe is a fake upx that masks a vmprotect
__________________
Decode and Conquer
Reply With Quote
The Following User Says Thank You to niculaita For This Useful Post:
binarylaw (08-09-2022)
  #4  
Old 08-16-2022, 01:32
Artic Artic is offline
Friend
 
Join Date: Jul 2014
Location: target folder
Posts: 110
Rept. Given: 48
Rept. Rcvd 15 Times in 9 Posts
Thanks Given: 178
Thanks Rcvd at 42 Times in 24 Posts
Artic Reputation: 15
Looking at this for fun: https://www.bvckup2.com/download

it unpacks fine, but i cant repair the import table.

CFF Explorer, produces an exe, which propmpts windows to show the message that the resulting exe is not for this pc.
Reply With Quote
  #5  
Old 08-16-2022, 07:26
ionioni ionioni is online now
Friend
 
Join Date: Jul 2016
Posts: 80
Rept. Given: 8
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 92
Thanks Rcvd at 154 Times in 49 Posts
ionioni Reputation: 3
"upx -d --strip-relocs=0 bvckup2.exe" or use a devel build, this issue was fixed meanwhile
Reply With Quote
The Following 3 Users Say Thank You to ionioni For This Useful Post:
Artic (08-17-2022), niculaita (08-18-2022), tonyweb (08-24-2022)
  #6  
Old 08-17-2022, 21:17
Artic Artic is offline
Friend
 
Join Date: Jul 2014
Location: target folder
Posts: 110
Rept. Given: 48
Rept. Rcvd 15 Times in 9 Posts
Thanks Given: 178
Thanks Rcvd at 42 Times in 24 Posts
Artic Reputation: 15
this worked finally.
wondering if 3.95 had the same problem? one way to find out - downgrading.
Reply With Quote
  #7  
Old 08-22-2022, 20:56
surferxyz surferxyz is offline
Friend
 
Join Date: Jan 2005
Location: Planet Earth
Posts: 73
Rept. Given: 0
Rept. Rcvd 9 Times in 4 Posts
Thanks Given: 10
Thanks Rcvd at 52 Times in 19 Posts
surferxyz Reputation: 9
Pretty sure the issue will still be in 3.95, you can read about the bug here, related to using upx.exe to decompress ASLR binaries : https://github.com/upx/upx/issues/359

But it sounds like you were trying to manually unpack it, so i'm not really sure...
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 16:43.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )