belgther
Apr 4 2006, 12:25 PM
OK, here is the fastest method I found out to unpack any UPX-packed program:
1) Load the program with Olly.
2) Scroll down a little bit until you find a long jump which refers outside the given code (like JMP 472341). Set a breakpoint there. The address points to the OEP.
3) Dump the program with LordPE, and change the EntryPoint to the value: found value - ImageBase.
4) Open ImpRec, select the process, edit the EP there, and let it find the IAT. Just in case, set the size of the IAT to something bigger.
5) Remove any invalid thunks, and fix the dump.
6) Voila! You are done and have unpacked UPX in 30 secs...
If you have a faster method, please write it here. Except the upx -d option, of course.
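A small script, added here and not part of the original post, that does the header arithmetic behind steps 2 and 3 on a dump: it checks for the stock UPX0/UPX1 section names, turns the long JMP's target address into an RVA by subtracting ImageBase, rejects a target that lands outside every section, and rewrites AddressOfEntryPoint. The PE headers it works on are constructed inside the script; the 0x400000 image base, the section layout and the entry addresses are assumptions.

```python
import struct

IMAGE_BASE = 0x400000  # assumed image base, matching the post's example target JMP 472341

def build_sample_pe(sections, entry_rva):
    # Constructed minimal PE32 headers (not a real executable): DOS header, PE sig, COFF, optional, sections
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    # Magic=PE32 at 0, AddressOfEntryPoint at 16, ImageBase at 28, padded to the PE32 size of 224
    opt = struct.pack("<H14xI8xI", 0x10B, entry_rva, IMAGE_BASE).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), sz, va, sz, 0, 0, 0, 0, 0, 0x60000020)
                     for n, va, sz in sections)
    return dos + b"PE\0\0" + coff + opt + table

def _pe_offsets(data):
    """Return (optional header offset, section table offset, number of sections)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)
    return pe + 24, pe + 24 + opt_size, nsec

def section_headers(data):
    _, table, nsec = _pe_offsets(data)
    return [(n.rstrip(b"\0").decode("ascii", "replace"), va, vs)
            for n, vs, va in (struct.unpack_from("<8sII", data, table + i * 40) for i in range(nsec))]

def is_upx_packed(data):
    """Triage check: stock UPX names its sections UPX0/UPX1 (a scrambler may rename them)."""
    return {"UPX0", "UPX1"} <= {n for n, _, _ in section_headers(data)}

def entry_point(data):
    return struct.unpack_from("<I", data, _pe_offsets(data)[0] + 16)[0]

def oep_rva(data, jump_target_va):
    """Step 3 of the post: RVA = target VA of the long JMP minus ImageBase; must fall inside a section."""
    opt = _pe_offsets(data)[0]
    rva = jump_target_va - struct.unpack_from("<I", data, opt + 28)[0]
    if not any(va <= rva < va + vs for _, va, vs in section_headers(data)):
        raise ValueError(f"RVA {rva:#x} lies outside every section")
    return rva

def set_entry_point(data, jump_target_va):
    """Return a copy of the dump with AddressOfEntryPoint rewritten to the OEP RVA."""
    patched = bytearray(data)
    struct.pack_into("<I", patched, _pe_offsets(data)[0] + 16, oep_rva(data, jump_target_va))
    return bytes(patched)

# Constructed sample: UPX0 receives the unpacked code, UPX1 holds the stub where the packed EP lives.
SAMPLE = build_sample_pe([(b"UPX0", 0x1000, 0x80000), (b"UPX1", 0x81000, 0xC000)], 0x8B000)
```

Run against a real dump by reading the file bytes instead of SAMPLE; the out-of-section check is what catches a breakpoint set on the wrong jump.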
Ender
Apr 4 2006, 04:29 PM
Dunno why, but I like the "upx -d" opt. It's simple and quite fast lol
AdmiralB
Apr 5 2006, 02:58 AM
Well, that is certainly easier.
The first post about seeing the raw code itself could be fast, but you must be familiar with the programs and how to use them, or in the end you'll end up with nothing but a corrupt proggie.
d2mmn
Apr 5 2006, 03:26 AM
I don't get why I should waste my time with Olly if I can just use upx to unpack. Is there an advantage you want to tell me about?
kbnet
Apr 5 2006, 06:33 AM
Even though 'upx -d' is the obvious answer for speed, it shows no appreciation of understanding how the file is packed. Taking Belgther's approach will show that you have a willingness to learn about unpacking and gain experience with new tools. Even though unpacking UPX manually is extremely simple and will take longer than the 'upx -d' approach, it will teach you some basic concepts behind packing and unpacking as well as how to use some advanced tools. Obviously, if you're not interested in learning how it's all done (which is fair enough), then 'upx -d' is the option for you. Your decision will primarily be based upon how much enthusiasm you have for this topic.
joepi
Apr 5 2006, 09:19 AM
QUOTE
I don't get why I should waste my time with Olly if I can just use upx to unpack. Is there an advantage you want to tell me about?
Well, it's quite easy after you've packed your file with upx to hex-edit it and make it so that upx -d won't work anymore; the way to clear it then is described here perfectly.....
Good job, I would say.
Greetz Joepi
sarkar112
Apr 7 2006, 12:54 AM
This is a great tutorial for beginners new to unpacking, and can help if a file is packed with UPX with the headers scrambled, such as UPX$hit or UPX Scrambler.
belgther
Apr 7 2006, 10:05 AM
It was also the reason why I wrote such a tutorial, because I was receiving some PMs about this subject. I don't mean that these PMs disturb me, and I know that you can find lots of UPX unpacking tutorials when you search on Google. But why follow the hard way if there is an easier and faster one?
aelphaeis_mangarae
Apr 7 2006, 11:09 AM
Would there be any way of altering the file packed with UPX, so it wouldn't unpack the way it normally would? So as to evade anti-virus?
Like a simple method, using some sort of software similar to OllyDbg?
Well, I guess I am really asking: is there any way YOU know of doing it that is quite simple? I mean, obviously it's possible.
belgther
Apr 7 2006, 12:40 PM
Why not?
But the main aim is not to make it undetectable, because good AV programs like Kaspersky or Dr.Web can already detect malware packed with UPX; it would be useless.
They prevent the unpacking of their programs by script kiddies by doing it, because, like you mentioned, upx -d won't work anymore.
joepi
Apr 8 2006, 11:57 AM
QUOTE
Would there be any way of altering the file packed with UPX, so it wouldn't unpack the way it normally would? So as to evade anti-virus?
Like a simple method, using some sort of software similar to OllyDbg?
Well, I guess I am really asking: is there any way YOU know of doing it that is quite simple? I mean, obviously it's possible.
You could write your own packer; there are heaps of tutorials out there which will describe what to look for and how to write it.
Greetz Joepi
sarkar112
Apr 8 2006, 09:26 PM
QUOTE(aelphaeis_mangarae @ Apr 7 2006, 07:09 AM)
Would there be any way of altering the file packed with UPX, so it wouldn't unpack the way it normally would? So as to evade anti-virus?
Like a simple method, using some sort of software similar to OllyDbg?
Well, I guess I am really asking: is there any way YOU know of doing it that is quite simple? I mean, obviously it's possible.
UPX is open source (hxxp://upx.sf.net); just alter the source and it doesn't unpack the way it normally does, but I doubt you should do that to evade antivirus detection. I suggest writing your own packer, as upx is a very simple packer, meant for compression.
wtfmates
May 12 2006, 10:17 PM
I for one have always used UPX-Scramble on my UPX'd exes.
But will this work even on a UPX-compressed exe that has been further (filtered) with?