UPX Help


iLLUSiON
July 25th, 2005, 08:50
Hey. I'm new here, but I have read a lot of material and decided to try and unpack a UPX packed program. I checked through a hex editor to find what UPX version it was packed with, as PEiD shows a lot of versions of UPX, and the version used is 1.20.

I found the OEP by using the find 'POPAD' method, put a breakpoint on the reference below it and found the original entry point for the program, but from there every method of rebuilding and dumping has failed.

The OEP is 00548854, so I put 00148854 into ImpRec. I pressed the "Get Imports" button, and when I tried to fix the dump I get "Cant Match RVA:0050****", and then the dumped exe doesn't work.

I have tried ImpRec and OllyDump, but I guess I'm doing something wrong. Can anyone help me?

joe
July 25th, 2005, 10:24
Try to unpack it first with UPX.exe. If it works fine, then try another version of ImpRec (maybe yours is corrupted?).

TBone
July 25th, 2005, 15:34
If you're using OllyDump, and you intend to fix the dump yourself with Imprec, be sure to uncheck the "Rebuild Import" checkbox when you make the dump. Also, I'm not sure exactly how you're going about finding the OEP. Finding the OEP is all well and good, but you need to be at the OEP when you dump and attach with imprec. Actually, I guess you can dump and attach after the OEP as well, as long as you know what the OEP is. The point is, you need to be past the unpacking phase in both your dump and the running process that you use to rebuild the imports.

Admiral
July 26th, 2005, 07:15
I'm not sure how well ImpRec performs with UPX, but I know for most packers it needs to know more than just the OEP. Once you've found your way to the OEP in your debugger, locate the IAT and check it out in the memory dump. If it looks suspect, perhaps you're at the wrong address.
If you're sure you have the correct start of the IAT, work out its length and then put these two values into ImpRec (in addition to the OEP, all corrected for the ImageBase) and ensure the program is paused at the OEP before trying 'Get Imports'.
You shouldn't be looking at the 'Fix Dump' button until ImpRec says you have a valid import table. You should see a load of thunks (one for each DLL you see in OllyDbg's memory dump) all marked 'valid: YES' by ImpRec before you try to fix your dump.

Good Luck
Admiral

pnluck
July 26th, 2005, 09:46
UPX isn't a hard packer; you can use only OllyDbg to find the OEP: Alt+O, select SFX and check "trace real bytewise", and at the OEP you can use OllyDump to rebuild the IT. Or you can download the file from the official site of UPX, and in the console write "upx.exe -d filename.exe" to unpack the file.
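As an added example that is not part of this thread (pure standard-library Python, not any of the tools the posters mention): a minimal PE32 header reader that flags the UPX0/UPX1 section layout that identifies a stock UPX-packed file, and does the ImageBase correction Admiral describes above (the VA 00548854 seen in OllyDbg minus the ImageBase gives the RVA 00148854 that ImpRec wants), then checks whether that RVA actually falls inside a section of the image, which is the kind of mismatch behind a "Cant Match RVA" message. The header it parses is constructed inside the block; the 0x400000 ImageBase, the section sizes and the packed entry point 0x15A000 are assumptions chosen to fit the thread's numbers, not values taken from any real binary.

```python
# Added example (not from the thread): minimal PE32 header reader in pure
# Python, used to (a) spot the UPX0/UPX1 section layout that marks a stock
# UPX-packed file and (b) convert a debugger VA such as 00548854 into the RVA
# that ImpRec expects, checking that the RVA maps into a section of the dump.
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0'
PE32_MAGIC = 0x10B


def parse_pe(data: bytes) -> dict:
    """Return ImageBase, AddressOfEntryPoint (an RVA) and the section table of a PE32 image."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # NumberOfSections at +2, SizeOfOptionalHeader at +16.
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    size_opt = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt = file_hdr + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i   # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "va": vaddr,
                         "raw_size": rsize, "raw_ptr": rptr})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def looks_upx_packed(info: dict) -> bool:
    """Heuristic: stock UPX names its sections UPX0/UPX1 (renamed stubs defeat this)."""
    return any(s["name"].startswith("UPX") for s in info["sections"])


def va_to_rva(va: int, image_base: int) -> int:
    """ImpRec takes RVAs: the debugger VA minus ImageBase (00548854 -> 00148854)."""
    return va - image_base


def find_section(info: dict, rva: int):
    """Name of the section whose virtual range covers rva, or None if nothing matches."""
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def build_sample_image() -> bytes:
    """Constructed PE32 header only (no code bytes), mimicking a UPX 1.x section layout."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData); assumed sizes
    secs = [(b"UPX0", 0x148000, 0x001000, 0x00000, 0x00000),   # empty on disk, filled at run time
            (b"UPX1", 0x012000, 0x149000, 0x11000, 0x00400),   # compressed data + decompression stub
            (b".rsrc", 0x001000, 0x15B000, 0x00400, 0x11400)]
    opt = bytearray(224)                                   # PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x15A000)              # packed entry point: stub inside UPX1 (assumed)
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase (assumed, fits 00548854 -> 00148854)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x010F)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in secs)
    return bytes(dos) + b"PE\0\0" + file_hdr + opt + table


if __name__ == "__main__":
    info = parse_pe(build_sample_image())
    oep_va = 0x548854                                      # the OEP reported in the thread
    oep_rva = va_to_rva(oep_va, info["image_base"])
    print("UPX sections present:", looks_upx_packed(info))
    print("packed EP RVA %08X lives in %s" % (info["entry_rva"], find_section(info, info["entry_rva"])))
    print("OEP VA %08X -> RVA %08X in %s" % (oep_va, oep_rva, find_section(info, oep_rva)))
```

On a real file you would pass the bytes of the dump you are about to fix instead of the constructed header, and the section names are only a hint: a packer whose stub has been renamed or modified, as joe mentions later in the thread, will not show UPX0/UPX1, so treat the check as triage rather than proof.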

joe
July 26th, 2005, 10:07
To TBone: It's not needed to uncheck the "Rebuild Import" checkbox. With standard UPX it works fine unchecked, and with both checked too.
To iLLUSiON: I don't think that you are doing something wrong. I recommend you try packing some simple application with UPX, then try unpacking it manually.
If it fails, change the version of ImportREC.exe. I have tried to experiment with UPX, but can't simulate your error.

souz
July 27th, 2005, 08:30
Maybe UPX-Ripper helps you?

joe
July 27th, 2005, 10:25
UPX (modified) can be unpacked with a generic unpacker (I think PEiD can do it too). But it's good to try it manually.

SiGiNT
July 27th, 2005, 14:59
I've been watching this thread and have not posted another option, because it seemed the spirit of this one was to RE UPX, and I've gotten flamed on a sister board for mentioning "tools" - but if that is not the true objective, then probably the best tool to expedite this would be PE Explorer - it does a great job with UPX.

SiGiNT

iLLUSiON
July 27th, 2005, 16:53
Thanks for your help guys, I have it working now. I have taken most of the advice and it has all helped me. Cheers once again.