Problems with unpacking and dumping upx


Anonymous
August 26th, 2004, 07:31
hi! i have 2 problems with unpacking upx-compressed apps.

the 1st problem concerns programs compiled with C++Builder. the test .exe i used was built with C++Builder 6.0 and packed using UPX 1.25 with the '--best' option. after that i loaded the app into Olly, stopped at OEP and dumped it with the 'Rebuild import - Method 1' option. at last, i got 'dumped.exe' with an empty import table! really strange! i've only succeeded in getting a working dump using LordPE and ImpREC. but i want to note that this problem disappears when applications are coded in VC or ASM.

the 2nd problem concerns programs compiled with Delphi 5.0, and again, UPX. i made the same actions as i mentioned before. this time i failed to get a working dump since it terminates after launch. even LordPE and ImpREC didn't help me.

to make the situation clear, i made a video which shows my actions.
click here to download the .RAR archive (http://md-soft.webhost.ru/video_unp.rar) (size: 2.68mb)
i'd appreciate it if somebody downloaded it and told me what the matter is.

Ricardo Narvaja
August 26th, 2004, 08:25
this link doesn't work

Ricardo Narvaja

MARcoDEN
August 26th, 2004, 11:12
hi Ricardo!

the link isn't broken. i've checked it. maybe the server was temporarily unavailable...

P.S. Ricardo, can you tell me your e-mail? i'll send you the file personally.
P.P.S. i posted this topic as Anonymous accidentally

Ricardo Narvaja
August 26th, 2004, 15:23
ricnar22@yahoo.com.ar

Ricardo Narvaja
August 26th, 2004, 15:24
oops sorry

ricnar456@yahoo.com.ar

sorry

Ricardo Narvaja

Bob
October 21st, 2004, 13:49
hehe, cool, I've never seen someone make a video for a question before.. kinda like seeing cracking in a Hollywood movie

I think the import problem is the way that Borland does imports..
It's backwards to the normal way and has to be checked.

Did you try unpacking the upx file from PEiD using the generic unpacker or the UnUpx plugins?

~Neil/BobSoft~

yahia
October 22nd, 2004, 05:48
@MARcoDEN
I unpacked many UPX packed files, so here r some useful tools:
1- UPX Generic Unpacker. It's only for unpacking UPX apps.
2- File Scanner. Generic Unpacker for many Protectors/Packers. I prefer it.

Regards.

Anonymous
October 23rd, 2004, 04:34
hehe 2.7 mb of video
i downloaded it thinking i'll look into the upx'ed exe and look into what's the problem with dumping it, but all i get is a cool movie that runs a little bit too fast

1bitshort
October 23rd, 2004, 06:11
What program did you use to make that video? Like the previous poster said it runs a bit too fast to be able to make out what's happening so it's not as helpful as it could be. Also, most of the displayed text is in Russian which will make it harder for most people here to understand.

But we're only talking about UPX here, it doesn't even have any anti-debug code, so come on boys!

1) Does upx -d not work?

2) Can't you just breakpoint on the "popad/jmp" and dump and rebuild?

3) If it's protected by a "UPX patch" type of program, most are very simple. One simply adds a NOP in front of the code and decrements the Entrypoint by 1 to point to the NOP. Another simply adds a jump which then does other stuff before jumping back to the normal UPX code. Either way they're easy to dump also.

Sorry, I know I'm not being very useful, I've just never encountered a UPX-packed program before that has been hard to unpack, so I don't quite understand your problem, that's all!

yahia
October 23rd, 2004, 07:05
@1bitshort
You're right, UPX has no anti stuff, we shouldn't even call it a PROTECTOR!! but as someone who has unpacked too many UPX packed files, I would tell U that some programs use the UPX project to create their own packers, so some proggys like Packers/Protectors detectors would tell U that such files are packed by UPX, & when using (upx -d Packed.exe) this command would fail.
I prefer using FileScanner (fs.exe). It does all that damned hard work for U, cuz I don't think anyone of us would spend time unpacking a UPX packed file using OllyDbg.

@MARcoDEN
Use FileScanner (fs.exe) and leave the work to it.
I use:
fs -u Packed.exe
fs -spl -rn Packed.exe
fs -c Packed.exe

Anonymous
October 23rd, 2004, 23:06
well, unpacking a upx packed executable which used the latest beta version (1.92 iirc) with the stable 1.25 release version will also fail if you use upx -d, but it will unpack without problems if you use the exact beta version to unpack it (ah yes, the beta has some image base relocation craps that i don't understand, but yes i can unpack it without problems using ollydump).
and as far as i know no upx packed with whatever crap patching
ever failed me with ollydump. yes, if a vb exe is packed with upx there will be a glitch in finding the first thunk and the image won't run at first try, but loading it into a pe editor and editing the first thunk value (normally 3d8 to 1000) will make it work like a charm.
dunno why upx should ever pose a problem.
btw i think you can get the source of upx, it's gnu public iirc,
so there should be no problem whatsoever.
and it's the same me, the anonymous that posted above

1bitshort
October 24th, 2004, 11:55
Got a URL for Filescanner (fs.exe)?

yahia
October 26th, 2004, 07:13
@1bitshort
How did U find it?
NOTE: U need to get the latest version to unpack many Protectors/Packers. If U don't have it, then send me an e-mail to give U the link.
If I could post the link here, then TBD please say that.

TBD
October 26th, 2004, 08:08
.... you can post a link

1bitshort
October 26th, 2004, 11:50
Quote:
@1bitshort
How did U find it?

I don't have it, that's why I'm asking for a link
Sounds like an interesting program

Bob
October 27th, 2004, 02:03
Really, all it takes for unpacking an Upx program..

Load into OllyDbg
Scroll to end of code (until you see zeroes)
move back until you see popad (or pushad if it's upx protector-ed)
bp on jmp
F9 (now you're at bp)
F7 (now you're on OEP)

I dunno about wasting time, but it takes me like 30 seconds to get to the program when upx'ed.

~Neil/BobSoft~
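As an added illustration of the steps above (my own example, not code from the thread), this script does the same thing Bob does by hand: start at the trailing zeroes of the packed section, walk back to the `popad`, and read where the following `jmp` lands, which is the OEP to set the breakpoint for. The section addresses, image base and stub layout are constructed assumptions, not values from any real binary.

```python
import struct


def find_upx_tail_jump(section_bytes: bytes, section_va: int):
    """Locate the UPX stub's final 'popad; jmp rel32' and return (jmp_va, oep_va).

    Mirrors the manual steps: start at the zero padding at the end of the packed
    section, walk backwards to 'popad' (0x61), and decode the 'jmp rel32' (0xE9)
    right after it. UPX keeps the unpacked original code below the stub section,
    so a genuine tail jump lands below section_va; any other 61/E9 byte pair
    (a forward jump inside the stub) is skipped. Returns None if nothing fits.
    """
    for off in range(len(section_bytes) - 6, -1, -1):
        if section_bytes[off] != 0x61 or section_bytes[off + 1] != 0xE9:
            continue
        rel32 = struct.unpack_from("<i", section_bytes, off + 2)[0]
        jmp_va = section_va + off + 1        # address of the E9 opcode
        oep_va = jmp_va + 5 + rel32          # jmp rel32 is 5 bytes long
        if oep_va < section_va:              # must jump back into UPX0
            return jmp_va, oep_va
    return None


def build_sample_stub(section_va: int, oep_va: int) -> bytes:
    """Constructed stand-in for a UPX1 section: pushad, filler, popad, jmp OEP, zeroes."""
    body = b"\x60" + b"\x90" * 15          # pushad + filler (constructed, not real UPX code)
    jmp_va = section_va + len(body) + 1    # address of the E9 opcode
    rel32 = oep_va - (jmp_va + 5)
    return body + b"\x61\xE9" + struct.pack("<i", rel32) + b"\x00" * 32


# Constructed layout, not taken from any real binary: image base 0x400000,
# UPX0 at 0x401000 (where the OEP lives), UPX1 (the stub) at 0x40B000.
SAMPLE_UPX1_VA = 0x40B000
SAMPLE_OEP_VA = 0x401000
SAMPLE_UPX1 = build_sample_stub(SAMPLE_UPX1_VA, SAMPLE_OEP_VA)

if __name__ == "__main__":
    hit = find_upx_tail_jump(SAMPLE_UPX1, SAMPLE_UPX1_VA)
    print("bp on jmp at 0x%X, OEP = 0x%X" % hit)
```

Against a real dump you would feed it the raw bytes of the UPX1 section and that section's virtual address; the breakpoint goes on the returned jmp_va and F7 from there lands on oep_va.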

yahia
October 27th, 2004, 07:16
@1bitshort
When U said (got a url) I thought U got one, but it seems that I can't post a link here. If U want the link from me, then mail me.

@Bob
The (Wasting Time) happens when doing the same job for a lot of time.

Bob
October 27th, 2004, 10:05
Fc is a dodgy DOS program, use PEiD, it's far better and has an UnUpx plugin and a generic unpacker plugin.. The generic unpacker will unpack Upx, scrambled or not.

Google for PEiD plugins, there's a few

1bitshort
October 27th, 2004, 20:05
Yahia,
TBD already said you can post a link to it. Everyone is still waiting!

Bob,
I don't think Filescanner and Fc are the same program ...

yahia
October 28th, 2004, 06:52
@1bitshort
It seems like I need eye glasses! I'm very sorry, but I was in a hurry so I didn't read carefully. I received the last version from my friend, so I put the packaged files on my site. I'll leave it for a week so many members would be able to download it. Here is a direct link: http://www.yahia-rod.net/fs.zip
Hope I did something useful for U.

@Bob
FS is a DOS program, but it's a generic unpacker and will do what ProcDump can't with some programs packed with many packers.

Anonymous
November 13th, 2004, 21:14
Thanks for the nice app guy.

codeX
November 13th, 2004, 21:17
Ok thanks again from me also.

It performs well.

hosiminh
November 14th, 2004, 07:55
Manually unpacking UPX
OS: Win Xp

Load target into Ollydbg

type this into the CommandBar: bc GetProcAddress. Press F9.

Now press "ALT+F9" (Return till user code) and you are 3 steps before OEP.