Exetools - How to repair UPX dump?

Exetools (https://forum.exetools.com/index.php)

- General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)

- - How to repair UPX dump? (https://forum.exetools.com/showthread.php?t=20215)

Artic

08-02-2022 17:40

How to repair UPX dump?

I am trying to learn unpacking and repairing.

It looks like i cant repair some of the import after creating a simple UPX unpack me. (thought first this a problem of the other target im looking at, but it looks like its a normal problem.)

Usually i use UPX unpack feature and then repair this with scylla by attaching to the running process.

But then there are imports i cant repair that way, as they remain suspect/invalid and also the dump does not run.

Any ideas what could have been wrong?

Let me see if i can later post a sample with pictures of the problem.

BlackWhite

08-03-2022 17:05

UPX does not keep the original import table, it recontructs a non-standard import table on compressing, so you should write a program to rebuild it.

niculaita

08-04-2022 01:54

use CFF Explorer to unpack

maybe is a fake upx that masks a vmprotect

Artic

08-16-2022 01:32

Looking at this for fun: https://www.bvckup2.com/download

it unpacks fine, but i cant repair the import table.

CFF Explorer, produces an exe, which propmpts windows to show the message that the resulting exe is not for this pc.

ionioni

08-16-2022 07:26

"upx -d --strip-relocs=0 bvckup2.exe" or use a devel build, this issue was fixed meanwhile

Artic

08-17-2022 21:17

this worked finally.
wondering if 3.95 had the same problem? one way to find out - downgrading.

surferxyz

08-22-2022 20:56

Pretty sure the issue will still be in 3.95, you can read about the bug here, related to using upx.exe to decompress ASLR binaries : https://github.com/upx/upx/issues/359

But it sounds like you were trying to manually unpack it, so i'm not really sure...

All times are GMT +8. The time now is 03:54.