9

I am trying to learn to manually unpack an upx packed elf file. The examples I have found are for Windows, mostly with Ollydbg, and as I see the first step is to look for pushad and popad instructions. I have a 64 bit executable, so I assume I have to look for a push and pop of all registers.

What I acieved until now is that I can get the entry point with readelf -h, and set a breakpoint in gdb at this address. With layout asm I can follow the disassembled instructions too. As I understand at the popad instruction the unpacking is done, and I can get the original entry point. However, because on 64bit there is no popad, I am not sure where the original entry point will be. All registers will be popped or only a few?

I also do not know how to fix imports.

robert
  • 887
  • 2
  • 12
  • 28
  • 2
    I can't help with reconstructing ELF imports, but as for finding the original entry point (OEP), the easiest way to find UPX's transition to the OEP is to start at the packed file's entry point and continue disassembling down (in OllyDbg, this would effectively mean just scrolling down) until you see a JMP followed by a long trail of null (00) bytes. The destination of the JMP is the OEP. Illustrated here: http://deamonftp.free.fr/deamoncrack/Tuts/Kef/UPX/Cours%20upx_fichiers/image002.jpg (Obviously, you won't be using OllyDbg, but the same approach can be used on Linux.) – Jason Geffner Dec 09 '15 at 14:04

1 Answers1

-1

Use a hex editor to open the file and locate the UPX header. The UPX header typically starts with the bytes 0x50 0x5A and is followed by a version number and other metadata.

Once you have located the UPX header, you will need to locate the offset of the compressed data and the original entry point of the file. This information can be found in the UPX header.

Next, use the UPX command-line tool to decompress the file. The -d option is used to decompress the file, and the -o option specifies the output file.

upx -d -o output.elf input.elf

Once the file has been decompressed, use a disassembler or a debugger to analyze the file and understand its functionality.

Hope this helps.

Parth
  • 1
  • 1
  • Hi and welcome to RE.SE. This looks and sounds very much like an AI-generated answer (flagging as such). Is it? – 0xC0000022L Jan 19 '23 at 14:21