  1. #1
    BadBlood

    [TUT] How To Unpackable UPX

    You can download this program from the UPX site.

    What does this program do?
    For the people that have (not) seen my post about manually protecting your UPX executable.
    This program makes sure your UPX-protected executable cannot be unpacked with the “upx -d” parameter. This is easy to bypass, but it’s packed with UPX, what would you expect?

    Can this be bypassed?
    Of course this can be bypassed, anyone with a bit of reversing knowledge can reverse the program by hand. Or probably modify the UPX executable (or re-compile a new binary from the source) and bypass the check so it continues with the actual unpacking.

    Brief overview of what UPX is and what it can do (if you haven’t seen my other topic about doing it manually).

    Code:

    UPX achieves an excellent compression ratio and offers very fast decompression. Your executables suffer no memory overhead or other drawbacks for most of the formats supported, because of in-place decompression. UPX strengths in a nutshell:
    * excellent compression ratio: typically compresses better than WinZip/zip/gzip, use UPX to decrease the size of your distribution!
    * very fast decompression: ~10 MB/sec on an ancient Pentium 133, ~200 MB/sec on an Athlon XP 2000+.
    * no memory overhead for your compressed executables because of in-place decompression.
    * safe: you can list, test and unpack your executables. Also, a checksum of both the compressed and uncompressed file is maintained internally.
    * universal: UPX can pack a number of executable formats.
    * portable: UPX is written in portable endian-neutral C++.
    * extendable: because of the class layout it's very easy to add new executable formats or new compression algorithms.
    * free: UPX is distributed with full source code under the GNU General Public License

    1. Protect your executable with UPX.

    2. Drag and drop your program on the ‘Unpackable UPX’ executable.

    3. Your program can’t be unpacked with the “upx -d” parameter.

    And there we go, it’s as simple as that. If you would like to ‘patch’ all strings that contain ‘UPX’ in the executable you could do the following.

    Code:

    // i must stay at least 3 bytes before the end of cBuffer, or the reads below overrun the buffer.
    if((cBuffer[i] == 0x55) && (cBuffer[i + 1] == 0x50) && (cBuffer[i + 2] == 0x58)){
        cBuffer[i] = 0x41;     // Change U (0x55) to A (0x41).
        cBuffer[i + 1] = 0x41; // Change P (0x50) to A (0x41).
        cBuffer[i + 2] = 0x41; // Change X (0x58) to A (0x41).
    }

    It’s best to check whether the string contains (UPX0, UPX1, UPX!) and then also rename the (0, 1 or !) as well.
    This can be done with a simple modification, but I’ll let you figure that out on your own!

    Source:
    Code:

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h> // malloc(), free()

    int main(int argc, char *argv[]){
        if(argc < 2){
            printf("Usage: <Win32UnpackableUPX.exe> <file>\n");
        }else{
            FILE *fFile = fopen(argv[1], "rb");
            if(fFile != NULL){
                printf("File (modified): %s\n", argv[1]);

                // Get the file size so the whole file can be read into one buffer.
                fseek(fFile, 0, SEEK_END);
                long lSize = ftell(fFile);
                rewind(fFile);
                if(lSize < 4){
                    printf("File too small or unable to determine its size.\n");
                    fclose(fFile);
                    return 0;
                }

                char *cBuffer = (char *)malloc((size_t)lSize); // one byte per file byte
                if(cBuffer != NULL){
                    if(fread(cBuffer, 1, (size_t)lSize, fFile) != (size_t)lSize){
                        printf("Unable to read the whole file.\n");
                        free(cBuffer);
                        fclose(fFile);
                        return 0;
                    }
                    fclose(fFile);

                    BOOL bUPX = FALSE;

                    // Stop 3 bytes early: the pattern "UPX0" is 4 bytes long.
                    for(long i = 0; i + 3 < lSize; i++){
                        if((cBuffer[i] == 0x55) && (cBuffer[i + 1] == 0x50) && (cBuffer[i + 2] == 0x58) && (cBuffer[i + 3] == 0x30)){
                            printf("Found byte pattern at offset: %ld\n", i);
                            // This is the only value we need to change (UPX0), not (UPX1) or (UPX!)
                            cBuffer[i] = 0x41; // Change U (0x55) to A (0x41).

                            bUPX = TRUE;
                        }
                    }

                    if(bUPX == TRUE){
                        fFile = fopen(argv[1], "wb");
                        if(fFile != NULL){
                            fwrite(cBuffer, 1, (size_t)lSize, fFile);
                            free(cBuffer);
                            fclose(fFile);

                            printf("File %s should be successfully patched!\n", argv[1]);
                        }else{
                            printf("Unable to open file (write binary).\n");
                            free(cBuffer);
                            return 0;
                        }
                    }else{
                        printf("File is not packed by UPX.\n");
                        free(cBuffer);

                        return 0;
                    }
                }else{
                    printf("Error at: malloc()\n");
                    fclose(fFile);
                    return 0;
                }
            }else{
                printf("Unable to open file (read binary).\n");
                return 0;
            }
        }

        getchar(); // Keep the console window open until a key is pressed.
        return 0;
    }

    Binary Or Download: Attached

    VirusTotal - Free Online Virus, Malware and URL Scanner

    Win32Unpackable UPX.exe MD5:207ac9d4e56386bceea301f521d7e557 - VirSCAN.org Scanners did not find malware!
    Last edited by AVGN; 10-09-2010 at 04:12 PM.

  2. #2
    scimmyboy
    stupid thread is stupid.

    UPX has its own built-in unpacker.

  3. #3
    AVGN
    Scan the rar, not the exe.

  4. #4
    Timboy67678
    Is it me or is virustotal.com down?

  5. #5
    Mr.Magicman
    That was actually a bit clever! Now I have loads of stuff I'm going to add to my future releases.

  6. #6
    coogle007
    Clever, I hope it works..

  7. #7
    seeplusplus
    Leeched! Can I post the link?

  8. #8
    Synns
    Where is the credit to Skilinium?

  9. #9
    AVGN
    OP FAILED TO FOLLOW RULES

    /CLOSED

  10. #10
    Ali
    Quote Originally Posted by AVGN
    OP FAILED TO FOLLOW RULES

    /CLOSED
    And you failed to close the thread.
    /Closed for real.
