Unpacking
At this stage, using x86dbg, we are going to unpack a packed executable. In this debugging session, we will be unpacking a UPX-packed file. Our target will be to reach the original host's entry point. Besides this UPX-packed file, we have provided packed samples on our GitHub page that can be used for practice.
The UPX tool
The Ultimate Packer for eXecutables, also known as UPX, can be downloaded from https://upx.github.io/. The tool itself can pack Windows executables. It is also able to restore or unpack UPX packed files. To see it in action, we used the tool on the file original.exe. This is shown in the following example:
Notice that the size of the original file was reduced after being packed.
Debugging through the packer
Major modifications in the file, especially in the PE file header, have been made by the packer. To better understand how packers work, let us compare the host and the packed version of the executable file. Using the CFF tool, let us inspect the header differences.
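The same header comparison can be scripted. The following Python code is an added example, not part of the original text: it reads the entry point and section table from a PE header and lists traits that often separate a packed file from its host. Both headers are built inside the script from constructed sample values (UPX0 and UPX1 are the section names UPX normally writes), and the three checks are heuristics chosen for illustration.

```python
import struct

EXEC, READ, WRITE = 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_MEM_* flags

def parse_pe(data):
    """Return (entry point RVA, [(name, vsize, vaddr, rawsize, flags), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    entry = struct.unpack_from("<I", data, pe + 40)[0]        # AddressOfEntryPoint
    table = pe + 24 + opt_size                                # first section header
    rows = (struct.unpack_from("<8sIIII12xI", data, table + 40 * i) for i in range(nsec))
    return entry, [(n.rstrip(b"\0").decode("latin-1"), vs, va, rs, fl)
                   for n, vs, va, rs, _, fl in rows]

def packer_hints(data):
    """Heuristics only: header traits that often separate a packed file from its host."""
    entry, sections = parse_pe(data)
    hints = []
    for idx, (name, vsize, vaddr, rsize, flags) in enumerate(sections):
        if rsize == 0 and vsize > 0 and flags & EXEC:
            hints.append(f"{name}: executable, empty on disk, {vsize:#x} bytes in memory")
        if flags & EXEC and flags & WRITE:
            hints.append(f"{name}: writable and executable")
        if idx > 0 and vaddr <= entry < vaddr + max(vsize, rsize):
            hints.append(f"entry point {entry:#x} is in {name}, not the first section")
    return hints

def build_header(entry, sections):
    """Constructed sample input: minimal PE32 headers only, no section data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H14xI", 0x10B, entry).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIII12xI", n, vs, va, rs, 0x400, fl)
                     for n, vs, va, rs, fl in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed values; UPX0/UPX1 are the section names UPX normally writes.
HOST = build_header(0x1000, [(b".text", 0x5000, 0x1000, 0x5000, EXEC | READ),
                             (b".data", 0x1000, 0x6000, 0x0800, READ | WRITE)])
PACKED = build_header(0xC500, [(b"UPX0", 0x8000, 0x1000, 0, EXEC | READ | WRITE),
                               (b"UPX1", 0x4000, 0x9000, 0x3600, EXEC | READ | WRITE)])

if __name__ == "__main__":
    for label, image in (("host", HOST), ("packed", PACKED)):
        print(label, packer_hints(image) or "no packer traits found")
```

To run it against real files, pass the bytes of each executable to packer_hints() in place of the constructed headers.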
The...