7

I've decided to reverse this crackme. Obviously it's packed. I was told by PeID that there is only UPX inside. OK, but upx -d simply crashed; that's why I've concluded that this UPX may be scrambled somehow.

IDA warning

The binary didn't run properly in the debugger (windbg) for unpacking, so I've dumped the exe from the working process and tried to fix the imports. Maybe I should have tried Olly with plugins? However, IDA still warns me that some imports might be destroyed (see picture). My question is: did I unpack it correctly? If not, what else should I do to unpack it?

Unpacked

2 Answers

11

Here you can find a bunch of tools for unpacking UPX. One of them (Upx Unpacker 0.2) solved my issue. Every unpacker should be used in a specific case, and this list may be incomplete.

2
  • 2
    Thanks for sharing. upx ("UPX 3.08w") is the one that worked for me.
    – user966939
    Commented Jan 15, 2017 at 9:45
  • 4
    There is a massive number of positive detections in those archives. Be extremely wary if you download! virustotal.com/en/file/…
    – rollsch
    Commented Jul 5, 2017 at 5:16
4

You should try to unpack it manually and reconstruct the IAT. With UPX, it should be pretty straightforward. Here is a tutorial in case you don't know how to start: https://web.archive.org/web/20080529124107/http://writequit.org/blog/?p=165

2
  • 1
    I did not succeed in unpacking my file according to the instructions in this tutorial; however, I've collected a bunch of tools that will unpack almost any UPX-packed executable.
    – see ya
    Commented Feb 23, 2015 at 11:52
  • 2
    You should really try to unpack UPX manually at least once to understand what's going on before using tools. Otherwise you'll be stuck when you hit a slightly custom packer or if there is a bug in your tool. Commented Feb 23, 2015 at 13:15
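
A static check for the question's suspicion that the UPX headers were scrambled, as an added example that is not part of the original thread: it compares the markers stock UPX output normally carries (the `UPX0`/`UPX1` section names and the `UPX!` pack-header magic) with the UPX-style section layout, which survives renaming. The function names, the verdict labels and the sample headers are constructed for illustration, and the result is a heuristic.

```python
import struct

def pe_sections(data):
    """Parse the PE section table: [(name, virtual_size, raw_size), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    count = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size  # section table follows the optional header
    rows = []
    for i in range(count):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _rva, raw_size = struct.unpack_from("<III", data, off + 8)
        rows.append((name, vsize, raw_size))
    return rows

def upx_triage(data):
    """Heuristic: compare stock UPX markers with the UPX-style section layout."""
    secs = pe_sections(data)
    names = [s[0] for s in secs]
    stock_names = names[:2] == ["UPX0", "UPX1"]
    magic = b"UPX!" in data
    # Stock UPX output begins with a section that is empty on disk and
    # filled by the stub at run time, followed by the packed data.
    layout = len(secs) >= 2 and secs[0][2] == 0 and secs[0][1] > 0 and secs[1][2] > 0
    if stock_names and magic:
        verdict = "stock"      # upx -d has the metadata it looks for
    elif layout or stock_names or magic:
        verdict = "modified"   # UPX-like, but markers altered or missing
    else:
        verdict = "not-upx"
    return {"names": names, "magic": magic, "layout": layout, "verdict": verdict}

def build_sample(names, magic):
    """Constructed sample: PE headers only, enough for the parser (not a runnable exe)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    sizes = [(0x8000, 0), (0x4000, 0x3E00), (0x1000, 0x200)]
    table = b"".join(n.ljust(8, b"\0") + struct.pack("<III", v, 0x1000, r) + bytes(20)
                     for n, (v, r) in zip(names, sizes))
    return bytes(hdr) + coff + table + magic + bytes(16)

if __name__ == "__main__":
    print(upx_triage(build_sample([b"UPX0", b"UPX1", b".rsrc"], b"UPX!")))
    print(upx_triage(build_sample([b"AAA0", b"AAA1", b".rsrc"], b"XXX!")))
```

A "modified" verdict on the original packed file (not the memory dump) points toward manual unpacking and IAT reconstruction rather than `upx -d`.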
