Here is a short tutorial on unpacking the UPX packed binary file. UPX is a free, portable, executable packer for several different executable formats. It achieves an excellent compression ratio and offers very fast decompression.

To follow this tutorial you need to download latest UPX packer from UPX website and then pack any of the PE (windows executable) file with it.

Before we begin with unpacking exercise, lets try to understand the working of UPX. When you pack any executable with UPX, all existing sections of that file are compressed and appended with new UPX code which decompresses entire packed sections during run time. During the execution of UPX packed binary file, following steps take place...

• First the current register status is saved through PUSHAD instruction
• Next all packed sections are unpacked.
• Resolve the import table of original executable file.
• Once the job is done, restore the register status via POPAD instruction
• Finally jump to Original Entry point (OEP)

• Finding OEP of the program.
• Dumping the memory image of the binary when the program reaches OEP.
• Fixing the import table

I am using the generic approach so that you will be able to unpack the executable which is packed with any version of UPX. Here I am using the OllyDbg to unpack the PE file. Although you can use any debugger, OllyDbg is one of the best ring 3 debugger for reverse engineering.

That is all you needed to know before the start. Lets get into some action. Load the UPX packed binary file into the OllyDbg and start tracing the binary, until you encounter a PUSHAD instruction. Usually this is the first instruction or it will be present in the first few instructions based on the UPX version that you have used to pack the PE file. Now put the breakpoint on POPAD instruction. So when we reach POPAD instruction, all the sections will be unpacked and all imports will be resolved. After POPAD instruction, it will jump to OEP.

There are many ways to set the breakpoint at the PUSHAD instruction. When you are at this instruction, you can put the hardware read breakpoint at ESP-4 address. If you have command bar plugin installed then you can just type 'hr esp-4' to set this breakpoint. Other way is to find the POPAD (opcode 61) instruction in the code and set the breakpoint for yourself. You can just scroll down in OllyDbg from the current instruction till you find all zeroes, then just few instructions above the start of zeroes you will find the POPAD instruction. Now you can directly set breakpoint on POPAD instruction.

Once you have set the breakpoint, press F9 and you will break on the instruction which is immediately after POPAD or on POPAD instruction based on which method you have used. Now start tracing with F7 and soon you will encounter a instruction which will jump to OEP that is somewhere in the unpacked code section.

Now you have found the OEP. Note down this address somewhere. Next task is to dump the entire binary image from memory. This can be done using OllyDmp plugin which comes with OllyDbg. Now launch this plugin and dump the entire binary file to the disk using default options. It will automatically fix the import table for you so there is no need to explicitly fix it. That's it and you are done with unpacking the UPX packed file.  

For most of the advanced packers, OllyDmp will not be able to fix the import table. In such a case, following method will be helpful. Here, we will be using the ImpREC tool which is more advanced tool for fixing import table.

When you are at the OEP of the program, just dump the memory image of binary file using Ollydmp without asking it to fix the import table. Next launch the ImpREC tool and select the process that you are currently debugging. Then in the ImpREC, enter the OEP (enter only RVA, not a complete address) and click on 'IAT Autosearch' button to automatically search for import table. Then click on 'Get Imports' to retrieve all the imported functions. You will see all the import functions listed under their respective DLL names. If you find any import function which is invalid (marked as valid : No) then remove it by right clicking on it and then from the popup menu, press on 'Delete Thunks'. Now once the import functions are identified, click on Fix Dump button in ImpREC and then select the previously dumped file.

Once you have dumped the image from memory and fixed the import table, you can verify it by executing that application.

That's all, you have successfully unpacked the UPX packed executable file. Its great job though its the simplest packer without any anti debugging features.

As you move on, you will see more and more challenging protectors. Hope you have enjoyed your first unpacking lesson as I did years back..!