I have a sample of the mytob.s virus. Unzipping the text.zip gave me
text.exe which seems to be an Upack-compressed file. How do I get the
viral code from the Upack-ed exe?
Thanks,
Siddhartha
If it is a UPX file, you can use the UPX program to decompress it
without executing the virus. Don't know about UPACK. There are a lot
of others. Google for "exe packer compression" or "exe compression".
Of course it's possible the virus writer might have written their own
custom unpacker using a modified UPX or other .exe packer to make your
job harder. In that case you'll have to disassemble the self-extractor
in the header to figure it out.
-- Matt Mahoney
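The static check described above (work out which packer was used without running the sample) can be scripted. The following is an added example, not code from this thread or from the UPX or Upack projects: it walks the PE section table and flags the section names UPX and Upack normally leave behind, plus any section whose byte entropy sits near 8 bits/byte, a signal that survives a renamed or modified stub. The three sample images are constructed inside the block with only the headers the parser reads; the section-name table, the 7.0 bits/byte threshold and the triage rules are assumptions of this example, not anything the thread states.

```python
"""Static packer triage for a PE file: the sample is parsed, never executed."""
import math
import struct

# Section names typically emitted by the packers named in the thread.
# Assumption: a modified stub may rename these, which is why entropy is checked too.
PACKER_SECTION_NAMES = {b"UPX0": "UPX", b"UPX1": "UPX", b".Upack": "Upack"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns a list of (name, virtual_size, raw_data)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vsize, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(pe: bytes) -> dict:
    """Heuristic verdict from known packer section names, high-entropy sections,
    and sections with no raw data but a large virtual size (the unpack target)."""
    findings, packer, high_entropy_seen = [], None, False
    for name, vsize, data in parse_sections(pe):
        label = name.decode(errors="replace")
        if name in PACKER_SECTION_NAMES:
            packer = PACKER_SECTION_NAMES[name]
            findings.append(f"{label}: known {packer} section name")
        ent = shannon_entropy(data)
        if ent >= HIGH_ENTROPY:
            high_entropy_seen = True
            findings.append(f"{label}: entropy {ent:.2f} bits/byte")
        if not data and vsize > 0:  # supporting evidence only; .bss looks the same
            findings.append(f"{label}: no raw data but 0x{vsize:X} bytes virtual")
    return {"packed": packer is not None or high_entropy_seen,
            "packer": packer, "findings": findings}


def build_pe(sections) -> bytes:
    """Constructed minimal PE32 image: just enough header for parse_sections()."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytes(opt_size)
    raw_ptr = e_lfanew + 24 + opt_size + 40 * len(sections)
    table, body = b"", b""
    for name, vsize, data in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, len(data), raw_ptr + len(body), 0, 0, 0, 0, 0xE0000020)
        body += data
    return dos + coff + opt + table + body


# Constructed sample contents: every byte value equally often gives exactly 8.0 bits/byte.
COMPRESSED = bytes(range(256)) * 16
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 64
PADDING = b"\x90" * 1024

SAMPLE_UPX = build_pe([(b"UPX0", 0x10000, b""), (b"UPX1", 0x1000, COMPRESSED), (b".rsrc", 0x400, PADDING)])
SAMPLE_UPACK = build_pe([(b".Upack", 0x8000, COMPRESSED), (b".rsrc", 0x400, PADDING)])
SAMPLE_CLEAN = build_pe([(b".text", 0xB40, PLAIN_TEXT), (b".data", 0x400, PADDING)])

if __name__ == "__main__":
    for label, sample in (("upx", SAMPLE_UPX), ("upack", SAMPLE_UPACK), ("clean", SAMPLE_CLEAN)):
        print(label, triage(sample))
```

On a real UPX-packed file the same verdict is what justifies trying the stock decompressor first; a high-entropy section with no recognised name is the case the post warns about, where the stub has been modified and the verdict only tells you that something still has to be unpacked.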
It's packed using the Upack tool.
http://dwing.go.nease.net/
Seems like the only way to uncompress is to disassemble the code and
then step through it :(
- Siddhartha
Or, ask the author for his source code. The compression used in
(Win)upack is LZMA, so his code + LZMA SDK from the 7-zip site will do
it for you.