Packing & Crypters (beginner)
UPX Packing
Compressing an executable with UPX so its real code and strings are only revealed after a self-unpacking stub runs at load time, defeating naive static analysis.
UPX compresses the loadable sections of a binary into a single UPX1 section, leaves an empty UPX0 section (zero raw size on disk, large virtual size) as the target for decompression, and appends a small stub that becomes the new entry point. At runtime the stub inflates the original image into UPX0/UPX1 in memory, resolves the original imports through LoadLibraryA/GetProcAddress, and jumps to the real entry point (the OEP), so a static scan of the file on disk sees only compressed bytes, the stub and a handful of imports.
Tell-tale signs
- Section names `UPX0`, `UPX1`, `UPX2` (trivially renamed by anyone who edits the section table, so never rely on them alone).
- A tiny import table, often just `LoadLibraryA`/`GetProcAddress` (plus `VirtualProtect`/`ExitProcess`) from `kernel32.dll`; the stub resolves the real imports itself at runtime.
- High entropy (~7.9 bits/byte) across the packed `UPX1` section, sitting next to a `UPX0` section with zero raw size on disk but a large virtual size.
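The three on-disk signs above can be checked with a few lines of PE parsing. The script below is an added example written for this page, not UPX's or any scanner's own code: it walks the section table, scores entropy per section and flags the UPX layout. It runs offline on constructed sample files (`build_sample_pe` fabricates a minimal PE32 with no real code, and `pseudo_random` stands in for compressed data); the 7.5 bits/byte threshold and the "empty on disk but >= 0x1000 virtual" rule are assumptions, not UPX constants. The `RENAMED` sample shows why the layout-plus-entropy rule is kept alongside the name check: scrubbing the section names alone does not hide the packer.

```python
import hashlib
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.5  # bits/byte; assumed threshold, compressed data sits near 7.9


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk the PE section table; returns [(name, virtual_size, raw_size, raw_bytes)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                     # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append((name.rstrip(b"\0"), vsize, raw_size, raw))
    return sections


def upx_indicators(pe: bytes) -> dict:
    """The on-disk signs: UPX names, high-entropy data, and an empty-on-disk
    section with a large virtual size (the UPX0 decompression target)."""
    secs = parse_sections(pe)
    return {
        "upx_names": [n for n, _, _, _ in secs if n in UPX_SECTION_NAMES],
        "high_entropy": [n for n, _, rs, raw in secs if rs and shannon_entropy(raw) >= HIGH_ENTROPY],
        "empty_raw_large_virtual": [n for n, vs, rs, _ in secs if rs == 0 and vs >= 0x1000],
    }


def is_likely_upx(pe: bytes) -> bool:
    ind = upx_indicators(pe)
    # Names alone are enough; renamed sections still show the layout + entropy combination.
    return bool(ind["upx_names"]) or (bool(ind["high_entropy"]) and bool(ind["empty_raw_large_virtual"]))


# ---- constructed samples: headers and section data only, no real code inside ----

def pseudo_random(n: int, seed: bytes = b"upx") -> bytes:
    """Deterministic high-entropy filler standing in for compressed data."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_sample_pe(sections) -> bytes:
    """Minimal PE32 container (DOS header, PE header, section table, raw data).
    sections: [(name, virtual_size, raw_bytes)]. Constructed for this example only."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    header_len = len(dos) + 4 + len(coff) + len(optional) + 40 * len(sections)
    data_start = (header_len + 0x1FF) & ~0x1FF                       # 0x200 file alignment
    raw_ptr, va, table, blobs = data_start, 0x1000, b"", b""
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, len(raw),
                             raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(raw)
        blobs += raw
        va += (vsize + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + optional + table
    return image + b"\0" * (data_start - len(image)) + blobs


PACKED = build_sample_pe([(b"UPX0", 0x20000, b""),
                          (b"UPX1", 0x9000, pseudo_random(0x8000)),
                          (b"UPX2", 0x1000, b"\0" * 0x200)])
RENAMED = build_sample_pe([(b".text", 0x20000, b""),              # same layout, names scrubbed
                           (b".data", 0x9000, pseudo_random(0x8000))])
CLEAN = build_sample_pe([(b".text", 0x2000, b"\x90" * 0x2000 + b"\xc3"),
                         (b".data", 0x1000, b"hello, world\0" * 100)])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED), ("renamed", RENAMED), ("clean", CLEAN)):
        print(label, is_likely_upx(sample), upx_indicators(sample))
```

To run it against a real file, replace the samples with `open(path, "rb").read()`; the parser only needs the DOS header, PE signature and section table, so it also copes with UPX-packed files whose optional header has been partly corrupted.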
Unpacking
- Trivial case: `upx -d sample.exe` restores the original. This only works when the UPX header is intact; malware often corrupts it (stripped `UPX!` magic, scrubbed section names, patched version bytes), so `upx -d` refuses and you fall back to the generic case.
- Generic case: run to the OEP (original entry point). Set a breakpoint after the stub's tail jump (a `jmp` to a far, lower address, from `UPX1` down into `UPX0`), let it fire, then dump the process with Scylla / pe-sieve and rebuild the IAT, since the stub resolved the real imports at runtime and the on-disk table only lists its own.
- Look for the `popad; jmp` tail (bytes `61 E9 rel32`) that classic 32-bit UPX stubs end with. 64-bit builds have no `popad`, so there match on the backward `jmp` itself.
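Locating that tail jump can be done statically before touching a debugger. The script below is an added example for this page, not UPX's or any debugger's own code: it scans the bytes of the stub section for `61 E9` (`popad; jmp rel32`), resolves each `rel32` relative to the end of the 5-byte `jmp`, and keeps only jumps that land at a lower RVA, which is the `UPX1` to `UPX0` direction described above. `SAMPLE_STUB` is a constructed stand-in for a `UPX1` section mapped at RVA 0x20000 (an assumption), containing a forward `popad; jmp` decoy inside the stub body and the real backward tail jump to RVA 0x1234; `STUB_RVA`, `classic_upx_oep` and the other names are this example's, not UPX's. It applies to 32-bit stubs only.

```python
import struct

POPAD_JMP = b"\x61\xe9"   # popad; jmp rel32 (32-bit stubs only: popad does not exist in x64)


def find_upx_tail_jumps(stub: bytes, stub_rva: int):
    """Return every `popad; jmp rel32` in `stub` whose target lies *below* the jmp,
    i.e. the UPX1 -> UPX0 direction. Each hit gives the RVA of the jmp and the RVA
    it lands on (the OEP candidate). `stub_rva` is the RVA at which `stub` is
    mapped, normally the UPX1 section's VirtualAddress."""
    hits = []
    idx = stub.find(POPAD_JMP)
    while idx != -1:
        if idx + 6 <= len(stub):                      # need popad + E9 + 4-byte rel32
            rel32 = struct.unpack_from("<i", stub, idx + 2)[0]
            jmp_rva = stub_rva + idx + 1              # the jmp sits right after popad
            target = jmp_rva + 5 + rel32              # rel32 is relative to the next instruction
            if target < jmp_rva:                      # forward jumps are stub-internal, skip them
                hits.append({"jmp_rva": jmp_rva, "oep_rva": target})
        idx = stub.find(POPAD_JMP, idx + 1)
    return hits


def classic_upx_oep(stub: bytes, stub_rva: int):
    """OEP candidate: the last backward popad;jmp in the stub, or None if absent."""
    hits = find_upx_tail_jumps(stub, stub_rva)
    return hits[-1]["oep_rva"] if hits else None


# Constructed UPX1 stand-in (assumed mapped at RVA 0x20000): NOP filler, a decoy
# popad;jmp that jumps forward inside the stub, then the real tail jump to RVA 0x1234.
STUB_RVA = 0x20000
_TAIL_IDX = 0x100
_OEP = 0x1234
SAMPLE_STUB = (
    b"\x90" * 0x40
    + POPAD_JMP + struct.pack("<i", 0x10)                                     # decoy, jumps forward
    + b"\x90" * (_TAIL_IDX - 0x46)
    + POPAD_JMP + struct.pack("<i", _OEP - (STUB_RVA + _TAIL_IDX + 1 + 5))    # real tail jump
    + b"\0" * 16
)

if __name__ == "__main__":
    for h in find_upx_tail_jumps(SAMPLE_STUB, STUB_RVA):
        print(f"jmp at RVA {h['jmp_rva']:#x} -> OEP candidate {h['oep_rva']:#x}")
    print("OEP candidate:", hex(classic_upx_oep(SAMPLE_STUB, STUB_RVA)))
```

In practice you feed it the raw bytes of the section that holds the entry point (with that section's VirtualAddress as `stub_rva`), then set a breakpoint at ImageBase plus the reported `oep_rva` (or a hardware breakpoint on the `jmp` itself), run until it fires, and dump. Crypters that wrap UPX or patch the stub will break the byte pattern, so treat a miss as "not a stock stub", not as "not packed".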