I recently read a tweet from Ange about a technique to fool UPX when the option -d (decompress) is called.

I would like to know how this works and what the techniques are to prevent a UPX-packed executable from being decompressed through upx -d (if possible for both Linux and Windows).

perror
  • Of course @blabb's answer prevents upx -d, but you should be aware that generic unpackers such as RL Depacker can still unpack such files. – 0xec Feb 08 '14 at 07:45
  • If you want to, protect your UPX output with Denuvo/VMProtect/enigma protector/anything of this nature and no-one can decompress it. – Jessie Lesbian Aug 04 '20 at 08:11
  • @JessieLesbian not to be picky, but "no-one can decompress it" is (simply) not really true. It's like saying "No one can break into this system, it's 100% secure." Same thing here: "No one can decompress this malware, it's 100% secure." – William Martens Jul 08 '23 at 17:05

2 Answers

UPX doesn't check the unpacking stub's integrity, and just blindly restores the data from the stored information, not from the actual execution.

Since UPX is open-source and documented (commented IDB), it's easy to modify it and actually do something extra (anti-debug, patch, decryption, jump to real entrypoint...) that will be lost when 'upx -d' is used.

Such a UPX hack is not uncommon in malware.

Ange
  • If I get it right, it only requires modifying the checksum of the packed executable... Or did I misunderstand something? – perror Dec 30 '13 at 13:47
  • @perror did you figure this out? – Tiago Sep 27 '16 at 12:08
  • It appeared to be true (at the time I tested it). So, modifying the checksum of the executable won't prevent executing it, but will render the decompression a bit more difficult (because you need to bypass this checksum verification before applying the decompression). – perror Sep 27 '16 at 13:22

Fooling upx -d can be as simple as a one-byte patch; here is a small sample.

Pack the MS-Windows standard calc.exe, hex-edit one byte, and the result is an executable that cannot be unpacked with upx -d (this does not corrupt the exe: it will still run and can be unpacked manually). Only unpacking with the -d switch won't work.

  1. create a new folder foolupx:

     foolupx:\>md foolupx
    
  2. copy calc.exe to the newly created folder:

     foolupx:\>copy c:\WINDOWS\system32\calc.exe foolupx\upxedcalc.exe
         1 file(s) copied.
    
  3. pack the renamed calc.exe:

     foolupx:\>upx .\foolupx\upxedcalc.exe
     Ultimate Packer for eXecutables
     Copyright (C) 1996 - 2011
     UPX 3.08w       Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011
    
     File size         Ratio      Format      Name
    --------------------   ------   -----------   -----------
      114688 ->     56832   49.55%    win32/pe     upxedcalc.exe
    
    

     Packed 1 file.

  4. Create a duplicate of the packed calc.exe for hex-editing and compare the files. The difference is one byte in the PE header: the section name UPX0 is changed to BPX0:

     foolupx:\>copy .\foolupx\upxedcalc.exe .\foolupx\modupxedcalc.exe
         1 file(s) copied.
    

     foolupx:>fc .\foolupx\upxedcalc.exe .\foolupx\modupxedcalc.exe
     Comparing files .\FOOLUPX\upxedcalc.exe and .\FOOLUPX\MODUPXEDCALC.EXE
     000001E8: 55 42

  5. Uncompress both files with the -d switch. One will be unpacked, the other will not be unpacked:

     foolupx:\>upx -d .\foolupx\modupxedcalc.exe
     Ultimate Packer for eXecutables
     Copyright (C) 1996 - 2011
     UPX 3.08w       Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011
    
     File size         Ratio      Format      Name
    --------------------   ------   -----------   -----------
     upx: .\foolupx\modupxedcalc.exe: CantUnpackException: file is modified/hacked/protected; take care!!!
    
    

     Unpacked 0 files.
     
     foolupx:>upx -d .\foolupx\upxedcalc.exe
     Ultimate Packer for eXecutables
     Copyright (C) 1996 - 2011
     UPX 3.08w       Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011
     
     File size         Ratio      Format      Name
     
       114688 <-     56832   49.55%    win32/pe     upxedcalc.exe
     
     Unpacked 1 file.
     
     foolupx:>

blabb
  • first of all - great answer! - Just have to ask: is the one-byte patch arbitrarily chosen in this answer, or can it be more? e.g. I thought of changing UPX's "signature" (the text "UPX", which is very common in UPX-packed exes) to something like DTK (randomly made up), or would that corrupt it? (as in running it and changing it back, and then upx -d) – William Martens Jul 08 '23 at 17:16
  • adding another comment just to point out: if I can improve my comment, just point it out! :) Wishes from Sweden! – William Martens Jul 08 '23 at 17:16
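Both answers come down to the same triage lesson: `upx -d` trusts the headers it wrote and refuses as soon as they are touched, so an analyst handling a UPX-looking sample wants to know, before reaching for `upx -d`, whether the layout is still UPX's own. The script below is an added example, not code from the answers or from UPX itself. It walks the DOS header, PE signature, COFF header and section table of a PE image, reports where two images differ the way `fc` does, and gives a verdict based on two assumed indicators: the `UPX!` marker that UPX-packed files carry, and the canonical section names `UPX0`/`UPX1`/`.rsrc` (the set is an assumption; real UPX builds vary). The input is a constructed minimal PE header built in the script, not calc.exe, so the differing byte lands at offset 0x178 rather than the page's 0x1E8; the byte values, 0x55 (`U`) to 0x42 (`B`), are the same one-byte change the answer shows.

```python
import struct

# PE section header layout (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # 40

# Assumed canonical names UPX leaves in a PE it packs (heuristic, not a UPX API)
UPX_SECTION_NAMES = {"UPX0", "UPX1", ".rsrc"}
UPX_MAGIC = b"UPX!"  # marker present in UPX-packed files (assumed indicator)

VERDICT_STANDARD = "upx-packed, standard layout"
VERDICT_ALTERED = "upx-packed, section names altered: expect 'upx -d' to refuse; unpack manually"
VERDICT_NOT_UPX = "no UPX marker found"


def build_minimal_pe(section_names):
    """Constructed sample: a minimal PE32 image holding only DOS header, PE signature,
    COFF header, a zeroed optional header and a section table. Not a runnable binary."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    size_of_optional = 0xE0  # size of a PE32 optional header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(size_of_optional, b"\x00")  # PE32 magic, rest zeroed
    sections = b"".join(struct.pack(SECTION_FMT, n, 0, 0, 0, 0, 0, 0, 0, 0, 0) for n in section_names)
    return dos + b"PE\x00\x00" + coff + optional + sections + UPX_MAGIC


def section_names(data):
    """Follow e_lfanew to the PE signature, read NumberOfSections and SizeOfOptionalHeader
    from the COFF header, then walk the section table and return the section names."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional
    names = []
    for i in range(number_of_sections):
        raw = struct.unpack_from(SECTION_FMT, data, table + i * SECTION_SIZE)[0]
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def byte_diff(a, b):
    """Offsets at which two same-length images differ, as (offset, old, new), like 'fc' reports."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def classify(data):
    """Triage verdict: is the UPX marker present, and do the section names still look like UPX's own?"""
    if UPX_MAGIC not in data:
        return VERDICT_NOT_UPX
    names = set(section_names(data))
    if names <= UPX_SECTION_NAMES and {"UPX0", "UPX1"} <= names:
        return VERDICT_STANDARD
    return VERDICT_ALTERED


# Constructed samples mirroring the answer: the second differs in one byte of the first section name.
SAMPLE_PACKED = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"])
SAMPLE_MODIFIED = build_minimal_pe([b"BPX0", b"UPX1", b".rsrc"])

if __name__ == "__main__":
    for off, old, new in byte_diff(SAMPLE_PACKED, SAMPLE_MODIFIED):
        print(f"{off:08X}: {old:02X} {new:02X}")  # fc-style line, here 00000178: 55 42
    print(classify(SAMPLE_PACKED))
    print(classify(SAMPLE_MODIFIED))
```

Run it as a script to see the `fc`-style diff line and the two verdicts; to triage a real file, read it into `data` and call `classify(data)`. The verdict is only a hint that the stock tool will refuse: as 0xec's comment notes, a generic unpacker or a manual dump will still recover the payload, so the altered-names case is a cue to switch tools, not a dead end.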