avast / retdec

RetDec is a retargetable machine-code decompiler based on LLVM.
https://retdec.com/
MIT License

Retdec unpacker: overlay breaks UPX unpacking #971

Open TheDuchy opened 3 years ago

TheDuchy commented 3 years ago

Sample c787e57a8077f0df838ae416cbf6dd38ecc670e532c3369bff2ef571cd94d36e contains its configuration in the last 128 bytes, which are placed after the trailing UPX header. This fools both upx -d and retdec-unpacker, which exits with:

[UPX] Detected NRV2B unpacking stub based on signature & metadata.
[UPX] Started unpacking of file 'c787e57a8077f0df838ae416cbf6dd38ecc670e532c3369bff2ef571cd94d36e'.
[UPX] Unfiltering filter 0x0 with parameter 0.
[UPX] Unpacking block at file offset 0x198.
[UPX] Unfiltering filter 0x49 with parameter 5.
[UPX] Unpacking block at file offset 0x5b58.
[UPX] Unfiltering filter 0x0 with parameter 0.
[UPX] Unpacking block at file offset 0x82fa.
[UPX] Unfiltering filter 0x0 with parameter 0.
[UPX] Unpacking block at file offset 0xc5bf.
[ERROR] [UPX] Invalid block found.
[UPX] Exiting with cached exit code 2
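Added example, not retdec's or UPX's own code: a Python script that does what a practitioner would do with a sample like the one above before retrying upx -d or retdec-unpacker. It locates the trailing UPX PackHeader by scanning backwards for the "UPX!" magic, validates the header checksum so that a stray magic inside the body or the overlay is not mistaken for the trailer, and then splits the file at the end of that header: everything before it is the UPX-packed image, everything after it is the overlay (here, the sample's configuration), which is kept in a separate file because it is usually the part worth reading anyway. The 32-byte trailer layout (magic, version, format, method, level, u_adler, c_adler, u_len, c_len, u_file_size, filter, filter_cpu, n_mru, checksum) and the mod-251 byte-sum checksum are modelled on my reading of UPX's packhead.cpp and are assumptions to verify against the UPX version that packed a given sample; older or DOS formats use shorter headers and are not handled. The packed body, header values and 128-byte "config" produced by build_sample() are constructed test data, not bytes from the sample in the report.

```python
"""Split a UPX-packed file into the packed image and any trailing overlay.

Added example, not retdec/UPX code. Header layout and checksum are assumptions
modelled on UPX's packhead.cpp for 32-byte trailers (ELF/PE-style formats).
"""
import struct
import sys

UPX_MAGIC = b"UPX!"
PACKHEADER_SIZE = 32  # assumed trailer size; DOS formats use shorter headers


def packheader_checksum(hdr):
    # Assumed scheme: byte sum of everything after the magic, excluding the
    # final checksum byte itself, modulo 251.
    return sum(hdr[4:PACKHEADER_SIZE - 1]) % 251


def build_packheader(version, fmt, method, level, u_adler, c_adler,
                     u_len, c_len, u_file_size, filt=0, filt_cpu=0, n_mru=0):
    """Serialise a trailer with the assumed layout (used to construct test data)."""
    hdr = bytearray(UPX_MAGIC)
    hdr += bytes([version, fmt, method, level])
    hdr += struct.pack("<5I", u_adler, c_adler, u_len, c_len, u_file_size)
    hdr += bytes([filt, filt_cpu, n_mru])
    hdr.append(packheader_checksum(bytes(hdr) + b"\x00"))  # checksum over bytes 4..30
    return bytes(hdr)


def parse_packheader(hdr):
    """Return the trailer fields as a dict, or None if magic/size/checksum do not fit."""
    if len(hdr) != PACKHEADER_SIZE or hdr[:4] != UPX_MAGIC:
        return None
    if hdr[PACKHEADER_SIZE - 1] != packheader_checksum(hdr):
        return None
    u_adler, c_adler, u_len, c_len, u_file_size = struct.unpack_from("<5I", hdr, 8)
    return {
        "version": hdr[4], "format": hdr[5], "method": hdr[6], "level": hdr[7],
        "u_adler": u_adler, "c_adler": c_adler,
        "u_len": u_len, "c_len": c_len, "u_file_size": u_file_size,
        "filter": hdr[28], "filter_cpu": hdr[29], "n_mru": hdr[30],
    }


def find_trailer(data):
    """Scan backwards for a checksum-valid PackHeader; return (offset, fields) or None."""
    pos = len(data)
    while True:
        pos = data.rfind(UPX_MAGIC, 0, pos)
        if pos < 0:
            return None
        fields = parse_packheader(data[pos:pos + PACKHEADER_SIZE])
        if fields is not None:
            return pos, fields
        # a false "UPX!" inside the body or overlay: keep looking further back


def split_overlay(data):
    """Return (packed_image, overlay, trailer_fields); overlay is b"" if none."""
    found = find_trailer(data)
    if found is None:
        raise ValueError("no checksum-valid UPX PackHeader found")
    off, fields = found
    end = off + PACKHEADER_SIZE
    return data[:end], data[end:], fields


def build_sample():
    """Constructed input: fake packed body + valid trailer + 128-byte 'config' overlay."""
    body = bytes(range(256)) * 4                      # 1024 bytes, no "UPX!" inside
    hdr = build_packheader(version=13, fmt=12, method=2, level=8,
                           u_adler=0x11111111, c_adler=0x22222222,
                           u_len=4096, c_len=len(body), u_file_size=4096 + 256)
    overlay = b"CFG0" + bytes(124)                    # stands in for the appended config
    return body + hdr + overlay


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: split_upx_overlay.py <packed-file>")
    path = sys.argv[1]
    with open(path, "rb") as f:
        blob = f.read()
    image, extra, info = split_overlay(blob)
    print("PackHeader at 0x%x: method=%d filter=0x%x c_len=%d u_len=%d"
          % (len(image) - PACKHEADER_SIZE, info["method"], info["filter"],
             info["c_len"], info["u_len"]))
    print("overlay: %d bytes" % len(extra))
    if extra:
        with open(path + ".stripped", "wb") as f:
            f.write(image)          # feed this to upx -d / retdec-unpacker
        with open(path + ".overlay", "wb") as f:
            f.write(extra)          # analyse this separately
```

Run it on the packed file, then retry upx -d or retdec-unpacker on the .stripped copy. Note that the stripped copy is only for static unpacking: a stub that reads its configuration from the end of its own file will not behave like the original sample if executed without the overlay, so keep the .overlay file alongside the unpacked image.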

TheDuchy commented 3 years ago

Also, I forgot to mention that the sample runs fine and works as intended.