File packed with UPX crash and does not start

[Mrgaton]

I tried to convert files packed with upx to reduce shellcode size but doesn't just not work but increases shell code size than normal file to shell code link to upx : https://github.com/upx/upx

[Mrgaton]

By the way, very good work, @hasherezade , you saved my life with this project.

[hasherezade]

hi @Mrgaton ! thanks for reporting, I will check it soon

[hasherezade]

@Mrgaton - I checked it but I wasn't able to reproduce the crash. Can you please send me the file that was crashing to my e-mail: hasherezade-at-protonmail.com?

The increased shellcode size may come from the fact that during the shellcodification PE is converted to the virtual format, so that it can be loaded in-place, without allocating additional memory. It is also allow the shellcodes to be injected in the processes with DCP (dynamic code prohibited) enabled. More details described in this thread: https://github.com/hasherezade/pe_to_shellcode/issues/19 . Files that are packed, are normally smaller on disk, but they expand significantly in memory. And during the conversion, the size for all expanded content is reserved. In the future, I will add it as an option for the user to choose what type of result do they want to achieve - smaller size of the shellcode, or loading in-place, without additional allocations.

One issue that I observed with UPX, is that, sometimes during the compression UPX removes relocation table. And the pe2shc is set not to proceed if the file has no relocations. So you may see a message like this:

But in cases where UPX leaves relocation table, I had no problems converting and then running the converted versions. Those are my testcases. It is LoadOrd from Sysinternals, in 32 and 64 bit version, packed with the UPX v4.0.2:

The generated shellcodes: LoadOrd_upx.shc.zip

So, in order to be able help your case, I would need to see your file and investigate deeper what exactly went wrong.

[Mrgaton]

i was using the option --best on upx options and on a dll but ill try again

[hasherezade]

@Mrgaton - I tried with the option --best too, and still could not reproduce the crash. All my converted samples worked.

[Mrgaton]

Maibye was upx fault or my program fault sorry ill do some more test

[hasherezade]

ok, please double-check and let me know

[Mrgaton]

Yes, I tried the test again and worked perfectly, it just increased the size of the shell code file sorry to waste your time was probably or my fault dell or I don't know.

[hasherezade]

no probs, I am glad that it got solved