Heaventools


Upack Unpacker Plug-In

Automatic Upack (WinUpack) Unpacking

PE Explorer ships with the Upack Unpacker plug-in, a start-up processing plug-in for unpacking files compressed with Upack or WinUpack. All versions of Upack are supported.

Upack is a packer similar to UPX, but it uses LZMA compression and is designed with a focus on anti-unpacking.

The Upack Unpacker re-creates an executable file in its original form, before it was packed. This allows you to perform static analysis on the now unpacked data.

When you open a file with PE Explorer, the integrated Upack Unpacker plug-in detects whether the file is packed with Upack. If the file is packed, PE Explorer proceeds to unpack it automatically.

The resulting file is also saved unpacked. PE Explorer does not re-pack a previously packed file. That is why the file size may increase after you open and save the executable WITHOUT making ANY changes to it in PE Explorer.

See also: UPX Unpacker | What are packers?

Reversing Worms and Trojans Packed with Upack

Many authors of malicious software use Upack to further reduce the size of the exploit so that it is more flexible and fits in smaller places. Before malware analysis, you need to establish whether a packer is present. When it detects Upack, the Upack Unpacker writes messages to the bottom log pane like those shown below:

(Screenshot: Upack Unpacker messages in the PE Explorer log pane)

Now, once the file is opened and unpacked, you can continue with import analysis in the EXE Import Viewer, then check out all referenced text strings and function calls in the Disassembler. You can rapidly analyze the procedures and libraries a malware executable uses without ever running the executable itself — a great advantage over debuggers, where malicious code has to be run in order to be analyzed.
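The page does not describe how the plug-in recognizes an Upack file, so as an added example (not PE Explorer's or the plug-in's own code) here is a stdlib-only check that walks the PE section table and flags sections whose raw bytes are near-random, the kind of signal that tells an analyst a compressor such as Upack's LZMA stage is present before static analysis starts. The 7.0-bit threshold, the section names and the synthetic in-memory PE layout are assumptions constructed for the example.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; values near 8.0 indicate compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def section_entropies(pe: bytes) -> list:
    """Walk the PE section table and return (name, entropy) for each section's raw data."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the PE signature
    n_sections, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    out = []
    for i in range(n_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        out.append((name, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return out

def looks_packed(pe: bytes, threshold: float = 7.0) -> bool:
    """Flag the file if any section's raw bytes are near-random (7.0 bits is an assumed cut-off)."""
    return any(ent >= threshold for _, ent in section_entropies(pe))

def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE layout (headers plus raw sections) for offline testing; not a runnable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)  # i386, no optional header
    ptr, table, blobs = e_lfanew + 4 + len(coff) + 40 * len(sections), b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0)
        blobs += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + blobs

# Constructed samples: readable import strings vs. pseudo-random bytes standing in for compressed output.
PLAIN_TEXT = b"kernel32.dll\0LoadLibraryA\0GetProcAddress\0" * 50
RANDOM_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
SAMPLE_PLAIN = build_sample_pe([(b".text", PLAIN_TEXT), (b".data", PLAIN_TEXT)])
SAMPLE_PACKED = build_sample_pe([(b".text", PLAIN_TEXT), (b".data", RANDOM_LIKE)])
```

Running `section_entropies` on a real file is a triage hint only: a genuinely unpacked image with a large high-entropy resource section will also trip the threshold, which is why the plug-in's positive identification of Upack is the authoritative check.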

Write Your Own Custom Plug-ins

The Upack Unpacker plug-in specializes in unpacking files compressed with Upack only. Consult the PE Explorer Help for the plug-in API: you can write your own custom start-up processing plug-in for handling encrypted files or unpacking files compressed with other packers. Using the Plug-in Manager, you can set the order in which plug-ins execute: menu Tools | Plug-in Manager.

Within the PE Explorer directory there is a subdirectory named PLUGINS. Place all plug-ins (DLLs) in this designated folder. At present the plug-in location cannot be customized; plug-ins must reside in the "PLUGINS" subdirectory.

The plug-in API will be extended in future versions, so when writing custom plug-ins pay special attention to the remarks in the descriptions of Functions and Types (see the PE Explorer Help file) and abide by them. Following these guidelines keeps your code compatible with future versions of PE Explorer.

The plug-in API can be found in the Help within the PE Explorer package.
