In this post I will run through how to dump the unpacked program from memory and reconstruct a working ELF, admittedly with quite a bit of winging it involved.

Picking up right where the previous part left off, we have our program unpacked in radare in debug mode and are stopped at the OEP.

Run dm to inspect the memory maps of the process:

:> dm
0x0000000000400000 - 0x0000000000401000 - usr 4K s r-- unk0 unk0
0x0000000000401000 - 0x0000000000495000 * usr 592K s r-x unk1 unk1
0x0000000000495000 - 0x00000000004bc000 - usr 156K s r…


“Kitten in a cardboard box”, by Revital Salomon, licensed under CC BY-SA 4.0

I recently attempted a binary challenge involving a packed executable; however, as the binary was packed with UPX, the challenge becomes fairly trivial once you know you can unpack it by running upx -d.

I decided to look into the process of manually unpacking UPX, but almost all the tutorials I found still use OllyDbg on Windows.
In this post I will run through one possible method for manually unpacking a binary packed with a modern version of UPX using radare2 on Linux.

First, let's compile and pack a simple hello world:

#include <stdio.h>
int main() {
    printf("Hello, World!");
    return 0;
}

dlnhxyz
