PE Explorer Feature Tour
UPX UNPACKER PLUG-IN

Automatic UPX Unpacking

Both PE Explorer and Resource Tuner ship with the UPX Unpacker plug-in, a start-up processing plug-in for unpacking files compressed with UPX. All versions of UPX are supported, from the obsolete early versions (prior to 0.80) up to the latest version 3.01. Files packed with UPX 3.0x using the "-brute" option may now be opened. The UPX Unpacker also supports unpacking files packed with various UPX scramblers, which prevent UPX-packed files from being unpacked by the standard UPX tool: Advanced UPX Scrambler, UPoLyX, UPX Lock, UPX Mutanter, UPX Scrambler, UPX SHIT, and several others.

See also: Upack Unpacker, What are packers?

When you open a file with PE Explorer or Resource Tuner, the UPX Unpacker plug-in detects whether the file is packed with UPX and then unpacks it automatically, without lengthy workarounds. The resulting file will also be saved unpacked. PE Explorer does not re-pack previously packed files back to their exact original size.

Unpacking Malicious Software

The UPX Unpacker plug-in works on packed malware (short for malicious software, which includes viruses, worms, Trojan horses, spyware, adware, rootkits, and keyloggers) and can handle a file even if it has been packed with UPX and then modified manually so that the standard UPX decompression method cannot be used directly to unpack it. To make unpacking and reverse engineering harder, malware authors often manually modify the internal structures of executable files. For example, they change the UPX strings that name the binary sections from "UPX" to "XYZ" or even leave them blank, or they change the version numbers of the UPX format (e.g. from 1.23 to 3.21). The UPX Unpacker plug-in detects these crafty modifications and unpacks the obfuscated files on the fly: cleared UPX headers are of no consequence.

Restoring the Original UPX Header

Previously, you had to run the executable and dump the packed segments right after the executable had been completely unpacked in memory. Now you can open these obfuscated files in PE Explorer even without knowing that they are obfuscated: the file will be unpacked automatically. The UPX Unpacker reports its progress as lines of messages in the bottom log window. You can now rapidly analyze the procedures and libraries a malware executable uses without ever activating the executable itself, a great advantage over debuggers, where malicious code needs to be run to be analyzed.

The UPX Unpacker attempts to recover a file even when an original PE file header entry is no longer available after unpacking. Previously, losing the PE file header rendered the executable completely inoperable and unrepairable. Now you have a good chance of analyzing packed malware executables and extracting hidden data.

Plug-in Manager

Selecting "Plug-in Manager" from the Tools menu displays the Plug-in Manager dialog. The Plug-in Manager lists all the plug-ins that PE Explorer has. While it is open, you can set the priority of a selected plug-in. Larger values have greater priority; zero disables the plug-in and marks it red.

Please note that the Plug-in Manager currently does not support plug-in chains (i.e. plug-in processing stops after one successful pass, and the remaining plug-ins are not called). PE Explorer loads the next plug-in only if the previous plug-in returns FALSE after execution.

Write Your Own Custom Plug-ins

The UPX Unpacker plug-in unpacks only files compressed with UPX. However, the open API allows custom plug-ins to be integrated. Consult the PE Explorer help for the plug-in API: you can write your own custom start-up processing plug-in for handling encrypted files and unpacking packed files. Within the PE Explorer directory there is a subdirectory named PLUGINS. All plug-ins (DLLs) should be placed in this folder.

The plug-in API will be extended; therefore, when writing custom plug-ins, it is important to pay special attention to the remarks made in the description of Functions and Types (see the product help file) and to abide by them. Following these guidelines will keep your code compatible with future versions of PE Explorer and Resource Tuner. The plug-in API can be found within the PE Explorer or Resource Tuner packages.
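As an added illustration of the "Unpacking Malicious Software" section above (this is not PE Explorer's code or its plug-in API), the Python sketch below parses the PE section table and flags the characteristic UPX layout by structure rather than by the "UPX" strings, so renaming the sections to "XYZ" does not hide the packer. The structural heuristic (an empty first section that is large in memory, entry point in the second section) and the header-only sample images are assumptions constructed here for the demonstration; they describe typical UPX output, not how the plug-in itself detects packing.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics

def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) from the headers of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint, same offset in PE32 and PE32+
    secs = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        secs.append({"name": f[0].rstrip(b"\0").decode("latin-1"), "vsize": f[1], "va": f[2], "rawsize": f[3]})
    return entry, secs

def looks_upx_packed(data):
    """Flag UPX by structure rather than by name (assumed heuristic): the first section has no raw data but a
    large virtual size (the target for the unpacked image) and the entry point lies in the second section."""
    entry, secs = parse_sections(data)
    names = ", ".join(s["name"] for s in secs)
    if any(s["name"].startswith("UPX") for s in secs):
        return True, "UPX section names present (" + names + ")"
    if len(secs) >= 2:
        first, second = secs[0], secs[1]
        second_end = second["va"] + max(second["vsize"], second["rawsize"])
        if first["rawsize"] == 0 and first["vsize"] > 0 and second["va"] <= entry < second_end:
            return True, "UPX-style layout with renamed sections (" + names + ")"
    return False, "no UPX-style layout (" + names + ")"

def build_image(sections, entry):
    """Constructed minimal PE32 header (headers only, no code) so the detector can be exercised offline."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(14) + struct.pack("<I", entry) + bytes(0xE0 - 20)
    hdrs = b"".join(struct.pack(SECTION_HDR, n.encode(), vs, va, rs, rp, 0, 0, 0, 0, 0xE0000040)
                    for n, vs, va, rs, rp in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs

# Constructed samples: stock UPX layout, the same layout with the "UPX" strings replaced by "XYZ", and a normal build
UPX_STOCK = build_image([("UPX0", 0x10000, 0x1000, 0, 0x400), ("UPX1", 0x5000, 0x11000, 0x4A00, 0x400), (".rsrc", 0x1000, 0x16000, 0x200, 0x4E00)], 0x15A00)
UPX_RENAMED = build_image([("XYZ0", 0x10000, 0x1000, 0, 0x400), ("XYZ1", 0x5000, 0x11000, 0x4A00, 0x400), (".rsrc", 0x1000, 0x16000, 0x200, 0x4E00)], 0x15A00)
PLAIN = build_image([(".text", 0x3000, 0x1000, 0x3000, 0x400), (".data", 0x1000, 0x4000, 0x200, 0x3400)], 0x1200)
```

Call `looks_upx_packed(open(path, "rb").read())` on a real file to get the verdict and the section names it was based on.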