Upack Unpacker Plug-In
Automatic Upack (WinUpack) Unpacking
PE Explorer ships with the Upack Unpacker plug-in, a start-up processing plug-in for unpacking files compressed with Upack or WinUpack. All versions of Upack are supported.
Upack is a packer similar to UPX, but it uses LZMA compression and is designed with a focus on anti-unpacking.
The Upack Unpacker re-creates an executable file in its original form, before it was packed. This allows you to perform static analysis on the now unpacked data.
When you open a file in PE Explorer, the Upack Unpacker plug-in detects whether the file is packed with Upack and, if so, unpacks it automatically. The resulting file is also saved unpacked.
PE Explorer does not re-pack previously packed files. This is why the file size may increase after you open and save the executable, even WITHOUT making ANY changes to it in PE Explorer.
Reversing Worms and Trojans Packed with Upack
Many authors of malicious software use Upack to further reduce the size of the exploit so it is more flexible and fits in smaller places. Before malware analysis, you need to determine whether the packer is present. The Upack Unpacker reports this with messages in the bottom log pane, as follows:
Now, once the file is opened and unpacked, you can continue with import analysis in the EXE Import Viewer, then check all referenced text strings and function calls in the Disassembler. You can rapidly analyze the procedures and libraries a malware executable uses without ever activating the executable itself, a great advantage over debuggers, where malicious code needs to be run to be analyzed.
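The page says an analyst must first determine whether a packer is present. As an added example (not part of PE Explorer, its plug-in API, or this page), the Python below parses the PE headers of a file and applies generic packer heuristics to it: a PE header that overlaps the DOS header, a truncated data-directory table, a missing or tiny import table, high-entropy sections, sections that are both writable and executable, and executable sections whose virtual size far exceeds their raw size. The header offsets follow the PE format specification; the thresholds (entropy above 7.0, import directory of at most 40 bytes, virtual size more than twice the raw size) and the two in-memory sample files are assumptions constructed for illustration, not signatures of Upack or any other packer. A real analysis would run `assess()` over the bytes read from a suspect file.

```python
import hashlib
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is the maximum; compressed or encrypted data sits close to it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: e_lfanew, data-directory count, import size, sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    ndirs_off = opt + (92 if magic == 0x10B else 108)  # PE32 vs PE32+ layout
    num_dirs = struct.unpack_from("<I", data, ndirs_off)[0]
    # Data directory index 1 is the import table; its size field sits 12 bytes past the count.
    import_size = struct.unpack_from("<I", data, ndirs_off + 16)[0] if num_dirs > 1 else 0
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "raw_size": raw_size, "chars": chars,
                         "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
    return {"e_lfanew": e_lfanew, "num_dirs": num_dirs, "import_size": import_size,
            "sections": sections}


def packer_indicators(pe: dict) -> list[str]:
    """Generic heuristics (assumed thresholds), each hit named so a triage log can record it."""
    hits = []
    if pe["e_lfanew"] < 0x40:
        hits.append("pe_header_overlaps_dos_header")
    if pe["num_dirs"] < 16:
        hits.append("truncated_data_directory_table")
    if pe["import_size"] <= 40:  # one IMAGE_IMPORT_DESCRIPTOR plus its null terminator
        hits.append("import_table_missing_or_tiny")
    for s in pe["sections"]:
        executable = s["chars"] & IMAGE_SCN_MEM_EXECUTE
        if s["entropy"] > 7.0:
            hits.append(f"high_entropy_section:{s['name']}")
        if executable and s["chars"] & IMAGE_SCN_MEM_WRITE:
            hits.append(f"writable_executable_section:{s['name']}")
        if executable and s["vsize"] > 2 * max(s["raw_size"], 1):
            hits.append(f"virtual_size_far_exceeds_raw_size:{s['name']}")
    return hits


def assess(data: bytes) -> list[str]:
    return packer_indicators(parse_pe(data))


def build_sample_pe(sections, e_lfanew, num_dirs, import_size) -> bytes:
    """Constructed PE32 fixture (not a real program): sections = [(name, vsize, raw, chars)]."""
    opt_size = 96 + 8 * num_dirs
    sec_hdr_off = e_lfanew + 24 + opt_size
    raw_ptr = -(-(sec_hdr_off + 40 * len(sections)) // 0x200) * 0x200  # file-aligned headers
    buf = bytearray(raw_ptr)
    buf[0:2] = b"MZ"
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6, buf, opt,
                     0x10B, 0, 0, 0, 0, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                     4, 0, 0, 0, 4, 0, 0, 0, raw_ptr, 0, 2, 0,
                     0x100000, 0x1000, 0x100000, 0x1000, 0, num_dirs)
    if num_dirs > 1:
        struct.pack_into("<II", buf, opt + 96 + 8, 0x3000, import_size)  # placeholder import RVA
    va, ptr = 0x1000, raw_ptr
    for i, (name, vsize, raw, chars) in enumerate(sections):
        raw_size = -(-len(raw) // 0x200) * 0x200
        struct.pack_into("<8sIIIIIIHHI", buf, sec_hdr_off + 40 * i,
                         name, vsize, va, raw_size, ptr, 0, 0, 0, 0, chars)
        buf += raw.ljust(raw_size, b"\0")
        va += -(-max(vsize, raw_size) // 0x1000) * 0x1000
        ptr += raw_size
    struct.pack_into("<I", buf, 0x3C, e_lfanew)  # written last: with a small e_lfanew it overlaps the optional header
    return bytes(buf)


_LOW_ENTROPY_CODE = bytes(range(16)) * 32  # 512 bytes, entropy exactly 4.0
_HIGH_ENTROPY_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 pseudo-random bytes

# Constructed fixtures: an ordinary-looking PE and one showing the traits the heuristics target.
CLEAN_SAMPLE = build_sample_pe(
    [(b".text", 0x200, _LOW_ENTROPY_CODE, 0x60000020), (b".data", 0x200, b"\0" * 512, 0xC0000040)],
    e_lfanew=0x80, num_dirs=16, import_size=0x80)
PACKED_SAMPLE = build_sample_pe(
    [(b".sec0", 0x20000, _HIGH_ENTROPY_BLOB, 0xE0000020)],
    e_lfanew=0x10, num_dirs=10, import_size=40)

if __name__ == "__main__":
    print("clean :", assess(CLEAN_SAMPLE))
    print("packed:", assess(PACKED_SAMPLE))
```

None of these indicators alone proves a packer is present (a legitimate installer may also carry a high-entropy resource section), so the function returns the full list of hits rather than a verdict and leaves the decision to the analyst or to the tool's own unpacker detection.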
Write Your Own Custom Plug-ins
The Upack Unpacker plug-in unpacks only files compressed with Upack. Consult the PE Explorer Help for the plug-in API: you can write your own custom start-up processing plug-in for handling encrypted files or unpacking packed files. Using the Plug-in Manager (menu Tools | Plug-in Manager), you can set the priority in which plug-ins are executed.
Within the PE Explorer directory there must be a subdirectory named PLUGINS. All plug-ins (DLLs) should be placed in this folder.
The plug-in API will be extended in the future, so when writing custom plug-ins, pay special attention to the remarks in the descriptions of the Functions and Types (see the PE Explorer Help file) and abide by them. Following these guidelines keeps your code compatible with future versions of PE Explorer.
The plug-in API can be found in the Help within the PE Explorer package.