Common modified-UPX tricks
A few write-ups by other researchers:
https://cujo.com/blog/upx-anti-unpacking-techniques-in-iot-malware/
https://www.cnblogs.com/ichunqiu/p/7245329.html
https://bbs.kanxue.com/thread-275753.htm
https://www.52pojie.cn/forum.php?mod=viewthread&tid=326995
Header Structures
p_filesize
- The p_filesize in Figure 1 can be overwritten entirely with 0 (Figure 3 also contains a p_filesize)
- example [susctf mirai]
As can be seen, p_filesize in p_info is 0.
Locate the second p_size field, which still holds a value; write that value (0x2878) to offset 0x00F4 and -d will decompress.
overlay_offset
- overlay_offset sits at the end of the file and is the offset of p_info. When overlay_offset has been modified, running -d directly fails with an l_info error (absurd, I thought it was p_info).
- example [basectf UPX PRO]
Opening the file directly, overlay_offset is
Find the position of p_info: it is 0xF4.
Change overlay_offset to 0xF4 and -d decompresses directly.
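As an added example (not code from these notes or from the UPX project), the following Python checker covers both tweaks above, a zeroed p_filesize and a rewritten overlay_offset, on a little-endian ELF packed with stock UPX. It assumes the header layout from the UPX sources (l_info 12 bytes before p_info, PackHeader in the last 36 bytes followed by the 4-byte overlay_offset) and builds a constructed stand-in file with p_info at 0xF4 rather than using a real binary; `build_sample`, `diagnose` and `repair` are names chosen here. The candidate value for a zeroed p_filesize is the PackHeader's u_file_size field, which assumes the trailer itself was left alone; if the packer also changed the "UPX!" magic, the scan finds nothing and the repair refuses rather than guessing.

```python
# Added example (not from the notes above): check and repair a zeroed p_filesize
# and a rewritten overlay_offset in a little-endian ELF packed with stock UPX.
# Layout assumed from the UPX sources:
#   l_info (12 B): l_checksum u32, l_magic u32 ("UPX!"), l_lsize u16, l_version u8, l_format u8
#   p_info (12 B): p_progid u32, p_filesize u32, p_blocksize u32   <- overlay_offset points here
#   PackHeader (32 B, at EOF-36): "UPX!", version, format, method, level, u_adler, c_adler,
#                                 u_len, c_len, u_file_size, filter, filter_cto, n_mru, checksum
#   overlay_offset (u32): the last 4 bytes of the file
import struct

UPX_MAGIC = b"UPX!"
L_INFO_SIZE = 12
P_INFO_SIZE = 12
PACKHEADER_SIZE = 32
TRAILER_SIZE = PACKHEADER_SIZE + 4


def read_trailer(data):
    """Return (u_file_size, overlay_offset) from the PackHeader + overlay_offset at EOF."""
    if len(data) < TRAILER_SIZE or data[-TRAILER_SIZE:-TRAILER_SIZE + 4] != UPX_MAGIC:
        raise ValueError("no UPX PackHeader at end of file")
    base = len(data) - TRAILER_SIZE
    u_file_size = struct.unpack_from("<I", data, base + 24)[0]
    overlay_offset = struct.unpack_from("<I", data, base + PACKHEADER_SIZE)[0]
    return u_file_size, overlay_offset


def l_info_valid(data, overlay_offset):
    """upx -d reads l_info 12 bytes before overlay_offset and requires l_magic == "UPX!"."""
    l_off = overlay_offset - L_INFO_SIZE
    return l_off >= 0 and data[l_off + 4:l_off + 8] == UPX_MAGIC


def find_p_info(data):
    """Recover the real p_info offset by scanning for an l_info magic (trailer excluded)."""
    body = data[:-TRAILER_SIZE]
    pos = body.find(UPX_MAGIC)
    while pos != -1:
        cand = pos - 4 + L_INFO_SIZE  # magic sits at l_info+4; p_info follows l_info
        if pos >= 4 and cand + P_INFO_SIZE <= len(body):
            return cand
        pos = body.find(UPX_MAGIC, pos + 1)
    return None


def diagnose(data):
    """Map field -> (value found, value to write). Empty means upx -d's header checks pass."""
    u_file_size, overlay_offset = read_trailer(data)
    findings = {}
    p_off = overlay_offset
    if not l_info_valid(data, overlay_offset):
        p_off = find_p_info(data)
        findings["overlay_offset"] = (overlay_offset, p_off)
    if p_off is not None and p_off + P_INFO_SIZE <= len(data):
        _, p_filesize, p_blocksize = struct.unpack_from("<3I", data, p_off)
        # upx -d rejects the file when file_size > p_filesize or p_blocksize > p_filesize;
        # the PackHeader's u_file_size is the original size, so it is the candidate fix
        if p_filesize < len(data) or p_blocksize > p_filesize:
            findings["p_filesize"] = (p_filesize, u_file_size)
    return findings


def repair(data):
    """Write the candidate values from diagnose() back; the PackHeader itself is untouched."""
    findings = diagnose(data)
    buf = bytearray(data)
    if "overlay_offset" in findings:
        p_off = findings["overlay_offset"][1]
        if p_off is None:
            raise ValueError("could not locate l_info/p_info; the magic may be modified too")
        struct.pack_into("<I", buf, len(buf) - 4, p_off)
    else:
        p_off = read_trailer(data)[1]
    if "p_filesize" in findings:
        struct.pack_into("<I", buf, p_off + 4, findings["p_filesize"][1])
    return bytes(buf)


def build_sample(p_filesize=0x2878, overlay_offset=0xF4, zero_p_filesize=False):
    """Constructed stand-in for a packed ELF with p_info at 0xF4 as in the notes (not a real binary)."""
    p_off = 0xF4
    buf = bytearray(b"\x7fELF") + bytes(p_off - L_INFO_SIZE - 4)        # fake ELF/program headers
    buf += struct.pack("<I", 0) + UPX_MAGIC + struct.pack("<HBB", 0, 13, 12)  # l_info
    buf += struct.pack("<III", 0, 0 if zero_p_filesize else p_filesize, 0x2000)  # p_info
    buf += b"\xaa" * 0x100                                               # stand-in for compressed blocks
    buf += UPX_MAGIC + bytes([13, 12, 2, 8]) + struct.pack("<5I", 0, 0, 0, 0, p_filesize)
    buf += bytes(4) + struct.pack("<I", overlay_offset)                  # PackHeader tail + overlay_offset
    return bytes(buf)


if __name__ == "__main__":
    tampered = build_sample(zero_p_filesize=True, overlay_offset=0x10)
    print(diagnose(tampered))
    print(diagnose(repair(tampered)))
```

On a real sample, read the file into `data`, run `diagnose` first, and only then `repair`; the repair leaves the PackHeader and its checksum alone, so a file whose trailer was also edited still needs manual work.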