Manual Unpacking of UPX
Here are the standard steps involved in any unpacking operation:

1. Debug the EXE to find the real OEP (Original Entry Point).
2. At the OEP, dump the fully unpacked program to disk.
3. Fix the import table.
Based on the type and complexity of the packer, the unpacking operation may vary in time and difficulty.

UPX is the most basic packer and serves as a great example for anyone who wants to learn unpacking.

Here we will use OllyDbg to debug and unpack the UPX-packed EXE file. Although you can use any debugger, OllyDbg is one of the best ring 3 debuggers for reverse engineering thanks to its useful plugins.

Let's start the unpacking operation:
1. Load the UPX-packed EXE file into OllyDbg.
2. Start tracing the EXE until you encounter a PUSHAD instruction. Usually this is the first instruction, or it will appear within the first few instructions depending on the UPX version.
3. When you reach the PUSHAD instruction, set a hardware breakpoint (type 'hr esp-4' at the command bar) so that execution stops once the registers saved by PUSHAD are restored. This will stop execution when the POPAD instruction is executed later on.
   The other way is to manually search for the POPAD instruction (opcode 61) and set a breakpoint on it.
4. Once you have set the breakpoint, continue execution (press F9).
5. Shortly, it will break either on the instruction immediately after POPAD or on the POPAD instruction itself, depending on the method you chose.
6. Now start tracing step by step with F7, and soon you will encounter a JMP instruction that takes us to the actual OEP of the original program.
7. When you reach the OEP, dump the whole program using the OllyDump plugin (use the default settings). It will automatically fix the import table as well.
That is it, you have just unpacked UPX!
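The same PUSHAD ... POPAD / JMP pattern that the debugger walk above relies on can be checked statically. The script below is an added example, not part of the original tutorial: it scans the bytes at the packed file's entry point for PUSHAD, then for POPAD followed shortly by a backward JMP rel32, and computes the OEP RVA the way OllyDbg would show it. The stub bytes and the RVAs are constructed for the demonstration; the name find_upx_oep is the author's own.

```python
import struct

PUSHAD, POPAD, JMP_REL32 = 0x60, 0x61, 0xE9


def find_upx_oep(stub: bytes, stub_rva: int, max_gap: int = 16):
    """Static counterpart of the OllyDbg walk in the tutorial.

    `stub` holds the code bytes starting at the packed file's entry point and
    `stub_rva` is that entry point's RVA. Returns (jmp_rva, oep_rva) or None.
    Heuristic: the UPX stub starts with PUSHAD and ends with POPAD followed,
    within a few bytes, by a JMP rel32 back to the original entry point
    (the unpacked code sits at a lower RVA than the stub, so the jump is backward).
    """
    if not stub or stub[0] != PUSHAD:
        return None  # not the UPX-style stub this tutorial describes
    pos = stub.find(bytes([POPAD]), 1)
    while pos >= 0:
        # Look for JMP rel32 shortly after this POPAD (needs 5 bytes to fit).
        for off in range(pos + 1, min(pos + 1 + max_gap, len(stub) - 4)):
            if stub[off] == JMP_REL32:
                rel = struct.unpack_from("<i", stub, off + 1)[0]
                jmp_rva = stub_rva + off
                oep_rva = jmp_rva + 5 + rel  # target = next instruction + displacement
                if oep_rva < stub_rva:  # backward jump: consistent with a UPX OEP
                    return jmp_rva, oep_rva
        pos = stub.find(bytes([POPAD]), pos + 1)  # 0x61 may occur inside operands
    return None


# Constructed sample stub (not taken from a real binary): PUSHAD, two filler
# instructions, then the POPAD / stack-fixup / JMP tail. Entry point assumed at RVA 0x1A000.
SAMPLE_STUB_RVA = 0x1A000
SAMPLE_STUB = bytes([
    0x60,                                # pushad
    0xBE, 0x00, 0x10, 0x40, 0x00,        # mov esi, 0x401000 (filler)
    0x8D, 0xBE, 0x00, 0x00, 0xC0, 0xFF,  # lea edi, [esi-0x400000] (filler)
    0x57,                                # push edi
    0x61,                                # popad
    0x8D, 0x44, 0x24, 0x80,              # lea eax, [esp-0x80]
    0x6A, 0x00,                          # push 0
    0x39, 0xC4,                          # cmp esp, eax
    0x75, 0xFA,                          # jnz short
    0x83, 0xEC, 0x80,                    # sub esp, -0x80
    0xE9, 0x14, 0x72, 0xFE, 0xFF,        # jmp rel32 = -0x18DEC -> OEP RVA 0x1234
])

if __name__ == "__main__":
    print(find_upx_oep(SAMPLE_STUB, SAMPLE_STUB_RVA))  # (0x1A01B, 0x1234)
```

On a real file you would read the bytes at AddressOfEntryPoint from the section that contains it and pass that section's RVA; the result is only a hint to confirm in the debugger, since UPX versions differ in the instructions between POPAD and the final JMP.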