PMA 131: Custom UPX (25 pts extra)

What you need

Purpose

To compile the UPX packer locally, so you can dynamically analyze it by modifying it.

Use Ubuntu 18.04 Server

Don't use Debian!

Install Dependencies

On your Ubuntu 18.04 server machine, open a Terminal and execute these commands, one at a time. You will often need to answer a question. Watch carefully for error messages.
sudo apt update
sudo dpkg --add-architecture i386
sudo apt update
sudo apt install gcc gcc-multilib make zlib1g zlib1g-dev zlib1g:i386 
sudo apt install python build-essential unzip
export "CC=gcc -std=gnu89"
sudo ln -s /usr/lib/x86_64-linux-gnu/libmpfr.so.6 /usr/lib/x86_64-linux-gnu/libmpfr.so.4

Downloading and Extracting UPX

Execute these commands:
cd
wget https://github.com/upx/upx/archive/master.zip
unzip master.zip

Downloading, Extracting, and Building UCL

Execute these commands:
cd
wget http://www.oberhumer.com/opensource/ucl/download/ucl-1.03.tar.gz
mkdir -p local/src
cd local/src
tar xzfv ../../ucl-1.03.tar.gz
cd ucl-1.03
./configure "CC=gcc -std=gnu89"
make all
cd
nano .bashrc
Add this line to the end of the file, as shown below.
export UPX_UCLDIR=$HOME/local/src/ucl-1.03

Press Ctrl+X, Y, Enter to save the file.

In the Terminal, execute these commands:

source .bashrc

Downloading and Extracting LZMA SDK

Execute these commands:
cd
mkdir lzma
cd lzma
wget https://github.com/upx/upx-lzma-sdk/archive/master.zip
unzip master.zip
cd
cd upx-master/src
mv ../../lzma/upx-lzma-sdk-master/* lzma-sdk/

Downloading and Extracting Stub Sources

Execute these commands:
cd
wget https://github.com/upx/upx-stubtools/releases/download/v20160918/bin-upx-20160918.tar.xz
cd local
mkdir bin
cd bin
tar xvf ../../bin-upx-20160918.tar.xz 
mv bin-upx-20160918 bin-upx
cd
cd upx-master
cd src/stub/src
nano i386-win32.pe.S
Add these two lines in the PEDOJUMP section, as shown below.

Indent the lines with spaces, not Tab characters!

mov ah,0x4c
int 21

Press Ctrl+X, Y, Enter to save the file.

In the Terminal, execute these commands:

cd ..
make all

Build the UPX Executable

Execute these commands:
cd ../..
make all
src/upx.out
You see the UPX help message, as shown below.

PMA 131.1: Option 1 (10 pts)

Find the word covered by a green box in the image below.

That's the flag.

Modifying UPX

Execute these commands to get putty, a Windows file to test UPX with, and verify its hash:
cd
cd upx-master
wget https://samsclass.info/127/proj/putty.exe
shasum -a 256 putty.exe
The hash value should match the image below:

Execute this command to compress putty:

src/upx.out -o puttycomp.exe putty.exe
Execute this command to edit a source file:
nano src/help.cpp
Add a line to the file, as shown below.

Press Ctrl+X, Y, Enter to save the file.

In the Terminal, execute these commands:

make all
src/upx.out
The help message has changed, as shown below.

Creating a Modified Packed File

One common method malware uses to prevent UPX from unpacking a file is to modify the UPX! magic header.

In the Terminal, execute these commands:

sudo apt install hexedit -y
cp puttycomp.exe puttycmod.exe
hexedit puttycmod.exe
Find UPX! and move the cursor to the hex code for X, as shown below.

Add one to that number, so the X changes to Y, as shown below.

Press Ctrl+X, Y to save the file.

In the Terminal, execute these commands, to test the files:

src/upx.out -t puttycomp.exe
src/upx.out -t puttycmod.exe
As shown below, the original compressed file is fine, but the modified one cannot be unpacked by UPX.

Modifying UPX for UPZ!

In the Terminal, execute this command to find the lines of source code that contain UPX!:
grep UPX\! -r src
As shown below, there are four source code files containing that string, and several binary files we don't care about.

From the file names, it seems like the last three are only used for non-Windows software, so we can probably get away with modifying only the first one.

In the Terminal, execute this command:

nano src/conf.h
Change the 58 to 59, as shown below.

Press Ctrl+X, Y, Enter to save the file.

In the Terminal, execute these commands to compile the modified file and test it:

make all
src/upx.out -t puttycmod.exe
src/upx.out -t puttycomp.exe
As shown below, UPX can now unpack the modified file, but it fails on the unmodified compressed file.

PMA 131.2: Flag (15 pts)

Execute this command to download a compressed file:
wget https://samsclass.info/126/proj/upxflag3cmod.exe 
Verify the hash, as shown below.

Unpack that file and find the flag inside it.

Hints

  • First examine it with a hex editor to find the new magic word
  • Then make a custom UPX unpacker with that word
  • Then use "strings" to find the strings inside
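The first two hints can be scripted. The following is an added example for this project (not code from UPX or the course files): it reports the UPX0/UPX1 section names that still betray UPX packing after the magic is edited, lists every 4-byte word within one byte of "UPX!" that is followed by a plausible level byte, and prints the little-endian value to put in UPX_MAGIC_LE32 in src/conf.h. It assumes the stock magic "UPX!", that the four bytes after the magic are version, format, method and level (level 1..10), and uses a constructed byte string rather than a real packed file.

```python
"""Locate a tampered UPX magic in a packed PE and compute the conf.h value.

Added example, not code from UPX or the course. Assumptions: the stock
magic is "UPX!" (UPX_MAGIC_LE32 0x21585055 in src/conf.h), the packed
file keeps its "UPX0"/"UPX1" section names, and the four bytes after the
magic are version, format, method and level, with level in 1..10.
SAMPLE is constructed, not a real packed file.
"""
import struct

UPX_MAGIC = b"UPX!"
SECTION_NAMES = (b"UPX0", b"UPX1", b"UPX2")


def upx_section_names(data: bytes) -> list:
    """Section names that reveal UPX packing even when the magic was edited."""
    return [n.decode() for n in SECTION_NAMES if n in data]


def candidate_magics(data: bytes) -> list:
    """(offset, word) for 4-byte words within one byte of 'UPX!' that are
    followed by a plausible level byte; section names are skipped."""
    hits = []
    for off in range(len(data) - 8):
        word = data[off:off + 4]
        if word in SECTION_NAMES:
            continue
        if sum(a != b for a, b in zip(word, UPX_MAGIC)) > 1:
            continue
        level = data[off + 7]  # magic, then version, format, method, level
        if 1 <= level <= 10:
            hits.append((off, word))
    return hits


def conf_h_value(word: bytes) -> str:
    """Little-endian 32-bit constant for UPX_MAGIC_LE32 in src/conf.h."""
    return "0x%08X" % struct.unpack("<I", word)[0]


# Constructed sample: MZ stub, UPX section names, then a pack header whose
# magic was bumped from 'UPX!' to 'UPY!' exactly as in the hexedit step.
SAMPLE = (b"MZ" + b"\x90" * 30 + b"UPX0" + b"\x00" * 4 + b"UPX1" + b"\x00" * 4
          + b"\x11" * 16 + b"UPY!" + bytes([0x0D, 3, 8, 9]) + b"\x22" * 24)

if __name__ == "__main__":
    print("sections:", upx_section_names(SAMPLE))
    for off, word in candidate_magics(SAMPLE):
        print(f"magic {word!r} at 0x{off:X}; conf.h UPX_MAGIC_LE32 {conf_h_value(word)}")
```

Run it against the downloaded file by replacing SAMPLE with the file's bytes; every candidate it lists is a magic word to try in conf.h before rebuilding.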

Sources

On the Feasibility of Malware Unpacking with Hardware Performance Counters by Jay Mayank Patel (Appendix A)

Posted 9-17-2020