Mailing List Archive

UPX unpacking seems bogus even for simple exe
Hello all,
I am developing extensions for ClamAV (at least that's my objective!) and was doing some preliminary tests with UPX.
This is my test procedure:
1) compile a simple exe on Windows + MinGW with a single main function call and no stdout: clean.exe
2) upx clean.exe -o clean.upx.exe
3) run ClamAV and retrieve the unpacked file:

LibClamAV debug: EntryPoint offset: 0x14d0 (5328)
LibClamAV debug: Bytecode executing hook id 259 (1 hooks)
LibClamAV debug: Bytecode: no logical signature matched, no bytecode executed
LibClamAV debug: UPX/FSG/MEW: empty section found - assuming compression
LibClamAV debug: UPX: Looks like a NRV2B decompression routine
LibClamAV debug: UPX: UPX1 seems skewed by 21 bytes
LibClamAV debug: UPX: PE structure rebuilt from compressed file
LibClamAV debug: UPX: Successfully decompressed
LibClamAV debug: UPX/FSG: Decompressed data saved in /var/tmp/clam/clamav-6707cc60ae0369dcc51b58d58af8bbdf

4) attempt to run the unpacked file, getting a massive page fault (tested both on Wine and on a non-virtual Windows machine); see the output at the bottom of the email.

My question: is this normal behavior? I was kind of expecting a clean dumped file, because I have to do some static analysis on the dumped output.
I have put the test files in this shared folder in case somebody wants to replicate my output:

ClamAV version (installed from apt-get)
ClamAV 0.97.8/17955/Fri Oct 11 03:44:05 2013

Stack trace of the unpacked file follows:

wine clean.unpacked.exe
wine: Unhandled page fault on read access to 0x00006250 at address 0x6250 (thread 0009), starting debugger...
Unhandled exception: page fault on read access to 0x00006250 in 32-bit code (0x00006250).
Register dump:
CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
EIP:00006250 ESP:0060fe54 EBP:0060fe88 EFLAGS:00010212( R- -- I -A- - )
EAX:00000000 EBX:7b894ff4 ECX:0060fef0 EDX:0060fef0
ESI:7ffdf000 EDI:00401280
Stack dump:
0x0060fe54: 00401290 00000001 f7693a2e 00000000
0x0060fe64: 00000000 00000000 00000000 00000000
0x0060fe74: 7b859ddc 7ffdf000 7bc4bd4a 7b894ff4
0x0060fe84: 7ffdf000 0060fec8 7b85b04f 7ffdf000
0x0060fe94: 00401280 00000000 00000000 00000000
0x0060fea4: 00000000 00000000 00000000 00000000
000c: sel=0067 base=00000000 limit=00000000 16-bit r-x
=>0 0x00006250 (0x0060fe88)
1 0x7b85b04f in kernel32 (+0x4b04e) (0x0060fec8)
2 0x7bc71d90 call_thread_func_wrapper+0xb() in ntdll (0x0060fed8)
3 0x7bc7486d call_thread_func+0x7c() in ntdll (0x0060ffa8)
4 0x7bc71d6e RtlRaiseException+0x21() in ntdll (0x0060ffc8)
5 0x7bc49f4e call_dll_entry_point+0x61d() in ntdll (0x0060ffe8)
0x00006250: -- no code accessible --
Module Address Debug info Name (19 modules)
PE 400000- 40d000 Deferred clean.unpacked
ELF 7b800000-7ba29000 Dwarf kernel32<elf>
\-PE 7b810000-7ba29000 \ kernel32
ELF 7bc00000-7bcc3000 Dwarf ntdll<elf>
\-PE 7bc10000-7bcc3000 \ ntdll
ELF 7bf00000-7bf04000 Deferred <wine-loader>
ELF 7ed47000-7ed66000 Deferred
ELF 7ed66000-7ed88000 Deferred
ELF 7efa1000-7efbb000 Deferred
ELF 7efbb000-7efe7000 Deferred
ELF 7efe7000-7eff4000 Deferred
ELF 7eff4000-7f000000 Deferred
ELF f74a2000-f74ab000 Deferred
ELF f74ac000-f74b1000 Deferred
ELF f74b1000-f765a000 Deferred
ELF f765b000-f7676000 Deferred
ELF f768f000-f77d1000 Dwarf
ELF f77d3000-f77f5000 Deferred
ELF f77f5000-f77f6000 Deferred [vdso].so
process tid prio (all id:s are in hex)
00000008 (D) Z:\home\epokh\Documents\Cyclomatic\clean.unpacked.exe
00000009 0 <==
0000000e services.exe
0000001f 0
0000001e 0
00000018 0
00000017 0
00000015 0
00000010 0
0000000f 0
00000012 winedevice.exe
0000001c 0
00000019 0
00000014 0
00000013 0
0000001a plugplay.exe
00000020 0
0000001d 0
0000001b 0
00000021 explorer.exe
00000022 0

Please submit your patches to our Bugzilla:
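Added example (Python, written for this archive page; it is not code from the original post, from ClamAV, or from UPX): a header-level sanity check of the kind one would run on the file ClamAV drops under /var/tmp/clam before trying to execute it or feed it to static analysis. The debug line "PE structure rebuilt from compressed file" says the headers of the dump are reconstructed, so the script parses the DOS, COFF, PE32 optional and section headers and reports whether the entry point RVA and the import directory fall inside some section and whether any section's raw data runs past the end of the file. The PE image it inspects is constructed inline with struct so the script runs offline; the section layout, image base, alignments and the out-of-range entry RVA used in the self-test are assumptions for illustration, not values read from the reporter's dump. Only PE32 is handled, which matches the 32-bit code in the Wine trace.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import table in the data directory


def build_sample_pe(entry_rva=0x1000, import_rva=0x2000, import_size=0x40):
    """Construct a minimal two-section PE32 image (synthetic test data, not a
    real binary and not anything ClamAV produced; layout values are assumed)."""
    sections = [
        # (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData)
        (b".text", 0x1000, 0x1000, 0x400, 0x400),
        (b".idata", 0x2000, 0x1000, 0x200, 0x800),
    ]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                      # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                     # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)           # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x400)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)                        # Subsystem: console
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     import_rva, import_size)                 # import directory entry
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize, rawsize, rawptr in sections)
    image = bytearray(dos + b"PE\0\0" + coff + opt + hdrs)
    image += b"\0" * (0x400 - len(image))                     # pad headers to SizeOfHeaders
    image += b"\xC3" * 0x400                                  # .text: filler 'ret' bytes
    image += b"\0" * 0x200                                    # .idata: zeroed import data
    return bytes(image)


def parse_pe(data):
    """Read the header fields the checks below need from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew 0x%x" % e_lfanew)
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image (PE32+ is out of scope here)")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    import_rva, import_size = 0, 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_IMPORT:
        import_rva, import_size = struct.unpack_from(
            "<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": rawsize, "raw_ptr": rawptr})
    return {"image_base": image_base, "entry_rva": entry_rva,
            "import_rva": import_rva, "import_size": import_size, "sections": sections}


def rva_to_section(pe, rva):
    """Section whose virtual range covers rva, or None.  Packed files often
    carry sections with VirtualSize 0 or SizeOfRawData 0, so use the larger."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def check_pe(data):
    """Return a list of header-level problems; an empty list means none found."""
    pe = parse_pe(data)
    findings = []
    if rva_to_section(pe, pe["entry_rva"]) is None:
        findings.append("entry point RVA 0x%x (VA 0x%x) lies outside every section"
                        % (pe["entry_rva"], pe["image_base"] + pe["entry_rva"]))
    if pe["import_rva"] == 0:
        findings.append("import directory is empty: no imports for the loader to resolve")
    elif rva_to_section(pe, pe["import_rva"]) is None:
        findings.append("import directory RVA 0x%x lies outside every section" % pe["import_rva"])
    for s in pe["sections"]:
        if s["raw_ptr"] + s["raw_size"] > len(data):
            findings.append("section %s raw data (0x%x..0x%x) runs past end of file (0x%x)"
                            % (s["name"], s["raw_ptr"], s["raw_ptr"] + s["raw_size"], len(data)))
    return findings


if __name__ == "__main__":
    import sys
    # Pass the path ClamAV printed after "Decompressed data saved in"; with no
    # argument the constructed sample with an out-of-range entry point is checked.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(entry_rva=0x5000)
    for line in check_pe(blob) or ["no header-level problems found"]:
        print(line)
```

Run it against the dumped file and against the original clean.exe and compare the two reports: a dump whose entry point or import directory no longer lands in a section is a scan artifact suitable for signature matching, not an image a loader can run. The check says nothing about whether the decompressed code bytes themselves are correct; that still needs a disassembler.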