Unpacking MPress/UPX C / C++ Assembly using IDAFree & Scylla
Like the previous post, where I showed how to unpack a .NET assembly with dnSpy, it is now time to show how to unpack binaries written in unmanaged code such as C or C++.
For this we need the IDA Free disassembler and Scylla (https://github.com/NtQuery/Scylla) for dumping the process and reconstructing the IAT.
In CFF Explorer we can see that our binary is packed with MPress.
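The same packer check can be scripted for triage. The following is an added example, not code from the original post: a small hand-rolled PE section parser that flags the well-known MPress and UPX section names and reports each section's entropy (packed code sits near 8 bits per byte). The input is a constructed minimal PE image built by `build_sample`, so it runs offline; on a real file, read the bytes from disk and pass them to `detect_packer`.

```python
import math
import struct
# Section names the common packers leave behind (well-known, not exhaustive).
PACKER_SECTIONS = {b".MPRESS1": "MPress", b".MPRESS2": "MPress",
                   b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX"}
def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed/packed code sits near 8."""
    if not data:                      # e.g. UPX0 has SizeOfRawData == 0
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes):
    """Yield (name, raw bytes) for each IMAGE_SECTION_HEADER in a PE blob."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    off = e_lfanew + 24 + opt_size                              # first section header
    for i in range(nsect):
        hdr = pe[off + 40 * i: off + 40 * (i + 1)]
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield hdr[:8].rstrip(b"\0"), pe[raw_ptr: raw_ptr + raw_size]

def detect_packer(pe: bytes):
    """Return (packer name or None, [(section, entropy), ...]) for a PE blob."""
    packer, stats = None, []
    for name, raw in parse_sections(pe):
        packer = packer or PACKER_SECTIONS.get(name)
        stats.append((name.decode("ascii", "replace"), round(entropy(raw), 2)))
    return packer, stats

def build_sample(sections):
    """Constructed input: minimal PE image (no optional header, not runnable)."""
    e_lfanew, ptr = 0x40, 0x40 + 24 + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body = b"", b""
    for name, raw in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0x1000, len(raw), ptr) + b"\0" * 16
        body, ptr = body + raw, ptr + len(raw)
    return dos + coff + table + body

# Constructed MPress-like sample: one high-entropy section, one zeroed section.
SAMPLE = build_sample([(b".MPRESS1", bytes(range(256)) * 4), (b".MPRESS2", b"\0" * 64)])
print(detect_packer(SAMPLE))  # ('MPress', [('.MPRESS1', 8.0), ('.MPRESS2', 0.0)])
```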
Now we can open the binary in IDA Free and locate the end of the MPress section. We can see that IDA cannot decode any instructions there. We put a breakpoint on the jump at the end of the stub, then start debugging and run until the breakpoint is hit. At that point we have to let IDA reanalyze the program.
While the debugger is still paused at the breakpoint, open Scylla (in this case the x86 version) and attach it to the running process.
Now click IAT Autosearch, then Get Imports, and then click the Dump button.
After that, save the dumped binary to disk, click the Fix Dump button and choose the dump we just saved with Scylla, so that the raw sizes are fixed.
Now we can open the saved binary in IDA Free and analyze the unpacked version.
In this case the binary was a PE loader written in C that uses VirtualAlloc to inject a Metasploit shellcode.