UPX unpack error

Discussion in 'ESET Smart Security' started by stackz, Mar 20, 2010.

Thread Status:
Not open for further replies.
  1. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    634
    Location:
    Sydney Australia
    I've noticed in my scan logs:

    *\RegScanner.exe » UPX v13_m2 - unpack error
    *\CCommand.exe » UPX v12_m2 - unpack error
    + more of the same

    I'm sure there was a time when ESS/EAV didn't report any unpack error for UPX packed files.
     
  2. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,033
    Location:
    California
    Hello,

    Would you mind forwarding copies of the files in question to ESET's virus lab per ESET Knowledgebase Article #141, "How to submit virus or potential false positive samples to ESET's labs?"

    Use a descriptive Subject: such as "UPX files which cannot be unpacked by Archive Support Module xxxx" (where "xxxx" is the build in your copy of ESET Smart Security) and be sure to include a link to this message thread in the body of the message.

    Regards,

    Aryeh Goretsky
     
    Last edited: Mar 21, 2010
  3. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    634
    Location:
    Sydney Australia
    Hi agoretsky,

    No problem at all, I'll forward the files first thing tomorrow. :)

    edit: Sent
     
    Last edited: Mar 21, 2010
  4. no_idea

    no_idea Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    83
    Sorry about jumping in: I found the new EAV/ESS 4.2.x versions interfere with manual upx decompression as well.

    upx reports an unpack error, unless I specify a different name for the extracted file via the upx -o{file} option. This was not necessary with the 4.0.x versions.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,415
    I'm not getting any error with v. 4.2 when scanning the two files above nor when compressing an exe file via upx -o {file}. Could somebody please post the information about installed modules (Help -> About) here.
     
  6. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    634
    Location:
    Sydney Australia
    Marcos,

    I'm not sure whether you want my details or no_idea's, as our problems don't appear to be related.
    Code:
    xpsp3 x86 - Win 7 x64
    ESS 4.2.35.0
    
    Virus signature database: 4966 (20100322)
    Update module: 1031 (20091029)
    Antivirus and antispyware scanner module: 1266 (20100312)
    Advanced heuristics module: 1101 (20100309)
    Archive support module: 1109 (20100316)
    Cleaner module: 1048 (20091123)
    Anti-Stealth support module: 1017 (20100204)
    Personal firewall module: 1056 (20100202)
    Antispam module: 1014 (20100212)
    SysInspector module: 1214 (20100127)
    Self-defense support module : 1012 (20100208)
    
     
  7. no_idea

    no_idea Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    83
    Sorry for taking some time in answering - had to find the file in question.

    So, here's a recreation scenario:

    1. download ImgBurn 2.5.1.0 from this location: http://download.imgburn.com/SetupImgBurn_2.5.1.0.exe
    2. unpack SetupImgBurn_2.5.1.0.exe with 7zip
    3. note that downloading and unpacking take an inordinate amount of time
    4. change to the unpacked files folder and uncompress ImgBurn.exe with upx 3.04w
    Code:
    C:\_incoming\SetupImgBurn_2.5.1.0>upx -d ImgBurn.exe
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2009
    UPX 3.04w       Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009
    
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
      10063360 <-   2347520   23.33%    win32/pe     ImgBurn.exe
    upx: ImgBurn.exe: IOException: rename error: Permission denied
    
    Unpacked 1 file: 0 ok, 1 error.
    
    C:\_incoming\SetupImgBurn_2.5.1.0>
    Please note that the file ImgBurn.exe gets destroyed in this process!
    And - no, it's neither infected nor quarantined.

    Now, unpack ImgBurn.exe again using 7zip and unpack to a different file:
    Code:
    C:\_incoming\SetupImgBurn_2.5.1.0>upx -d -oImgBurnUnpacked.exe ImgBurn.exe
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2009
    UPX 3.04w       Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009
    
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
      10063360 <-   2347520   23.33%    win32/pe     ImgBurnUnpacked.exe
    
    Unpacked 1 file.
    
    C:\_incoming\SetupImgBurn_2.5.1.0>
    My system is XP SP3 fully patched, and I stand corrected as the error occurs even with 4.0.x. This system still runs ESS 4.0.474 with these details:
    Code:
    Virus signature database: 4972 (20100324)
    Update module: 1031 (20091029)
    Antivirus and antispyware scanner module: 1267 (20100324)
    Advanced heuristics module: 1101 (20100309)
    Archive support module: 1109 (20100316)
    Cleaner module: 1048 (20091123)
    Anti-Stealth support module: 1012 (20090526)
    Personal firewall module: 1056 (20100202)
    Antispam module: 1014 (20100212)
    SysInspector module: 1214 (20100127)
    Self-defense support module : 1009 (20090917)
    I think it is a conflict of upx wanting to rename a file while ESS is still examining it. I can pack / unpack other files - even a lot larger ones - without problems.
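
A defensive wrapper around the workaround shown in this post, as an added example (not code from the thread, UPX or ESET): it unpacks to a separate file with `upx -d -o`, then swaps that file over the original with retries, so a rename blocked by another process cannot destroy the original. The function name, the `.unpacked` suffix and the retry values are assumptions of this example.

```python
import os
import subprocess
import time


def unpack_upx_safely(packed, run=subprocess.run, replace=os.replace,
                      retries=5, delay=0.5):
    """Decompress `packed` via `upx -d -o<tmp>` and swap the result in afterwards.

    The original is replaced only once the unpacked copy exists, so a failed
    rename (for example while another process still has the file open) never
    loses it. `run` and `replace` are injectable so the logic can be tested
    without upx installed; all names here are this example's own.
    """
    tmp = packed + ".unpacked"          # hypothetical suffix
    if os.path.exists(tmp):
        os.remove(tmp)                  # start from a clean output path
    # -d = decompress, -o<file> = separate output file, as used in the post
    result = run(["upx", "-d", "-o" + tmp, packed])
    if result.returncode != 0 or not os.path.exists(tmp):
        raise RuntimeError("upx failed; original left untouched: " + packed)
    for attempt in range(1, retries + 1):
        try:
            replace(tmp, packed)        # single rename on the same volume
            return packed
        except PermissionError:
            # Raised when the target is still held open by another process
            if attempt < retries:
                time.sleep(delay)
    # Swap never succeeded: keep both files and hand back the unpacked copy
    return tmp


if __name__ == "__main__":
    import sys
    print(unpack_upx_safely(sys.argv[1]))
```

If every retry fails, the packed original and the `.unpacked` copy both remain on disk, which is the state the `-o` run in the post ends in.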
     
  8. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  9. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    634
    Location:
    Sydney Australia
    I've traced the unpack error to Hardware based DEP. Disabling XD in the BIOS resolves the problem, but this workaround is totally unacceptable.

    note: If the file is packed with UPX using LZMA, then there is no unpack error.

    System Manufacturer INTEL_
    System Model DG33FB__
    System Type x64-based PC
    Processor Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz, 2331 Mhz, 2 Core(s), 2 Logical Processor(s)
    BIOS Version/Date Intel Corp. DPP3510J.86A.0517.2009.0107.2203, 7/01/2009

    @no_idea - I can reproduce your UPX packing problem on my PC, DEP kicks in and the file disappears in a cloud of ESET/DEP smoke.
     
    Last edited: Mar 25, 2010
  10. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    634
    Location:
    Sydney Australia
    Thanks ESET for archive support module 1110, it seems to have rectified the errors. :)
     
  11. no_idea

    no_idea Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    83
    Thank you for your work. Of course I have DEP enabled as well, but it never occurred to me to look in that corner.

    I simply dismissed the upx decompression error as an odd glitch until I saw your posting :)
    Haven't tried to unpack ImgBurn with the new archive module though - I didn't like ImgBurn that much in the first place (too much AdWare)

    ---------
    Addendum: yes it works! Archive support module 1110 ftw :)

    Code:
    C:\_incoming\SetupImgBurn_2.5.1.0>upx -d imgburn.exe
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2009
    UPX 3.04w       Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009
    
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
      10063360 <-   2347520   23.33%    win32/pe     imgburn.exe
    
    Unpacked 1 file.
    
    C:\_incoming\SetupImgBurn_2.5.1.0>
     
    Last edited: Mar 26, 2010