
unpacker query: Breatle.J


I was playing around with unpacking W32/Breatle.J (on this site: MD5 = 95a8947356011aacba49a146f38c854e). The binary seems to be packed with UPX and aspack: objdump shows the sections listed below:

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 UPX0          00000000  004a1000  004a1000  00000600  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  1 UPX1          00001800  004a6000  004a6000  00000600  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  2 UPX2          00000200  004a8000  004a8000  00001e00  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  3 .aspack       00000c00  004a9000  004a9000  00002000  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  4 .adata        00000000  004ab000  004ab000  00002c00  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  5 .aspack       00001200  004ac000  004ac000  00002c00  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  6 .adata        00000000  004ae000  004ae000  00003e00  2**2
                  CONTENTS, ALLOC, LOAD, DATA

Other sources (PEiD, the search function on this site) similarly indicate aspack+UPX.

My impression is that neither UPX nor aspack has a very complicated unpacker, so I had expected that there would be two layers of unpacking: one for UPX and one for aspack. But when I went to unpack it, I ran into some four or five layers of unpacking. So either aspack's unpacker is more complex than the available documentation suggests, or else this was packed with additional packers that don't show up in the signature, or else the packer faked the section names to make it look like it was packed using aspack+UPX. Could anyone shed any light on this?

Thanks,
-solar
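Section names are just eight bytes in the PE section table, so a listing like the one in the post shows what the packer (or whoever last touched the file) chose to write there, not what code actually runs. The following is an added example, not code from the original post or from objdump, PEiD or any other tool. It uses only the Python standard library to build a constructed in-memory PE image whose section names mirror the objdump listing, parses the section table, and reports the signals an analyst weighs alongside the names: sections that are both writable and executable, sections with no raw data that an unpacker fills at run time, and raw data with near-8-bit entropy. Every byte, name, offset and size in it is constructed; nothing comes from the real sample.

```python
"""Added example: parse PE section headers and weigh packer hints.

Constructed data only. The sample image below is built in memory and is
not the W32/Breatle.J binary discussed in the post.
"""
import hashlib
import math
import struct
from collections import Counter

# Section names that common packers leave behind. They are plain bytes in
# the section table, writable by any tool, so they are hints, not proof.
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
}

# Section characteristic flags (values from the PE/COFF specification).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted data, 0.0 for constant."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    off = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for _ in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(SECTION_HDR, image, off)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0"), "virtual_size": vsize, "virtual_address": va,
            "raw_size": raw_size, "raw_offset": raw_ptr, "characteristics": flags,
            "entropy": shannon_entropy(raw),
        })
        off += struct.calcsize(SECTION_HDR)
    return sections


def assess(image: bytes) -> dict:
    """Summarise name-based packer hints next to structural evidence."""
    secs = parse_sections(image)
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return {
        "packer_hints": sorted({PACKER_SECTION_NAMES[s["name"]] for s in secs if s["name"] in PACKER_SECTION_NAMES}),
        "writable_executable": [s["name"] for s in secs if s["characteristics"] & wx == wx],
        "raw_empty": [s["name"] for s in secs if s["raw_size"] == 0 and s["virtual_size"] > 0],
        "high_entropy": [s["name"] for s in secs if s["entropy"] > 7.0],
        "sections": secs,
    }


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (constructed stand-in for packed data)."""
    out, seed = bytearray(), b"constructed"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])


def build_sample_image() -> bytes:
    """Constructed PE32 image whose section names echo the objdump listing."""
    rwx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    specs = [  # (name, VirtualSize, raw bytes, Characteristics)
        (b"UPX0", 0x5000, b"", rwx),                                   # filled at run time
        (b"UPX1", 0x1800, _pseudo_random(0x1800), IMAGE_SCN_CNT_CODE | rwx),
        (b"UPX2", 0x200, b"\0" * 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".aspack", 0xC00, _pseudo_random(0xC00), IMAGE_SCN_CNT_CODE | rwx),
        (b".adata", 0x1000, b"", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    e_lfanew, opt_size, headers_size = 0x80, 0xE0, 0x400
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    opt[:2] = struct.pack("<H", 0x10B)  # PE32 magic
    headers = dos + b"PE\0\0" + coff + opt
    va, raw_ptr, body = 0x1000, headers_size, bytearray()
    for name, vsize, raw, flags in specs:
        headers += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, va, len(raw),
                               raw_ptr if raw else 0, 0, 0, 0, 0, flags)
        va += (vsize + 0xFFF) & ~0xFFF
        raw_ptr += len(raw)
        body += raw
    headers += bytes(headers_size - len(headers))
    return bytes(headers + body)


if __name__ == "__main__":
    report = assess(build_sample_image())
    for s in report["sections"]:
        print(f"{s['name'].decode():8} vsize={s['virtual_size']:#07x} raw={s['raw_size']:#07x} "
              f"flags={s['characteristics']:#010x} entropy={s['entropy']:.2f}")
    for key in ("packer_hints", "writable_executable", "raw_empty", "high_entropy"):
        print(f"{key}: {report[key]}")
```

Run against a real file by replacing `build_sample_image()` with the bytes of the file. The point of keeping the name lookup separate from the structural checks is that the two can disagree: names that say UPX over a section table with no empty, writable, executable region would be the first sign of a relabelled or hand-edited packer, while names and structure agreeing (as they do in the listing above, where UPX0 and .adata have zero raw size) supports the layering the signatures report without saying anything about how many stages the unpacker stub itself runs through.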