unpacking bagle.z

hmmm ... anyone tried unpacking bagle.z ?
i believe it's packed with upx (at least so it looks
from the UPX1 string in it ...) but it seems the file
is "corrupted" ... symantec says it adds some random
on the end of it, so the crc is not valid.

i wonder if there is a way to know from what point on
there is that random data, and if there is a way of
coding a program that would load up PE file, and check
if it has shit in it.

one way would be to subtract byte by byte from the end
and compare each time to the crc written in header ...
but i wonder if you know of any better ways to do this
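As an added example (not from anyone in this thread), here is a small Python script for the two ideas in the post above: it walks the PE section table to find where the mapped image ends on disk, reports how many bytes trail it as overlay, and compares the header's CheckSum field with a value recomputed over the file. `build_sample_pe` constructs a toy PE32 with a `UPX1` section as sample input; the actual sample is not included.

```python
import struct

def pe_checksum(data, checksum_offset):
    """PE CheckSum as ImageHlp computes it: sum 32-bit words with end-around
    carry (skipping the CheckSum field), fold to 16 bits, add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)

def analyze_pe(data):
    """Find where the last section's raw data ends (bytes after it are overlay)
    and compare the stored CheckSum with a recomputed one. A stored CheckSum
    of 0 means the linker never set it, so only a non-zero value is worth comparing."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    sec_table = pe_off + 24 + opt_size     # section headers follow the optional header
    checksum_off = pe_off + 24 + 64        # CheckSum is at optional-header offset 64
    image_end, names = sec_table + 40 * nsections, []
    for i in range(nsections):
        name, _vs, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_table + 40 * i)
        names.append(name.rstrip(b"\0").decode("ascii", "replace"))
        image_end = max(image_end, raw_ptr + raw_size)
    return {"sections": names, "image_end": image_end,
            "overlay_size": max(0, len(data) - image_end),
            "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0],
            "computed_checksum": pe_checksum(data, checksum_off)}

def build_sample_pe(overlay=b""):
    """Constructed minimal PE32 with one 'UPX1' section (sample input, not a real binary)."""
    pe_off, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    raw_ptr = pe_off + 24 + opt_size + 40  # one section header, then its raw bytes
    body = b"\xCC" * 64
    sec = struct.pack("<8sIIIIIIHHI", b"UPX1", 64, 0x1000, len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + coff + opt + sec + body)
    struct.pack_into("<I", image, pe_off + 24 + 64, pe_checksum(bytes(image), pe_off + 24 + 64))
    return bytes(image) + overlay
```

Run `analyze_pe(open("sample.exe", "rb").read())` on a real file; `overlay_size` is the byte count of appended data and `image_end` is the offset where it starts.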


i havent tried, but if i get a chance ill look into it. What makes you say it's corrupted? Can IDA or Ollydbg open it? Can you run it (on a VM, of course)?

The random data might be pretty obvious just by looking at it in IDA.


by corrupted i mean that upx can't unpack it (probably
coz crc doesn't match) so by removing that random data
it should be fixed.


So there are UPX scramblers that are often used. Probably your best bet is to run the malware in Ollydbg and try to figure out where OEP is, then dump it and rebuild the IAT to get an unpacked version.

good luck,