-
Restore Section Header Names
- The section header names had been erased.
- Rename the relevant sections to
UPX0andUPX1to match the original UPX convention.
-
Restore the
UPX!Magic- The
UPX!magic signature was zeroed out. - It is normally located 32 bytes before the start of the actual
UPX1section data. - Use a hex editor to write
UPX!at this location.
- The
-
Unpack Using UPX
- With section names and magic restored, you can now unpack the executable using UPX:
upx -d <filename>
- With section names and magic restored, you can now unpack the executable using UPX:
-
Reconstruct Missing Original First Thunks (OFTs)
- The Original First Thunks in the Import Directory were missing: https://learn.microsoft.com/en-us/archive/msdn-magazine/2002/march/inside-windows-an-in-depth-look-into-the-win32-portable-executable-file-format-part-2#the-imports-section
- To fix this:
- Create a new section in the PE file.
- Copy the First Thunk (FT) data from the
.rdatasection into this new section. - Set the OFT RVAs in the Import Directory to point to the new section.
Last active
July 21, 2025 13:53
-
-
Save Trass3r/0815ecdf0ee4a5592b67aaeb97e576b0 to your computer and use it in GitHub Desktop.
unpacking dgvoodoo
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment