I'm trying to figure out how to detect whether a binary has been compressed with UPX. I am using a simple CRC to detect whether my app was in any way changed and if the CRC failed on the size due to a packer I would like to detect that as OK.
Right now I am starting with UPX.
So, is there any marker on the binary? are there any specific JMP or other instructions that I should search?
This will mainly be tested in Windows, but in the future I might add it to Linux as well.
Any help (and code) is appreciated.
ADDED:
I found that in the 10 binaries I checked the
AddressOfEntryPoint
Import Directory RVA
Resouce Directory RVA
either point to UPX or have an offset that is set by UPX. Any information on this?
Thanks
Download upx source code from UPX Homepage and open src/p_w32pe.cpp file; the function you are looking for is;
int PackW32Pe::canUnpack()
This function checks if the file is compressed with win32 upx.
You might try checking the section names of the executable. UPX changes them to UPX0, UPX1, UPX2, I believe.
Related
I'm beginner in IAR workbench and any part of embedded s/w.
I suddenly had to compile hex code for controller product.
so that reason, I succeeded in uploading an existing hex file (no error at all.) to the product using the flash loader and i check all the functions working well.
But when i uploaded the hex file that i changed some values for testing in the original file
(cuz, i have to change some values for customer's demanding later),
I can upload but it doesn't work at all.. I think debugging or other value was missing.
In this situation, is there a way to get debugging values or other linker values set in the existing hexa file?
Because the predecessor didn't left any information about setting value, so it's hard to ask original setting value.
I use ewarm, IAR 8.5ver
(no license ver. so i just can use this program for 30days because I failed so many times past IAR versions)
If you have any suggestions or set debugging / linker value please let me know
(I changed configuration file, output in linker)
Thanks for reading this!
I have a Zortrax m200 3d printer which you may/ may not be familiar with. It is closed source, and uses its own proprietary software to produce Z-code files which should in principal be almost identical to G-code.
My curiosity has kicked in and I'm wondering whether there is a way to decrypt a Z-code file or convert a g-code file to z-code. How would one go about investigating this?
Here is a z-code file:
[https://drive.google.com/file/d/0ByYqoSxe29qtS05UZlpDclBZNWs/view?usp=sharing][1]
Yes, possible to do it. You can find a good tool (with source code) here: https://github.com/bonafid3/zcode2gcode
to convert ZCode to GCode.
This may be compiler specific, in which case I am using the IAR EWARM 5.50 compiler (firmware development for the STM32 chip).
Our project consists of a bunch of C-code libraries that we compile first, and then the main application which compiles its C-code and then links in those libraries (pretty standard stuff).
However, if I use a hex editor and open up any of the library object files produced or the final application binary, I find a whole bunch of plain text references inside the output binary to the file paths of the C files that were compiled. (eg. I see "C:\Development\trunk\Common\Encryption\SHA_1.c")
Two issues with this:
we don't really want the file paths being easily readable as that indicates our design some what
the size of the binary grows if you have your C-files located in a long subdirectory (the binary contains the full path, not just the name)...this is especially important when we're dealing with firmware that has a limited amount of code space (256KB).
Any thoughts on this? I've tried all the switches in the compiler I can think of to "remove debug information", etc., but those paths are still in there.
"The command-line option --no_path_in_file_macros has been added. It removes the path leaving only the filename for the symbols FILE and BASE_FILE."
It is defined in the release notes if IAR.
http://supp.iar.com/FilesPublic/UPDINFO/005832/arm/doc/infocenter/iccarm_history.ENU.html
Or you can look for FILE and BASE_FILE macros and remove it you do not want to use the flag.
I have zero knowledge of how the ELF format works or how to access its headers and data via code, however I need to check whether an ELF binary has been compressed (packed?) with UPX for Linux.
Checking the binary with strings I saw the string UPX! so I guess I can use that. Hexediting the binary shows the string and for the position in the binary I can assume it's part of one of ELF's headers (please correct me if I am wrong). This is a dump of that:
00000000 .ELF........................4...
00000020 ........4. ...(.................
00000040 ........................#...#...
00000060 #.....................[.UPX!....
00000080 ............T............?d..ELF
I don't know if this looks good, sorry.
Does anyone know how to detect UPX on Linux? If not, how to access the headers and get that UPX! string (name of the header?)?
I did look into the UPX source code but everything is C++, I am looking to code this in C, and it's really hard to follow.
Thank, any help is welcomed.
EDIT: About the bounty. They answer must give a solid example that works since I've tried different approaches and they not always work, like the sample below.
Thank you
These are the tests to detect an UPX compressed file:
>>>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed
>>>>(0x3c.l+0xf8) search/0x140 UPX2
>>>(&0x7c.l+0x26) string UPX \b, UPX compressed
>>>&0x26 string UPX \b, UPX compressed
>>85 string UPX \b, UPX compressed
use
man 5 magic
to see how the offsets inside the file are specified.
For example in you program you should:
open the file under test for reading
skip to one of these offsets
check if the expected string is there
repeat until no more offsets
Interestingly enough, in my ubuntu 64bit, UPX compressed files are not detected because this test is missing from /usr/share/misc/magic:
>>180 string UPX! UPX compressed (64-bit)
In the source code to UPX, there's a function int PackW32Pe::canUnpack() which is first ran as a test right when you do a upx -d <file> (unpack executable). It shows which offsets are to be tested to detect if a file was packed with UPX. I found the code clear and easy to follow. I recommend an editor with syntax highlighting.
You can download the source code for UPX on the project site.
Is there any .obj to .cpp converter?
Is it possible to do it?
MICROSOFT VISUAL STUDIO auto-magically deleted my code files when pressed the F5 key.
Please help me.
I have the .obj files (VS forgot to delete them.ha ha ha).
Unfortunately it is impossible to decompile an .obj file back to source. More info here.
shut down your computer, boot from removable media, some sort of the UNIX, and run strings utility on your hard drive. It may be able to recover text off your source code.
As everyone has pointed out, this is impossible.
I would suggest that before you rebuild all those files, you take the time to look into SVN or another version control system.
Version Control allows you to save copies of your files to a safe place. If the compiler eats your homework, you can update with the last copy you saved to the repository.
You should try Recuva
You are out of luck. There is no safe way to reverse an obj file back to its cpp source.
I do not think that is actually possible. You'd be reversing the compilation process, which from my knowledge is not possible.
NO, it's not possible. obj files contain object code, not source code. The compilation process is typically not reversible.
PS: Visual Studio did surely not delete your code files when you pressed F5. They are somewhere, or you've deleted them accidentially.
It is impossible to do that...as all the code's comments and variables are translated into a machine code, you cannot deterministically reproduce a variable name by gleaning in on assembler byte code, Consider this as an example of a mock dump of a binary image:
0x55 0x90 0x33 0xf0 ....
Now, how can you tell that's variable foobar that is of type int....
Hope this helps,
Best regards,
Tom.
As said earlier, it is impossible to get the C source code from on obj. As an alternative, you can try a file recovery utility and scan your disk for lost files. I have previously used testdisk with partial success.
Also, you really need to use some form of SCM!
.obj files are text files for a 3d model I was actually looking for something to bring them into C++ to display using OpenGL. there are programs out there to load them into C++ I was looking for one to download when I came across this.
en.wikipedia.org/wiki/Obj