常见魔改UPX

几篇大佬的文章:
https://cujo.com/blog/upx-anti-unpacking-techniques-in-iot-malware/
https://www.cnblogs.com/ichunqiu/p/7245329.html
https://bbs.kanxue.com/thread-275753.htm
https://www.52pojie.cn/forum.php?mod=viewthread&tid=326995

Header Structures

p_filesize

1. 图一的p_filesize可以全部修改成0(图三也有p_filesize)
2. example [susctf mirai]
   可以看到p_info中的p_filesize为0
   
   找到第二段p_size位置有值,将0x2878的值放到0x00F4处即可-d解密.
   

overlay_offset

1. overlay_offset位于文件尾部,是p_info的偏移值,当修改overlay_offset时直接-d会报错l_info(逆天,我感觉是p_info来着)
2. example [basectf UPX PRO]
   直接打开overlay_offset是
   
   找到p_info的位置,为0xF4
   
   将overlay_offset改为0xF4即可直接-d解密.