onekey-sec/unblob

Additional format request, UPX detection and extraction support

abclution opened this issue · 3 comments

I searched for any issues (open/closed) with upx in them and zero came up which surprised me.

Summary

Would be good to support UPX.
https://github.com/upx/upx

Very commonly found on embedded linux devices like ip cameras used to compress executables. Packages are available in most distros.

Someone previously asked the emba team to include it, but they mentioned it would be a good feature add for unblob and I agree. The initial poster never followed up here and I figured I would.

Original emba issue: e-m-b-a/emba#1067

Dependency is available with apt install upx or through https://github.com/upx/upx.

Documentation: https://upx.github.io

Motivation

Well, in my case I use this for disassembling and analyzing ipcamera firmware using emba.
Emba is in essence not finding what I need due to the files being analyzed while still compressed by UPX.

Another person months ago was supposed to inform unblob but upon a search I found nothing.
e-m-b-a/emba#1067

@abclution can you share the firmware where those UPX files are found?

We can implement a check in the ELF handler, similar to the one we do for kernels in ElfChunk.

We can look for the UPX! magic within the header and parse the l_info struct (see https://github.com/upx/upx/blob/d7ba31cab8ce8d95d2c10e88d2ec787ac52005ef/src/stub/src/include/linux.h#L730).

If the l_info is valid (good checksum, good version, good format), then we can call upx -d instead of the usual carving.
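As an added illustration of the check described above (example code, not unblob's handler and not UPX's own code), the snippet below looks for the `UPX!` magic in the head of an ELF file, parses the 12-byte `l_info` record and applies sanity checks before handing the file to `upx -d`. The field layout (`l_checksum`, `l_magic`, `l_lsize`, `l_version`, `l_format`, little-endian) follows the linked `linux.h`; the scan limit, the non-zero sanity thresholds, the sample buffers and the `upx -d -o` invocation are assumptions made for this example, and the checksum itself is reported but not recomputed.

```python
"""UPX l_info detection for an ELF handler (added example, not unblob code)."""
import struct
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"
UPX_MAGIC_LE32 = struct.unpack("<I", UPX_MAGIC)[0]  # 0x21585055

# l_info, per upx src/stub/src/include/linux.h, assumed little-endian:
#   uint32 l_checksum; uint32 l_magic ("UPX!"); uint16 l_lsize; uint8 l_version; uint8 l_format
L_INFO = struct.Struct("<IIHBB")  # 12 bytes

# Assumption: the stub (and its l_info) lives near the start of the file,
# so only the first 64 KiB are scanned to avoid matching "UPX!" in payload data.
SCAN_LIMIT = 64 * 1024


@dataclass
class LInfo:
    offset: int      # file offset of the l_info record (start of l_checksum)
    checksum: int
    lsize: int       # loader size
    version: int
    format: int


def find_l_info(data: bytes) -> Optional[LInfo]:
    """Return the first plausible l_info record in an ELF buffer, or None."""
    if not data.startswith(ELF_MAGIC):
        return None
    head = data[:SCAN_LIMIT]
    # l_magic is preceded by the 4-byte l_checksum, so a hit below offset 4 cannot be l_info.
    pos = head.find(UPX_MAGIC, 4)
    while pos != -1:
        start = pos - 4
        if start + L_INFO.size <= len(data):
            checksum, magic, lsize, version, fmt = L_INFO.unpack_from(data, start)
            if magic == UPX_MAGIC_LE32:
                return LInfo(start, checksum, lsize, version, fmt)
        pos = head.find(UPX_MAGIC, pos + 1)
    return None


def is_valid(info: LInfo) -> bool:
    """Sanity checks (assumed thresholds): a real stub has a non-zero loader size,
    version and format. A stricter handler would compare l_format against UPX's
    format table and recompute l_checksum."""
    return info.lsize != 0 and info.version != 0 and info.format != 0


def is_upx_packed_elf(data: bytes) -> bool:
    info = find_l_info(data)
    return info is not None and is_valid(info)


def unpack_with_upx(src: Path, dst: Path) -> bool:
    """Call the external upx tool instead of carving; requires upx on PATH."""
    result = subprocess.run(
        ["upx", "-d", "-o", str(dst), str(src)], capture_output=True, check=False
    )
    return result.returncode == 0


# Constructed sample buffers (not real firmware): a fake ELF whose l_info sits at
# offset 64 with lsize=0x300, version=13, format=12, and a non-ELF carrying the same record.
SAMPLE_PACKED_ELF = (
    ELF_MAGIC + bytes(60)
    + L_INFO.pack(0x12345678, UPX_MAGIC_LE32, 0x0300, 13, 12)
    + bytes(16)
)
SAMPLE_PLAIN_ELF = ELF_MAGIC + bytes(100)
SAMPLE_NOT_ELF = b"MZ" + bytes(62) + L_INFO.pack(0, UPX_MAGIC_LE32, 0x0300, 13, 12)

if __name__ == "__main__":
    info = find_l_info(SAMPLE_PACKED_ELF)
    print("packed:", is_upx_packed_elf(SAMPLE_PACKED_ELF), info)
    print("plain:", is_upx_packed_elf(SAMPLE_PLAIN_ELF))
```

In a handler, `find_l_info` would run on the chunk already identified as ELF; when `is_valid` passes, the chunk is passed to `unpack_with_upx` and only falls back to the usual carving if that fails.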

Sure thing, here is one, most bins are upx compressed.

UPXcompressionfirmwaredump.zip