Unpacking UPX 0.89.6 1.02/1.05 - 1.24 -> Markus & Laszlo

Unpacking UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo

Tools Needed
PEiD
OllyDBG
OllyDump Plugin
Imprec
A Brain...

Instructions
Go ahead, scan the application with PEiD, to verify that it is packed by
Code:
UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
If it is, then go ahead, open the application with OllyDBG
Do analyze.
Then, CTRL+B to search for a binary.
Code:
61 E9 87 92 FD FF 00 00 00 00
Go to the JMP below that, hit F2 (breakpoint), then F9 (Run).
The application should hit the BP.
Hit F8 (Step-over)
Your now at the OEP. So go ahead right click -> OllyDump -> Make dump.
Take note of the OEP that OllyDump provides. This is needed later.
Edit the OEP to the address you landed on.
Then take down "Start Address" - This is our RVA
Then take down "Size" - This is needed.

Now press Dump, save as dumped.exe

Now, keep OllyDBG open. Go open Imprec, and select the application thats running that we are trying to unpack.
For OEP - Put in the OEP that OllyDump provided.
RVA - The "Start Address" that OllyDump provided.
Size - The "Size" OllyDump provided.

Hit IAT AutoSeach, if done right, "Found address which may be in the Original IAT. try 'Get Import'" should popup.
The RVA and Size will automatically change.
Then hit 'Get Imports'. All the thunks should be valid:YES.
If so, then hit Auto Trace just for precautions.
Then hit 'Fix Dump', and select the dumped.exe

You unpacked UPX!

CREDITS:
-Marneus901/Circadian
http://adf.ly/rt6f5