For my master's thesis, I need to unpack packed files manually and visualize them in Ghidra, yet I've had some issues with the working of Ghidra so I temporarily switched to IDA. I made a program in CPP, compiled it to an ELF, and then used UPX packer on it. When I analyze it with EXEInfoPE I get the information it's not an executable anymore but a shared object. When analyzing it with IDA, it also says it's a dynamically linked library instead of an executable.
[Image: EXEInfoPE / IDA message]
As you can see it also points out that there is no UPX0 or UPX1 section which makes no sense because when the program is running it should be unpacked in the reserved UPX0 section.
Could anyone point out where my mistake lies? The UPX command I used is upx final, and I also tried upx final --best.
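Both observations in the question (the file reported as a shared object, and no UPX0/UPX1 sections) come straight from the ELF header, so here is an added example, not part of the question or of UPX itself, that reads e_type and the section-header count and maps them to what the tools are reacting to. The ELF headers it parses are constructed sample bytes built by make_header, and the "UPX!" string check is only a heuristic.

```python
import struct

ET_NAMES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}

def inspect_elf(data: bytes) -> dict:
    """Parse the ELF header and return the fields that explain the tool output."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian, 2 = big-endian
    fmt = end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    (e_type, _m, _v, e_entry, _phoff, e_shoff, _f, _eh, _pe,
     e_phnum, _se, e_shnum, _si) = struct.unpack_from(fmt, data, 16)
    return {"e_type": e_type, "type_name": ET_NAMES.get(e_type, hex(e_type)),
            "bits": 64 if is64 else 32, "e_entry": e_entry, "e_phnum": e_phnum,
            "e_shoff": e_shoff, "e_shnum": e_shnum, "upx_marker": b"UPX!" in data}

def explain(info: dict) -> list:
    """Map header facts to the messages seen in EXEInfoPE / IDA."""
    notes = []
    if info["e_type"] == 3:
        notes.append("ET_DYN: tools label this 'shared object'; PIE executables (the gcc "
                     "default) and UPX-packed PIEs use this type too, so it is not a library")
    if info["e_shnum"] == 0 or info["e_shoff"] == 0:
        notes.append("no section header table: there are no sections to name at all, so no "
                     "UPX0/UPX1 (those are PE section names; UPX on ELF drops the table)")
    if info["upx_marker"]:
        notes.append("'UPX!' marker present (heuristic): the loader stub identifies itself")
    return notes

def make_header(e_type: int, e_shnum: int, tail: bytes = b"") -> bytes:
    """Constructed ELF64 LSB header for the demo; not a loadable binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    shoff = 0x2000 if e_shnum else 0
    hdr = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x401040, 64, shoff, 0, 64, 56, 2,
                      64 if e_shnum else 0, e_shnum, e_shnum - 1 if e_shnum else 0)
    return ident + hdr + tail

if __name__ == "__main__":
    # constructed: what a UPX-packed PIE looks like next to a plain non-PIE executable
    samples = [("packed PIE", make_header(3, 0, b"UPX!")), ("plain exe", make_header(2, 30))]
    for label, blob in samples:
        info = inspect_elf(blob)
        print(label, info["type_name"], "sections:", info["e_shnum"])
        for note in explain(info):
            print("  -", note)
```

Run it against the real packed file by passing open(path, "rb").read() to inspect_elf; readelf -h and readelf -S show the same two fields.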
I don't believe static analysis is the best approach for dealing with UPX-packed files. :)
Disclaimer: Most of my experience lies in web or Windows reversing. I'm not as familiar with Linux, but I do remember the basics of UPX packing.
Here's a tip: Look for the Original Entry Point (OEP). Search for these instructions:
Set a breakpoint in your debugger, and when you hit the OEP, make a dump.