So what is unpacking? Unpacking is similar to unzipping a compressed file, only there are many different packers available, each with its own compression algorithm. Whereas programs like WinRAR or WinZIP work with archives, this kind of compression is specific to portable executables, or PE files. It's common to find files with .dll, .exe or .ocx extensions compressed in this way. It serves the programmer well to use packers, making the PE file both smaller in size and harder for others to modify or decompile.
The problem for us is twofold. We need to first find out what the target program is compressed with before we can search for an unpacker to unpack it. For this, we'll need a program called PEiD. Download it from here. Unzip it somewhere familiar, make a shortcut to the PEiD executable, and put that shortcut in your SendTo directory. This way, you can just right-click on any file and the option of opening with PEiD will be there via the Send To menu. I prefer this method. Alternatively you can select "Register Shell Extensions" from Options to add a "Scan with PEiD" entry to the context menu for PE files.
Now all we need is a target file to work with. For this tutorial our target file will be byblos.dll. If you are not familiar with Byblos, it allows you to add an image to the explorer context menu. More information can be found at Virtual Plastic. Remember, the version on this site has been compressed so you will need to unpack it before you can view or change the bitmap resource with Resource Hacker. Download it here.
Unzip and open it with PEiD. You should now see something like this:
The line we are most interested in is this:
UPX 0.80 - 1.24 DLL -> Markus & Laszlo
This tells us it has been compressed with UPX, followed by the range of UPX versions the signature matches. Markus F.X.J. Oberhumer & László Molnár developed the UPX compression. Fire up your browser and do a Google search for UPX. You'll see that it's a fairly popular packer. It's also one of the few packers that can also unpack. It is also free, yay! Most packers are commercial products, and to cover them all here is beyond the scope of this tutorial. It's worth noting that most unpackers are not licensed products, and may require deeper searching to obtain. Take care whilst searching the net for unpackers. exetools is a good place to start. Run a virus scan before running anything you download from there, and if in doubt, from anywhere else. I cannot be held responsible for any loss or damage as a result of this tutorial. Also worth noting, a lot of unpackers do not have a GUI front-end and need to be run from the command line, so if you see a DOS box pop up and disappear, do not assume it is a malicious program.
Now, back to unpacking that byblos.dll file. We need to download the UPX packer from their sourceforge site. Get the Win32 console version. Several people have written GUI front-ends for UPX. I use a very simple one made by Smarmotte. Unfortunately the link on the UPX forum is dead. You can get it here.
Put the UPXshell.exe into the UPX directory, run it and open the byblos.dll file with it. You should be looking at something like this:
This GUI is pretty self-explanatory. Clicking the unpack button should unpack the file. The unpacked byblos.dll file is now ready to mod. As with PEiD, you can also make a link to the UPXshell and put that in the SendTo menu, or add it to the context menu via the "Shell extensions..." button.
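As an added example (not part of this tutorial, and not PEiD's or UPX's own code), the following Python script does the identification step from a script instead of a GUI: it walks the PE headers to the section table and flags the UPX0/UPX1 section names that a default UPX build writes. The sample PE image is constructed inline so the script runs offline; for a real file, pass the bytes from `open(path, "rb").read()` instead.

```python
import struct

SECTION_HDR_SIZE = 40   # IMAGE_SECTION_HEADER is 40 bytes; the name is the first 8
COFF_HDR_SIZE = 20      # IMAGE_FILE_HEADER


def section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image by walking its headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HDR_SIZE + opt_hdr_size                # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HDR_SIZE
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: a default UPX build names its sections UPX0, UPX1 (and UPX2 or .rsrc).
    Renamed sections defeat this check; PEiD instead matches byte signatures at the entry point."""
    return any(name.startswith("UPX") for name in section_names(data))


def build_sample_pe(names: list[str]) -> bytes:
    """Constructed test data: a minimal PE32 header with the given section table (not a runnable program)."""
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_hdr_size = 0xE0                                           # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_hdr_size, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_hdr_size - 2)   # PE32 magic, rest zeroed
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos_header + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    for label, names in [("packed", ["UPX0", "UPX1", ".rsrc"]),
                         ("plain", [".text", ".rdata", ".data", ".rsrc"])]:
        verdict = "UPX-packed" if looks_upx_packed(build_sample_pe(names)) else "not UPX"
        print(f"{label}: sections {names} -> {verdict}")
```

A file this flags can be unpacked from the command line with `upx -d byblos.dll` using the same console UPX the tutorial downloads, which is what the UPXshell front-end runs for you.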
~Serenity