Problem
The engine's UPX unpacker (src/unpacker/upx.cpp) fails to unpack PEs packed with UPX 4.x (tested with 4.2.4). The parse_packheader() function assumes the pre-4.x packheader layout (akav_upx_packheader_t), but UPX 4.x added an l_version (loader version) field that shifted the struct layout, causing the header checksum validation to fail.
This was discovered during P11-T1 Scenario B (byte-stream evasion via UPX packing). The packed PE is correctly detected as UPX (akav_upx_detect succeeds) but akav_upx_unpack fails at parse_packheader due to checksum mismatch.
Fix needed
- Update akav_upx_packheader_t to handle both UPX 3.x and 4.x header layouts
- Detect UPX version from the header and parse accordingly
- Verify NRV2B/2D/2E decompression works with 4.x compressed data
Files
src/unpacker/upx.h — packheader struct
src/unpacker/upx.cpp — parse_packheader(), akav_upx_unpack()
Test
Once fixed, P11-T1 Scenario B.2 should change from [WARN] to [PASS].
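
One way to approach the "handle both layouts and parse accordingly" items above, as an added example rather than the engine's own code: try each candidate layout, accept it only if its checksum validates, and fail closed on truncated or ambiguous input. The layout sizes, field offsets and checksum rule are assumptions made for illustration, and `Layout`, `PackHeader` and `parse_packheader_any` are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Candidate packheader layouts. Sizes and offsets are ASSUMED for illustration;
// they are not taken from UPX or from the engine's akav_upx_packheader_t.
struct Layout { const char* name; size_t size, off_u_len, off_c_len; };
static const Layout kLayouts[] = {
    {"pre-4.x (assumed)", 32, 16, 20},
    {"4.x with l_version (assumed)", 36, 20, 24},
};

struct PackHeader { const Layout* layout; uint32_t u_len, c_len; };

static uint32_t rd_le32(const uint8_t* p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

// ASSUMED checksum rule: sum of the bytes between the 4-byte magic and the
// final checksum byte, modulo 251.
static uint8_t header_checksum(const uint8_t* h, size_t size) {
    unsigned c = 0;
    for (size_t i = 4; i + 1 < size; ++i) c += h[i];
    return (uint8_t)(c % 251);
}

// Returns true and fills *out only when exactly one layout validates.
// Truncated, implausible or ambiguous headers are rejected so the caller can
// report an unpack failure instead of decompressing with wrong lengths.
bool parse_packheader_any(const uint8_t* buf, size_t len, PackHeader* out) {
    if (!buf || !out || len < 4 || memcmp(buf, "UPX!", 4) != 0) return false;
    const Layout* hit = nullptr;
    PackHeader found{};
    for (const Layout& l : kLayouts) {
        if (len < l.size) continue;                  // buffer too short for this layout
        if (header_checksum(buf, l.size) != buf[l.size - 1]) continue;
        uint32_t u = rd_le32(buf + l.off_u_len), c = rd_le32(buf + l.off_c_len);
        if (u == 0 || c == 0 || c > u) continue;     // sanity bound on the lengths
        if (hit) return false;                       // two layouts fit: ambiguous
        hit = &l;
        found = {&l, u, c};
    }
    if (hit) *out = found;
    return hit != nullptr;
}
```

The length sanity check matters because an all-zero header after the magic has a checksum of zero under this rule and would otherwise validate.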