# simple OllyScript for upx


nezumi-lab
January 23rd, 2009, 07:17
suddenly, I felt the need for an automatic upx OEP finder. it’s easy to do with my hands, but I wanted to analyze files in batch mode, so I opened the folder with a large collection of Olly Scripts. tried one. nothing. ok, the second. nothing. well, third. nobody wants to work. upx 3.01. um…

it took about a minute to write my own script. it works. tested on upx 0.76, 1.20, 1.24, 3.01. the code follows. maybe somebody will find it useful.

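var s

// the stub must start with PUSHAD (opcode 60)
mov s, [eip]
and s, FF
cmp s, 60
jne not_upx

// hardware breakpoint on read of the dword at esp-4:
// PUSHAD writes it, the matching POPAD reads it back
eob Break_1
mov s, esp
sub s, 04
bphws s, "r"
run

Break_1:
// stopped right after POPAD: clear the breakpoint and look for the next JMP (E9)
BPHWC s
eob Break_2
mov s, eip
sub s, 1
findop s, #E9#
// already at (or past) the JMP: just step
cmp eip, $RESULT
JAE last_jmp

// otherwise run up to the JMP with an execute breakpoint
bphws $RESULT, "x"
run

Break_2:
BPHWC $RESULT
last_jmp:
// single step takes the JMP and lands on the OEP
sti
ret

not_upx:
MSG "not upx?!"
ret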



http://nezumi-lab.org/blog/?p=93
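
The same PUSHAD / POPAD / E9 logic applied statically to the stub bytes, for batch triage without a debugger. This is an added example, not part of the original post: the function names, the sample addresses and the constructed stub bytes are assumptions, it covers 32-bit stubs only, and it scans raw bytes rather than decoding opcodes the way `findop` does.

```python
import struct

PUSHAD, POPAD, JMP_REL32 = 0x60, 0x61, 0xE9

# Constructed sample: instructions a UPX 3.x stub places between POPAD and the final JMP
# (lea eax,[esp-80h]; push 0; cmp esp,eax; jne; sub esp,-80h).
SAMPLE_UPX3_TAIL = bytes.fromhex("8d4424806a0039c475fa83ec80")


def find_tail_jump(stub: bytes, entry_va: int, window: int = 32):
    """Return (jmp_va, target_va) of the stub's final JMP, or None.

    stub     -- bytes starting at the packed file's entry point
    entry_va -- virtual address of stub[0]
    window   -- how far past POPAD to look for the E9 byte (heuristic)
    """
    if not stub or stub[0] != PUSHAD:
        return None  # same gate as the script's "not upx?!" branch
    end_va = entry_va + len(stub)
    pos = stub.find(POPAD, 1)
    while pos != -1:
        # Counterpart of "findop s, #E9#": first E9 byte after POPAD.
        jmp = stub.find(JMP_REL32, pos + 1, pos + 1 + window)
        if jmp != -1 and jmp + 5 <= len(stub):
            rel = struct.unpack_from("<i", stub, jmp + 1)[0]
            target = (entry_va + jmp + 5 + rel) & 0xFFFFFFFF
            # Assumption: the real tail jump leaves the stub region,
            # so a 61/E9 pair that jumps inside the stub is skipped.
            if not entry_va <= target < end_va:
                return entry_va + jmp, target
        pos = stub.find(POPAD, pos + 1)
    return None


def make_stub(entry_va: int, oep: int, tail: bytes = b""):
    """Build a constructed stub: PUSHAD, NOP filler, POPAD, tail, JMP oep."""
    body = bytes([PUSHAD]) + b"\x90" * 8 + bytes([POPAD]) + tail
    jmp_va = entry_va + len(body)
    rel = struct.pack("<i", oep - (jmp_va + 5))
    return body + bytes([JMP_REL32]) + rel, jmp_va


if __name__ == "__main__":
    stub, _ = make_stub(0x00407000, 0x00401000, SAMPLE_UPX3_TAIL)
    jmp_va, oep = find_tail_jump(stub, 0x00407000)
    print(f"tail jmp at {jmp_va:#010x} -> OEP candidate {oep:#010x}")
```

The returned target is only a candidate; confirm it in the debugger before dumping.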