Q on UPX packed files
RedStorm
May 5th, 2002, 06:07
Ok I got a few nice tuts on UPX but mainly they cover *.exe files and how to remove nag and tag, that sort of stuff...and thnx for that...I got it covered
But does some1 know any tuts on how to restore dumped files which are not *.exe but *.dll...
I mean a complete tute on how to restore a dumped file so it's functional again when loaded...(excuse my n00b vocabulary)
npanic
May 9th, 2002, 11:20
I'm not sure, but krobar's tut section is very good, there is a link 2 it further down on this site. It's worth a try, but prepare for downloading tons of tuts, 'cause u simply can't stop finding stuff u want.
esther
May 9th, 2002, 12:44
Hi RedStorm,
Search the forum, there are some discussions on this.
And again....
Read the FAQ first, search it before you post anything here and don't cross post too much...
Quote:
Originally posted by RedStorm
Ok I got a few nice tuts on UPX but mainly they cover *.exe files and how to remove nag and tag, that sort of stuff...and thnx for that...I got it covered
But does some1 know any tuts on how to restore dumped files which are not *.exe but *.dll...
I mean a complete tute on how to restore a dumped file so it's functional again when loaded...(excuse my n00b vocabulary)
+SplAj
May 9th, 2002, 12:48
Hi
May I take the liberty of asking if u r fully aware of all command line entries for UPX... including -d to decompress the target automatically???
Spl/\j
npanic
May 9th, 2002, 12:53
Ain't there a "goldversion" or something that can't be decompressed by the compressor?
I actually don't know, but I think I read it somewhere....
Sorry for the word goldversion, I couldn't find a proper one...
npanic
May 9th, 2002, 12:54
BTW, why don't we just inline it.... :-)
Kilby
May 10th, 2002, 14:38
There are several manglers to mess with the file and prevent the -d command from working; UHARCX 0.4 is an example of a file packed in this fashion.
You could always dump the .exe by hand; with the aid of icedump it took about 2 minutes to get a working version of an uncompressed uharcx.
Considering that I had never dumped a UPX before, that shows it's an easy task.
Look for the (as I remember) jmp eax for the OEP.
There's no excuse even for a very new newbie not to try a manual unpack on UPX.
Kilby...
RedStorm
May 10th, 2002, 20:04
Quote:
Originally posted by +SplAj
Hi
May I take the liberty of asking if u r fully aware of all command line entries for UPX... including -d to decompress the target automatically???
Spl/\j
Hmm, me not trying to sound cocky, but I don't think I would ask that Q here if I hadn't tried that. I ask Qs when I have to, and since I am new I need pointers. If you are kind enough to help I will appreciate that, and I'm not that "hold my hand till I am done" guy...
Nudge me in the right direction and I will find the solution...after all, if you always get the solutions on a plate how are you gonna learn anything?
Am I right or am I right
+SplAj
May 10th, 2002, 22:26
Hi RedStorm
As UPX is a compressor and NOT designed to be a protector per se, I just offered the option of -d!
However, if you are interested in unpacking manually, that's great:
Do you still want some help? R U running Win98/ME with icedump? ...if so it will take seconds to show you.
As Kilby mentioned there are some UPX fuxors around; does ur target dll have any trick UPX?
Spl/\j
Lbolt99
May 11th, 2002, 04:46
The trick is to get the dll to load at 10000000.
I've only cracked one.. websnatcher IE protected with ASProtect 1.3.
Basically, it's the same as removing ASPR from an EXE file.
What I did was use a "clean" bootup so that nothing else was taking up the memory space where I wanted the dll to load (10000000), so that it wouldn't relocate upon loading.
Dumped memory at OEP as usual.. ran RV, fixed unresolved, pasted new IAT. Same process as an EXE (assuming your DLL loaded at 10000000).
There was an indirect call that had to be patched. Changed it to a direct call, but also had to alter the relocation table. It was easy to figure out with LordPE and a good PE document. Had to do this because the indirect call needed to be offset if the dll relocated. But with a direct call, no relocation is needed.
In summary, if you unpack it the same as you would an EXE, assuming load addr = 1000000, it should work fine. Additional work might need to be done if you have to patch an area of the file where relocations are calculated.
+SplAj
May 11th, 2002, 09:49
Break at 10000000 image base etc etc :-
To break into ANY exe/dll at the entry point for easy tracing, just
examine the header with LordPE.
E.g. mydll.dll = imagebase 10000000, entry point A910, so 1000A910 == packed eip.
Now in SI (Win98SE) type 'BPX ORD_0056+94 if eax==1000A910'
and when you run your target exe, whenever it loads the dll SI will pop
and you have full control of your dll.
If you just type BPX ORD_0056+94 you will pop at EVERY exe/dll load point....
Spl/\j
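The LordPE step above (read ImageBase and AddressOfEntryPoint from the PE header, add them to get the packed eip, and see which section that address falls in) can be done with a few lines of code. This is an added Python example, not code from the thread or from UPX; it parses a header-only PE32 image that is constructed inline using the post's numbers (image base 10000000, entry point A910) and UPX-style section names, both of which are assumptions for the demo.

```python
import struct

def pe_entry_info(data: bytes) -> dict:
    """Parse a PE32 header and return image base, entry-point RVA, the
    absolute entry address (the 'packed eip' in the post) and the section
    that contains it. Only PE32 (32-bit) images are handled here."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # optional header follows COFF
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections = []
    first = opt + opt_size                    # section table, 40 bytes each
    for i in range(num_sections):
        name, vsize, va = struct.unpack_from("<8sII", data, first + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    holder = next((n for n, va, vs in sections if va <= entry_rva < va + vs), None)
    return {"image_base": image_base, "entry_rva": entry_rva,
            "entry_va": image_base + entry_rva, "entry_section": holder,
            "sections": [n for n, _, _ in sections]}

def build_sample_dll() -> bytes:
    """Constructed header-only PE32 (no code bytes) using the thread's numbers:
    image base 0x10000000, entry RVA 0xA910, UPX-style section names (assumed)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x2102)  # i386, 2 sections, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0xA910)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000000)                  # ImageBase
    hdr = "<8sIIIIIIHHI"
    secs = struct.pack(hdr, b"UPX0", 0x9000, 0x1000, 0, 0x400, 0, 0, 0, 0, 0xE0000080)
    secs += struct.pack(hdr, b"UPX1", 0x2000, 0xA000, 0x1000, 0x400, 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs

if __name__ == "__main__":
    info = pe_entry_info(build_sample_dll())
    print(f"imagebase {info['image_base']:08X} + entry {info['entry_rva']:X} "
          f"= packed eip {info['entry_va']:08X}, in section {info['entry_section']}")
```

An entry point sitting in the last section (here UPX1) rather than in the first code section is the usual sign that the header points at a packer stub rather than the original entry point.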