
View Full Version : Error when unpacking .exe-file ( UPX )


spuTniK
August 8th, 2002, 10:50
Holà, I got a problem when I tried to unpack a crackme which has been packed with UPX (Language told me).
I've tried to unpack it with UPX and ProcDump, but SoftIce always comes up when I start the unpacked file
and tells me: "... Unhandled Exception NTSTATUS_VIOLATION".

Thx for any help,
spuTniK

Cyber
August 8th, 2002, 12:39
It sounds to me like it isn't a UPX packed program.
UPX is one of the easiest to unpack, but there are packers like tElock which PRETEND to be other packers like UPX.

spuTniK
August 8th, 2002, 12:51
Originally posted by Cyber:
> it sounds to me like it isn't a UPX packed program
I don't think so - I've had a look at it with hiew and found:
"... This file is packed with the UPX executable packer http://upx.tsx.org...." and it is a very easy crackme (Level 1),
so I don't expect hard traps.
Is it possible that the files ProcDump and UPX create are not made for WinNT/2000?
I'm working with the ProcDump version offered by protools
(ProcDump by G-RoM, Lorian and Stone. 18.I.2000.).
"News:
- Updated Task/Mod init code to run correctly under NT2K.
- Fixed up an obvious bug that avoided to snapshot modules
correctly ! Thanx to Elicz for spotting this.
- Added Aspack 2000 support.
- Updated ProcDump user manual, Unpack.txt, history.txt.
... "
I'm not sure what the first point means.
Can you tell me the name of an unpacker which works seriously with NT?

Thx for answering so fast,
spuTniK

Cyber
August 8th, 2002, 13:03
To make sure 100% that it's a UPX packed app, just search for the bytes 61 E9 in the file.
The last instance should be 61 E9 xx xx xx followed by a load of 00s.
If you have these then it is a UPX packed app.
I'm not sure what works with NT, but just about everything will unpack UPX.
I use GUW but I'm running Windows ME.
You can unpack it manually if you stop on the jump to the entry point,
which is the bytes I have listed above, if you are familiar with manual dumping.

foxthree
August 8th, 2002, 13:06
UPX unpacking is damn trivial. Search for tuts on Krobar's site. As the authors put it, UPX is only a compressor and not a protector. So, don't worry. It is very, very straightforward. Again, look for some tuts on Krobar's site.

Signed,
-- FoxThree

PS: You can also try PEiD (hi Snaker) or OepFinder, if the packer's UPX version is one of the latest releases....

spuTniK
August 8th, 2002, 19:33
Originally posted by Cyber:
> To make sure 100% that it's a UPX packed app just search for bytes 61 E9 in the file
> the last instance should be 61 E9 xx xx xx followed by a load of 00's
Did I get you right?
The last lines of the disassembled code are:
61 E9 .... and several lines of 0s?
Because my last line of code is:
:0042357F E97CDAFDFF jmp 00401000 n
followed by ~ 20 lines :
:00423584 00000000000000000000 BYTE 10 DUP(0)


> you can unpack it manually if you stop on the jump to entry point
> which is the bytes i have listed above if you are familiar with manually dumping

Certainly not.

Thx for your help,
spuTniK
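
The 61 E9 tail check Cyber describes above, plus the target resolution for spuTniK's `E97CDAFDFF` jmp at 0042357F, as an added Python example (not code from anyone in the thread). The stub bytes and their load address are constructed for the demo; a real check would read the last section of the PE and its virtual address.

```python
import struct

# Constructed sample, not a real binary: a decoy `61 E9` that is NOT followed
# by zeros, some filler, then the UPX-style tail `popa; jmp rel32` followed by
# zero padding. The rel32 7C DA FD FF is the one from spuTniK's disassembly.
SAMPLE_STUB = (
    b"\x61\xE9\x00\x00\x00\x00" + b"\x41" * 8   # decoy, no zero run after it
    + b"\x90" * 16                               # filler
    + b"\x61\xE9\x7C\xDA\xFD\xFF"                # popa; jmp 00401000
    + b"\x00" * 200                              # the "load of 00s"
)
# Constructed load address chosen so the E9 lands at VA 0042357F (offset 31).
SAMPLE_VA = 0x00423560

def find_upx_tail_jmp(data: bytes, min_zero_run: int = 16):
    """Offset of the LAST `61 E9 rel32` whose next bytes are at least
    `min_zero_run` zeros (Cyber's heuristic), or None if absent."""
    best = None
    pos = data.find(b"\x61\xE9")
    while pos != -1:
        if data[pos + 6 : pos + 6 + min_zero_run] == b"\x00" * min_zero_run:
            best = pos
        pos = data.find(b"\x61\xE9", pos + 1)
    return best

def jmp_target(jmp_va: int, rel32_bytes: bytes) -> int:
    """Resolve a 5-byte JMP rel32 at virtual address jmp_va.
    x86 computes target = address of next instruction + signed rel32."""
    (rel32,) = struct.unpack("<i", rel32_bytes)
    return (jmp_va + 5 + rel32) & 0xFFFFFFFF

def upx_oep_from_tail(data: bytes, data_va: int, min_zero_run: int = 16):
    """Return (jmp_va, oep) for the UPX-style tail in `data` loaded at
    `data_va`, or None when the signature is not present."""
    pos = find_upx_tail_jmp(data, min_zero_run)
    if pos is None:
        return None
    jmp_va = data_va + pos + 1                # the E9 sits right after POPA (61)
    return jmp_va, jmp_target(jmp_va, data[pos + 2 : pos + 6])

if __name__ == "__main__":
    hit = upx_oep_from_tail(SAMPLE_STUB, SAMPLE_VA)
    if hit:
        print("jmp at %08X -> OEP %08X" % hit)   # jmp at 0042357F -> OEP 00401000
    else:
        print("no UPX-style popa/jmp tail found")
```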

nofurs
August 8th, 2002, 19:46
Hiya,
>>:0042357F E97CDAFDFF jmp 00401000
bpx on this above address
type without quotes
'a eip'
<---enter
'jmp eip'
<---enter
<---enter
the program will suspend in the memory now you can dump it with
PEditor or LordPE.

padspcb
August 9th, 2002, 02:45
Trouble is that some UPX files compacted on Win9x will not go on Win NT/2k/XP.
So if you have one of these, there are some fixes on the links provided by the board.
The other solution is to run ProcDump on a Win9x machine, if you have such a machine available.
best
Pads