egg
August 26th, 2002, 12:53
I've just written my first decrypter (for LameCrypt), and am now trying to write my first unpacker - UPX seems a good one to start with (I'm using 1.20) as it has no protections, small decompressor etc. (Yes I know upx.exe has a built-in decompress option, but I'm doing this for learning so that doesn't matter). I've ripped the decompressor out OK so I can call it and it compiles fine, but I'm having troubles setting it up at the start -- what should the registers be?
For example, it starts out like this:
pushad ;save registers
mov esi, 0100D000 ;which is the very first address in the disassembly
lea edi, dword ptr [esi+FFFF4000] ;what does this do, and why?
push edi
or ebp, FFFFFFFF ;why?
jmp 01011672
nop (x 6)
:01011672
mov ebx, dword ptr [esi]
sub esi, FFFFFFFC
adc ebx, ebx
.... down to ...
popad
jmp 01006420 ;jump to the (now decompressed) original program
All I want to do (and I'll do it even if it kills me!) is decompress the compressed section and save it to a file. I don't want to rebuild the exe or anything like that, all I want to do is decompress and save the decompressed bit. Can anybody help me on what I should be doing before calling the UPX decompress algorithm?
Any help would be very much appreciated, I really want to learn how to do this but it's going to take about ten years longer without help from you guys!
Cheers,
Egg
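Added example, not part of egg's post and not UPX's own code: a Python model of the NRV2B decompressor loop that a UPX i386 stub of this shape implements, with the bit reader written to mirror the three instructions quoted above (mov ebx,[esi] / sub esi,-4 / adc ebx,ebx). Facts the model relies on: ebx is a 32-bit bit buffer read MSB first from little-endian dwords at esi, and because `sub esi,-4` leaves CF set, `adc ebx,ebx` shifts a 1 into bit 0 as an end-of-buffer sentinel, which is why the stub needs no bit counter; `or ebp,-1` initialises the negated "last match offset" to 1; the `lea edi,[esi+FFFF4000]` is a two's-complement subtraction (esi - 0xC000) that sets edi to the destination of the unpacked bytes. Assumptions: that the ripped stub is the NRV2B variant (the reader must confirm this against their own stub), and the 12-byte sample stream is constructed by hand for the test, not taken from a real UPX file.

```python
# Added example (not from the post, not UPX's code): model of the NRV2B
# decompressor with a bit reader that mirrors the stub's dword refill.
# Assumption: the stub being studied is the NRV2B variant.

MASK32 = 0xFFFFFFFF


def stub_initial_registers(esi=0x0100D000, lea_disp=0xFFFF4000):
    """Registers as the prologue quoted in the post leaves them (addresses
    from the post; the meaning of each is a property of the UPX i386 stub)."""
    edi = (esi + lea_disp) & MASK32      # lea edi,[esi+FFFF4000] == esi - 0xC000
    return {
        "esi": esi,                      # source: start of the compressed data
        "edi": edi,                      # destination: where unpacked bytes go
        "ebp": MASK32,                   # or ebp,-1: negated last match offset = 1
    }


class StubBitReader:
    """ebx: 32-bit buffer, bits consumed MSB first.  No counter is kept: the
    refill's `sub esi,-4` sets CF (esi < 0xFFFFFFFC, always in practice) and
    `adc ebx,ebx` shifts that 1 into bit 0 as a sentinel.  When a later
    `add ebx,ebx` yields zero, the sentinel just left and a refill is due."""

    def __init__(self, src, esi=0):
        self.src = src
        self.esi = esi      # read position (the stub's esi)
        self.ebx = 0        # empty buffer, so the first getbit refills, just as
                            # the stub's entry `jmp 01011672` lands on the refill

    def getbit(self):
        carry = self.ebx >> 31                    # add ebx, ebx
        self.ebx = (self.ebx << 1) & MASK32
        if self.ebx == 0:                         # jnz not taken: refill
            word = int.from_bytes(self.src[self.esi:self.esi + 4], "little")
            self.esi += 4                         # sub esi,-4  (CF = 1)
            carry = word >> 31                    # adc ebx,ebx: bit 31 out, CF in
            self.ebx = ((word << 1) | 1) & MASK32
        return carry

    def getbyte(self):
        b = self.src[self.esi]                    # mov al,[esi] / inc esi
        self.esi += 1
        return b


def nrv2b_decompress(src, esi=0):
    """Decode one NRV2B stream; returns (output bytes, esi past the end marker)."""
    br = StubBitReader(src, esi)
    dst = bytearray()
    last_m_off = 1                                # stub: ebp = -1
    while True:
        while br.getbit():                        # 1 bit: a literal byte follows
            dst.append(br.getbyte())
        m_off = 1                                 # match offset, gamma-coded prefix
        while True:
            m_off = m_off * 2 + br.getbit()
            if br.getbit():
                break
        if m_off == 2:
            m_off = last_m_off                    # reuse the previous offset
        else:
            m_off = (m_off - 3) * 256 + br.getbyte()
            if m_off == 0xFFFFFFFF:               # end-of-stream marker
                break
            m_off += 1
            last_m_off = m_off
        m_len = br.getbit()                       # match length: two short bits
        m_len = m_len * 2 + br.getbit()
        if m_len == 0:                            # or 00 then a gamma-coded value
            m_len = 1
            while True:
                m_len = m_len * 2 + br.getbit()
                if br.getbit():
                    break
            m_len += 2
        if m_off > 0xD00:
            m_len += 1
        if m_off > len(dst):
            raise ValueError("match offset points before the output start")
        start = len(dst) - m_off
        for i in range(m_len + 1):                # byte-wise: overlaps are legal
            dst.append(dst[start + i])
    return bytes(dst), br.esi


# Constructed sample stream: literals 'A','B', a match (offset 2, length 8),
# then the end marker.  Layout: dword0, 'A', 'B', offset byte, dword1, 0xFF.
SAMPLE = bytes.fromhex("000060d8" "4142" "01" "90000000" "ff")


def decompress_section_to_file(section_bytes, out_path):
    """The asker's stated goal: unpack the compressed section, save the result."""
    data, _ = nrv2b_decompress(section_bytes)
    with open(out_path, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    print({k: hex(v) for k, v in stub_initial_registers().items()})
    out, end = nrv2b_decompress(SAMPLE)
    print(out, hex(end))
```

To use it on a real file, feed `decompress_section_to_file` the raw bytes of the compressed section starting at the address the stub loads into esi; the returned esi tells you where the stream ended, which is a useful sanity check that you started at the right place and that the stub really is this variant.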
