
View Full Version : unpacking as usual


salsa
September 24th, 2002, 23:08
Killing the unpacked one softly.

Well, I am a newbie and working hard to sharpen my unpacking abilities over a variety of packers/protectors available on the net. As luck would have it, I've messed with all the UPX ones lately (I mean, only the ones on which the -d command fails). One of them was a real hard nut. I applied the usual manual unpacking routines and failed. Then I tried the off-the-shelf unpackers, UPX fixers, etc. All got fooled. The problem was the OEiP. All got it wrong. The program was starting, calling the usual APIs and then silently exiting through ExitThread. Well, the author must have had a good knowledge of TOT, since he played with the PUSHAD thingy. Anyway, I did some careful and timely debugging and found the correct OEiP, dumped, fixed, etc.

The question is, why did the authors put too much effort into UPX? Maybe because it packs better, or did they lose faith in the MYTHs lately, seeing each new version fall in no time after its birth?

Comments?

salsa
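The post above turns on the classic UPX stub layout: PUSHAD at the packer's entry point, the decompression loop, then POPAD followed by a JMP rel32 to the original entry point, which is exactly the pattern automated OEP finders key on. The following is an added example, my own code and not code from the post, from the forum, or from the UPX project. It scans a code blob for POPAD/JMP pairs, decodes the jump target, and keeps only targets that land outside the stub's own section (the unpacked code normally lives in UPX0, the stub in UPX1). The section table, RVAs and stub bytes are constructed for the example; the "decoy" POPAD/JMP inside the stub's section is a constructed illustration of why a naive first-match scan reports the wrong OEP, not a reconstruction of the specific protection the poster met.

```python
"""
Heuristic OEP finder for UPX-style stubs.

The stub begins with PUSHAD (0x60), restores the image in place, and ends
with POPAD (0x61) followed by JMP rel32 (0xE9) to the original entry point.
Scanning for 0x61 0xE9 and decoding the relative jump yields OEP candidates;
requiring the target to leave the stub's section filters out hops that stay
inside the packer's own code. All sample data below is constructed.
"""
import struct

PUSHAD, POPAD, JMP_REL32 = 0x60, 0x61, 0xE9

# Constructed section table (name, rva, virtual_size) mimicking a UPX-packed PE.
SECTIONS = [
    ("UPX0", 0x1000, 0x7000),   # original code is decompressed into here
    ("UPX1", 0x8000, 0x3000),   # compressed data plus the decompression stub
    (".rsrc", 0xB000, 0x1000),
]


def section_of(rva, sections=SECTIONS):
    """Name of the section containing `rva`, or None if unmapped."""
    for name, start, size in sections:
        if start <= rva < start + size:
            return name
    return None


def rel32_target(code, off, base_rva):
    """Decode `E9 rel32` at offset `off` of `code`, which is mapped at base_rva."""
    rel = struct.unpack_from("<i", code, off + 1)[0]
    return base_rva + off + 5 + rel          # target = next instruction + rel


def popad_jmp_candidates(code, base_rva):
    """Every (jmp_rva, target_rva) for a POPAD immediately followed by JMP rel32."""
    out = []
    for i in range(len(code) - 5):           # need i+1 (E9) plus 4 bytes of rel32
        if code[i] == POPAD and code[i + 1] == JMP_REL32:
            out.append((base_rva + i + 1, rel32_target(code, i + 1, base_rva)))
    return out


def likely_oep(code, base_rva, sections=SECTIONS):
    """Candidates whose target lies in a mapped section other than the stub's."""
    stub_sec = section_of(base_rva, sections)
    return [t for _, t in popad_jmp_candidates(code, base_rva)
            if section_of(t, sections) not in (None, stub_sec)]


def make_jmp(from_rva, to_rva):
    """Encode `JMP rel32` located at from_rva that lands on to_rva."""
    return bytes([JMP_REL32]) + struct.pack("<i", to_rva - (from_rva + 5))


def build_stub(entry_rva, oep_rva, decoy_rva=None):
    """Constructed stand-in for a stub: PUSHAD, filler, then the POPAD/JMP tail.

    With decoy_rva set, an earlier POPAD/JMP that stays inside the stub's own
    section is emitted first; a tool that trusts the first match follows it."""
    code = bytes([PUSHAD]) + b"\x90" * 16
    if decoy_rva is not None:
        code += bytes([POPAD]) + make_jmp(entry_rva + len(code) + 1, decoy_rva)
        code += b"\x90" * 8
    code += bytes([POPAD]) + make_jmp(entry_rva + len(code) + 1, oep_rva)
    return code


if __name__ == "__main__":
    entry, oep, decoy = 0x9000, 0x1234, 0x9800   # constructed RVAs
    tricky = build_stub(entry, oep, decoy_rva=decoy)
    print("all POPAD/JMP pairs:", [(hex(j), hex(t)) for j, t in popad_jmp_candidates(tricky, entry)])
    print("first-match OEP guess:", hex(popad_jmp_candidates(tricky, entry)[0][1]))
    print("section-filtered OEP:", [hex(t) for t in likely_oep(tricky, entry)])
```

The section filter is only a heuristic: a 0x61 0xE9 byte pair can occur in compressed data, and a stub author can place the real tail anywhere, so the candidates are a starting point for the debugger, not a verdict. Checking that the target sits in the section that receives the decompressed code, as the poster did by tracing to the real OEP, is what separates the decoy from the entry point.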