
unpacking Official CFF Crackme 3.0


dipeshrestha
December 20th, 2002, 06:25
Hi all,

I am trying to manually unpack the Official CFF Crackme 3.0 with the help of one tutorial. The app is packed with UPX.

In his tutorial (which I have attached to this post), he said to find the pattern 61E964B5FEFF and replace E9 with CC. Now what I am not understanding is why to search for that specific pattern. How do I find that pattern in another app packed with another packer? I am eager to learn more about this. Can you help me with this?

Also, when I replace E9 with CC and run the program, it crashes after I get out of Sice.

Crackme can be downloaded from: h__p://www.snet.com.np/dipesh/crack.zip

dipeshrestha
Still Beginner

Snatch
December 20th, 2002, 07:46
I believe that string is the place where it jumps to the OEP, as E9 is a long jump. He recommends you change it to CC so it will break in the debugger at the int3 and you will be able to step and get to the OEP. However, while you are in the debugger, you must replace the CC back with the E9 and set the IP to the E9 instruction; otherwise it will start executing the address of the jump as assembly instructions, and that is never good... I am no unpacking wiz, so if I am wrong here somebody tell me, but this one seems fairly straightforward.

Snatch

ZaiRoN
December 20th, 2002, 10:58
You are right Snatch!

>Now what i am not understanding is why to search that specific pattern?
UPX places the code that unpacks the file between pushad and popad instructions. The classical layout of the UPX loader is the following:

pushad
<--- LOADER USED TO UNPACK THE FILE --->
popad
jmp OriginalEntryPoint ; this jump will bring you to the beginning of the unpacked file

In the specific case, you have:
Code:
455BB0  60              pushad
---
455D06  61              popad
455D07  E9 64 B5 FE FF  jmp 441270 ; here, if you want, you can dump your unpacked file

So CoDe_InSiDe said to find that specific pattern because this way you don't need to step through the entire loader. You can use this method for every program packed with UPX (though the pattern will not be the same ;-))

regards,
ZaiRoN

PS. Why don't you use 'upx -d filename.exe'!?!
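To make ZaiRoN's point concrete, here is an added Python example (not code from the thread, the tutorial, or UPX) that searches a buffer for the generic "popad; jmp rel32" tail, decodes the rel32 to recover the OEP, and shows the E9/CC swap that Snatch says must be undone. The buffer and its load address are constructed to match the listing above; a real file would need file offsets mapped to virtual addresses via the PE section headers.

```python
import struct

# Constructed sample buffer (not the real crackme): a pushad, a few filler
# bytes standing in for the loader, then the UPX tail ZaiRoN listed
# (popad; jmp rel32), laid out so that popad sits at VA 0x455D06.
SAMPLE_VA = 0x455D00
SAMPLE = (bytes.fromhex("60")            # 455D00  pushad
          + b"\x90" * 5                  # 455D01  loader stand-in
          + bytes.fromhex("61")          # 455D06  popad
          + bytes.fromhex("E964B5FEFF")  # 455D07  jmp 441270
          + b"\x00" * 4)

POPAD, JMP_REL32, INT3 = 0x61, 0xE9, 0xCC

def find_popad_jmp(buf):
    """Offsets of every 'popad; jmp rel32' pair in buf.
    The tutorial's 61 E9 64 B5 FE FF is one instance of this pair with a
    program-specific displacement; only the first two bytes are generic."""
    hits = []
    for off in range(len(buf) - 5):
        if buf[off] == POPAD and buf[off + 1] == JMP_REL32:
            hits.append(off)
    return hits

def jmp_target(buf, jmp_off, base_va):
    """VA reached by the E9 at jmp_off: next-instruction VA plus signed rel32."""
    rel = struct.unpack_from("<i", buf, jmp_off + 1)[0]
    return base_va + jmp_off + 5 + rel

def find_oep(buf, base_va):
    """(jmp VA, OEP) for the last popad;jmp in buf, which in a UPX stub is
    the tail of the loader. Returns None if no candidate is found."""
    hits = find_popad_jmp(buf)
    if not hits:
        return None
    jmp_off = hits[-1] + 1
    return base_va + jmp_off, jmp_target(buf, jmp_off, base_va)

def set_int3(buf, jmp_off):
    """Return (patched copy, original byte): E9 -> CC so the debugger stops
    right at the jump. The original byte must be put back, and EIP pointed
    at it again, before continuing; otherwise the bytes 64 B5 FE FF are
    executed as code, which is the crash dipeshrestha saw."""
    patched = bytearray(buf)
    saved = patched[jmp_off]
    patched[jmp_off] = INT3
    return bytes(patched), saved

def restore(buf, jmp_off, saved):
    patched = bytearray(buf)
    patched[jmp_off] = saved
    return bytes(patched)
```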