
Un-packing UPX packed exes


peter
March 26th, 2003, 17:24
I'm not sure where to post this, as it's a question regarding the Sice symbol loader and manual unpacking.

Here's my problem: I am trying to manually unpack a UPX packed exe, but when I try to load the module into the Sice symbol loader I get a message saying "problem translating module, load module anyway". So I load the module and Sice doesn't break. I have edited the PE characteristics of the UPX0 section from E0000080 to E0000020 as it says in all the tuts that I have read, but the symbol loader still won't load the exe.

So my question is: is it a fault with my symbol loader, or am I doing something wrong? I have followed every tut I can find on the subject but still no joy. Also, could anyone tell me useful breakpoints to use in Sice to find the OEP in UPX packed exes? Thanks in advance.

I am using SoftICE Driver Suite v2.7 on Win XP Home Edition SP1.
Thanks again

Nebob
March 26th, 2003, 17:32
upx -d yourfile.exe

squidge
March 26th, 2003, 17:38
Either that, or, if the header is mangled, use OllyDbg (freeware) and search for the jump. Shouldn't take more than 5 minutes to unpack and have it working. No need to use SoftICE on something as simple as UPX.

Gaia
March 26th, 2003, 17:45
Better use Break & Enter of LordPE to break at the entry point.


Gaia

S3ri@l CoDe9x
March 26th, 2003, 19:20
Enter here:

hxxp://zor.org/krobar/ <---- remember, change to http


You will find many tutorials on UPX there (in the Unpacking section).


Best Regards!

Kilby
March 27th, 2003, 03:06
Assuming that it really is packed with UPX.

An alternative method is to use Break & Enter in LordPE for loading the target.

Kilby...

dELTA
March 28th, 2003, 05:50
But on a more technical level (i.e., not just "use this and that and it will work"), what can cause an exe file not to break on the first instruction in SoftICE, except the well-known section characteristics trick (bug?)? It seems like such an elementary thing to break on the first instruction in the program, so I simply cannot understand why SoftICE could have even the slightest problem doing this. Someone mentioned a "mangled header"; could anyone elaborate on that?

Anyone?

Kilby
March 28th, 2003, 05:56
The only reason I have come across for an .exe not to break is the section characteristics.

Though after multiple runs you may find that it will not break on loading; if this happens, then disable all breakpoints and try again (I think this is a bug in the loader).

Of course, the thing is to be sure that it's really UPX that has been used to pack the .exe.

As for the UPX scramblers, they just change the .exe enough to stop UPX from unpacking the file.

Regards,

Kilby...

Shoob
March 30th, 2003, 15:10
It's very easy with Olly: set a BP on the OEP, jump to it with F9 and then dump the whole process. Change the OEP to the new one. What I forgot in the past was to change the Base of Code and Base of Data in the Optional Header. Otherwise Olly will tell you when disassembling that the entry point is outside the range. This fact is also not reported by any UPX tut.

A useful BP is GetProcAddress. Dunno if anyone is interested in a little tut on defeating UPX with Olly..

LOUZEW
March 30th, 2003, 15:35
Hi,
Maybe it's not specific to your UPXed file!
There is a problem with DS 2.7 under XP SP1; if you're interested, PM me your email!

squidge
March 30th, 2003, 16:43
I never changed the BOC or BOD in a UPX packed file, as the entry point should be an RVA from the image base anyway. So why does OllyDbg complain? The resulting exes work fine under both XP and 98, so I'm a little puzzled.

peter
March 31st, 2003, 02:53
It is definitely packed with UPX, as I have unpacked it with an unpacker. I just want to learn unpacking, and as far as I'm aware UPX is one of the easiest to start with. As I am a newbie to unpacking I thought I'd start with an easy one.

Shoob
March 31st, 2003, 09:57
Yes squidge, you don't have to change the BOC and BOD; the file will run without any errors. But I got the error "entry point is outside the code (as specified in the PE header)" under Olly if I didn't change the BOC to the Virtual Offset of UPX0 (.code) and the BOD to the VO of UPX1 (.data).

I have problems with ImpREC; it fucked up the API imports, so the fixed dump runs but the imported APIs couldn't be resolved by W32Dasm and Olly. Any suggestions? Every API looks like kernel32.#307 etc. With Revirgin all works fine.
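The three header-level points raised in this thread (Kilby's section characteristics fix, squidge's "search for the jump", and Shoob's BaseOfCode/BaseOfData fix on the dump) can all be done without a debugger. The following is an added example, not code posted in the thread or shipped with UPX: a standard-library PE32 parser that rewrites UPX0's characteristics from E0000080 to E0000020, statically locates the OEP by scanning UPX1 from the packed entry point for the classic UPX 1.x 32-bit stub ending `popad; jmp OEP` (bytes 61 E9 rel32), and then repairs the optional header of the dump the way Shoob describes. The sample image it operates on is constructed in memory with assumed section sizes and RVAs; it is not real UPX output. Other stub versions end differently, so the jump target is only accepted if it lands inside UPX0.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080


def _nt_offset(data):
    """File offset of the PE signature (e_lfanew), with basic sanity checks."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return nt


def sections(data):
    """Parse the section table into dicts; hdr_off is where each 40-byte header lives."""
    nt = _nt_offset(data)
    nsec, = struct.unpack_from("<H", data, nt + 6)
    opt_size, = struct.unpack_from("<H", data, nt + 20)
    table = nt + 24 + opt_size
    out = []
    for i in range(nsec):
        off = table + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        out.append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize, va=va,
                        rawsize=rawsize, rawptr=rawptr, chars=chars, hdr_off=off))
    return out


def optional_fields(data):
    """SizeOfCode, AddressOfEntryPoint, BaseOfCode, BaseOfData of a PE32 optional header."""
    opt = _nt_offset(data) + 24
    size_of_code, _, _, ep, boc, bod = struct.unpack_from("<6I", data, opt + 4)
    return dict(size_of_code=size_of_code, entry=ep, base_of_code=boc, base_of_data=bod)


def fix_section_characteristics(data, name="UPX0"):
    """The tutorial fix: turn E0000080 (uninitialised data) into E0000020 (code) on UPX0."""
    buf = bytearray(data)
    for s in sections(data):
        if s["name"] == name and s["chars"] & IMAGE_SCN_CNT_UNINITIALIZED_DATA:
            new = (s["chars"] & ~IMAGE_SCN_CNT_UNINITIALIZED_DATA) | IMAGE_SCN_CNT_CODE
            struct.pack_into("<I", buf, s["hdr_off"] + 36, new & 0xFFFFFFFF)
    return bytes(buf)


def find_oep(data):
    """Static 'search for the jump': scan UPX1 from the packed entry point for
    popad; jmp rel32 (61 E9) whose target lies in UPX0. Returns the OEP RVA or None."""
    secs = {s["name"]: s for s in sections(data)}
    upx0, upx1 = secs["UPX0"], secs["UPX1"]
    raw = data[upx1["rawptr"]:upx1["rawptr"] + upx1["rawsize"]]
    idx = raw.find(b"\x61\xe9", max(optional_fields(data)["entry"] - upx1["va"], 0))
    while idx >= 0:
        rel, = struct.unpack_from("<i", raw, idx + 2)
        target = (upx1["va"] + idx + 1 + 5 + rel) & 0xFFFFFFFF  # jmp RVA + 5 + rel32
        if upx0["va"] <= target < upx0["va"] + upx0["vsize"]:
            return target
        idx = raw.find(b"\x61\xe9", idx + 1)
    return None


def entry_point_in_code(data):
    """Olly's 'entry point is outside the code' check, as implied by the header."""
    f = optional_fields(data)
    return f["base_of_code"] <= f["entry"] < f["base_of_code"] + f["size_of_code"]


def set_entry_point(data, rva):
    buf = bytearray(data)
    struct.pack_into("<I", buf, _nt_offset(data) + 24 + 16, rva)
    return bytes(buf)


def fix_dump_header(data, oep):
    """Shoob's fix on the dump: EP = OEP, BaseOfCode/SizeOfCode cover UPX0, BaseOfData = UPX1."""
    secs = {s["name"]: s for s in sections(data)}
    buf = bytearray(set_entry_point(data, oep))
    opt = _nt_offset(data) + 24
    struct.pack_into("<I", buf, opt + 4, secs["UPX0"]["vsize"])
    struct.pack_into("<II", buf, opt + 20, secs["UPX0"]["va"], secs["UPX1"]["va"])
    return bytes(buf)


def build_sample_packed_image():
    """Constructed PE32 with a UPX 1.x-style layout (assumed sizes/RVAs, not real UPX output)."""
    secs = [(b"UPX0", 0x7000, 0x1000, 0x000, 0x200, 0xE0000080),
            (b"UPX1", 0x1000, 0x8000, 0x200, 0x200, 0xE0000040),
            (b".rsrc", 0x1000, 0x9000, 0x200, 0x400, 0xC0000040)]
    ep, oep = 0x8010, 0x1234
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(secs), 0, 0, 0, 224, 0x010F)
    # magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData, EP,
    # BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<HBB9I", hdr, 0x58, 0x10B, 6, 0, 0x1000, 0x2000, 0x7000, ep,
                     0x8000, 0x9000, 0x400000, 0x1000, 0x200)
    for i, (name, vsize, va, rawsize, rawptr, chars) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", hdr, 0x138 + 40 * i,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    upx1 = bytearray(0x200)
    upx1[0x10:0x12] = b"\x60\xbe"          # pushad; mov esi,... (start of the stub)
    jmp_rva = 0x8000 + 0x101               # popad at 0x8100, jmp at 0x8101
    upx1[0x100:0x107] = b"\x61\xe9" + struct.pack("<i", oep - (jmp_rva + 5))
    return bytes(hdr + upx1 + bytes(0x200))


if __name__ == "__main__":
    packed = fix_section_characteristics(build_sample_packed_image())
    oep = find_oep(packed)
    print("OEP RVA: %#x, EP in code after plain OEP write: %s, after BOC/BOD fix: %s" % (
        oep, entry_point_in_code(set_entry_point(packed, oep)),
        entry_point_in_code(fix_dump_header(packed, oep))))
```

On a real packed file, replace `build_sample_packed_image()` with the file's bytes; the only UPX-specific assumptions are the section names and the `popad; jmp` ending of the stub, so verify the returned OEP in a debugger before writing it into the dump.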

squidge
March 31st, 2003, 14:22
If this is still UPX, why are you bothering? No need for either ImpREC or Revirgin, as the IAT is as virgin as they come.

Shoob
March 31st, 2003, 16:02
Sorry, I was too lazy to open a new thread. I know for UPX packed files there's no need for rebuilding, but for example with ASProtect or Neolite it's necessary.

ImpREC is a very good program, but with this confusing IAT rebuilding I cannot deal with it.

squidge
March 31st, 2003, 16:58
ImpREC can't handle the crap entries in ASProtect'd progs though, so you either need to remove them before using ImpREC, or use Revirgin.

axle
September 25th, 2003, 19:28
Hi

My first post here.

Anyway, I'm also having problems breaking on the OEP of a UPX-packed file... I actually wrote my own "crackme" and then packed it with UPX 1.24w... I did actually manage to breakpoint on the OEP, but only after much grief (and I'm not exactly sure what I did differently when I was finally able to do it). Most of the time it wouldn't break, but one or two times it did break on the OEP (also I had no problems breaking on APIs) and I have no idea what I did differently. Also, somebody in this thread said that you don't need to rebuild the IAT after you dump the file (if it was packed with UPX), but if that's true, how come when I disassembled my crackme with W32Dasm after I had dumped it, there were no import modules?

Anyway, if anyone has any answers to these questions, I would MUCH appreciate it, as this is very frustrating.

deedee
September 26th, 2003, 06:57
Maybe just right-click on your exe to see if it's a read-only file?