I've just started manual unpacking some files,
I started with nice tutorial from AmoN about
UPX v1.07...

I tried to do the same with file packed with UPX 1.24,
but after dumping and changing EP it will not run...

(translated) error wrong initialisation 0xc0000005

Is there more to do then just dumping and fixing the EP ?
(I know you have to rebuild IAT for many crypters... but
UPX is not a crypter at all ???)

btw

-> PEiD gives same EP
-> I used packed notepad.exe

Thanks
MiniMind

I suppose you're running Windows XP or NT. Whatever, Win98 doesn't seem to be so strict, but under XP you certainly have to do some more things: Change the SectionOffsets(rawsize,virtualsize,rawoffset,virtualoffset),change the SizeOfImageSize, and fix the IAT.
Rebuilding or fixing the IAT has nothing to do with cryptors.If something is packed, crypted or not, you'll have to rebuild the IAT. However,that's just my humble opinion and maybe i'm dead wrong :P

biaaatch

Thank for responding (Running Win XP latest), but should I know how UPX work to find SectionOffsets and IAT ??? (If I have to use some tools : what are the best ???)

(I saw that Import Address Table has RVA 00000000 and size 00000000 in directories, doesn't seem me right ???)

greetings
MiniMind

I'll just quote Bratalarm here,cause he already told me once what to do and i think i can't top that

Unpack UPX

1. Dump
2. Set new Entry Point
3. For each Section change RawSize in VirtualSize and RawOffset in VirtualOffset, so that this is for valid for each section:
RawSize = VirtualSize und RawOffset = VirtualOffset
4. Set the Size of "SizeOfImage" to the size of the whole memorymapp (watch the alignements!)
5. Repair the Imports

You can repair the imports either manually (and there are some tuts out there,just google for them) or you can use Revirgin and/or ImpRec (ImpRect?).
For unpacking it's of course not the worst to know how packers work in general.There's a great tut out there (don't remember who wrote it ) on "how to write your own packer". Should supply you with some hints!

Go out and learn now ;P
biaaatch

Thanks that all I want to know, I'm gonna work on it, if I have some time.
And looking for some more tuts.

Happy Newyear
MiniMind

Don't forget to use that search button for more information on this Forum. There are also interesting threads over at the exetools forum on upx unpacking you might find interesting to review.

Regards,

found nice tuts at hxxp://new2cracking.cjb.net,
exetools forum wasn't much fun (couldn't search
for UPX ,cause it has 3 chars )...

I manually couldn't find much help about UPX on exetools forum...
... this forum looks much better arranged !!!

Thanks
MiniMind

And people wonder why I keep harping on learning how to search.

You should not be detered by the three letter limit. Just use "UPX*" and then you have four letters and at exetools you would have found this:

http://www.exetools.com/forum/search.php?s=&action=showresults&searchid=196166&sortby=lastpost&sortorder=descending

Regards,

exactly and when I open your link, it says "Sorry - no matches. Please try some different terms."

I think it's, cause I'm not a member ???

So thanks for your learning proposals, but I already had search with 'UPX*' and (I can read) it's pretty clear on that searching page



What I tried to say: Not very smart that three-letter-limit function...

Happy NewYear

MiniMind:

As you suspected, the issue is not the three letter limit, it is that you are not a registered user on exetools. If you attempt to use the search function on ANY vBulletin Board which has not enabled searching for guests in the AdminCP, you simply will not be able to use the search function, no matter how now many letters you use. So the solution to your problem is that you need to register on that board and you can then use the search function I gave you and you will find 27 threads which reference "upx."

Many vBulletin forums do not permit non-registered "guests" to post replies and many do not even permit non-registered "guests" to even view the threads. Perhaps the real issue is vBulleting's response, which should, more properly, informed the viewer that searching is disabled for non-registered and non-logged-in users. If you had tried searching with any word longer than three letters, you still would have gotten the "Sorry no matches" response, which should have prompted you to assume, as you did, that registration might be the issue. However, it appears you did not follow through and actually register and try it again.

Since there are no restriction on registering, other than a valid email address, also a requirement here, the real issue then is not a "Not very smart ... three-letter-limit function," but perhaps just a "not very observant, or at least a not very experimental user."

Happy New Year.
Regards,

I registered on exetools, so no negative sounds, lot of info out there...



MiniMind

I agree that the vBulletin statement could be more informative. For us to change it, we would have to edit the vBulletin templates and risk some changes coming with future releases. Even the default listings in "Why I should register" provided by the vBulletin FAQ does not spell out that one can not seach unless registered.

Regards,