
UPX Trouble


boba303
February 25th, 2004, 11:24
Hope someone out there can help me:
My problem is that I'm dealing with a UPX packed exe which wasn't any problem unpacking. The OEP (498038) is found and the imports are fixed.

However, when launching the target nothing happens. The last thing that happens is that it goes through ExitProcess. I'm 100% sure that it is some kind of protection, but I don't know if it's CRC or just a flag check on the target's OEP.

I found a similar problem in a crackme on this forum and did some backtracing with no use. My target has the same scheme but it never does any check like it did in the crackme, so I was hoping for some help or just ideas on how to proceed.
All of the other threads I read were more on how to unpack it, but that step was already done. However, finding this kind of help was a bit trickier; hope I'm not creating a thread with a similar topic that already exists.

The target I'm dealing with can be found at
hxxp://www.macecraft.com/downloads/RegSupreme_setup.exe

Feels like I missed some information, but just let me know and I will try filling you in..

Shoob
February 25th, 2004, 11:34
The problem is in the target itself.

boba303
February 25th, 2004, 13:37
Ok, that's not very helpful. I'm sure that the problem is in the program itself.
But since I'm stuck I was hoping for a hint that could point me in the right direction.

This isn't the first time I have come across a UPX target that behaves like this one either, so I kind of hope someone else has had some experience?

evaluator
February 25th, 2004, 16:00
The only GOOD hint is: sit & debug.
Imagine how the program can know (e.g. detect) if it is unpacked..

D-Jester
February 25th, 2004, 23:48
Try looking for checks on Filesize, IAT Location, Checksum, or see if he computes CRC or MD5, SHA-1.

All the prog's from macecraft are written in Delphi, so you might try DeDe.
I ran into the same prob with a different prog from macecraft.
He uses his own protection and licensing systems.

So if you have the time there is a lot to learn from it.
Unfortunately I didn't have the time to sit & debug it.

Wish I could be more help.

I will tell you that if your trial expires, look in your windows/system or winnt/system32 directories for an *.ini file (mine was SndDrv32*.ini) which contains the second half of the trial info. The first half is in the program's subfolders, I believe it's "license.dat"; deleting both will reset your trial.
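As an added example (not code from the thread, from Macecraft or from any real product), here is the kind of self-check evaluator's question and D-Jester's list point at: a program that embeds the size and CRC of its own file as shipped and refuses to run when the bytes on disk no longer match. The byte arrays, the `image_fingerprint` layout and all function names are constructed for the illustration; a real program would read its own file through the Win32 file APIs instead of receiving the bytes as a parameter.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Standard CRC-32 (reflected polynomial 0xEDB88320, as used by zip/PNG). */
uint32_t crc32_buf(const unsigned char *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Hypothetical layout of what the author embeds at build time: the size and
 * checksum of the file exactly as shipped (i.e. still packed). */
struct image_fingerprint {
    size_t   file_size;
    uint32_t file_crc;
};

struct image_fingerprint fingerprint_image(const unsigned char *img, size_t len)
{
    struct image_fingerprint fp;
    fp.file_size = len;
    fp.file_crc  = crc32_buf(img, len);
    return fp;
}

/* The self-check the thread is hunting for: 1 if the bytes on disk still
 * match the stored fingerprint, 0 otherwise. A real program would read its
 * own file (GetModuleFileName, CreateFile, GetFileSize, ReadFile); here the
 * bytes are passed in so the logic runs anywhere. */
int image_is_intact(const unsigned char *img, size_t len,
                    const struct image_fingerprint *expected)
{
    if (len != expected->file_size)   /* the cheap filesize check first */
        return 0;
    return crc32_buf(img, len) == expected->file_crc;   /* then the CRC */
}

/* Constructed stand-ins for file contents: the shipped packed file, and the
 * same program after unpacking (larger, different bytes). */
static const unsigned char PACKED_IMAGE[] =
    "MZ ..[UPX0][UPX1] <compressed stub and payload>";
static const unsigned char UNPACKED_IMAGE[] =
    "MZ ..[CODE][DATA][.idata] <decompressed code, rebuilt import table>";

/* Scenario 1: the file as shipped passes its own check. Returns 1. */
int check_shipped_file(void)
{
    struct image_fingerprint fp = fingerprint_image(PACKED_IMAGE, sizeof PACKED_IMAGE - 1);
    return image_is_intact(PACKED_IMAGE, sizeof PACKED_IMAGE - 1, &fp);
}

/* Scenario 2: the unpacked dump fails on size alone. Returns 0. */
int check_unpacked_file(void)
{
    struct image_fingerprint fp = fingerprint_image(PACKED_IMAGE, sizeof PACKED_IMAGE - 1);
    return image_is_intact(UNPACKED_IMAGE, sizeof UNPACKED_IMAGE - 1, &fp);
}

/* Scenario 3: a same-size, one-byte patch of the shipped file passes the
 * size check but fails the CRC. Returns 0. */
int check_patched_file(void)
{
    unsigned char patched[sizeof PACKED_IMAGE];
    struct image_fingerprint fp = fingerprint_image(PACKED_IMAGE, sizeof PACKED_IMAGE - 1);
    memcpy(patched, PACKED_IMAGE, sizeof PACKED_IMAGE);
    patched[10] ^= 0x01;
    return image_is_intact(patched, sizeof PACKED_IMAGE - 1, &fp);
}

int main(void)
{
    printf("shipped file intact:  %d\n", check_shipped_file());
    printf("unpacked file intact: %d\n", check_unpacked_file());
    printf("patched file intact:  %d\n", check_patched_file());
    return 0;
}
```

The order of the two tests is the point: the size comparison costs nothing and already catches a dump that grew after unpacking, while the CRC catches edits that keep the size the same. Neither one needs an import that gives it away, which is why D-Jester also suggests watching for checksum and hash routines rather than only API calls.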

nikolatesla20
February 26th, 2004, 02:29
If it's Delphi, you HAVE to get DeDe.

Look first for functions which check the filesize. If you find one, just change any decision instruction after the filesize check (like a JZ or a JNZ) to its opposite, or even try NOPing too, and see if it runs then.

-nt20

boba303
February 26th, 2004, 07:43
This is exactly what I was looking for. I will take your advice, D-Jester; you won't learn from targets that are easy to handle, that's why this target can actually teach you something.

But my guess is (since I'm no guru in IAT and CRC) that there is no specific pattern to find them, right?
Like the filesize is fairly easy to find (GetFileSize etc.) but the IAT and CRC can be anywhere without any need for an import call?
Just wanted to make sure I got it right...

Thanks for the help so far

naides
February 26th, 2004, 08:36
Quote:
[Originally Posted by boba303] This is exactly what I was looking for. I will take your advice, D-Jester; you won't learn from targets that are easy to handle, that's why this target can actually teach you something.

But my guess is (since I'm no guru in IAT and CRC) that there is no specific pattern to find them, right?
Like the filesize is fairly easy to find (GetFileSize etc.) but the IAT and CRC can be anywhere without any need for an import call?
Just wanted to make sure I got it right...

Thanks for the help so far

You may have done this already, but this is a suggestion for strategy, anyway.

In the unpacked version, you have two well defined instruction points in the code:
The OEP and the ExitProcess Call.

In the packed version, which you should have, you can put a BPX on the OEP, then find another instruction later in the code that definitely executes when the program is active and running, like some Display_Splash_screen call, or a MessageBox saying Welcome etc.

Using the Log feature of the SoftIce symbol loader, trace the packed version, save the log, trace the unpacked version, save the log, and compare.

By a stepwise approach, you can isolate the area where the code flow of the packed and unpacked versions takes a different route.
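naides' differential-trace idea, as an added example that is not part of the thread: two constructed trace logs (one executed instruction per line, 8-digit hex address first, both starting at the OEP 498038 from the first post) are parsed and compared to find the first entry where the packed and unpacked runs take different routes. The simplified log format, every address other than the OEP, and the function names are made up for the illustration; real SoftIce logs are not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACE 256

/* Constructed logs (not real SoftIce output): one executed instruction per
 * line, 8-digit hex address first, both runs starting at the OEP 498038
 * from the first post. Every other address is made up for the illustration. */
static const char PACKED_LOG[] =
    "00498038 PUSH EBP\n"
    "00498039 MOV EBP,ESP\n"
    "0049803B CALL 00497F10\n"
    "00497F10 CALL 00497E00\n"      /* hypothetical size/CRC check */
    "00497F15 TEST AL,AL\n"
    "00497F17 JNZ 00497F30\n"
    "00497F30 MOV EAX,1\n"          /* check passed: on to the real program */
    "00497F35 RET\n";

static const char UNPACKED_LOG[] =
    "00498038 PUSH EBP\n"
    "00498039 MOV EBP,ESP\n"
    "0049803B CALL 00497F10\n"
    "00497F10 CALL 00497E00\n"
    "00497F15 TEST AL,AL\n"
    "00497F17 JNZ 00497F30\n"
    "00497F19 PUSH 0\n"             /* check failed: falls through ... */
    "00497F1B CALL ExitProcess\n";  /* ... and the process just ends */

/* Pull the addresses out of a log. A line counts only if it starts with
 * exactly 8 hex digits, so a mnemonic such as "CALL" or "ADD" that happens
 * to be valid hex is not mistaken for an address. Returns the entry count. */
size_t parse_trace(const char *log, uint32_t *out, size_t cap)
{
    size_t n = 0;
    const char *p = log;
    while (*p && n < cap) {
        const char *eol = strchr(p, '\n');
        char *end;
        unsigned long v = strtoul(p, &end, 16);
        if (end - p == 8 && (*end == ' ' || *end == '\n' || *end == '\0'))
            out[n++] = (uint32_t)v;
        if (!eol) break;
        p = eol + 1;
    }
    return n;
}

/* Index of the first entry at which the two runs differ. If one trace is a
 * prefix of the other, the split is where the shorter one stops; -1 means
 * the traces are identical. */
long first_divergence(const uint32_t *a, size_t na, const uint32_t *b, size_t nb)
{
    size_t n = na < nb ? na : nb;
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return (long)i;
    return na == nb ? -1 : (long)n;
}

/* Compare the two constructed logs: index of the split (6 here). */
long demo_split_index(void)
{
    uint32_t a[MAX_TRACE], b[MAX_TRACE];
    size_t na = parse_trace(PACKED_LOG, a, MAX_TRACE);
    size_t nb = parse_trace(UNPACKED_LOG, b, MAX_TRACE);
    return first_divergence(a, na, b, nb);
}

/* Address each run executed at the split: the packed run if `packed` is
 * nonzero, the unpacked run otherwise. 0 if the traces never diverge. */
uint32_t demo_addr_at_split(int packed)
{
    uint32_t a[MAX_TRACE], b[MAX_TRACE];
    size_t na = parse_trace(PACKED_LOG, a, MAX_TRACE);
    size_t nb = parse_trace(UNPACKED_LOG, b, MAX_TRACE);
    long i = first_divergence(a, na, b, nb);
    if (i < 0) return 0;
    if (packed) return (size_t)i < na ? a[i] : 0;
    return (size_t)i < nb ? b[i] : 0;
}

int main(void)
{
    long i = demo_split_index();
    printf("runs diverge at entry %ld: packed at %08X, unpacked at %08X\n",
           i, (unsigned)demo_addr_at_split(1), (unsigned)demo_addr_at_split(0));
    /* The entry just before the split (the JNZ at 00497F17 in the constructed
     * logs) is where the check's verdict is acted on, so that is where a
     * reader of the two logs would start looking. */
    return 0;
}
```

Both runs must start logging at the same point (naides' BPX on the OEP) for the comparison to be meaningful; starting the packed run at its entry point would put the whole UPX stub in front and make the logs differ from line one.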

xoder
February 26th, 2004, 09:32
naides, this is a good approach. I didn't know something like this is possible in SI. I'm gonna try it just for fun, really sounds interesting and helpful!

regards

xoder

hobgoblin
February 26th, 2004, 10:50
I agree with evaluator. Sit down and start debugging. If you haven't done this to some extent before, it will be very helpful and you will learn a lot by simply tracing through code and instructions. Just to help you off with this one:
Load the program in Olly or SoftIce. Check out the fourth call from the OEP. That call checks a lot of interesting stuff, like whether you have SoftIce or OllyDbg loaded, and it also checks the size of the version of RegSupreme you're running. If the check routine doesn't like what it finds, it kicks you to the bottom of the call, and then you run into ExitProcess in the next call.
The call seems to check out several other things too, I just don't have the time to see what they are.
Good luck.
regards,
hobgoblin

boba303
February 26th, 2004, 13:01
Thanks hobgoblin, and I actually think I was in that area from the start but kind of rushed on without finding anything.

This will surely help me... thanks a lot guys