
strange behavior of unpacked exe (upx)


koyaan
May 25th, 2004, 09:33
okay... I'm trying to unpack the All Seeing Eye atm...
UPX is pretty straightforward... I was able to find the OEP, I do an EB FE to
get it in an endless loop, dump it with LordPE, then fix the entry point...

I start my dumped exe and... it runs!
Now I close it and try to start it again... it crashes.

I loaded it in Olly and it seems the first call to an API causes the problem...
By comparing the IAT of the dumped exe with the original I found that every address there was off by the same offset... I pasted the original into the dumped one, but it didn't quite work out, but I'm quite a newbie when it comes to unpacking / rebuilding...

What really bugs me is that my dumped exe runs once (or even twice) and then suddenly refuses cooperation....

PS: I did search for UPX on the board, ty

cheers koyaan

tenketsu
May 25th, 2004, 10:34
Unpacking UPX is very easy.

Check the tutorial "49-REVISION DE PACKERS AL DIA DESEMPACANDO UPX 1,24" on the FTP of Ricardo Narvaja.

If you can't do it, use "Generic Unpacker For UPX" by Bratalarm.

There are no tricks with the IAT; UPX is a compressor, not a protector.

esther
May 25th, 2004, 12:01
Don't toggle the space bar and assemble it. Use binary edit
to change the EB FE.
There are some CRC checks, I think.

Update:
When using assemble you must type jmp short blah. It's a short jump.

zyzygy
June 17th, 2004, 23:00
Hi, I dunno if this helps or not, but here is an easy way to unpack UPX. Disassemble the packed target and scroll down "hard" till you see the 00000000 bytes, then scroll up a bit and you will find an unconditional jump; this is the jump to the OEP, so note the address down. Then load it in the loader, set a breakpoint there and do an EB FE there. Dump it and voila, it is unpacked. You have to change the EP using ProcDump.

And UPX doesn't modify the IAT; if it does, it is a UPX scrambler. Then you have to rebuild the IAT.

Hope this helps
bye
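Added example (not code from any poster in this thread): a small Python script showing the bookkeeping behind the steps koyaan and zyzygy describe. It reads the entry point, image base and section table from a PE32 header, recognises the UPX0/UPX1 section names that UPX writes by default, converts the OEP seen in the debugger (a virtual address) into the RVA that LordPE or ProcDump expect when fixing the entry point, rewrites AddressOfEntryPoint, and checks whether two IAT listings differ by a single constant offset, which is what koyaan observed. The PE header it parses is constructed inside the script, and all function names are my own.

```python
import struct

# Constructed sample: only the PE headers, built in-script so the example runs
# offline. Field offsets follow the PE32 format; unused fields stay zero.
def build_pe32(image_base, entry_rva, sections):
    """DOS header + PE signature + COFF header + PE32 optional header + section
    table. `sections` is a list of (name, virtual_address, virtual_size)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                     # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)              # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                  # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                   # FileAlignment
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, va, 0, 0, 0, 0, 0, 0, 0)
        for name, va, vsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Read entry point RVA, image base and the section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, va = struct.unpack_from("<8sII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
        off += 40                                            # IMAGE_SECTION_HEADER size
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def looks_upx_packed(info):
    """UPX names its sections UPX0/UPX1 by default (it keeps .rsrc)."""
    return any(name.upper().startswith("UPX") for name, _, _ in info["sections"])


def section_for_rva(info, rva):
    for name, va, vsize in info["sections"]:
        if va <= rva < va + vsize:
            return name
    return None


def oep_va_to_rva(oep_va, image_base):
    """The debugger shows the OEP as a VA; the PE header stores an RVA."""
    if oep_va < image_base:
        raise ValueError("OEP lies below the image base")
    return oep_va - image_base


def set_entry_point(data, new_rva):
    """Return a copy of the image with AddressOfEntryPoint rewritten."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    patched = bytearray(data)
    struct.pack_into("<I", patched, pe + 24 + 16, new_rva)
    return bytes(patched)


def constant_delta(original, dumped):
    """The single offset by which every dumped IAT entry differs from the
    original, or None if the entries do not all differ by the same amount."""
    if not original or len(original) != len(dumped):
        return None
    deltas = {d - o for o, d in zip(original, dumped)}
    return deltas.pop() if len(deltas) == 1 else None


# Constructed layout: packer stub entry inside UPX1, unpacked code in UPX0.
SAMPLE = build_pe32(0x400000, 0x2A000, [("UPX0", 0x1000, 0x20000),
                                        ("UPX1", 0x21000, 0xA000),
                                        (".rsrc", 0x2B000, 0x1000)])

if __name__ == "__main__":
    info = parse_pe(SAMPLE)
    print("UPX section layout:", looks_upx_packed(info))
    print("packer entry point lives in", section_for_rva(info, info["entry_rva"]))
    oep_rva = oep_va_to_rva(0x401234, info["image_base"])   # OEP as noted in the debugger
    print("OEP RVA %#x in %s" % (oep_rva, section_for_rva(info, oep_rva)))
    print("entry point after fix: %#x" % parse_pe(set_entry_point(SAMPLE, oep_rva))["entry_rva"])
    # constructed IAT values: every dumped entry is 0x10 past the original
    print("IAT delta:", constant_delta([0x77E1A000, 0x77E1B100], [0x77E1A010, 0x77E1B110]))
```

A constant delta across the whole IAT means the dumped table holds addresses taken from a different base than the file on disk, which is what you get from a dump of a running process; pasting the original table over it does not give a loadable image, which is why the thread's answer is to rebuild the imports rather than copy them.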

esther
June 17th, 2004, 23:08
The reason is simple: you have run the program once, and it's still in the memory stack. This program is certainly weird.

zyzygy
June 18th, 2004, 02:26
Hi,
Couldn't get ya, has the program been unpacked?? Sorry for this q, but I get confused easily.

esther
June 18th, 2004, 09:19
It's the same old UPX, nothing new; just fixing the imports will do.

cRk
June 18th, 2004, 11:27
PE Explorer + its UPX plugin makes a perfect unpacked exe for the All Seeing Eye.. it also reconstructs all section names to their original Delphi or VC++ state.

Also, you can inline patch it.... I don't see anything special in this case..

esther
June 18th, 2004, 11:59
I'll emphasize more on it. It actually runs after being unpacked without fixing the imports (it reads the original stack of imports). If you reboot your system, the unpacked file will not run. You have to fix the import tables.

This is the first strange file I have ever seen

Regards

Fatty[NegX]
October 5th, 2004, 19:41
Did I miss something?
upx -d -o output.exe allseeingeye.exe
upx being the UPX exe, -d meaning decompress, -o output.exe meaning the output file,
and allseeingeye.exe being the input.
That outputs the unpacked exe, yes? I've used it before... sorry if this is some newb comment that doesn't apply, but... it seems rather trivial.

I also have had a problem with a decompressed exe: it opens fine, works fine, but when I open it in SmartCheck, it crashes SC with a memory error. (This is a VB app, which is the reason for SC.) If I open the original packed exe, SC works fine =-D