Unpacking a dll packed with UPX


the snake
August 13th, 2001, 02:02
Hi all
Nice to be back after a long, long time, even if I had to re-register.
Nice to see some old familiar names, too.

The target is FlipAlbum (~7MB):
http://www.flipalbum.com/cgi/web_sup/free_dl.php?dlpage=www.flipalbum.com/flipalbumcd/fasuite40_dl.php
It's a 30 day limit trial, with nag.
I've unpacked the main program, found where to patch, but then I've noticed that the days remaining and the nag screen are done in the FACOMMON.dll, which is packed with UPX as well.
I've forgotten most of the things I knew, and some others I didn't know at all.
Can someone point me to how to unpack this dll?
I did my best, with procdump and without... nothing helped.
Thanks
the snake

LaptoniC
August 13th, 2001, 04:54
Have you tried to unpack with upx itself? upx -d filename.dll will do the job. Also, if you want to unpack it manually, put CC on the entrypoint of dll. In softice type i3here. Then trace as usual. Hope it helps.

the snake
August 13th, 2001, 06:12
Hi LaptoniC
Thanks for the reply.
I didn't know that UPX lets you unpack; this will do for the easy way.

Now, for the interesting way, I need some more words, if you can...

"..Put CC on the entrypoint of dll.."
What is "CC" and how do I deal with it?

"..In softice type i3here.."
Just not sure what to type in SI, please be more specific...
I feel I've become a newbie again.
Thanks in advance
the snake

Eternal Bliss
August 13th, 2001, 06:42
Hiya my dear friend,
hope you have been well. I haven't heard from you for a long long time. 8)

"CC" means to put an int 3 at the entrypoint and set sice to break when it comes to an interrupt 3.

This is exactly like unpacking a normal exe file where you break into it at the entrypoint. For the dll, I suppose the imagebase will not be 400000 but higher.

Unfortunately, I have yet to fully set up my computer after the recent repartition and reformatting, thus I am not able to help you specifically.

Good luck.
EB
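
Added example, not part of the original thread or written by any of its posters: a header-only PE reader, as an analyst might use to triage a suspect DLL, that reports the ImageBase and entry point discussed above and flags UPX-style section names. The function names and the constructed sample image are illustrative assumptions, and the `UPX0`/`UPX1` names are UPX's default section names, which a modified packer can change.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit: the image is a DLL

def pe_summary(data: bytes) -> dict:
    """Read the PE header fields the thread mentions, plus section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    _m, nsect, _t, _p, _n, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    if magic == 0x10B:                                        # PE32
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                      # PE32+
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    sections, entry_section = [], None
    for i in range(nsect):                                    # 40-byte section headers
        raw, vsize, vaddr, rsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        name = raw.rstrip(b"\0").decode("ascii", "replace")
        sections.append(name)
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            entry_section = name                              # section holding the entry point
    return {"is_dll": bool(chars & IMAGE_FILE_DLL), "image_base": image_base,
            "entry_va": image_base + entry_rva, "sections": sections,
            "entry_section": entry_section,
            "upx_named": any(s.startswith("UPX") for s in sections)}

def build_sample_dll() -> bytes:
    """Constructed header-only image for the demo; not taken from any real file."""
    def sec(name, vsize, vaddr, rsize):
        return struct.pack("<8sIII", name, vsize, vaddr, rsize) + b"\0" * 20
    opt = bytearray(0xE0)                                     # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x2100)                   # constructed entry RVA
    struct.pack_into("<I", opt, 28, 0x10000000)               # constructed ImageBase
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), IMAGE_FILE_DLL | 0x0102)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return (dos + b"PE\0\0" + coff + bytes(opt)
            + sec(b"UPX0", 0x1000, 0x1000, 0) + sec(b"UPX1", 0x1000, 0x2000, 0x400))

if __name__ == "__main__":
    for key, value in pe_summary(build_sample_dll()).items():
        print(f"{key}: {value}")
```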

the snake
August 13th, 2001, 08:36
Hi EB,
How are you ? Happy to hear from ya again.. Are you back home now ? Last time we talked, you had your final exams..
I'm ok, had a very busy year in real life and at work, and I have now a "webmaster" certificate..

"CC" = int3, damn me, forgot all.
Do I need to set it in the dll with a hex editor before running, right?

Sorry, sounds like I'm getting old, passed the 40's..
Going home to try it now.
Thanks
the snake

qferret
August 13th, 2001, 19:43
wb snake, & congrats on the cert.....
I actually unpacked an ocx packed with UPX awhile back.

EB is right: once you get Sice to break on the dll, it's business as usual for UPX unpacking/dumping.

The newer versions of UPX support unpacking...the older ones don't, so it depends on what version the author used as to whether or not you can take the easy way out ;-)

Eternal Bliss
August 14th, 2001, 00:01
Hi snake,
yes, I have finished my exams and am now waiting for September, when I will start working. Hopefully, I will still have time to hang around here. 8P

Hi qferret,
you mentioned an ocx packed with upx. Was that the ocx that is supposed to be difficult to crack? I was reading the postings then but didn't get to try it myself due to my exams. How was it? Were you able to crack it? I don't recall reading any postings on it after my exams when I started visiting the board again.

Regards
EB