Hi All
I'm trying to fully unpack an UPXed program.I using one of Shub-Nigurrath tutorials
for unpacking UPX using OllyDbg and ImpRec.I have done some simple steps for this:
1-Going to OEP and dump the program.
2-Using ImpRec on running process of program,I rebuild IT.
The problem is that the program is not unpacked completely(Or at least I think it
is not unpack completely).Because the unpacked program show its main body,
but it makes an runtime error and hangs after that runtime error,In addition the
trial nag is not shown and when I try to disassemble it using IDAPro,it says that
it can't translate some virtual address.
How it is possible?Is it possible that some parts of program is compressed in other way?

sincerely yours

First of all, find out with which version the program was packed. For newer versions, UPX.exe can unpack the compressed exe if it wasn't modified. For older versions, have a look at the (short) unpacker code, most of the vital tables are created on the fly. After some experiments, I ended up with inline-patching my compressed file. The jump to OEP is pretty clearly visible, just change it to jump to your code, etc.
Please add more details, maybe you will find some help then...

Hi laola
Thanks for quick reply.
My UPX version is defined by PEid as following:

In addition,runtime error that I said is shown as a message box and is the same
error message that shown when I try to debug program(for example pressing F9 in
ollydbg).
This error message will happen with every anti detection ways:Repair 0.2,Hide Debugger,Olly Invisible 0.9

sincerely yours

Uh, that PEiD result covers almost all UPX versions *sigh*
Can you please open up your target in a hex editor and have a look at the header? You can find something like "1.25 UPX!" around the end of the header in newer versions:

.100003D0: 00 00 00 00-00 00 00 00-00 00 00 31-2E 32 35 00 1.25
.100003E0: 55 50 58 21-0C 09 05 07-8B 8E 7F 39-8C 16 A4 C2 UPX!♀○♣•ïÄ⌂9î▬ñ┬

(just compressed some file I could get my hands on to demonstrate it)

If you want the exact version it is UPX 1.25

sincerely yours

In this case, just download upx from upx.sourceforge.net and try to unpack it directly. (upx.exe -d target.exe)
Does that work?

Hi
When I unpacked it,I get the same runtime error as I dumped program.
The unpacked program behaviour is the same of my dumped program.

sincerely yours

I'm gritting my teeth while I suggest this, but have you tried PE Explorer, I've had excellent success dumping UPX with it, I believe it comes with a 30 day trial. (ahem cough cough).

SiGiNT