
After unpacking UPX-File RCData still encrypted


Jaffar
January 19th, 2005, 09:58
I want to translate a program (freeware, made in Delphi I think) from Russian into English. The file is packed with UPX 1.24. After unpacking it (I've tried it with several tools and manually with OllyDbg) the rcdata is still encrypted, so I can't use tools like Resource Hacker to translate it. Has some kind of protector or scrambler been used to encrypt it? Does anyone have an idea how to decrypt the data?

Some info:
program: Small CD-Writer 1.33
written in: Borland Delphi 6
packed with(PEID): UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo

thanks

KSA
January 20th, 2005, 04:30
Did you try decompression with UPX itself?

upx -d FilenameToUnpack

KSA

ExE_SyS
January 24th, 2005, 04:39
Hi,
Try using Restorator. It's a very useful and universal tool. Search with Google or write to me! I hope I was helpful!

Jaffar
January 25th, 2005, 05:54
Hi,
I can't unpack it with upx -d. I will try it with Restorator. Thanks for your help.

Cylox
February 12th, 2005, 08:20
I am having the same type of problem. upx -d doesn't work... it says: "CantUnpackException: cannot upack UPX ;-)" Even with Restorator it says it is still compressed, even though I have dumped from the OEP and fixed with ImpRec.... what gives??

dirtyoldm
March 10th, 2005, 04:44
test

dirtyoldm
March 10th, 2005, 04:47
From another forum on BartPE at
http://www.911cd.net/forums/?s=18168298096062209e7cabb0de570fe3&showtopic=7564&st=30&#entry48414

"In a hex editor, go to offset 3E4 (after "UPX!"), replace FF with 0C, save and unpack with UPX -d filename.exe
But resources are encrypted, I see this in PE Explorer as HEX code."

YES this works, I tried it.

Under RC Data the TFORMx items are garbage.
All begin AVF8X ascii.

!! Under PACKAGEINFO are 3 AVTxxxx items including 'AVTCript'.
Maybe the program decrypts each resource as needed.

AVTCript appears in the code at 000E07 EA, preceded by its ID, D210h.

The encrypted TFORMs must include the icons in the menus, can't find them elsewhere.
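
Added example, not part of any post in this thread: a Python script that finds the "UPX!" magic, decodes the four bytes after it and flags the FF value the quoted post replaces with 0C. It assumes those four bytes are the UPX pack header's version, format, method and level fields; the function names and the sample bytes are constructed for illustration.

```python
import struct

UPX_MAGIC = b"UPX!"
TAMPERED_VERSION = 0xFF   # value the quoted post found at offset 3E4
RESTORED_VERSION = 0x0C   # value the quoted post writes back

def scan_upx_headers(data):
    """Locate every 'UPX!' magic and decode the four bytes that follow it."""
    hits = []
    pos = data.find(UPX_MAGIC)
    while pos != -1:
        tail = data[pos + 4:pos + 8]
        if len(tail) == 4:
            # Assumed layout: version, format, method, level (one byte each).
            version, fmt, method, level = struct.unpack("4B", tail)
            hits.append({
                "magic_offset": pos,
                "version_offset": pos + 4,
                "version": version,
                "format": fmt,
                "method": method,
                "level": level,
                "tampered": version == TAMPERED_VERSION,
            })
        pos = data.find(UPX_MAGIC, pos + 1)
    return hits

def restore_version(data, hit, version=RESTORED_VERSION):
    """Return a patched copy; the input bytes are left unmodified."""
    patched = bytearray(data)
    patched[hit["version_offset"]] = version
    return bytes(patched)

# Constructed sample, not bytes from the real program: padding so the magic
# sits at 0x3E0, putting the version byte at 0x3E4 as in the quoted post.
SAMPLE = b"\x00" * 0x3E0 + UPX_MAGIC + bytes([0xFF, 0x09, 0x02, 0x08]) + b"\x00" * 24

if __name__ == "__main__":
    for hit in scan_upx_headers(SAMPLE):
        print(f"magic at {hit['magic_offset']:#x}, "
              f"version {hit['version']:#04x}, tampered={hit['tampered']}")
    fixed = restore_version(SAMPLE, scan_upx_headers(SAMPLE)[0])
    print("after patch:", scan_upx_headers(fixed)[0])
```

Run it against a copy of the file, since the patched bytes are what `upx -d` is then given.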

naceur
March 11th, 2005, 11:38
I have the same problem with ASProtect.

The exe file is unpacked but it is not possible to change the rcdata.

smarter
March 13th, 2005, 04:25
Here is a tool which can get resources even if the .exe is packed.
The following is the address; you can download it:

http://www.pediy.com/tools/Resource/freeRes/freeRes0.94.zip

dirtyoldm
March 20th, 2005, 22:36
Getting the RC Data resources is no problem using Resource Hacker
http://www.users.on.net/johnson/resourcehacker/

Someone needs to
A) decrypt them
B) hack the EXE to remove the decrypting it does
C) Give the writer a smack up side his head for making his excellent work useless to the rest of the world!