UPX Modified Stub -> Farb-rausch Consumer Consulting [Overlay]

How do I unpack it?
Possible do to with or maybe without ollyscript?

the manual unpacking of a modified upx is the same methoid of the normal UPX, any tut of UPX is useful.

If You have NT/2000 or XP for found the OEP you can use the METHOD OF PUSHAD is functional for any UPX.

trace F7 till you pass the first pushad, mark ESP and right click FOLLOW IN DUMP

In the DUMP WINDOW, mark the 4 bytes and right click BREAKPOINT, HARDWARE BREAKPOINT ON ACCESS and RUN

you stop before a POPAD and press f7 and you found the JUMP to the OEP.

when you reach the OEP dump and reconstruct the IAT with IMPORT RECONSTRUCTOR if the OLLYDUMP dumped archivo donīt RUN.

Ricardo Narvaja

I tried what you said and even tested some upx script. But when I tries do dump (ollydump) I get the error "Unable to read memory of debugged process (00400000..004CFFFF)."
And after that error I get "Bad DOS Signature!!"

go to view-memory and change the permission of this section to FULL ACCESS and dump next.

Some programs corrupt the header you can compare with the original header (when the program start) and look for the differences and correct

Ricardo Narvaja