Upack


maze
July 28th, 2005, 13:46
Has anyone been able to unpack a file compressed by the Upack compressor?

http://dwing.go.nease.net/

I cannot find any scripts capable of decompressing it.

Maze

mr haggar
July 28th, 2005, 14:23
Open WinUpackE.exe in Olly:

00401030 > $-E9 42820100 JMP WinUpack.00419277
00401035 . 42 79 44 77 69>ASCII "ByDwing@",0
0040103E 00 DB 00
0040103F 00 DB 00
00401040 . 50 45 00 ASCII "PE",0
00401043 00 DB 00
00401044 4C DB 4C ; CHAR 'L'
00401045 01 DB 01
00401046 02 DB 02
00401047 00 DB 00
00401048 00 DB 00

Press F8 once:

00419277 BE 88014000 MOV ESI,WinUpack.00400188
0041927C AD LODS DWORD PTR DS:[ESI]
0041927D 8BF8 MOV EDI,EAX
0041927F 95 XCHG EAX,EBP
00419280 AD LODS DWORD PTR DS:[ESI]
00419281 91 XCHG EAX,ECX
00419282 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>

Note that all jumps lead to some 41xxxx addresses. But scroll down and you will find one that jumps to our code section:

0041941E AD LODS DWORD PTR DS:[ESI]
0041941F 85C0 TEST EAX,EAX
00419421 -0F84 970AFFFF JE WinUpack.00409EBE

That jump jumps to OEP, but it's conditional. Select the line with the jump and place a conditional log breakpoint on it. For the condition enter EAX==0, and select to pause the program on condition. Press F9 and you'll break on the bp. Then press F7, then Ctrl+A, and you are on OEP:

00409EBE /. 55 PUSH EBP ; SHELL32.#584
00409EBF |. 8BEC MOV EBP,ESP
00409EC1 |. 6A FF PUSH -1
00409EC3 |. 68 C8CA4000 PUSH WinUpack.0040CAC8
00409EC8 |. 68 C8A04000 PUSH WinUpack.0040A0C8 ; JMP to MSVCRT._except_handler3; SE handler installation
00409ECD |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00409ED3 |. 50 PUSH EAX

Dump and fix IAT if needed.

By.

PS
It's easy to write a script for this. Maybe you could try it.

mr haggar
July 28th, 2005, 14:43
Packer is simple and I was bored. Here is the script.

//Start of script
//Script for unpacking WinUpack 0.30beta - by haggar
msg "Ignore ALL exceptions! "
//Step once: the entry JMP takes us into the 41xxxx stub
sto
//Search from EIP for a JE rel32 (0F 84 xx xx xx xF) - the backward jump into the code section
findop eip,#0F84???????F#
//Conditional breakpoint on that JE: it only pauses when the jump will be taken
bpcnd $RESULT,"EAX==0"
run
//Single-step the JE; EIP now points at the OEP
sto
//Analyse the code at the new EIP and mark it
an eip
cmt eip,"This is OEP! Dump now. Cheers ;-)"
ret
//End of script..
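
Resolving the jump target that haggar's findop pattern locates, as an added Python example that is not from the thread. The code-section bounds and the bytes around 0041941E are constructed assumptions modelled on the listing in the earlier post:

```python
import struct

# Constructed sample modelled on the bytes shown at 0041941E in the post:
#   AD             LODS DWORD PTR DS:[ESI]
#   85C0           TEST EAX,EAX
#   0F84 970AFFFF  JE WinUpack.00409EBE
# A constructed JE that stays inside the stub (41xxxx) precedes it so the
# section filter has something to reject.
SAMPLE_VA = 0x00419410
SAMPLE = bytes.fromhex(
    "0F84 10000000"              # constructed JE -> 0x00419426 (stays in stub)
    "90 90 90 90 90 90 90 90"    # constructed padding up to 0041941E
    "AD 85C0"                    # LODS / TEST EAX,EAX as in the listing
    "0F84 970AFFFF"              # JE 00409EBE, the conditional jump to the OEP
)

# Assumed bounds of the original code section (not stated in the thread):
CODE_LO, CODE_HI = 0x00401000, 0x00410000


def find_je_into_range(code: bytes, base_va: int, lo: int, hi: int):
    """Return (instr_va, target_va) for every JE rel32 (0F 84 disp32) whose
    resolved target lies in [lo, hi).  Static counterpart of the script's
    'findop eip,#0F84...#': it decodes the displacement instead of matching
    bytes, so the one jump back into the 40xxxx code section stands out from
    the jumps that stay inside the 41xxxx stub.  A byte-wise scan can hit
    0F 84 inside other instructions, so hits are candidates to confirm in
    the debugger, as the post does with the EAX==0 breakpoint."""
    hits = []
    for i in range(len(code) - 5):
        if code[i] == 0x0F and code[i + 1] == 0x84:
            rel = struct.unpack_from("<i", code, i + 2)[0]
            va = base_va + i
            # rel32 is relative to the instruction following the 6-byte JE
            target = (va + 6 + rel) & 0xFFFFFFFF
            if lo <= target < hi:
                hits.append((va, target))
    return hits


def bpcnd_command(instr_va: int) -> str:
    """Format the OllyScript breakpoint the post sets on that jump."""
    return f'bpcnd {instr_va:08X},"EAX==0"'


if __name__ == "__main__":
    for va, target in find_je_into_range(SAMPLE, SAMPLE_VA, CODE_LO, CODE_HI):
        print(f"{va:08X}: JE {target:08X} -> candidate OEP; {bpcnd_command(va)}")
```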

maze
July 29th, 2005, 07:13
Thanks Haggar, works like a charm.
Also enjoyed your first post, explaining step by step!

Maze