
EASY-UNPACKING : UPOLYX files :D


Postby nick_name on 11-15-2004 05:31 PM

guys, I've been searching for a while but couldn't get any good reading materials on unpacking UPOLYX

from the source code it seems like it uses some sort of random code generation

any suggestion from anyone unpacking UPOLYX files ??

** some web info said : KASPERSKY can successfully unpack UPOLYX files :roll:

thank you


guys, i've successfully unpacked my files with the following method, hope it just might be useful to somebody, the steps follow in the next post

TOOLS USED :

NOTEPAD.EXE.xp.sp2
ollydbg 1.10 final
lord PE
ImpREC

Postby nick_name on 11-16-2004 11:56 PM

guys, UPOLYX now can be unpacked.
it's actually quite easy :D

just follow the steps :

1. take xp.sp2.NOTEPAD.EXE
2. compress it with upx -f NOTEPAD.EXE

output :
-----------------------------------------------------------------------------------------------
C:\>upx -f notepad.exe
Ultimate Packer for eXecutables
Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24w Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002

File size Ratio Format Name
-------------------- ------ ----------- -----------
69120 -> 48128 69.63% win32/pe notepad.exe

Packed 1 file.

C:\>
-----------------------------------------------------------------------------------------------

3. now apply UPOLYX notepad.exe

output :
-----------------------------------------------------------------------------------------------
C:\>upolyx notepad.exe

*UPolyX v0.3*
written by Delikon/www.delikon.de
Additions by Neil The Hippie Killer
ENTRYPOINT: 15360
FILEENTRYPOINT: 4760
[+] Checking for UPX
[+] Yes this is packed with UPX!
[+] Replace the section name UPX with qxdF
[+] the second UPX section starts at 0x400
[+] the second UPX section is 0x4600 big
[+] Found a 0x128 big space for the decryptor
[+] using the xor/xor 4 byte decryptor
[+] Using for Register1 EDX
[+] Using for Register2 EDI
[+] use 0x6259 as manipulationBytes
[+] encrypt 180 bytes from address 0x1015360 till address 0x1015414
[+] Generated 0x1f byte decryptor
[+] Generated 0xe8 bytes of trash before
[+] Generated 0x13 bytes of trash after
OK

C:\>
-----------------------------------------------------------------------------------------------

4. now open the notepad.exe with olly
5. Olly will warn about a compressed/encrypted executable section, say YES
6. start pressing F8
7. soon after you'll face a LOOPD section like the following, this is actually the decoder

-----------------------------------------------------------------------------------------------
010155CF > /8132 59620000 XOR DWORD PTR DS:[EDX],6259
010155D5 . |83C2 04 ADD EDX,4
010155D8 . |83E9 03 SUB ECX,3
010155DB .^\E2 F2 LOOPD SHORT notepad.010155CF
010155DD .^ FFE7 JMP EDI ; notepad.01015360
-----------------------------------------------------------------------------------------------

8. set a breakpoint on 010155DD
9. press F9, it'll break on 010155DD ... just another way to quickly cross over that loop
10. now you can remove that breakpoint from 010155DD by pressing F2
11. next, press F8 to take that JMP EDI
12. it will bring you into something like the following

-----------------------------------------------------------------------------------------------
01015360 60 DB 60 ; CHAR '`'
01015361 BE DB BE
01015362 00 DB 00
01015363 10 DB 10
01015364 01 DB 01
01015365 01 DB 01
01015366 8D DB 8D
01015367 BE DB BE
01015368 00 DB 00
01015369 00 DB 00
0101536A FF DB FF
0101536B FF DB FF
0101536C 57 DB 57 ; CHAR 'W'
-----------------------------------------------------------------------------------------------

13. don't worry, this is CODE, just right-click > analysis > remove analysis from module, the meaningful code will be visible now
14. you'll now face a PUSHAD
15. execute that PUSHAD by pressing F8
16. now on the right-hand side mark your ESP ( it should turn red ), in my case it was ESP = 0007FFA0
17. right-click on it > follow address in dump (0007FFA0)
18. in the dump window below, right-click on the first byte > BREAKPOINT > HARDWARE, ON ACCESS > WORD
19. now press F9 ( for the next POPAD or any other action )
20. you should land somewhere like this

-----------------------------------------------------------------------------------------------
010154AE 61 POPAD
010154AF - E9 E91EFFFF JMP notepad.0100739D
010154B4 0000 ADD BYTE PTR DS:[EAX],AL
010154B6 0000 ADD BYTE PTR DS:[EAX],AL
010154B8 0000 ADD BYTE PTR DS:[EAX],AL
010154BA 0000 ADD BYTE PTR DS:[EAX],AL
010154BC 0000 ADD BYTE PTR DS:[EAX],AL
010154BE 0000 ADD BYTE PTR DS:[EAX],AL
-----------------------------------------------------------------------------------------------

21. the JMP notepad.0100739D will take you to the entrypoint
22. press F8 and take that jump, you'll come to somewhere like :

-----------------------------------------------------------------------------------------------
0100739D 6A 70 PUSH 70
0100739F 68 98180001 PUSH notepad.01001898
010073A4 E8 BF010000 CALL notepad.01007568
010073A9 33DB XOR EBX,EBX
010073AB 53 PUSH EBX
010073AC 8B3D CC100001 MOV EDI,DWORD PTR DS:[10010CC] ; kernel32.GetModuleHandleA
010073B2 FFD7 CALL EDI ; notepad.01015360
-----------------------------------------------------------------------------------------------

with this the work with OLLY ends :) BUT DON'T CLOSE YOUR OLLY, KEEP IT LIKE THIS

23. fire up LORD-PE, from the process list pick notepad.exe ( it should appear right after ollydbg.exe )
24. right-click > dump full ... > save as > dumped.exe
25. now open ImpREC ( I used 1.6 FINAL ) ... choose the process notepad.exe, in the LOG window of ImpREC many things should scroll down, let it be
26. now in the "IAT infos needed" window put : 739D
    OEP = (RVA from olly) - (original OEP)
        = 0100739D - 01000000
        = 739D
27. now press IAT autosearch, it should come up with a window "FOUND SOMETHING", press OK
28. now press GET IMPORTS, many things should come up in the "Imported Functions Found" window
29. now press FIX DUMP, choose your previously dumped DUMPED.EXE from LordPE, the log window should say C:\DUMPED_.EXE save successfully :D and voila you are DONE

thanks all, and please let me know if you encounter any errors

Postby Cyberpunk on 02-13-2005 08:03 PM

Hey dude, I tried to repeat what you did... I can't find the

LOOPD
JMP

I get LOOPD and Call or whatever... I packed with UPX... then with UPolyX (0.5) and went to Olly... from there it doesn't match your guide anymore...

Check the screenshot
Attachment: upolyx unpacking1.JPG

Postby stingduk on 02-14-2005 01:58 PM

I don't understand why you all want everything on a platter and spoon-fed
that code you just screenshotted will take a maximum of 200 cycles
that is all, you could have F7'd it (single-stepped through it 200 times) without any problems and would have learnt a lot yourself in the time that it took you to
screenshot it, attach it, write a question, post it and wait for an answer :)

anyway here is an analysis
mov ebx, some address
mov esi, ebx
mov ecx, 0c6 <<----- counter initialised so all it will take is this much amount of single steps only == 196 times :(
xor byte ptr [ebx], 1f decrypts the crap at the address in ebx
it is pushing ecx == 0c6 at the moment onto the stack
sub ecx, ecx <<------- so ecx is now 0, inner loop counter initialisation
mov ecx, 2 so the inner loop is executed max two times
add ebx, 1 <---- next byte to be decrypted
loopd << ------ go get AoA or the Intel manual or search in Google what the hell it does
if you had done that you would have known by now that it
returns to the address pointed to as long as ecx is not equal to 0
and decreases ecx every time it returns to the address pointed to
so all this inner loop does is increase ebx by two bytes
pop ecx it restores ecx to the old value == 0c6
sub ebx, 1 <<-- it just negated the junk that was done in the inner loop, do you understand ?????
so basically you can nop out all the bullshit and code a plain little
inc ebx
cmp ebx, 0c6
redo xor

so after all of it is xorred it just jumps to esi

which is decrypted crap code

so there are a lot of options that you could have followed
1) like single-stepping through all the code
2) used conditional breakpoints like stop when ecx == 0 or 1 or 2 whatever y
3) directly set a breakpoint on jmp esi and jump when it has decrypted all

whatever
:(
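Both decryptors in this thread (the v0.3 XOR DWORD PTR [EDX],6259 / ADD EDX,4 / SUB ECX,3 / LOOPD loop from nick_name's Olly listing, and the byte-wise xor 1f loop stingduk walks through) are one pattern: XOR a unit at a pointer, advance, count ECX down, LOOPD. The emulator below is an added example, not code from UPolyX or from either poster; it generalises to any unit width, and the sample bytes are constructed from the UPX stub head shown in the dump.

```python
# Emulation of the UPolyX XOR decryptor loops discussed in this thread.
# Added example, not code from UPolyX or from either poster.
import struct

def xor_loop(data: bytes, key: int, width: int, ecx: int) -> bytes:
    """Emulate "XOR [ptr],key ; ptr += width ; ECX -= width ; LOOPD".

    width=4, key=0x6259, ecx=180 is the v0.3 loop from the Olly listing
    (SUB ECX,3 plus LOOPD's own decrement take 4 off per DWORD); width=1,
    key=0x1f, ecx=0xc6 is the byte loop stingduk describes once the no-op
    inner loop is stripped. ECX is a byte count and LOOPD only stops at
    exactly 0, so a count that is not a multiple of width would wrap and
    run off the buffer; refuse that instead of looping 2**32 times.
    """
    if ecx % width != 0 or ecx > len(data):
        raise ValueError("ECX must be a multiple of width within the buffer")
    fmt = {1: "<B", 2: "<H", 4: "<I"}[width]
    buf = bytearray(data)
    ptr = 0                                   # EDX/EBX: start of the region
    while True:
        unit, = struct.unpack_from(fmt, buf, ptr)
        struct.pack_into(fmt, buf, ptr, unit ^ key)   # XOR [ptr],key
        ptr += width                                  # ADD ptr,width
        ecx = (ecx - width) & 0xFFFFFFFF              # SUB ECX,width-1 ; LOOPD
        if ecx == 0:
            break
    return bytes(buf)

def untouched_offsets(plain: bytes, enc: bytes) -> list:
    """Offsets the XOR left unchanged. With key 0x6259 only the low two
    bytes of each little-endian DWORD carry key bits, so bytes 2 and 3 of
    every DWORD stay in clear (half the UPX stub survives for a scanner)."""
    return [i for i in range(len(plain)) if plain[i] == enc[i]]

# Constructed sample: the first UPX stub bytes from the dump in the thread
# (PUSHAD; MOV ESI,..; LEA EDI,[ESI-..]; PUSH EDI) padded with NOPs to 180.
UPX_STUB_HEAD = bytes.fromhex("60BE00100001" "8DBE0000FFFF" "57")
PLAIN = UPX_STUB_HEAD + b"\x90" * (180 - len(UPX_STUB_HEAD))

def v03_roundtrip() -> bool:
    """The v0.3 DWORD loop is its own inverse: run it twice, get PLAIN back."""
    enc = xor_loop(PLAIN, 0x6259, 4, 180)
    return xor_loop(enc, 0x6259, 4, 180) == PLAIN

if __name__ == "__main__":
    enc = xor_loop(PLAIN, 0x6259, 4, 180)
    print(enc[:13].hex(), len(untouched_offsets(PLAIN, enc)), v03_roundtrip())
```

Running it shows why stingduk's "break on the final jmp" shortcut is safe: the whole region is decrypted in one pass of 45 (v0.3) or 198 (v0.5) iterations, and with the 0x6259 key 90 of the 180 bytes were never changed at all.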

