

Packer Name Packer Author Classification Analysis By Last Updated
UPXShit snaker UPX Modifier quig June 15 2005
Allocation Anti-Debug Anti-Disassembly Section Name Sample
PE Header (UPX 0) no no 3 sects N/A
Notes
A series of decoding blocks XORs the original UPX body with 7F, then jumps to the UPX stub.

Transfer Command
jmp
Entry Point Signature
; UPXShit entry point: first link of a chain of identical 21-byte XOR-decoding blocks.
; Each block decodes the 21 bytes immediately before it (XOR 7F) and then jumps into them.
; Detection hint (taken from the bytes shown): the pattern
;   B8 ?? ?? ?? ?? B9 15 00 00 00 80 34 08 7F E2 FA E9
; repeats at a 0x15-byte stride, walking downward from the entry point.
004611E1 > B8 CB114600      MOV EAX,PEiD.004611CB          ; EAX = one byte before the next (still encoded) block
004611E6   B9 15000000      MOV ECX,15                     ; 0x15 = 21 = size in bytes of one decoding block
004611EB   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F   ; decode one byte; offsets 0x15 down to 1 are touched, offset 0 is not
004611EF  ^E2 FA            LOOPD SHORT PEiD.004611EB      ; ECX--, repeat while ECX != 0
004611F1  ^E9 D6FFFFFF      JMP PEiD.004611CC              ; enter the block just decoded (EAX+1): bytes are executed right after being written, so the containing section must be writable and executable at runtime
004611F6   0000             ADD BYTE PTR DS:[EAX],AL       ; zero padding after the entry block (00 00 disassembled); not reached by the JMP above
004611F8   0000             ADD BYTE PTR DS:[EAX],AL
004611FA   0000             ADD BYTE PTR DS:[EAX],AL
004611FC   0000             ADD BYTE PTR DS:[EAX],AL

; Decoding chain: every block below is 21 bytes long, identical except for its addresses,
; and sits 0x15 bytes below the block that decoded it. Block N decodes block N+1
; (the 21 bytes at EAX+1..EAX+0x15) and jumps to EAX+1. The 7F key and 0x15 count never change.
; Only the first block is annotated; the others follow the same pattern.
004611CC   B8 B6114600      MOV EAX,PEiD.004611B6          ; EAX = one byte before the next block (004611B7)
004611D1   B9 15000000      MOV ECX,15                     ; 21 bytes to decode
004611D6   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F   ; decode [EAX+0x15] .. [EAX+1]
004611DA  ^E2 FA            LOOPD SHORT PEiD.004611D6
004611DC  ^E9 D6FFFFFF      JMP PEiD.004611B7              ; into the freshly decoded block

004611B7   B8 A1114600      MOV EAX,PEiD.004611A1
004611BC   B9 15000000      MOV ECX,15
004611C1   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
004611C5  ^E2 FA            LOOPD SHORT PEiD.004611C1
004611C7  ^E9 D6FFFFFF      JMP PEiD.004611A2

004611A2   B8 8C114600      MOV EAX,PEiD.0046118C
004611A7   B9 15000000      MOV ECX,15
004611AC   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
004611B0  ^E2 FA            LOOPD SHORT PEiD.004611AC
004611B2  ^E9 D6FFFFFF      JMP PEiD.0046118D

0046118D   B8 77114600      MOV EAX,PEiD.00461177
00461192   B9 15000000      MOV ECX,15
00461197   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
0046119B  ^E2 FA            LOOPD SHORT PEiD.00461197
0046119D  ^E9 D6FFFFFF      JMP PEiD.00461178

00461178   B8 62114600      MOV EAX,PEiD.00461162
0046117D   B9 15000000      MOV ECX,15
00461182   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
00461186  ^E2 FA            LOOPD SHORT PEiD.00461182
00461188  ^E9 D6FFFFFF      JMP PEiD.00461163

00461163   B8 4D114600      MOV EAX,PEiD.0046114D
00461168   B9 15000000      MOV ECX,15
0046116D   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
00461171  ^E2 FA            LOOPD SHORT PEiD.0046116D
00461173  ^E9 D6FFFFFF      JMP PEiD.0046114E

0046114E   B8 38114600      MOV EAX,PEiD.00461138
00461153   B9 15000000      MOV ECX,15
00461158   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
0046115C  ^E2 FA            LOOPD SHORT PEiD.00461158
0046115E  ^E9 D6FFFFFF      JMP PEiD.00461139

00461139   B8 23114600      MOV EAX,PEiD.00461123
0046113E   B9 15000000      MOV ECX,15
00461143   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
00461147  ^E2 FA            LOOPD SHORT PEiD.00461143
00461149  ^E9 D6FFFFFF      JMP PEiD.00461124

00461124   B8 0E114600      MOV EAX,PEiD.0046110E
00461129   B9 15000000      MOV ECX,15
0046112E   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
00461132  ^E2 FA            LOOPD SHORT PEiD.0046112E
00461134  ^E9 D6FFFFFF      JMP PEiD.0046110F

0046110F   B8 F9104600      MOV EAX,PEiD.004610F9
00461114   B9 15000000      MOV ECX,15
00461119   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
0046111D  ^E2 FA            LOOPD SHORT PEiD.00461119
0046111F  ^E9 D6FFFFFF      JMP PEiD.004610FA

004610FA   B8 E4104600      MOV EAX,PEiD.004610E4
004610FF   B9 15000000      MOV ECX,15
00461104   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
00461108  ^E2 FA            LOOPD SHORT PEiD.00461104
0046110A  ^E9 D6FFFFFF      JMP PEiD.004610E5

004610E5   B8 CF104600      MOV EAX,PEiD.004610CF
004610EA   B9 15000000      MOV ECX,15
004610EF   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
004610F3  ^E2 FA            LOOPD SHORT PEiD.004610EF
004610F5  ^E9 D6FFFFFF      JMP PEiD.004610D0

004610D0   B8 BA104600      MOV EAX,PEiD.004610BA
004610D5   B9 15000000      MOV ECX,15
004610DA   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
004610DE  ^E2 FA            LOOPD SHORT PEiD.004610DA
004610E0  ^E9 D6FFFFFF      JMP PEiD.004610BB

004610BB   B8 A5104600      MOV EAX,PEiD.004610A5
004610C0   B9 15000000      MOV ECX,15
004610C5   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
004610C9  ^E2 FA            LOOPD SHORT PEiD.004610C5
004610CB  ^E9 D6FFFFFF      JMP PEiD.004610A6

004610A6   B8 90104600      MOV EAX,PEiD.00461090
004610AB   B9 15000000      MOV ECX,15
004610B0   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
004610B4  ^E2 FA            LOOPD SHORT PEiD.004610B0
004610B6  ^E9 D6FFFFFF      JMP PEiD.00461091

; Last link of the chain: same shape, but the count is 0x171 = 369 instead of 0x15, so it
; decodes the whole region 00460F20..00461090 (everything between the UPX stub start and this
; block) in one pass, then transfers control to the now-readable UPX stub.
00461091   B8 1F0F4600      MOV EAX,PEiD.00460F1F          ; EAX = one byte before the UPX stub
00461096   B9 71010000      MOV ECX,171                    ; 0x171 = 369 bytes: the entire encoded stub body
0046109B   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F   ; decode [00461090] down to [00460F20]
0046109F  ^E2 FA            LOOPD SHORT PEiD.0046109B
004610A1  ^E9 7AFEFFFF      JMP PEiD.00460F20              ; the "Transfer Command" into the UPX stub


; Start of the (now decoded) UPX stub. The listing ends at the NOP pad; the decompression
; loop that follows the JMP SHORT is not shown here.
00460F20   60               PUSHAD                         ; save all general registers; ESP now points at the saved block (the OEP-finder script below places a read breakpoint there)
00460F21   BE 00F04300      MOV ESI,PEiD.0043F000          ; ESI = 0043F000 (presumably the packed data; not verifiable from this listing)
00460F26   8DBE 0020FCFF    LEA EDI,DWORD PTR DS:[ESI+FFFC2000] ; EDI = ESI - 0x3E000 = 00401000 (wraps mod 2^32); LEA does not touch flags
00460F2C   57               PUSH EDI                       ; keep a copy of EDI on the stack
00460F2D   83CD FF          OR EBP,FFFFFFFF                ; EBP = -1
00460F30   EB 10            JMP SHORT PEiD.00460F42        ; skip the NOP pad
00460F32   90               NOP
00460F33   90               NOP
00460F34   90               NOP


Known Unpackers
/* 
OEP (original entry point) finder for upxshit 0.6 (snaker) & UPX 
It also works for a "standalone" UPX-packed program 

Author : mimas 
*/ 

var x                                   // scratch: first the distance to the next JMP, later the stack address to watch

loop: 
findop eip, #E9??# // find jump to next loop (the E9 at the end of the current decoding block); address in $RESULT
mov x, $RESULT 
sub x, eip                              // x = distance from the current instruction to that JMP
cmp x, 10 // (@jmp - eip) is 10 (hex) in every decoding block of the listing above,
// so a larger distance means we have left the chain and are already in the UPX stub;
// finding the JMP with findop instead of stepping a fixed count also copes with other loop sizes
ja stub 
go $RESULT                              // run until EIP is on the JMP
sto                                     // step over it: EIP lands on the next, freshly decoded block
jmp loop 

stub: 
// the terrific UPX OEP finder 
eob end                                 // when a breakpoint fires, continue the script at 'end'
sto                                     // step the stub's PUSHAD; ESP now points at the saved registers
mov x, esp 
bphws x, "r"                            // hardware read breakpoint on that slot: it trips when the stub restores the registers (presumably its final POPAD, not shown in the listing)
run 

end: 
bphwc x                                 // remove the hardware breakpoint
sto                                     // one more step past the register restore; EIP is expected to be at the original entry point afterwards
ret
