Author           : seifer666
Target           : Ultimate Packer eXecutable 1.01
Public Release   : 15/08/2000
Author Contact   : seifer666@caramail.com
Dedication       : N/A
Difficulty Level : 3 (INTERMEDIATE) on a scale of 1..7
Tools Required   : Soft Ice 3x, ProcDump32, exe to pack, upx 1.01
 

Disclaimer: Please note, the information herein is copyright to Hellforge. No portion of this text may be duplicated. Furthermore, damage or problems arising after reading this text are left to the user's disposal. Neither Hellforge, nor its members can be held responsible for any direct or indirect result of following this text. The full liability of following this text is on the reader (YOU). The information is provided for educational purposes, misuse of this information is strictly prohibited. If you do not agree with this agreement, then please hit the "back" button on your browser, and go to hell. - Mercution.
 

Introduction
 

I just remembered that I downloaded this version of UPX some time ago; I don't know if a new one has been released yet. I'm not very experienced in unpacking, but I tried to remove this piece of crap by myself, without asking anybody. I don't regret my choice... This tut will show you how to retrieve the String Data References and the Exported Functions of a packed file (the import table is not rebuilt here).


 

Tutorial
 

I made a copy of a little executable in the UPX directory (the program is Lazarus' String to Ascii Converter) and packed it. Do the same with whatever exe you want; which one isn't very important. Then edit the PE headers of the two files (the clean one and the packed one) with ProcDump. My results are:
 



#########################
Clean exe : Header Infos#
#########################

Entry Point : 1000
Size of Image : 4A000
Image Base : 400000


###########################
Clean exe : Sections Infos#
###########################

Name     Virt Size   Virt Offset   Raw Size   Raw Offset   Characteristics
==========================================================================
.text    00033000    00001000      00032200   00000600     60000020
.data    00009000    00034000      00004200   00032800     C0000040
.tls     00001000    0003D000      00000200   00036A00     C0000040
.rdata   00001000    0003E000      00000200   00036C00     50000040
.idata   00002000    0003F000      00001C00   00036E00     40000040
.edata   00001000    00041000      00000200   00038A00     40000040
.rsrc    00003000    00042000      00002C00   00038C00     40000040
.reloc   0000416C    00043000      00003C00   0003B800     C0000040


##########################
Packed exe : Header Infos#
##########################

Entry Point : 4C400
Size of Image : 4E000
Image Base : 400000


############################
Packed exe : Sections Infos#
############################

Name     Virt Size   Virt Offset   Raw Size   Raw Offset   Characteristics
==========================================================================
UPX0     0002E000    00001000      00000000   00000400     E0000080
UPX1     0001E000    0002F000      0001D800   00000400     E0000040
.rsrc    00001000    0004D000      00000C00   0001DC00     C0000040

OK, we notice that UPX reorganizes the whole structure of the exe... The Entry Point is moved, because the new exe includes a loader (the UPX stub) which decompresses the program when it is launched and then jumps to the real OEP. All the data sections and the text section are packed into two new sections: UPX1, which holds the compressed data and the unpacking code that runs each time you launch the exe, and UPX0, which has a raw size of 0 in the table (it takes no room on disk and is filled at run time). The .rsrc section is still here, but its characteristics change too.

Open the Soft Ice Symbol Loader and load your packed exe with it. Soft Ice does not break... If we want it to break, we have to change the characteristics of the UPX0 section to E0000020, so that Soft Ice is allowed to read the data it contains. So edit the PE of the packed file with ProcDump, click on Sections, right click on UPX0 and choose Edit Section. Now change the E0000040 to E0000020, click on OK and exit ProcDump. Try loading the file with the Symbol Loader again; hehe, this time it works and you should see something like:


XXX:XXXXXXXX  60            PUSHAD                   ; pushes all registers on the stack
XXX:XXXXXXXX  BE2EFD4200    MOV ESI, XXXXXXXX        ; the next instructions unpack the file
XXX:XXXXXXXX  8DBED21FFDFF  LEA EDI, [ESI+XXXXXXXX]

.......
.......                                              <---- trace with F10 ;-P

XXX:XXXXXXXX  FF96A8C90400  CALL [ESI+XXXXXXXX]
XXX:XXXXXXXX  61            POPAD                    ; restores all the pushed register values
XXX:XXXXXXXX  E9A44AFBFF    JMP 00401000             ; jumps to the real program OEP, the file is unpacked

Well, when I say 'trace with F10', it takes very long, so it's faster to scroll the Soft Ice code window until you see the POPAD address, put a bpx on it, press F5, and then clear the breakpoint (bc 0), so that you arrive just before the jump.

When you arrive at the address of the jump, type the following (be sure that no breakpoint is enabled, because we are going to dump the process):


a          < press enter >
jmp eip    < press enter >
           < press escape >

Then press F5. The process is now in an infinite loop because of the jmp eip. Launch ProcDump again, and in the loaded tasks window (top left), right click on the file you want to unpack. Choose Dump (Full), and name it Dump.exe for example. Then choose Kill Task, because the process won't end by itself (infinite loop).

But our work isn't over. If you launch the dumped file, it will crash completely, because its entry point is still the one of the packed file. Do you remember the line of the last jump?

XXX:XXXXXXXX  E9A44AFBFF    JMP 00401000             <---- this is the OEP of the unpacked exe

To obtain the correct entry point of our dumped file, just subtract the Image Base from this address:

EP address = 401000 - 400000 = 1000

Edit the PE of the dumped file with ProcDump and change the Entry Point to the result of the subtraction (1000 in my case). OK, exit ProcDump, beg our Lord, and launch the dumped file. If you did everything correctly, it shouldn't crash this time, and if you disassemble it with W32Dasm for example, you should be able to see the String Data References and the Exported Functions, but not the imported ones, because we didn't rebuild the import table of the exe.
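As an added example (not code from the original tutorial, and nothing UPX or ProcDump ship): a small Python PE32 header reader that decodes the Characteristics values from the section tables above (why UPX0's E0000080 differs from the E0000020 we set) and applies the Entry Point subtraction to a dump, refusing an OEP that lands outside every section. The image it works on is constructed in build_sample_pe() from the packed layout shown above (headers only, no real code), and the function names are mine.

```python
import struct

# IMAGE_SCN_* bits from the PE/COFF spec, enough to read the Characteristics column of the tables above
SCN_FLAGS = {0x20: "CNT_CODE", 0x40: "CNT_INITIALIZED_DATA", 0x80: "CNT_UNINITIALIZED_DATA",
             0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}

def decode_characteristics(value):
    """Name the flag bits set in a section Characteristics dword, e.g. 0xE0000020."""
    return [n for bit, n in sorted(SCN_FLAGS.items()) if value & bit]

def parse_pe(data):
    """Minimal PE32 reader: ImageBase, AddressOfEntryPoint and the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24                          # optional header follows the 20-byte COFF header
    entry_rva, image_base = struct.unpack_from("<I8xI", data, opt + 16)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40            # 40-byte IMAGE_SECTION_HEADER entries
        vsize, va, chars = struct.unpack_from("<II20xI", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode(), "hdr": off, "va": va, "vsize": vsize, "chars": chars})
    return {"opt": opt, "image_base": image_base, "entry_rva": entry_rva, "sections": sections}

def section_for_rva(pe, rva):
    """Return the section whose virtual range covers rva, or None."""
    return next((s for s in pe["sections"] if s["va"] <= rva < s["va"] + s["vsize"]), None)

def fix_entry_point(data, oep_va):
    """AddressOfEntryPoint = OEP - ImageBase (the subtraction above); an OEP outside every section is refused."""
    pe = parse_pe(data)
    rva = oep_va - pe["image_base"]
    if rva < 0 or section_for_rva(pe, rva) is None:
        raise ValueError("OEP 0x%X is outside every section" % oep_va)
    out = bytearray(data)
    struct.pack_into("<I", out, pe["opt"] + 16, rva)
    return bytes(out)

def build_sample_pe():
    """Constructed header-only image with the tutorial's packed section layout (no code inside)."""
    secs = [(b"UPX0", 0x2E000, 0x1000, 0, 0x400, 0xE0000080), (b"UPX1", 0x1E000, 0x2F000, 0x1D800, 0x400, 0xE0000040),
            (b".rsrc", 0x1000, 0x4D000, 0xC00, 0x1DC00, 0xC0000040)]
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x10F)
    opt = bytearray(224)
    struct.pack_into("<I8xI", opt, 16, 0x4C400, 0x400000)                 # packed EP (the UPX stub), ImageBase
    table = b"".join(n.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vs, va, rs, rp, 0, 0, 0, 0, ch) for n, vs, va, rs, rp, ch in secs)
    return dos + coff + bytes(opt) + table
```

Running fix_entry_point(build_sample_pe(), 0x401000) moves the entry RVA from 4C400 (inside UPX1, the stub) to 1000 (inside UPX0), which is exactly the edit made in ProcDump above.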

What we did is sufficient because it enables us to patch the exe again. If the protection is name/serial or something like that, try breaking on the usual APIs; it should work ;-).

 

 
Final Thoughts
 

This was my first tutorial on manual unpacking; I hope you could understand it and that it was useful for you. If you have any problem with the method I showed you, just contact me!


 

Greetings to...


I greet my knowledge sharing group HellForge and my friends (in no specific order): ACiD BuRN, BoomBox, BlndAngl, Lucifer48, Volatility, Tscube, Visionz, amante4, alpine, FatBoyJoe, Warez Pup, Eternal_bliss, r!sc, [mega], Sushi, MagicRaphoun, TaMaMbolo, Kahel, V-Rom, Ep-180, morrinth, Tres`ni, Dawai, DXF, CiniMod, xor, Air2k, grAnix, LordOfLa, karlitoXZ, [ManKind], Falcon^, Dazzler, Lazarus, AbsoluteB, JB007, C_DKnight, Miscreant, Crudd, kanabis, Cell-, BMonkey, Armour, Vylent, Skamer, Fenorez, sinn0r, Dark Wolf, Bishop, Mercution, AC_178.... and all I've forgotten ;-)
You can reach me at seifer666@caramail.com or ICQ #61545376


 
The end.
Any mistakes, corrections, or comments may be mailed to the members individually, or to the group : hellforge@hellforge.org.