

Packer Name Packer Author Classification Analysis By Last Updated
UPXShit snaker UPX Modifier quig June 15 2005
Allocation Anti-Debug Anti-Disassembly Section Name Sample
PE Header (UPX 0) no no 3 sects N/A
Notes
Series of decoding blocks, each XORing the original UPX body with 7F, followed by a jmp to the UPX stub.

Transfer Command
jmp
Entry Point Signature
; UPXShit entry point (EIP = 004611E1), OllyDbg listing, Intel syntax.
; Each decoder block XORs the 0x15-byte block that sits just below it in
; memory with key 7F and then jumps into it; the chain runs downward through
; the blocks shown further on and ends at the UPX stub (00460F20).
; Register roles: EAX = one byte before the region to decode, ECX = byte count.
; NOTE(review): the XOR writes into the very section that is executing, so this
; section must be writable at run time (self-modifying code) - a useful
; detection/hardening angle: W^X-enforcing environments fault on the first write.
004611E1 > B8 CB114600      MOV EAX,PEiD.004611CB            ; base = start of next block - 1
004611E6   B9 15000000      MOV ECX,15                       ; 0x15 = 21 bytes = one decoder block (5+5+4+2+5 opcode bytes)
004611EB   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F     ; decode [004611CC..004611E0] in place with key 7F
004611EF  ^E2 FA            LOOPD SHORT PEiD.004611EB        ; ECX runs 0x15 down to 1; [EAX+0] itself is never touched
004611F1  ^E9 D6FFFFFF      JMP PEiD.004611CC                ; EAX+1: enter the block just decoded
004611F6   0000             ADD BYTE PTR DS:[EAX],AL         ; 00 00 bytes after the unconditional JMP: not on any fall-through path, presumably padding
004611F8   0000             ADD BYTE PTR DS:[EAX],AL
004611FA   0000             ADD BYTE PTR DS:[EAX],AL
004611FC   0000             ADD BYTE PTR DS:[EAX],AL

; Decoder chain, blocks 2..16. Every block is byte-identical apart from the
; two addresses: MOV EAX,(next block - 1) / MOV ECX,15 / XOR [EAX+ECX],7F /
; LOOPD / JMP (next block). The listing shows each block after the previous
; one has already decoded it. Note the JMP always sits at block start + 0x10
; (5+5+4+2 bytes), which is the constant the OllyScript below keys on.
004611CC   B8 B6114600      MOV EAX,PEiD.004611B6            ; decodes [004611B7..004611CB]
004611D1   B9 15000000      MOV ECX,15                       ; 0x15 bytes
004611D6   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F     ; in-place XOR with key 7F
004611DA  ^E2 FA            LOOPD SHORT PEiD.004611D6        ; ECX = 0x15..1
004611DC  ^E9 D6FFFFFF      JMP PEiD.004611B7                ; enter the decoded block

004611B7   B8 A1114600      MOV EAX,PEiD.004611A1            ; decodes [004611A2..004611B6]
004611BC   B9 15000000      MOV ECX,15
004611C1   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
004611C5  ^E2 FA            LOOPD SHORT PEiD.004611C1
004611C7  ^E9 D6FFFFFF      JMP PEiD.004611A2

004611A2   B8 8C114600      MOV EAX,PEiD.0046118C            ; decodes [0046118D..004611A1]
004611A7   B9 15000000      MOV ECX,15
004611AC   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
004611B0  ^E2 FA            LOOPD SHORT PEiD.004611AC
004611B2  ^E9 D6FFFFFF      JMP PEiD.0046118D

0046118D   B8 77114600      MOV EAX,PEiD.00461177            ; decodes [00461178..0046118C]
00461192   B9 15000000      MOV ECX,15
00461197   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
0046119B  ^E2 FA            LOOPD SHORT PEiD.00461197
0046119D  ^E9 D6FFFFFF      JMP PEiD.00461178

00461178   B8 62114600      MOV EAX,PEiD.00461162            ; decodes [00461163..00461177]
0046117D   B9 15000000      MOV ECX,15
00461182   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
00461186  ^E2 FA            LOOPD SHORT PEiD.00461182
00461188  ^E9 D6FFFFFF      JMP PEiD.00461163

00461163   B8 4D114600      MOV EAX,PEiD.0046114D            ; decodes [0046114E..00461162]
00461168   B9 15000000      MOV ECX,15
0046116D   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
00461171  ^E2 FA            LOOPD SHORT PEiD.0046116D
00461173  ^E9 D6FFFFFF      JMP PEiD.0046114E

0046114E   B8 38114600      MOV EAX,PEiD.00461138            ; decodes [00461139..0046114D]
00461153   B9 15000000      MOV ECX,15
00461158   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
0046115C  ^E2 FA            LOOPD SHORT PEiD.00461158
0046115E  ^E9 D6FFFFFF      JMP PEiD.00461139

00461139   B8 23114600      MOV EAX,PEiD.00461123            ; decodes [00461124..00461138]
0046113E   B9 15000000      MOV ECX,15
00461143   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
00461147  ^E2 FA            LOOPD SHORT PEiD.00461143
00461149  ^E9 D6FFFFFF      JMP PEiD.00461124

00461124   B8 0E114600      MOV EAX,PEiD.0046110E            ; decodes [0046110F..00461123]
00461129   B9 15000000      MOV ECX,15
0046112E   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
00461132  ^E2 FA            LOOPD SHORT PEiD.0046112E
00461134  ^E9 D6FFFFFF      JMP PEiD.0046110F

0046110F   B8 F9104600      MOV EAX,PEiD.004610F9            ; decodes [004610FA..0046110E]
00461114   B9 15000000      MOV ECX,15
00461119   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
0046111D  ^E2 FA            LOOPD SHORT PEiD.00461119
0046111F  ^E9 D6FFFFFF      JMP PEiD.004610FA

004610FA   B8 E4104600      MOV EAX,PEiD.004610E4            ; decodes [004610E5..004610F9]
004610FF   B9 15000000      MOV ECX,15
00461104   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
00461108  ^E2 FA            LOOPD SHORT PEiD.00461104
0046110A  ^E9 D6FFFFFF      JMP PEiD.004610E5

004610E5   B8 CF104600      MOV EAX,PEiD.004610CF            ; decodes [004610D0..004610E4]
004610EA   B9 15000000      MOV ECX,15
004610EF   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
004610F3  ^E2 FA            LOOPD SHORT PEiD.004610EF
004610F5  ^E9 D6FFFFFF      JMP PEiD.004610D0

004610D0   B8 BA104600      MOV EAX,PEiD.004610BA            ; decodes [004610BB..004610CF]
004610D5   B9 15000000      MOV ECX,15
004610DA   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
004610DE  ^E2 FA            LOOPD SHORT PEiD.004610DA
004610E0  ^E9 D6FFFFFF      JMP PEiD.004610BB

004610BB   B8 A5104600      MOV EAX,PEiD.004610A5            ; decodes [004610A6..004610BA]
004610C0   B9 15000000      MOV ECX,15
004610C5   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
004610C9  ^E2 FA            LOOPD SHORT PEiD.004610C5
004610CB  ^E9 D6FFFFFF      JMP PEiD.004610A6

004610A6   B8 90104600      MOV EAX,PEiD.00461090            ; decodes [00461091..004610A5] - the final, larger decoder
004610AB   B9 15000000      MOV ECX,15
004610B0   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F
004610B4  ^E2 FA            LOOPD SHORT PEiD.004610B0
004610B6  ^E9 D6FFFFFF      JMP PEiD.00461091

; Final decoder block. Same shape as the others but with a 0x171-byte count,
; so it decodes [00460F20..00461090] - the UPX stub itself - and jumps to its
; first byte. The JMP is still at block start + 0x10, so the same script
; heuristic (distance to the next E9) keeps working here.
00461091   B8 1F0F4600      MOV EAX,PEiD.00460F1F            ; base = UPX stub start - 1
00461096   B9 71010000      MOV ECX,171                      ; 0x171 = 369 bytes
0046109B   803408 7F        XOR BYTE PTR DS:[EAX+ECX],7F     ; decode the stub in place, key 7F
0046109F  ^E2 FA            LOOPD SHORT PEiD.0046109B        ; ECX = 0x171..1
004610A1  ^E9 7AFEFFFF      JMP PEiD.00460F20                ; hand over to the decoded UPX stub


; UPX stub entry (00460F20), reached from the last decoder block. Only the
; first instructions are listed; the body after the JMP SHORT is not shown.
; The PUSHAD here is what the OllyScript below relies on: after it, ESP points
; at the saved register block, and a hardware read breakpoint there fires when
; the stub reads the registers back.
00460F20   60               PUSHAD                           ; save EAX..EDI; ESP -> saved registers
00460F21   BE 00F04300      MOV ESI,PEiD.0043F000            ; presumably the packed-data source - confirm in the rest of the stub
00460F26   8DBE 0020FCFF    LEA EDI,DWORD PTR DS:[ESI+FFFC2000] ; EDI = ESI - 0x3E000 = 00401000 (LEA: no flags touched)
00460F2C   57               PUSH EDI                         ; keep that address on the stack (consumer not visible here)
00460F2D   83CD FF          OR EBP,FFFFFFFF                  ; EBP = -1
00460F30   EB 10            JMP SHORT PEiD.00460F42          ; continue in the stub body (target not listed)
00460F32   90               NOP                              ; filler bytes between the JMP and its target
00460F33   90               NOP
00460F34   90               NOP


Known Unpackers
/* 
EOP finder for upxshit 0.6 (snaker) & UPX 
It also works for a "standalone" UPX packed program 

Author : mimas 
*/ 

// How it works: run with EIP at the packed program's entry point.
// Phase 1 (loop:) walks the UPXShit decoder chain. Every decoder block ends in
// an E9 JMP exactly 0x10 bytes after the block start (5+5+4+2 opcode bytes),
// so "next E9 is at EIP+0x10" means "still inside the chain". Letting the
// debuggee run to that JMP executes the block's XOR loop, which decodes the
// following block; stepping over the JMP lands on it.
// Phase 2 (stub:) is the usual UPX OEP trick: execute the stub's PUSHAD and set
// a hardware read breakpoint on the saved registers; it fires when the stub
// reads them back (its POPAD, presumably), which is just before the jump to the OEP.
// x: scratch variable - first the distance to the next E9, then the watched ESP.
var x 

loop: 
findop eip, #E9??# // find jump to next loop 
mov x, $RESULT 
sub x, eip // x = distance from EIP to the next E9 opcode
cmp x, 10 // (@jmp - eip) use to be 10, 
// we can handle different loop size this way 
// NOTE(review): constants are hex, so this compares against 0x10. "ja" only
// leaves the loop when the E9 is MORE than 0x10 bytes away; a stray E9 byte
// closer than that (e.g. inside an immediate in the stub's first 16 bytes)
// would be mistaken for one more decoder block - a "jne stub" would be the
// stricter check if the chain is known to use a fixed block size.
ja stub // past the decoder chain: we are at the UPX stub
go $RESULT // run to the block's JMP; the XOR loop executes on the way
sto // step over the JMP into the block it just decoded
jmp loop 

stub: 
// the terrific UPX OEP finder 
eob end // when the hardware breakpoint below fires, continue at end:
sto // execute the stub's PUSHAD
mov x, esp // ESP now points at the saved register block
bphws x, "r" // hardware breakpoint: break on a read of that stack slot
run 

end: 
bphwc x // remove the hardware breakpoint
sto // one more step; EIP is left at the tail of the stub, next to the OEP jump
ret
