Flag: Tornado! Hurricane!

OpenRCE Packer Database >> UPXScramb v2.1

Packer Name Packer Author Classification Analysis By Last Updated
UPXScramb v2.1 Vjacheslav Patkov UPX Modifier saphex January 27 2008
Allocation Anti-Debug Anti-Disassembly Section Name Sample
PE Header no no [configurable, default = pe section names] N/A
Notes
The upx version used to perform the analysis on this modifier, was upx v3.01.
This scrambler has options that may change the analysis. I choose to use the following options:
- Clear signature and section names
- Clear 5 bytes before signature

The option, crypt jump to original entry point, wasn't used because it screws up the import address table. The source code for this scrambler is freely available at Vjacheslav Patkov home page.

Transfer Command
00000000 61                popad
00000001 8D 44 24 ??       lea     eax, [esp+value]
00000004 6A 00             push    0
00000006 39 C4             cmp     esp, eax
00000005 75 FA             jnz     short 00000004
00000007 83 EC 80          sub     esp, 0FFFFFF80h
0000000A E9 ?? ?? ?? ??    jmp     value
Entry Point Signature
00000000 60                 pushad
00000001 BE ?? ?? ?? ??     mov     esi, offset value
00000005 8D BE ?? ?? ?? ??  lea     edi, [esi-value]
0000000B 57                 push    edi
0000000C EB ??              jmp     short value
0000000E 90                 nop
0000000F 8A 06              mov     al, [esi]
00000011 46                 inc     esi
00000012 88 07              mov     [edi], al
00000014 47                 inc     edi
Known Unpackers
A easy way to uncompress using OllyDbg.

At entry point, add a breakpoint in the pushad instruction and
run the application. After it breaks, follow the ESP register
value in dump, add a hardware breakpoint with 4 bytes length
in the first bytes. Then run the application again. When it
breaks, the EIP will be at the transfer command.

There are 30,780 total registered users.


Recently Created Topics
How to decompile a f...
Sep/16
How to trap mouse cl...
Sep/03
Intel pin in loaded ...
Jun/27
Going to do today wi...
Jun/27
how to create delphi...
Jun/27
enabling menu in a s...
Jun/18
How to get the Image...
Jun/17
OllyDBG Process Term...
Apr/28
Reversing opcode
Apr/24
Question about debbu...
Apr/16


Recent Forum Posts
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack
looking for a softwa...
raxen
Documenting reversed...
raxen
.orpc section what's...
mbin
Pydbg load() issue
phreak


Recent Blog Entries
oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

oleavr
Apr/17
frida.re 1.2.0 is out, with...

gareebnavas
Jan/21
Android Malware Analysis

oleavr
Dec/21
frida.github.io: scriptable...

More ...


Recent Blog Comments
pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

newlulu on:
Jun/10
Branch tracing and LBR acce...

newlulu on:
Jun/10
Advanced debugging techniques

newlulu on:
Jun/10
2 anti-trace mechanisms spe...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit