Flag: Tornado! Hurricane!

OpenRCE Packer Database >> UPXScramb v2.1

Packer Name Packer Author Classification Analysis By Last Updated
UPXScramb v2.1 Vjacheslav Patkov UPX Modifier saphex January 27 2008
Allocation Anti-Debug Anti-Disassembly Section Name Sample
PE Header no no [configurable, default = pe section names] N/A
Notes
The upx version used to perform the analysis on this modifier, was upx v3.01.
This scrambler has options that may change the analysis. I choose to use the following options:
- Clear signature and section names
- Clear 5 bytes before signature

The option, crypt jump to original entry point, wasn't used because it screws up the import address table. The source code for this scrambler is freely available at Vjacheslav Patkov home page.

Transfer Command
00000000 61                popad
00000001 8D 44 24 ??       lea     eax, [esp+value]
00000004 6A 00             push    0
00000006 39 C4             cmp     esp, eax
00000005 75 FA             jnz     short 00000004
00000007 83 EC 80          sub     esp, 0FFFFFF80h
0000000A E9 ?? ?? ?? ??    jmp     value
Entry Point Signature
00000000 60                 pushad
00000001 BE ?? ?? ?? ??     mov     esi, offset value
00000005 8D BE ?? ?? ?? ??  lea     edi, [esi-value]
0000000B 57                 push    edi
0000000C EB ??              jmp     short value
0000000E 90                 nop
0000000F 8A 06              mov     al, [esi]
00000011 46                 inc     esi
00000012 88 07              mov     [edi], al
00000014 47                 inc     edi
Known Unpackers
A easy way to uncompress using OllyDbg.

At entry point, add a breakpoint in the pushad instruction and
run the application. After it breaks, follow the ESP register
value in dump, add a hardware breakpoint with 4 bytes length
in the first bytes. Then run the application again. When it
breaks, the EIP will be at the transfer command.

There are 30,635 total registered users.


Recently Created Topics
Keep you Slim Easily
Apr/19
Your Best Slim &...
Apr/19
Amazing Your Lucky Skin
Apr/18
Your Skin Very Soft...
Apr/17
Question about debbu...
Apr/16
IDA PRO Struct Point...
Apr/15
problems with pseudo...
Apr/04
Problem with ollydbg
Mar/22
Should binaries be n...
Mar/22
Ida pro on infineon ...
Mar/10


Recent Forum Posts
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack
looking for a softwa...
raxen
Documenting reversed...
raxen
.orpc section what's...
mbin
Pydbg load() issue
phreak
Pydbg load() issue
netw0rm
How would you interp...
mbin
Pydbg load() issue
phreak


Recent Blog Entries
loisjoneis
Apr/19
Detox Max Review - amazing ...

martanhawkings
Apr/19
iPhone 4S- Purchase Apple’s...

elenablacik
Apr/18
Cleanse Pure Premium Supple...

hermesfrsac
Apr/17
Il convient que vous devrie...

oleavr
Apr/17
frida.re 1.2.0 is out, with...

More ...


Recent Blog Comments
pedram on:
Dec/21
frida.github.io: scriptable...

cin100dy on:
Dec/16
Devil May Cry Cosplay Costu...

NeOXQuiCk on:
Nov/26
DONGLE

maharlee on:
Nov/21
Cheap Nike Shoes NZ,Nike Sh...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit