Flag: Tornado!
Hurricane!
|
|
| UPXScramb v2.1 |
Vjacheslav Patkov |
UPX Modifier |
saphex |
January 27 2008 |
|
| PE Header |
no |
no |
[configurable, default = pe section names] |
N/A
|
|
The upx version used to perform the analysis on this modifier, was upx v3.01.
This scrambler has options that may change the analysis. I choose to use the following options:
- Clear signature and section names
- Clear 5 bytes before signature
The option, crypt jump to original entry point, wasn't used because it screws up the import address table. The source code for this scrambler is freely available at Vjacheslav Patkov home page.
|
|
00000000 61 popad
00000001 8D 44 24 ?? lea eax, [esp+value]
00000004 6A 00 push 0
00000006 39 C4 cmp esp, eax
00000005 75 FA jnz short 00000004
00000007 83 EC 80 sub esp, 0FFFFFF80h
0000000A E9 ?? ?? ?? ?? jmp value |
|
|
00000000 60 pushad
00000001 BE ?? ?? ?? ?? mov esi, offset value
00000005 8D BE ?? ?? ?? ?? lea edi, [esi-value]
0000000B 57 push edi
0000000C EB ?? jmp short value
0000000E 90 nop
0000000F 8A 06 mov al, [esi]
00000011 46 inc esi
00000012 88 07 mov [edi], al
00000014 47 inc edi |
|
|
A easy way to uncompress using OllyDbg.
At entry point, add a breakpoint in the pushad instruction and
run the application. After it breaks, follow the ESP register
value in dump, add a hardware breakpoint with 4 bytes length
in the first bytes. Then run the application again. When it
breaks, the EIP will be at the transfer command. |
|
|
|
|
There are 21,677 total registered users.
|
|
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}