Flag: Tornado! Hurricane!

OpenRCE Packer Database >> UPXScramb v2.1

Packer Name Packer Author Classification Analysis By Last Updated
UPXScramb v2.1 Vjacheslav Patkov UPX Modifier saphex January 27 2008
Allocation Anti-Debug Anti-Disassembly Section Name Sample
PE Header no no [configurable, default = pe section names] N/A
Notes
The upx version used to perform the analysis on this modifier, was upx v3.01.
This scrambler has options that may change the analysis. I choose to use the following options:
- Clear signature and section names
- Clear 5 bytes before signature

The option, crypt jump to original entry point, wasn't used because it screws up the import address table. The source code for this scrambler is freely available at Vjacheslav Patkov home page.

Transfer Command
00000000 61                popad
00000001 8D 44 24 ??       lea     eax, [esp+value]
00000004 6A 00             push    0
00000006 39 C4             cmp     esp, eax
00000005 75 FA             jnz     short 00000004
00000007 83 EC 80          sub     esp, 0FFFFFF80h
0000000A E9 ?? ?? ?? ??    jmp     value
Entry Point Signature
00000000 60                 pushad
00000001 BE ?? ?? ?? ??     mov     esi, offset value
00000005 8D BE ?? ?? ?? ??  lea     edi, [esi-value]
0000000B 57                 push    edi
0000000C EB ??              jmp     short value
0000000E 90                 nop
0000000F 8A 06              mov     al, [esi]
00000011 46                 inc     esi
00000012 88 07              mov     [edi], al
00000014 47                 inc     edi
Known Unpackers
A easy way to uncompress using OllyDbg.

At entry point, add a breakpoint in the pushad instruction and
run the application. After it breaks, follow the ESP register
value in dump, add a hardware breakpoint with 4 bytes length
in the first bytes. Then run the application again. When it
breaks, the EIP will be at the transfer command.

There are 31,310 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit