Flag: Tornado!
Hurricane!
|
|
| UPX |
Markus & Laszlo |
Compressor |
quig |
July 17 2005 |
|
| PE Header (UPX 0) |
no |
no |
UPX0, UPX1 |
N/A
|
|
IAT built at runtime Dlls loaded by loader one api entry per dll left
|
|
61 POPAD
E9 [4Bytes] JMP [offset] |
|
|
60 PUSHAD
BE [4 Bytes] MOV ESI[Value]
8DBE [4 bytes] LEA EDI, DWORD PTR DS:[ESI+Value]
57 PUSH EDI
83CD FF OR EBP, FFFFFFFF
EB 10 JMP SHORT [Relative Jump]
90 NOP
90 NOP
90 NOP
90 NOP
90 NOP
90 NOP |
|
|
http://www.mycgiserver.com/~bratalarm/ - Good generic unpacker
------------------------------------------------------
//OllyScript Oep finder by shag
// The amazing UPX OEP finder v2
// This script will quickly put you at the OEP of an UPX-packed EXE.
// Just run it!
// Implemented using hardware breakpoints (just for fun).
eob Break
findop eip, #61#
bphws $RESULT, "x"
run
Break:
sto
sto
bphwc $RESULT
ret
|
|
|
|
|
There are 28,220 total registered users.
|
|
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}