Flag: Tornado! Hurricane!


Packer Name Packer Author Classification Analysis By Last Updated
UPX Crypt archphase (NWC) UPX Modifier quig May 1 2005
Allocation Anti-Debug Anti-Disassembly Section Name Sample
PE Header (UPX) yes yes .nwc (default) N/A
Notes
modified upx packed exe

adds new section with variable section name to exe for decode stub

uses a variable passkey for encryption

offsets align with sample

Transfer Command
jmp esi
Entry Point Signature
00407000 > BF 30544000      MOV EDI,in.00405430       ;this block is entire decode loop
00407005   81FF D0554000    CMP EDI,in.004055D0
0040700B   74 10            JE SHORT in.0040701D
0040700D   812F 0B000000    SUB DWORD PTR DS:[EDI],0B
00407013   83C7 04          ADD EDI,4
00407016   BB 05704000      MOV EBX,in.00407005
0040701B   FFE3             JMP EBX
0040701D   BE 30544000      MOV ESI,in.00405430
00407022  -FFE6             JMP ESI                   ;esi=405430  end of decode loop                         

00405430   ? 60             PUSHAD               ;start of regular upx stub
00405431   ? BE 00504000    MOV ESI,in.00405000
00405436   . 8DBE 00C0FFFF  LEA EDI,DWORD PTR DS:[ESI+FFFFC000]
0040543C   . 57             PUSH EDI
0040543D   . 83CD FF        OR EBP,FFFFFFFF
00405440   . EB 10          JMP SHORT in.00405452
00405442     90             NOP
00405443     90             NOP
00405444     90             NOP
00405445     90             NOP
00405446     90             NOP
00405447     90             NOP
Known Unpackers

There are 30,781 total registered users.


Recently Created Topics
How can I write olly...
Oct/05
Career: Malware Reve...
Sep/30
How to produce separ...
Sep/20
How to decompile a f...
Sep/16
How to trap mouse cl...
Sep/03
Intel pin in loaded ...
Jun/27
Going to do today wi...
Jun/27
how to create delphi...
Jun/27
enabling menu in a s...
Jun/18
How to get the Image...
Jun/17


Recent Forum Posts
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack
looking for a softwa...
raxen
Documenting reversed...
raxen
.orpc section what's...
mbin


Recent Blog Entries
hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

oleavr
Apr/17
frida.re 1.2.0 is out, with...

gareebnavas
Jan/21
Android Malware Analysis

More ...


Recent Blog Comments
pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

newlulu on:
Jun/10
Branch tracing and LBR acce...

newlulu on:
Jun/10
Advanced debugging techniques

newlulu on:
Jun/10
2 anti-trace mechanisms spe...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit