Flag: Tornado! Hurricane!

OpenRCE Packer Database >> UpxCrypter_II*

Packer Name Packer Author Classification Analysis By Last Updated
UpxCrypter_II* unknown UPX Modifier quig May 1 2005
Allocation Anti-Debug Anti-Disassembly Section Name Sample
PE Header (UPX 0) yes yes UPX0, UPX1, UPX2 N/A
Notes
Exception handler struc is

struc {
long prevrecord
long current handler
}

This packer calls a function, which puts the fx return adderss on teh stack.
THen it pushs the old exception handler on teh stack,
then sets the current exception handler to the stack pointer...since the stack
now contains 2 consectuive valid addresses...it is the equiv of a exec handler
struc being built on the stack.

THen the packer deliberatly throws an err transfering execution to the initial
calls return address.

THen it does a small opcode trick to try to further throw off disassembly before
doing the decode loop and transferring execution to the original UPX stub.

0012FFC0 0012FFE0 Pointer to next SEH record
0012FFC4 31009206 SE handler

SAMPLE IS ONLY FOR CRYPTER STUB

offsets line up, however sample used to be a virus. the viral body has been overwritten so only the crypter stub remains. Will crash mid way through upx decompression routines after crypter.

Transfer Command
PUSH EAX  
...
RETN
Entry Point Signature
31009200 > 5B               POP EBX                         ; KERNEL32.7C581AF6
31009201   E8 59000000      CALL 3100925F                   ; call puts fx ret address on stack (31009206)
31009206   8B6424 08        MOV ESP,DWORD PTR SS:[ESP+8]

3100925F   2BC0             SUB EAX,EAX                  ;eax=0                                ___
31009261   64:FF30          PUSH DWORD PTR FS:[EAX]      ;store old exception handler on stack    |_SEE NOTE
31009264   64:8920          MOV DWORD PTR FS:[EAX],ESP   ;reset except handler struc to stack  ___| 
31009267   B8 78563412      MOV EAX,12345678
3100926C   8703             XCHG DWORD PTR DS:[EBX],EAX  ;raise exception

31009206   8B6424 08        MOV ESP,DWORD PTR SS:[ESP+8]           ;execution resumes here
3100920A   B8 EB040000      MOV EAX,4EB                            ;harmless junk inst with real code inside
3100920F  ^EB FA            JMP SHORT 3100920B                     ;3100920B = EB 04 jmp 31009211  
31009211   64:67:A1 1800    MOV EAX,DWORD PTR FS:[18]              ; 
31009216   8B40 30          MOV EAX,DWORD PTR DS:[EAX+30]          ; |- Debugger detection from PEB
31009219   0FB640 02        MOVZX EAX,BYTE PTR DS:[EAX+2]          ;/
3100921D   83F8 00          CMP EAX,0
31009220   75 3C            JNZ SHORT 3100925E                      ;Jmp if DebuggerDetected   
31009222   E8 00000000      CALL 31009227                           ;call opcode Decoder        
31009227   5D               POP EBP                                 ;remove return addr on stack ebp=eip
31009228   81ED 20234000    SUB EBP,402320                          
3100922E   8B85 67234000    MOV EAX,DWORD PTR SS:[EBP+402367]
31009234   0385 6F234000    ADD EAX,DWORD PTR SS:[EBP+40236F]
3100923A   8BF0             MOV ESI,EAX
3100923C   8B85 6B234000    MOV EAX,DWORD PTR SS:[EBP+40236B]
31009242   0385 6F234000    ADD EAX,DWORD PTR SS:[EBP+40236F]
31009248   50               PUSH EAX                                ;OEP for real UPX Stub (still to be decoded)
31009249   8BFE             MOV EDI,ESI
3100924B   33C9             XOR ECX,ECX                             ;ecx=length counter
3100924D   AC               LODS BYTE PTR DS:[ESI]                  ;
3100924E   3285 77234000    XOR AL,BYTE PTR SS:[EBP+402377]         ; |-Decode loop
31009254   AA               STOS BYTE PTR ES:[EDI]                  ;/
31009255   41               INC ECX
31009256   3B8D 73234000    CMP ECX,DWORD PTR SS:[EBP+402373]
3100925C  ^7C EF            JL SHORT 3100924D                        ;More to decode jump back up                    
3100925E   C3               RETN                                     ;if decoder ran then rets to OEP of upx stub
                                                                     ;else goes to junk block
 
31008220   . 60             PUSHAD                                   ;now we are at regular UPX stub
31008221   . BE 00600031    MOV ESI,31006000
31008226   . 8DBE 00B0FFFF  LEA EDI,DWORD PTR DS:[ESI+FFFFB000]
3100822C   . 57             PUSH EDI
3100822D   . 83CD FF        OR EBP,FFFFFFFF
31008230   . EB 10          JMP SHORT 31008242                       ;  31008242
31008232     90             NOP
31008233     90             NOP
31008234     90             NOP
31008235     90             NOP
31008236     90             NOP
31008237     90             NOP
Known Unpackers

There are 30,781 total registered users.


Recently Created Topics
How can I write olly...
Oct/05
Career: Malware Reve...
Sep/30
How to produce separ...
Sep/20
How to decompile a f...
Sep/16
How to trap mouse cl...
Sep/03
Intel pin in loaded ...
Jun/27
Going to do today wi...
Jun/27
how to create delphi...
Jun/27
enabling menu in a s...
Jun/18
How to get the Image...
Jun/17


Recent Forum Posts
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack
looking for a softwa...
raxen
Documenting reversed...
raxen
.orpc section what's...
mbin


Recent Blog Entries
oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

oleavr
Apr/17
frida.re 1.2.0 is out, with...

More ...


Recent Blog Comments
pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

newlulu on:
Jun/10
Branch tracing and LBR acce...

newlulu on:
Jun/10
Advanced debugging techniques

newlulu on:
Jun/10
2 anti-trace mechanisms spe...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit