Unusual UPX activity

[SiGiNT]

I've encountered a file that seems to have an unusual version of UPX, I've never had problems unpacking UPX with commonly available tools - this one exhibits a Dillo like property - it creates a child process in Documents and Settings labeled TCLXX.TMP where XX = a number in multiples of 5, the child appears to contain the IAT - one utility reports unpacking it successfully but it will not run - complaining it can't create TCL.SETUP - Acess Denied. RDG reports UPX .86 -1.24 is this unusual and I've just never noticed it before? Or is this a new strain?

SiGiNT

[Polaris]

Is the file available somewhere?

[SiGiNT]

Polaris,

Check your PM.

SiGiNT

[Polaris]

Maybe I am missing something, but:

Ultimate Packer for eXecutables
Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004
UPX 1.25w Markus F.X.J. Oberhumer & Laszlo Molnar Jun 29th 2004

File size Ratio Format Name
-------------------- ------ ----------- -----------
2270615 <- 1198487 52.78% win32/pe *******.exe

Unpacked 1 file.

and the resulting file is just a plain VC++ 6 executable:

.text:0040C1F0 ; int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)
.text:0040C1F0 __stdcall WinMain(x, x, x, x) proc near ; CODE XREF: start+12Fp
.text:0040C1F0
.text:0040C1F0 hInstance = dword ptr 4
.text:0040C1F0 hPrevInstance = dword ptr 8
.text:0040C1F0 lpCmdLine = dword ptr 0Ch
.text:0040C1F0 nShowCmd = dword ptr 10h
.text:0040C1F0
.text:0040C1F0 sub esp, 120h
.text:0040C1F6 push ebx
.text:0040C1F7 push ebp
.text:0040C1F8 push esi
.text:0040C1F9 push edi
.text:0040C1FA push offset unk_40C3F0
.text:0040C1FF call loc_450810
.text:0040C1FF
.text:0040C204 push offset unk_56A6B8
.text:0040C209 push 0
.text:0040C20B mov dword_56A6B4, 1
.text:0040C215 call ds:setlocale
.text:0040C215
.text:0040C21B add esp, 0Ch
.text:0040C21E call ds:GetCommandLineA
.text:0040C21E
.text:0040C224 mov ebx, eax
.text:0040C226 mov ebp, 2

Are you sure you sent me the correct link?

[SiGiNT]

Polaris,

I admit I'm a total idiot when it comes to unpacking UPX - I've never encountered one that a few utilities I have couldn't handle - what did you use to unpack this - it appears that it was done with a utility. What really puzzled me is 3/4 of the time PE Explorer has no problem - with this one using PE Explorer came close to locking up 2 different computers - even after closing everything and no visible unusual processes running I had a cyclic usage of the cpu that forced me to re-boot.

SiGiNT

Chalk it up to a BRAIN FART (and a loud one!!), I downloaded upx and geewiz - it's unpacked!

Thinking about changing my sig to "Sometimes it's so fucking simple you waste a lot of time finding out"

[Polaris]

Don't worry, you now learned that UPX can be used to unpack also.... Also, imho, you should stop using the PEXplorer and start some manual unpacking using ollydebugger... This way you will learn actually how UPX packing works.

Keep it up!

[SiGiNT]

I'm a fair reverser - when the target is not packed, but I hate unpacking stuff manually, (yeah I know comes with the territory), it's kinda like opening the child-proof lid to get to the Viagra.

SiGiNT

[LLXX]

Hmm... "Dillo like property"? It might not have been completely unpacked yet. I've seen a few apps that were first packed with a drop-and-run scheme as you described (the decompressor is written in VC++ 6 and seems to nearly always use flate compression) and then further packed with UPX.

I've unpacked many UPXs manually... and never do they drop-and-run. The decompression is always performed in memory. There is probably another layer of compression.

[SiGiNT]

This was a little Mickey Mouse puzzle generating prog. the "child processes" seem to be different puzzle templates - it has many running at the same time - the author was very clever writing this one, when you enter a serial it won't break on an common API, or any that I've found - the only way I've found to break on the serial routine is to bring up the reg screen - which puts it in an endless loop, and animate over, then quickly pause olly when it hesitates. serial is 4 groups of 3 numbers they have to be fished out one group at a time. - In short a reg. routine written by a puzzle maker.

SiGiNT