Thread: Unusual UPX activity

  1. #1
    SiGiNT (reknihT esreveR) | Join Date: Sep 2004 | Location: Wherever I am | Posts: 750

    Unusual UPX activity

    I've encountered a file that seems to have an unusual version of UPX. I've never had problems unpacking UPX with commonly available tools - this one exhibits a Dillo-like property - it creates a child process in Documents and Settings labeled TCLXX.TMP where XX = a number in multiples of 5; the child appears to contain the IAT - one utility reports unpacking it successfully but it will not run - complaining it can't create TCL.SETUP - Access Denied. RDG reports UPX .86 - 1.24; is this unusual and I've just never noticed it before? Or is this a new strain?

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  2. #2
    Polaris (Master Of Nebulah Frost) | Join Date: Jun 2002 | Location: Invincible Cyclones Of FrostWinds | Posts: 221
    Is the file available somewhere?
    Stand In The Fog With So Cold A Heart... Watching The Death Of The Sun...

  3. #3
    SiGiNT (reknihT esreveR) | Join Date: Sep 2004 | Location: Wherever I am | Posts: 750
    Polaris,

    Check your PM.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  4. #4
    Polaris (Master Of Nebulah Frost) | Join Date: Jun 2002 | Location: Invincible Cyclones Of FrostWinds | Posts: 221
    Maybe I am missing something, but:

    Ultimate Packer for eXecutables
    Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004
    UPX 1.25w Markus F.X.J. Oberhumer & Laszlo Molnar Jun 29th 2004

    File size                  Ratio    Format       Name
    --------------------       ------   -----------  -----------
    2270615 <- 1198487         52.78%   win32/pe     *******.exe

    Unpacked 1 file.
    and the resulting file is just a plain VC++ 6 executable:

    .text:0040C1F0 ; int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)
    .text:0040C1F0 __stdcall WinMain(x, x, x, x) proc near ; CODE XREF: start+12Fp
    .text:0040C1F0
    .text:0040C1F0 hInstance = dword ptr 4
    .text:0040C1F0 hPrevInstance = dword ptr 8
    .text:0040C1F0 lpCmdLine = dword ptr 0Ch
    .text:0040C1F0 nShowCmd = dword ptr 10h
    .text:0040C1F0
    .text:0040C1F0 sub esp, 120h
    .text:0040C1F6 push ebx
    .text:0040C1F7 push ebp
    .text:0040C1F8 push esi
    .text:0040C1F9 push edi
    .text:0040C1FA push offset unk_40C3F0
    .text:0040C1FF call loc_450810
    .text:0040C1FF
    .text:0040C204 push offset unk_56A6B8
    .text:0040C209 push 0
    .text:0040C20B mov dword_56A6B4, 1
    .text:0040C215 call ds:setlocale
    .text:0040C215
    .text:0040C21B add esp, 0Ch
    .text:0040C21E call ds:GetCommandLineA
    .text:0040C21E
    .text:0040C224 mov ebx, eax
    .text:0040C226 mov ebp, 2
    Are you sure you sent me the correct link?
    Stand In The Fog With So Cold A Heart... Watching The Death Of The Sun...

  5. #5
    SiGiNT (reknihT esreveR) | Join Date: Sep 2004 | Location: Wherever I am | Posts: 750
    Polaris,

    I admit I'm a total idiot when it comes to unpacking UPX - I've never encountered one that a few utilities I have couldn't handle - what did you use to unpack this? It appears that it was done with a utility. What really puzzled me is that 3/4 of the time PE Explorer has no problem - with this one, using PE Explorer came close to locking up 2 different computers - even after closing everything, with no visible unusual processes running, I had a cyclic usage of the CPU that forced me to reboot.

    SiGiNT

    Chalk it up to a BRAIN FART (and a loud one!!), I downloaded upx and geewiz - it's unpacked!

    Thinking about changing my sig to "Sometimes it's so fucking simple you waste a lot of time finding out"
    Last edited by SiGiNT; December 14th, 2005 at 16:34.
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  6. #6
    Polaris (Master Of Nebulah Frost) | Join Date: Jun 2002 | Location: Invincible Cyclones Of FrostWinds | Posts: 221
    Don't worry, you have now learned that UPX can be used to unpack as well.... Also, imho, you should stop using PEXplorer and start some manual unpacking using OllyDbg... This way you will actually learn how UPX packing works.

    Keep it up!
    Stand In The Fog With So Cold A Heart... Watching The Death Of The Sun...

  7. #7
    SiGiNT (reknihT esreveR) | Join Date: Sep 2004 | Location: Wherever I am | Posts: 750
    I'm a fair reverser - when the target is not packed, but I hate unpacking stuff manually, (yeah I know comes with the territory), it's kinda like opening the child-proof lid to get to the Viagra.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  8. #8
    Hmm... "Dillo like property"? It might not have been completely unpacked yet. I've seen a few apps that were first packed with a drop-and-run scheme as you described (the decompressor is written in VC++ 6 and seems to nearly always use flate compression) and then further packed with UPX.

    I've unpacked many UPXs manually... and never do they drop-and-run. The decompression is always performed in memory. There is probably another layer of compression.
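    An added example, not code from the thread, of the check the layered-packing point above implies: walk a PE's section table, flag the UPX section names, and measure per-section entropy so that a section that still looks compressed after `upx -d` stands out as a candidate inner layer such as the drop-and-run scheme described. The minimal PE builder, the byte samples and the 7.0-bit threshold are constructed assumptions for the demo.

```python
import math
import struct

# Section names the UPX stub leaves in the PE it produces (first-pass check only).
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed/encrypted data sits near 8.0, code and text well below."""
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def pe_sections(image: bytes):
    """Walk the section table of a PE image; return [(name, raw_bytes), ...]."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # 4-byte signature + 20-byte COFF header
    hdrs = [struct.unpack_from("<8sIIII", image, table + 40 * i) for i in range(nsec)]
    return [(n.rstrip(b"\0"), image[p:p + s] if s else b"") for n, _, _, s, p in hdrs]

def classify(image: bytes, threshold: float = 7.0) -> dict:
    """upx_stub: UPX section names present; high_entropy: sections that still look compressed."""
    secs = pe_sections(image)
    return {
        "upx_stub": bool({n for n, _ in secs} & UPX_SECTIONS),
        "high_entropy": [n.decode() for n, d in secs if len(d) >= 256 and shannon_entropy(d) >= threshold],
    }

def build_pe(sections) -> bytes:
    """Constructed test input: a minimal PE32 image with the given (name, raw_bytes) sections."""
    e_lfanew, opt_size = 0x40, 224
    raw_ptr = e_lfanew + 24 + opt_size + 40 * len(sections)  # raw data follows the headers
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIII", name, len(data), 0x1000, len(data), raw_ptr if data else 0) + b"\0" * 16
        body, raw_ptr = body + data, raw_ptr + len(data)
    return dos + coff + b"\0" * opt_size + table + body

# Constructed samples: uniform bytes stand in for a compressed blob, NOPs for plain code.
COMPRESSED, PLAIN = bytes(range(256)) * 4, b"\x90" * 1024
UPX_PACKED = build_pe([(b"UPX0", b""), (b"UPX1", COMPRESSED), (b".rsrc", PLAIN)])
AFTER_UPX_D = build_pe([(b".text", PLAIN), (b".data", COMPRESSED)])  # inner layer still present
```

    The second sample is the situation post #8 describes: no UPX stub left, yet a section that is still near 8 bits per byte, which is the cue to look for another decompressor rather than assume the unpack is finished.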

  9. #9
    SiGiNT (reknihT esreveR) | Join Date: Sep 2004 | Location: Wherever I am | Posts: 750
    This was a little Mickey Mouse puzzle-generating prog. The "child processes" seem to be different puzzle templates - it has many running at the same time - the author was very clever writing this one; when you enter a serial it won't break on a common API, or any that I've found - the only way I've found to break on the serial routine is to bring up the reg screen - which puts it in an endless loop - and animate over, then quickly pause Olly when it hesitates. The serial is 4 groups of 3 numbers; they have to be fished out one group at a time. In short, a reg. routine written by a puzzle maker.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!
