Reverse Engineering Team Board, File Unpacking forum
Thread: PID says UPX but problems happen.

Post #1, aiwnjoo (Member, Join Date: Oct 2008), 02-27-2012, 05:19 PM

Hi,

Protection ID says it is packed with UPX (latest), so I unpacked it, but then the file does not run, so I presume something else is at work here. It would be good if you could provide any information on this.

Thanks,

Attached file: AEHook.zip (20.2 KB)
Post #2, Git (Super Moderator, Torino, Join Date: Oct 2007), 02-27-2012, 06:16 PM

PE Explorer unpacks several flavors of UPX.

Git
Post #3, kao (Senior Member, Join Date: Sep 2007), 02-27-2012, 06:36 PM

There's additional protection for the juiciest part of the code. Small virtual machine - VMProtect, if I'm not mistaken.
See here:
Code:
UPX0:00401800  push    ebp
UPX0:00401801  mov     ebp, esp
UPX0:00401803  and     esp, 0FFFFFFF8h
UPX0:00401806  push    ecx
UPX0:00401807  push    ebx
UPX0:00401808  push    esi
UPX0:00401809  push    edi
UPX0:0040180A  jmp     loc_40B517  ; --> oops. nasty code follows! :)
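The listing above shows the tell-tale shape: the function saves registers and aligns the stack, then immediately jumps far away (to loc_40B517, roughly 40 KB further into the section) without ever executing a real body. Unpacking UPX leaves such stubs intact, which is why the dump still does not run. The script below is an added example, not code from the thread or from any of the tools named in it. It re-encodes the quoted function as raw bytes (an assumption: the standard encodings of those mnemonics, which line up with the addresses in the listing), places a constructed ordinary function next to it for contrast, and scans the buffer for every `push ebp; mov ebp, esp` prologue, flagging those that end in an unconditional `jmp` before any body instruction. The tiny decoder only understands prologue-style instructions; anything else is treated as function body.

```python
"""Flag functions in a UPX-unpacked image whose prologue ends in a jump away.

Added example, not code from the thread. Sample bytes are constructed: the
first function re-encodes the one quoted at UPX0:00401800 (assumption: the
usual encodings for those mnemonics), the second is an ordinary function
added for contrast.
"""
import struct

# Instructions that may legitimately appear before a function's real body.
PROLOGUE_MNEMONICS = {"push", "mov ebp,esp", "and esp,imm", "sub esp,imm", "nop"}


def decode(code, off):
    """Decode one instruction at code[off:] -> (mnemonic, length, operand) or None.

    Deliberately minimal: only prologue/stub instructions are recognised, so a
    None result means 'real function body starts here' (or an undecodable byte).
    """
    rest = code[off:]
    if not rest:
        return None
    b = rest[0]
    if 0x50 <= b <= 0x57:
        return ("push", 1, None)
    if 0x58 <= b <= 0x5F:
        return ("pop", 1, None)
    if b == 0x90:
        return ("nop", 1, None)
    if b == 0xC3:
        return ("ret", 1, None)
    if len(rest) >= 2 and b == 0x8B and rest[1] == 0xEC:
        return ("mov ebp,esp", 2, None)
    if len(rest) >= 3 and b == 0x83 and rest[1] in (0xE4, 0xEC):
        name = "and esp,imm" if rest[1] == 0xE4 else "sub esp,imm"
        return (name, 3, rest[2])
    if len(rest) >= 6 and b == 0x81 and rest[1] == 0xEC:
        return ("sub esp,imm", 6, struct.unpack_from("<I", rest, 2)[0])
    if len(rest) >= 5 and b == 0xE9:          # jmp rel32
        return ("jmp", 5, struct.unpack_from("<i", rest, 1)[0])
    if len(rest) >= 2 and b == 0xEB:          # jmp rel8
        return ("jmp", 2, struct.unpack_from("<b", rest, 1)[0])
    return None


def classify(code, off, va):
    """Walk the prologue at code[off:] (virtual address va).

    Returns a dict with verdict 'vm_entry_stub' when the prologue runs straight
    into an unconditional jmp, 'normal' when a body instruction or ret/pop comes
    first, and 'not-a-prologue' when the first byte is not understood at all.
    """
    pos, n_prologue = off, 0
    while True:
        ins = decode(code, pos)
        if ins is None:
            verdict = "normal" if n_prologue else "not-a-prologue"
            return {"va": va, "verdict": verdict,
                    "prologue_insns": n_prologue, "jmp_target": None}
        mnem, length, operand = ins
        if mnem == "jmp":
            # rel32/rel8 is relative to the end of the jmp instruction itself.
            target = va + (pos - off) + length + operand
            return {"va": va, "verdict": "vm_entry_stub",
                    "prologue_insns": n_prologue, "jmp_target": target}
        if mnem not in PROLOGUE_MNEMONICS:     # pop/ret before any jmp: ordinary code
            return {"va": va, "verdict": "normal",
                    "prologue_insns": n_prologue, "jmp_target": None}
        n_prologue += 1
        pos += length


def scan(code, base_va):
    """Classify the function at every 'push ebp; mov ebp, esp' found in the buffer."""
    sig = b"\x55\x8b\xec"
    results = []
    off = code.find(sig)
    while off != -1:
        results.append(classify(code, off, base_va + off))
        off = code.find(sig, off + 1)
    return results


# Constructed sample: the quoted function at 0x401800, one padding byte, then an
# ordinary function at 0x401810 (push ebp; mov ebp,esp; sub esp,10h; xor eax,eax;
# mov esp,ebp; pop ebp; ret).
BASE_VA = 0x401800
SAMPLE = (
    bytes.fromhex("55 8bec 83e4f8 51 53 56 57 e9089d0000")   # jmp lands at 0x40B517
    + b"\xcc"
    + bytes.fromhex("55 8bec 83ec10 33c0 8be5 5d c3")
    + b"\xcc" * 4
)

if __name__ == "__main__":
    for r in scan(SAMPLE, BASE_VA):
        tgt = "" if r["jmp_target"] is None else f" -> jmp to {r['jmp_target']:#x}"
        print(f"{r['va']:#x}: {r['verdict']} ({r['prologue_insns']} prologue insns){tgt}")
```

Run it over the raw bytes of the unpacked code section (with that section's virtual address as `BASE_VA`) to get a list of candidate entry stubs to look at before spending time on the rest of the dump. Treat the verdict as a lead, not proof: import thunks, tail-call wrappers and compiler-generated jump stubs match the same shape, so check where each reported target lands; a target inside a section the packer or protector added, or inside a large blob of code IDA refuses to make functions out of, is the case kao is pointing at.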