Reverse Engineering Team Board > Reverse Engineering Board > File Unpacking
#1  08-01-2011, 11:08 AM
oxident (Member; Join Date: Jul 2011; Posts: 49)
UPX Delphi stub?

Hi!

I'm trying to unpack an exe which seems to be UPX-protected. PEiD tells me it might be UPX 0.89.6 - 1.02 / 1.05 - 2.90 (Delphi) stub -> Markus & Laszlo [Overlay].

The target is available at http://www.megaupload.com/?d=DFDVT7JS

Is there any way to have this unpacked (semi-)automatically?
#2  08-01-2011, 12:09 PM
ac!d (Member; Join Date: Sep 2010; Posts: 25)

Download UPX (google for it). Then in a command prompt do "UPX -d filename.exe" to decompress it automatically (if it's a non-'hacked' UPX version).
#3  08-01-2011, 05:43 PM
SunBeam (Senior Member; Join Date: Jun 2011; Posts: 61)

CFF Explorer can do it as well ;-) Also, try TitanEngine, it's bound to unpack even modified UPX-es ;-)

Here: http://www.multiupload.com/T9F4WBF8RY
#4  08-02-2011, 07:32 AM
oxident (Member; Join Date: Jul 2011; Posts: 49)

Thanks for your help. I did indeed try to use the regular upx tool to decompress the files and yes, they don't appear to be modified/crypted in any way (decompression can be done this way).

I also did it manually (using OllyDbg/OllyDmp and ImpREC). This also produces a working PE file with a correct import table.

But my problem is that there still seems to be some kind of detection inside the file. Whenever I run a particular function (adding a printer in this case), the application immediately closes without any error, even if I don't attach any debugger to it.

First I thought this might be a result of an incorrect dump / unpacking attempt but now I'm quite sure there are other problems.

So I guess it might be one of the following:

- Application checks digital signature, MD5 or simply file size
- Application has other packed parts which get uncompressed during runtime (not at startup)
- Export table (app exports three symbols) got corrupted
- some "Sentinel" envelope magic (application uses SafeNet-Dongles / sx32w.dll)
#5  08-02-2011, 09:27 AM
SunBeam (Senior Member; Join Date: Jun 2011; Posts: 61)

Can you pack it all in an archive or simply send me the setup via PM? Using only .exe/.dll doesn't run software properly. I guess I need the rest of the files.

Thanks.
#6  08-02-2011, 09:52 AM
oxident (Member; Join Date: Jul 2011; Posts: 49)

[Please DO NOT quote whole messages, it is unnecessary]

I would love to do so but the entire archive would be around 500MB :-( If you still want to take a look, please let me know and I'll upload it.

In the meantime, I've found the conditional jump at 0062DA7B which (in the end) leads to a call to ExitProcess. If I patch this, the app won't crash anymore and I'm able to see more precisely where the problem might be: it seems to be a problem with some embedded resources. The dialog which opens "after patch" is missing all bitmaps. Maybe the unpacking process destroyed some resources and the application crash is just an exception handler for this circumstance?

Last edited by Git : 08-02-2011 at 12:58 PM.
#7  08-03-2011, 03:04 AM
SunBeam (Senior Member; Join Date: Jun 2011; Posts: 61)

Upload it, please. 2 archives of 250 would do.
#8  08-03-2011, 10:35 AM
oxident (Member; Join Date: Jul 2011; Posts: 49)

Sorry, the archive is about 1GB and I've forgotten to split it. I hope that's okay for you. Otherwise please let me know and I'll split and reupload it.

http://www.megaupload.com/?d=53PA2SAY
#9  08-03-2011, 03:10 PM
SunBeam (Senior Member; Join Date: Jun 2011; Posts: 61)

It's OK. I got it ;-) Now let's see..
#10  08-03-2011, 05:06 PM
oxident (Member; Join Date: Jul 2011; Posts: 49)

Well, I'm starting to think this is way too heavy for my understanding. I've already checked many of the most paranoid theories but nothing got me any closer to the main problem. Also I'm absolutely unsure about the purpose of the ips_color_start.exe (which isn't needed to start the app).

Just in case you don't see the problem: After launching the (unpacked) ips_color.exe, click on "Demo" (if a dialog about registration appears on your system) and then, for example, click on the left first button, labelled "Scan Preview". The original application starts to draw a sample image but the unpacked one just crashes. There are many other parts of the application which behave in the same way (e.g. try to add a printer using Settings/Hardware).

I'm still guessing it has something to do with references not pointing to the correct location after unpacking the file. The executable seems to fail loading (embedded) bitmaps, like the preview image or icons for added printers. Doesn't look like a protection; more like a development mistake.
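The thread's closing hypothesis, that the dump's embedded bitmaps no longer resolve, is one a reverser can test mechanically before chasing anything else: a manual dump often keeps a section header whose SizeOfRawData still reflects the packed layout, so the loader maps only part of the resource data. The Python below is an added example, not code from the thread or from UPX, OllyDbg or ImpREC. It parses just enough of a PE32 header to check whether the resource data directory lands inside a section whose raw data actually covers it, and builds three constructed sample headers (a clean unpack, a dump that kept a packed section's small raw size, and a stray RVA) to exercise the check. Every section name, RVA and size in the samples is made up for the example.

```python
import struct

RESOURCE_DIR_INDEX = 2  # IMAGE_DIRECTORY_ENTRY_RESOURCE in the optional header


def parse_pe32(data):
    """Return (data_directories, sections) from the headers of a PE32 image.

    Only the fields needed to map an RVA onto raw file data are read.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]      # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(num_dirs)]
    sections = []
    table = opt + opt_size
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr,
        })
    return dirs, sections


def check_resource_directory(data):
    """Diagnose whether the resource directory is backed by raw file data.

    Returns a status string starting with 'ok', 'truncated',
    'no resource directory' or 'resource RVA outside every section'.
    """
    dirs, sections = parse_pe32(data)
    if len(dirs) <= RESOURCE_DIR_INDEX or dirs[RESOURCE_DIR_INDEX] == (0, 0):
        return "no resource directory"
    rva, size = dirs[RESOURCE_DIR_INDEX]
    for s in sections:
        span = max(s["vsize"], s["rawsize"])
        if s["va"] <= rva < s["va"] + span:
            needed = (rva - s["va"]) + size      # raw bytes the directory needs in this section
            if needed > s["rawsize"]:
                return (f"truncated: {s['name']} has {s['rawsize']} raw bytes, "
                        f"resources need {needed}")
            if s["rawptr"] + s["rawsize"] > len(data):
                return f"truncated: {s['name']} raw data runs past end of file"
            return f"ok: resources in {s['name']}"
    return "resource RVA outside every section"


def build_pe32(sections, resource_dir):
    """Construct a minimal PE32 file (constructed test data, not a real program).

    sections: list of (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData).
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                       # Magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * RESOURCE_DIR_INDEX, *resource_dir)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x40000040)
                     for n, vs, va, rs, rp in sections)
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    end = max([rp + rs for _, _, _, rs, rp in sections] + [len(img)])
    return img + b"\0" * (end - len(img))


# A clean unpack: .rsrc has as many raw bytes as the resource directory needs.
GOOD_PE = build_pe32([(b".text", 0x1000, 0x1000, 0x1000, 0x400),
                      (b".rsrc", 0x800, 0x2000, 0x800, 0x1400)],
                     resource_dir=(0x2000, 0x800))

# A dump whose .rsrc header still carries the packed file's small raw size, so
# the loader maps only part of the resources and bitmaps come up missing.
TRUNCATED_PE = build_pe32([(b"UPX0", 0x3000, 0x1000, 0x0, 0x400),
                           (b".rsrc", 0x800, 0x4000, 0x200, 0x400)],
                          resource_dir=(0x4000, 0x800))

# A resource RVA that no section covers at all.
STRAY_PE = build_pe32([(b".text", 0x1000, 0x1000, 0x1000, 0x400)],
                      resource_dir=(0x9000, 0x100))

if __name__ == "__main__":
    for label, pe in (("good", GOOD_PE), ("truncated", TRUNCATED_PE), ("stray", STRAY_PE)):
        print(f"{label:10s} {check_resource_directory(pe)}")
```

On a real dump you would call `check_resource_directory(open(path, "rb").read())` on both the `upx -d` output and the OllyDmp/ImpREC result and compare: if the former reports `ok` and the latter `truncated`, the missing bitmaps are a dump artifact (section raw sizes to fix up), not a protection. The same mapping check applies to the other data directories, such as the export table the thread also suspects.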