PEiD and UPX
Hi,
I have an exe file that PEiD identifies as UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo, but when I try to use UPX 1.93 to unpack it, I get the result below: Quote:
|
Maybe that is a scrambled UPX file, or it used a faked UPX signature.
Try the Unpacker for UPX plugin for PEiD. In 80% of cases it will work; otherwise you should attach the file. |
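An added example, not part of any post in this thread: a small Python check for the case described above, where a file looks like UPX but its stock markers (the `UPX0`/`UPX1` section names and the `UPX!` magic) are missing. The layout heuristic, the verdict labels and the constructed header-only samples are assumptions of this example; it does not look at entry-point signatures the way PEiD does.

```python
import struct

SEC = "<8sIIIIIIHHI"                      # one 40-byte section table entry
MEM_EXEC, MEM_WRITE = 0x20000000, 0x80000000

def sections(data):
    """Return (name, virtual_size, raw_size, flags) for each PE section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    count, = struct.unpack_from("<H", data, pe + 6)  # NumberOfSections
    opt, = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    out = []
    for i in range(count):
        f = struct.unpack_from(SEC, data, pe + 24 + opt + 40 * i)
        out.append((f[0].rstrip(b"\0").decode("latin-1"), f[1], f[3], f[9]))
    return out

def classify(data):
    """Verdict labels are this example's own, not PEiD or UPX output."""
    secs = sections(data)
    names = {s[0] for s in secs}
    markers = {"UPX0", "UPX1"} <= names and b"UPX!" in data
    # Assumed heuristic: empty, writable+executable first section (UPX0-style).
    first = secs[0] if secs else ("", 0, 1, 0)
    layout = (first[2] == 0 and first[1] > 0
              and first[3] & MEM_EXEC and first[3] & MEM_WRITE)
    if markers:
        return "stock"        # markers intact
    if layout:
        return "scrambled"    # UPX-like layout, markers renamed or wiped
    return "none"

def build_sample(names, magic, first_raw=0):
    """Constructed header-only PE image for the demo, not a real program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    rows = b""
    for i, name in enumerate(names):
        raw = first_raw if i == 0 else 0x200
        rows += struct.pack(SEC, name, 0x1000, 0x1000 * (i + 1), raw,
                            0x400 if raw else 0, 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + coff + rows + magic

if __name__ == "__main__":
    print(classify(build_sample([b"UPX0", b"UPX1", b".rsrc"], b"UPX!")))
    print(classify(build_sample([b"code", b"data", b".rsrc"], b"\0\0\0\0")))
```

To check a real file, pass its bytes to `classify`, for example `classify(open(path, "rb").read())`.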
With UPX, we can use PE Explorer. The UPX plugin of PE Explorer is great; it can unpack almost all UPX (scrambled, modified) files. Open your exe with PE Explorer and save it to a new exe. This way is fastest.
|
Asus
Use Upx Ripper 1.3 http://www.hanzify.org/?Go=Show::List&ID=5441&Down=1&L=cn or attach file. |
upx is not a difficult packer, you can unpack it by hand with little effort and there are a lot of tuts to guide you
|
and there are some scripts for OllyDbg
|
Thanks to all who replied and gave me ideas! I used PEiD to unpack it and it seemed to succeed, but when I run that file, I get a box with:

Application Error
----------------------
The application failed to initialize properly (0xc0000005). Click on OK to terminate the application.

Any suggestion? tnx. |
IAT rebuilding error, use IMPREC to fix it. (Get some tuts before.)
|
Thanks for your reply - tao. I will see what I can do;-)
|
Asus, it's better to give us a download link to help better. :)
|
WASM seems down so I cannot get UPX-Ripper; can anyone attach it?
|
Quote:
/ UPX-Ripper 1.3 in attach / |
If it was packed by UPX, it will open in Heaven$oft Resource Tuner, and if you save the file it will be unpacked by Resource Tuner's embedded UPX plugin.
Try it also. |
Heaven$oft Resource Tuner and PE Explorer are the same plugin
and working sooo nice.. tested by ME.. about ripper not working with all.. PE Explorer in our FTP.. thanks Unforgi3n and TQN |
Again, thanks to all the people who helped me;-) But all of them failed to unpack the files I have in hand. :confused:
|
Try to analyze your target with RDG Packer Detector! It has better results if your target has a fake signature!
|
I have also attached 02 files that are identified as UPX by PEiD. Please help me.
|
They are both certainly UPX'd. Do it manually: open them in OllyDbg and scroll down to the POPAD and JMP ADDRESS; they are right at the bottom, just before all the 0's (not the bottom, bottom, but I mean the bottom of the code you see). Break on the JMP ADDRESS and step into the OEP, then dump from here and rebuild the IAT. |