Exetools


Nilrem 01-12-2004 00:09

Is it possible for UPX to scramble referenced text strings?
 
Is it possible for UPX to scramble referenced text strings? I've manually unpacked a program that was protected by UPX and the referenced text strings seem to be scrambled (messed up). If I unpack it with a program (ResTuner), then the text strings are fine.

Nilrem 01-12-2004 06:26

Here's the packed file. If you manually unpack it using the standard UPX unpacking method, you'll see what I mean about the referenced text strings being messed up compared to it being unpacked through ResTuner.

hxxp://www.grinders.withernsea.com/tools/pwsetup1_6415613.rar

MaRKuS-DJM 01-12-2004 21:10

For me, all strings are correct if I unpack the file with Olly.

MaRKuS-DJM 01-12-2004 21:29

Maybe it has something to do with import fixing. Did you use ImportRec or OllyDump?

And where are the text strings scrambled? W32Dasm? Or Olly? I use the W32Dasm patch by ColdCoder + Bratalarm.

Nilrem 01-12-2004 21:42

ImportRec, and I checked them in Olly. If you check them in Olly you should land at one that is "ggggg" or something along those lines, and in the automatically unpacked version it's not scrambled, it's... well, I'm at school right now, but hopefully you see my point.

Nilrem 01-15-2004 01:01

Can anybody help me with this please? I've had a look around but can't seem to come up with anything.

Nilrem 01-17-2004 16:09

Can someone please take a look at the program when manually unpacked in Olly please? Of course I could automatically unpack it but I'd rather find out what is causing the strings to become incorrect.
Sorry for being impatient.

britedream 01-17-2004 17:17

I didn't manually unpack it, but I de-mutated it, then de-UPXed it, and all the strings are fine.

britedream 01-17-2004 17:41

I did manually unpack it, and all strings are fine. Please state the address of the string you are referring to, so I can check it for you.

Nilrem 01-18-2004 19:45

Open it in Olly, then right-click and select 'Search for->All referenced text strings', and the one you land at will be "gggg" when it shouldn't be that.

britedream 01-18-2004 20:18

The first thing you land on is your initial CPU selection (OEP), which is fine.

Nilrem 01-18-2004 21:09

If I look below that, I get this:


Text strings referenced in PopUpWas:UPX1, item 1
Address=00529B8B
Disassembly=ASCII "UUUUUUUUUUUUUUU"

britedream 01-18-2004 23:56

I don't think you are dumping from the right OEP. Even though my PC config may be different than yours, the last 2 or 3 digits of the address should be the same. My OEP = 4751e4.

regards

