Reverse Engineering Team Board


aiwnjoo 02-27-2012 05:19 PM

PID says UPX but problems happen.
 
1 Attachment(s)
Hi,

Protection ID says it is packed with UPX (latest), so I unpack it, but then the file does not run, so I presume something else is at work here. It would be good if you could provide any information on this.

Thanks,

Git 02-27-2012 06:16 PM

PE Explorer unpacks several flavors of UPX.

Git

kao 02-27-2012 06:36 PM

There's additional protection for the most juicy part of code. Small virtual machine - VMProtect, if I'm not mistaken.
See here:
Code:

UPX0:00401800  push    ebp
UPX0:00401801  mov     ebp, esp
UPX0:00401803  and     esp, 0FFFFFFF8h
UPX0:00401806  push    ecx
UPX0:00401807  push    ebx
UPX0:00401808  push    esi
UPX0:00401809  push    edi
UPX0:0040180A  jmp     loc_40B517  ; --> oops. nasty code follows! :)
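
The pattern in kao's listing, a normal stack-frame prologue that jumps far away before doing any real work, can be checked for mechanically when triaging an unpacked file. The following is an added example, not part of the thread: the function names, the set of "setup" mnemonics and the 0x1000-byte distance threshold are assumptions chosen for illustration.

```python
import re

# Listing copied from the post above (IDA text format: SEG:ADDR  mnemonic  operands).
LISTING = """\
UPX0:00401800  push    ebp
UPX0:00401801  mov     ebp, esp
UPX0:00401803  and     esp, 0FFFFFFF8h
UPX0:00401806  push    ecx
UPX0:00401807  push    ebx
UPX0:00401808  push    esi
UPX0:00401809  push    edi
UPX0:0040180A  jmp     loc_40B517  ; --> oops. nasty code follows! :)
"""

LINE_RE = re.compile(r"^(\w+):([0-9A-Fa-f]{8})\s+(\w+)\s*([^;]*?)\s*(?:;.*)?$")
TARGET_RE = re.compile(r"^(?:loc_|sub_)?([0-9A-Fa-f]+)h?$")
# Assumption: instructions that only build the stack frame or save registers.
SETUP = {"push", "mov", "and", "sub"}

def parse_listing(text):
    """Turn listing text into (segment, address, mnemonic, operands) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seg, addr, mnem, ops = m.groups()
            rows.append((seg, int(addr, 16), mnem.lower(), ops.strip()))
    return rows

def find_prologue_escape(rows, min_distance=0x1000):
    """Return (jmp_addr, target, distance) when a push ebp / mov ebp, esp
    prologue is followed only by setup instructions and then a direct jmp
    landing at least min_distance bytes from the function start."""
    if len(rows) < 2 or rows[0][2:] != ("push", "ebp") or rows[1][2:] != ("mov", "ebp, esp"):
        return None
    for _seg, addr, mnem, ops in rows[2:]:
        if mnem == "jmp":
            m = TARGET_RE.match(ops)
            if not m:                      # indirect or unparsed target
                return None
            target = int(m.group(1), 16)
            dist = abs(target - rows[0][1])
            return (addr, target, dist) if dist >= min_distance else None
        if mnem not in SETUP:              # real work started: ordinary function
            return None
    return None

if __name__ == "__main__":
    print(find_prologue_escape(parse_listing(LISTING)))
```

A hit only marks the function for manual inspection of the jump target; it does not identify which protector produced the code.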


