#1
Hi!
I'm trying to unpack an exe which seems to be UPX-protected. PEiD tells me it might be "UPX 0.89.6 - 1.02 / 1.05 - 2.90 (Delphi) stub -> Markus & Laszlo [Overlay]". The target is available at http://www.megaupload.com/?d=DFDVT7JS Is there any way to have this unpacked (semi-)automatically?
#2
Download UPX (google for it), then in a command prompt do "UPX -d filename.exe" to decompress it automatically (if it's not a 'hacked' UPX version).
#3
CFF Explorer can do it as well ;-) Also, try TitanEngine, it's bound to unpack even modified UPX-es ;-)
Here: http://www.multiupload.com/T9F4WBF8RY
#4
Thanks for your help. I did indeed try to use the regular upx tool to decompress the files and yes, they don't appear to be modified/crypted in any way (decompression can be done this way).
I also did it manually (using OllyDbg/OllyDump and ImpREC). This also produces a working PE file with a correct import table. But my problem is that there still seems to be some kind of detection inside the file. Whenever I run a particular function (adding a printer in this case), the application immediately closes without any error, even if I don't attach any debugger to it. First I thought this might be a result of an incorrect dump / unpacking attempt but now I'm quite sure there are other problems. So I guess it might be one of the following:
- Application checks digital signature, MD5 or simply file size
- Application has other packed parts which get uncompressed during runtime (not at startup)
- Export table (app exports three symbols) got corrupted
- some "Sentinel" envelope magic (application uses SafeNet dongles / sx32w.dll)
#5
Can you pack it all in an archive or simply send me the setup via PM? Using only the .exe/.dll doesn't run the software properly. I guess I need the rest of the files.
Thanks.
#6
[Please DO NOT quote whole messages, it is unnecessary]
I would love to do so but the entire archive would be around 500MB :-( If you still want to take a look, please let me know and I'll upload it. In the meantime, I've found the conditional jump at 0062DA7B which (in the end) leads to a call to ExitProcess. If I patch this, the app won't crash anymore and I'm able to see more precisely where the problem might be: it seems to be a problem with some embedded resources. The dialog which opens "after patch" is missing all bitmaps. Maybe the unpacking process destroyed some resources and the application crash is just an exception handler for this circumstance?
Last edited by Git : 08-02-2011 at 12:58 PM.
#7
Upload it, please. 2 archives of 250 would do.
#8
Sorry, the archive is about 1GB and I've forgotten to split it. I hope that's okay for you. Otherwise please let me know and I'll split and reupload it.
http://www.megaupload.com/?d=53PA2SAY
#9
It's OK. I got it ;-) Now let's see..
#10
Well, I'm starting to think this is way too heavy for my understanding. There were many of the most paranoid theories I've already checked but nothing got me any closer to the main problem. Also I'm absolutely unsure about the purpose of the ips_color_start.exe (which isn't needed to start the app).
Just in case you don't see the problem: After launching the (unpacked) ips_color.exe, click on "Demo" (if a dialog about registration appears on your system) and then, for example, click on the left first button, labeled "Scan Preview". The original application starts to draw a sample image but the unpacked one just crashes. There are many other parts of the application which behave in the same way (e.g. try to add a printer using Settings/Hardware). I'm still guessing it has something to do with references not pointing to the correct location after unpacking the file. The executable seems to fail loading (embedded) bitmaps, like the preview image or icons for added printers. Doesn't look like a protection; more like a development mistake