Being rather new to unpacking, I find it a bit confusing. I'm trying my hand at unpacking CDMA Workshop 3.7.5 and find the following:
PEiD shows UPolyX 0.3 by delikon *
Another scanner shows Themida 2.x
I'm leaning towards Themida because I see, when tracing the code, the following decrypt routine. EP is at EC8000; stepping through I find:
Code:
00EC8046 55 PUSH EBP
00EC8047 89E5 MOV EBP,ESP
00EC8049 50 PUSH EAX
00EC804A 53 PUSH EBX
00EC804B 51 PUSH ECX
00EC804C 56 PUSH ESI
00EC804D 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
00EC8050 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
00EC8053 C1E9 02 SHR ECX,2
00EC8056 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00EC8059 8B5D 14 MOV EBX,DWORD PTR SS:[EBP+14]
00EC805C 85C9 TEST ECX,ECX
00EC805E 74 0A JE SHORT cdma_wor.00EC806A
00EC8060 3106 XOR DWORD PTR DS:[ESI],EAX
00EC8062 011E ADD DWORD PTR DS:[ESI],EBX
00EC8064 83C6 04 ADD ESI,4
00EC8067 49 DEC ECX
00EC8068 ^ EB F2 JMP SHORT cdma_wor.00EC805C
Then there are a few pushes and a RETN that goes to 00AB8000, and when tracing in Olly it crashes.
That's why I would think it's Themida and not UPolyX. But I'm still a noob and figuring things out by trial and error. Any thoughts as to why PEiD might give a wrong packer? Bad signature database?
I should have mentioned the decrypt routine is between 00EC805C and 00EC8068. Not sure if that's just decrypting the unpack code, or what. I'll report back as I find more out.
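As an added illustration (not part of the original post), here is a Python re-implementation of the loop at 00EC805C-00EC8068 so its semantics can be checked outside the debugger. The parameter mapping is read straight off the listing: [EBP+8] is the buffer pointer (ESI), [EBP+C] is a byte length that SHR ECX,2 turns into a dword count, [EBP+10] is the XOR key (EAX) and [EBP+14] is the additive key (EBX). Each dword is XORed with EAX and then EBX is added, so the inverse (subtract, then XOR) is included to let you build a known-plaintext round-trip test. The sample buffer and keys are constructed for the example.

```python
import struct

MASK32 = 0xFFFFFFFF


def decrypt_block(data: bytes, key_xor: int, key_add: int) -> bytes:
    """Mirror of the routine at 00EC805C-00EC8068.

    ECX = len(data) >> 2 dwords are processed; any trailing 1-3 bytes
    past the last full dword are left untouched, exactly as SHR ECX,2
    would leave them. Per dword: d = (d XOR EAX) + EBX, wrapping at 32 bits.
    """
    count = len(data) >> 2          # SHR ECX,2
    out = bytearray(data)
    for i in range(count):
        off = i * 4
        (d,) = struct.unpack_from("<I", out, off)   # DWORD PTR DS:[ESI]
        d ^= key_xor & MASK32                       # XOR DWORD PTR DS:[ESI],EAX
        d = (d + key_add) & MASK32                  # ADD DWORD PTR DS:[ESI],EBX
        struct.pack_into("<I", out, off, d)
    return bytes(out)


def encrypt_block(data: bytes, key_xor: int, key_add: int) -> bytes:
    """Inverse of decrypt_block (subtract EBX, then XOR EAX), handy for
    building a known-plaintext check of the loop's behaviour."""
    count = len(data) >> 2
    out = bytearray(data)
    for i in range(count):
        off = i * 4
        (d,) = struct.unpack_from("<I", out, off)
        d = (d - key_add) & MASK32
        d ^= key_xor & MASK32
        struct.pack_into("<I", out, off, d)
    return bytes(out)


def roundtrip_ok(plain: bytes, key_xor: int, key_add: int) -> bool:
    """Constructed self-check: encrypt, then run the recovered loop."""
    return decrypt_block(encrypt_block(plain, key_xor, key_add), key_xor, key_add) == plain


if __name__ == "__main__":
    # Constructed sample: a fake PE header fragment plus 3 trailing bytes
    sample = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    k_xor, k_add = 0x12345678, 0x9ABCDEF0   # constructed keys, not from the target
    enc = encrypt_block(sample, k_xor, k_add)
    print("encrypted:", enc.hex())
    print("decrypted:", decrypt_block(enc, k_xor, k_add).hex())
    print("roundtrip ok:", roundtrip_ok(sample, k_xor, k_add))
```

When stepping the real loop, the values to copy out of the registers at 00EC805C are ESI (buffer), ECX (dword count after the shift), EAX and EBX; feeding a dump of the buffer and those two keys to decrypt_block should reproduce what the debugger shows in memory after the loop exits to 00EC806A. If the output does not match, the keys were read at the wrong point, since the routine never modifies EAX or EBX inside the loop.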