#1
Making unpacked progs work on both WinXP/Win9x?
I've been reading a few unpack tutes for UPX and managed to follow them OK, BUT when I unpack in either WinXP or Win98 the progs will only work in the OS they were unpacked in?
The tute I followed was this one: http://www.exetools.com/forum/showth...&threadid=3185 which uses a combination of Olly, LordPE and Imprec to unpack/fix. I wasn't unpacking that particular prog in the tute but used it to unpack another UPX packed prog. This prog works when I unpacked it, but only in the OS it was unpacked in. How do I make sure my unpacked UPX prog (or any other prog for that matter) will work in both WinXP and Win9x? I know I could use UPX to unpack, but I have a scrambled UPX prog that needs to be manually unpacked as none of the UPX descramblers work on it. I'm guessing the API calls are different under Win9x/XP and they need fixing? Any hints please?
#2
Hi,
there are more problems that can prevent your proggie from running on other systems. The first one is that NT-like systems are more strict in controlling PE header info, so try to find some program that will check it for you (I'm quite sure I've seen it somewhere; if it is your problem and you won't be able to find it, maybe I could send it to you). The second problem could be relocations. If you unpacked your proggie, then it probably misses the reloc section, because packers do it themselves; but when the unpacked program runs on another system, then it could be loaded to another base address than the preferred one and then it'll surely crash. If this is the case, then you have several possibilities. You can try to rebuild relocations - probably a lot of work, or you can make a loader or inject code to make the needed modifications after the proggie is unpacked in memory. Hope it helps.
least
#3
...
Relocs u would have to rebuild on any OS.
The PE Header might trouble u, also the Import Rebuilding maybe. Since under 2k/XP some APIs are for example forwarded to other DLLs, like some Kernel -> NtDll etc. Just a guess
#4
It must be the import rebuilding that screws everything up because the Packed EXE works in Win9x/WinXP. When I enter the OEP into Imprec and click the IAT Autosearch it tells me it has found something but it does not find any imports when clicking the Get Imports button! Imprec gives me an RVA and Size to enter if it fails to find anything, but entering them eventually crashes imprec?
I have to manually use the Get API Calls option and delete the invalid entries. This allows me to use the Fix Dump option and the EXE then works, but only in the current OS. I tried Revirgin too but that just seemed to freeze the app when I entered the OEP and clicked the Fetch IAT button!! I also tried using Olly and Ollydump to fix imports using Method 1 & 2 but no luck with that either, so I think that's why it has to be dumped and manually fixed. If you look near the end of a UPX file with a Hex Editor you can see the DLLs and APIs the program needs, so I tried to delete all the APIs I didn't need via Imprec but still no luck! I've got a few utils that have PE header fixers for NT/2K/XP such as PEditor 1.7 but they don't help when I unpack in WinXP and the prog won't run under Win9x!
#5
Are you able to dump/rebuild the app (so it runs on that system) on both systems? If so, try to do it and compare the results - then you'll see the difference.
By the way, if I remember right, UPXed programs used to have copies of the original PE header inside (after unpack), so maybe try to look inside if there is also an import/reloc section. If so, it should be quite easy to rebuild the proggie. Also try to look for some API monitor; I'm quite sure that UPX uses the normal LoadLibrary/GetProcAddress functions, so it could give you a clue if the rebuilt import table is correct. If nothing else helps, I could try to look at it; I can't promise anything, but if I have some time, maybe I could help. Regards, least
#6
Hi least,
Yes, I can dump/rebuild the prog so it works in the OS I dumped under (but only by manually adding the APIs). I also think the Import table is messed up as Imprec can't find it once the OEP found using OllyDbg is entered. The file has sections similar to UPX0/UPX1 but called CWFR and FWFR, and where the UPX! sig usually goes is BWFR, so this could be a new UPX scrambler or a UPX-a-like packer, not sure; PEiD says it's UPX? An example EXE is here: hxxp://arcade.reflexive.com/downloadgame.aspx?AID=79&CID=0 Install it and check fusion.exe. You may be able to see where the import table is hidden? thanks!
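An added example, not from this thread or from any of the tools it mentions, serving posts #2, #4 and #5: a stdlib-only Python script that reads a PE32 file, applies the alignment rules the PE/COFF spec states for SizeOfImage, SizeOfHeaders and section placement, reports whether the image carries a base relocation directory at all (post #2's "loaded at another base address and crashes" case), and lists the import table per DLL so two dumps rebuilt on different systems can be compared side by side (post #5). When run without arguments it parses a small PE image constructed in memory; the DLL and function names in that image are constructed sample data, and the ordinal import "#7" and the relocation directory entry set by `with_relocs=True` are assumptions for the demonstration, not values from any real program.

```python
import struct

IMPORT_DIR = 1             # IMAGE_DIRECTORY_ENTRY_IMPORT
BASERELOC_DIR = 5          # IMAGE_DIRECTORY_ENTRY_BASERELOC
ORDINAL_FLAG32 = 0x80000000
RELOCS_STRIPPED = 0x0001   # IMAGE_FILE_RELOCS_STRIPPED

def parse_pe(data):
    """Read the PE32 header fields this check needs: alignments, base, directories, sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                          # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    image_base, sect_align, file_align = struct.unpack_from("<III", data, opt + 28)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    ndirs = min(struct.unpack_from("<I", data, opt + 92)[0], 16)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    dirs += [(0, 0)] * (16 - ndirs)
    sections = []
    for i in range(nsect):                                 # section table follows the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr))
    return {"chars": chars, "image_base": image_base, "sect_align": sect_align,
            "file_align": file_align, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "dirs": dirs, "sections": sections}

def rva_to_off(pe, rva):
    for _name, vsize, va, rawsize, rawptr in pe["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA 0x{rva:X} lies outside every section")

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data, pe):
    """Return {dll: [function name or '#ordinal', ...]} from the import directory."""
    imports, dir_rva = {}, pe["dirs"][IMPORT_DIR][0]
    if dir_rva == 0:
        return imports
    off = rva_to_off(pe, dir_rva)
    while True:                                            # IMAGE_IMPORT_DESCRIPTOR, 20 bytes each
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                                  # all-zero descriptor ends the table
            break
        thunk, funcs = rva_to_off(pe, oft or ft), []      # walk the INT, or the IAT if INT is gone
        while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:
            funcs.append(f"#{entry & 0xFFFF}" if entry & ORDINAL_FLAG32
                         else cstr(data, rva_to_off(pe, entry) + 2))  # skip the 2-byte hint
            thunk += 4
        imports[cstr(data, rva_to_off(pe, name_rva))] = funcs
        off += 20
    return imports

def check_dump(data):
    """Spec alignment rules plus the reloc/import questions raised in the thread."""
    pe, findings = parse_pe(data), []
    if pe["size_of_image"] % pe["sect_align"]:
        findings.append("SizeOfImage is not a multiple of SectionAlignment")
    if pe["size_of_headers"] % pe["file_align"]:
        findings.append("SizeOfHeaders is not a multiple of FileAlignment")
    for name, _vs, va, _rs, rawptr in pe["sections"]:
        if va % pe["sect_align"] or rawptr % pe["file_align"]:
            findings.append(f"section {name!r} is not aligned")
    if pe["dirs"][BASERELOC_DIR][1] == 0 or pe["chars"] & RELOCS_STRIPPED:
        findings.append(f"no base relocations: image only works at ImageBase 0x{pe['image_base']:X}")
    imports = parse_imports(data, pe)
    if not imports:
        findings.append("import directory is empty or missing")
    return findings, imports

def build_sample_pe(with_relocs=False):
    """Constructed PE32 image: one section holding an import table for two DLLs (sample data)."""
    buf = bytearray(0x400)
    buf[0:2], buf[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section
    opt = 0x58
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + 16, 0x1000)                              # entry point (sample)
    struct.pack_into("<III", buf, opt + 28, 0x400000, 0x1000, 0x200)           # base, sect/file align
    struct.pack_into("<II", buf, opt + 56, 0x2000, 0x200)                      # SizeOfImage/Headers
    struct.pack_into("<HH", buf, opt + 68, 2, 0)                               # GUI subsystem
    struct.pack_into("<I", buf, opt + 92, 16)
    struct.pack_into("<II", buf, opt + 96 + 8 * IMPORT_DIR, 0x1000, 0x3C)
    if with_relocs:   # assumption: only the directory entry is set, to exercise the check
        struct.pack_into("<II", buf, opt + 96 + 8 * BASERELOC_DIR, 0x1100, 8)
    struct.pack_into("<8sIIIIIIHHI", buf, 0x138, b".idata", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0xC0000040)
    at = lambda rva: 0x200 + (rva - 0x1000)                                    # RVA -> file offset
    struct.pack_into("<IIIII", buf, at(0x1000), 0x1040, 0, 0, 0x1060, 0x1080)  # KERNEL32 descriptor
    struct.pack_into("<IIIII", buf, at(0x1014), 0x1050, 0, 0, 0x1070, 0x1090)  # USER32 descriptor
    for rva, thunks in ((0x1040, (0x10A0, 0x10C0, 0)), (0x1080, (0x10A0, 0x10C0, 0)),
                        (0x1050, (0x80000007, 0x10E0, 0)), (0x1090, (0x80000007, 0x10E0, 0))):
        struct.pack_into("<III", buf, at(rva), *thunks)                        # INT and IAT copies
    for rva, s in ((0x1060, b"KERNEL32.dll"), (0x1070, b"USER32.dll")):
        buf[at(rva):at(rva) + len(s)] = s
    for rva, s in ((0x10A0, b"GetProcAddress"), (0x10C0, b"LoadLibraryA"), (0x10E0, b"MessageBoxA")):
        buf[at(rva) + 2:at(rva) + 2 + len(s)] = s                              # hint word left zero
    return bytes(buf)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    findings, imports = check_dump(blob)
    for dll, funcs in imports.items():
        print(dll, funcs)
    for f in findings:
        print("WARNING:", f)
```

Run it once on the dump rebuilt under Win9x and once on the dump rebuilt under XP and diff the two import listings: an entry that appears under one DLL on one system and under another DLL (or under a different name) on the other is the kind of difference post #3 describes. The reloc warning on the constructed sample is expected, since it deliberately carries no relocation directory, which is exactly the state post #2 says an unpacked dump is usually left in.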