Exetools > General > General Discussion

  #1  
Old 06-03-2003, 18:17
feisu
 
modify UPX

Yesterday I modified a UPX file. FI detected it as UPX + cryptor (¡öPE); PEiD with Normal scan and Deep scan detected it as Win32 PE File - GUI, and with Hardcore scan detected it as UPX 0.89.6 - 1.02 / 1.05 - 1.22 (Delphi) stub -> Markus & Lazlo; pe-scan detected it as neolite 1.0x.

Now I have a question: how can I modify it so that it can't be detected by FI and PEiD?

Which signature do those tools detect to be sure a file is packed by UPX?

Thanks.
  #2  
Old 06-03-2003, 18:19
feisu
 
The file can be downloaded at
hxxp://feisu.hanzify.org/Project1.exe
  #3  
Old 06-03-2003, 20:24
Squidge
I'd change the code at the OEP to start with. However, to ensure it's not picked up by the hardcore methods, you need to ensure that the original UPX code is mangled and decrypted upon startup.
  #4  
Old 06-03-2003, 20:29
feisu
 
I think this file's original UPX code is mangled, but not fully mangled. Could you tell me how to fully mangle it?

Which bytes should I edit?
  #5  
Old 06-03-2003, 22:29
asterix
feisu
Quote:
Now I have a question: how can I modify it so that it can't be detected by FI and PEiD?
What do you need it for?
  #6  
Old 06-04-2003, 06:12
feisu
 
Only to study how it detects it.
  #7  
Old 06-04-2003, 06:27
Squidge
Normally, the detection is done by picking unique bytes from the entry point. So, if you place another section that is executed before the normal entry point, it will fool detectors that do not have the "hardcore" settings. Hardcore simply searches the entire program for those signature bytes. Unfortunately, it could find them elsewhere, where they have nothing to do with a certain packer, and therefore identify it wrongly.

The best thing to do for just fun is to pack a program, wrap up its unpacking code into another section, and then write a simple decryptor to put it back and call it. Nothing can identify it then (apart from someone with a debugger, of course, who spots your decrypting code...).

However, you're not going to get very far without a good knowledge of PE files and being able to write in assembler.

Don't forget to also change the section names after packing, as some identifiers also look there.

As an example, I've made a UPX-packed executable (Notepad) look like it was packed with Armadillo. The packed program still ran fine, but it could really confuse someone trying to unpack it.

However, note that some packers/cryptors will not let you edit the file at all after packing, so make sure to pick a packer that doesn't mind (or better still, write your own).
  #8  
Old 06-04-2003, 18:20
feisu
 
ok, thx
  #9  
Old 06-05-2003, 07:12
asterix
Hi, feisu!
I have made some transformations on UPX manually.
The archive consists of two files, original and patched,
to trace and compare.
It is not identified as UPX by PEiD with any method.
Enjoy!
Attached file: upx.rar (6.5 KB)
  #10  
Old 06-05-2003, 18:39
feisu
 
That's good. Now I'll have a look at it.
  #11  
Old 06-05-2003, 18:44
feisu
 
This is not detected by PEiD, but it is detected by FI.
  #12  
Old 06-06-2003, 16:52
asterix
Hi!
It appeared that, using the "Scan Process (Dump)" method,
PEiD finds UPX in the file.
Therefore it was necessary to improve my patched file somewhat.
Attached file: upx2.rar (3.3 KB)
  #13  
Old 06-06-2003, 19:05
asterix
With FI, things are more difficult.
  #14  
Old 06-06-2003, 20:26
an0nymous
 
well.. detecting a packer isn't the same as unpacking it

try my little crackme.. the main packer is upx combined with peshit

..and fuxxored with my special stuff

try to *FULLY* unpack my target
Attached file: crackme.zip (32.1 KB)
  #15  
Old 06-09-2003, 20:11
feisu
 
Quote:
Originally posted by sKAMER
well.. detecting a packer isn't the same as unpacking it

try my little crackme.. the main packer is upx combined with peshit

..and fuxxored with my special stuff

try to *FULLY* unpack my target

hoho. When I'm not busy, I will try it.