#1
modify UPX
Yesterday I was modifying a UPX-packed file. FI detected it as UPX + cryptor (¡öPE); PEiD with Normal scan and Deep scan detected it as Win32 PE File - GUI, and with Hardcore scan it detected UPX 0.89.6 - 1.02 / 1.05 - 1.22 (Delphi) stub -> Markus & Lazlo; pe-scan detected it as neolite 1.0x.
Now I have a question: how can I modify it so that it can't be detected by FI and PEiD? What signature do those tools detect to be sure a file is packed by UPX? Thanks.
#2
The file can be downloaded at
hxxp://feisu.hanzify.org/Project1.exe
#3
I'd change the code at the OEP to start with. However, to ensure it's not picked up by the hardcore methods, you need to ensure that the original UPX code is mangled and decrypted upon startup.
#4
I think this file's original UPX code is mangled, but not fully mangled. Could you tell me how to fully mangle it?
Which bytes should I edit?
#5
feisu
Quote:
#6
I'm only studying how it detects it.
#7
Normally, the detection is done by picking unique bytes from the entry point. So, if you place another section that is executed before the normal entry point, it will fool detectors that do not have the "hardcore" settings. Hardcore simply searches the entire program for those signature bytes. Unfortunately, it could find them elsewhere in bytes that have nothing to do with a certain packer, and therefore identify it wrongly.
The best thing to do for just fun is to pack a program, wrap up its unpacking code into another section, and then write a simple decryptor to put it back and call it. Nothing can identify it then (apart from someone with a debugger, of course, who spots your decrypting code...). However, you're not going to get very far without a good knowledge of PE files and being able to write in assembler. Don't forget to also change the section names after packing, as some identifiers also look there. As an example, I've made a UPX-packed executable (Notepad) look like it was packed with Armadillo. The packed program still ran fine, but it could really confuse someone trying to unpack it. However, note that some packers/cryptors will not let you edit the file at all after packing, so make sure to pick a packer that doesn't mind (or better still, write your own).
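As an added example (not code from this thread, nor from PEiD or FI), the Python script below shows the three checks the post above describes from the detector's side: comparing the bytes at the entry point against a wildcard signature, searching the whole file for the same bytes (the "hardcore" style), and looking at section names. The minimal PE builder, the sample files and the signature text are all constructed here; the signature is modelled on the well-known UPX stub prologue (pushad / mov esi / lea edi / push edi / or ebp,-1) but is an assumption for illustration, not PEiD's actual database entry. A second constructed file with the entry point moved and sections renamed shows which checks still fire, which is why a defender should not rely on the entry-point check alone.

```python
import struct

# Wildcard signature in PEiD's text style. Constructed after the classic
# UPX stub prologue; illustrative only, not PEiD's real signature entry.
UPX_SIG = "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF"
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_sig(text):
    """Turn 'AA ?? BB' into a list of ints; None marks a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def sig_matches_at(data, off, sig):
    """True if the signature matches the bytes starting at file offset off."""
    if off < 0 or off + len(sig) > len(data):
        return False
    return all(b is None or data[off + i] == b for i, b in enumerate(sig))


def parse_pe(data):
    """Return (AddressOfEntryPoint, section list) from a 32-bit PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, s)
        sections.append({"name": name.rstrip(b"\0"), "va": va,
                         "vsize": vsize, "raw": rawptr, "rawsize": rawsize})
    return entry_rva, sections


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table (raw data only)."""
    for s in sections:
        if s["rawsize"] and s["va"] <= rva < s["va"] + s["rawsize"]:
            return rva - s["va"] + s["raw"]
    return None


def scan(data, sig_text=UPX_SIG):
    """The three checks discussed in the thread: entry-point bytes,
    whole-file search and section names."""
    sig = parse_sig(sig_text)
    entry_rva, sections = parse_pe(data)
    ep_off = rva_to_offset(entry_rva, sections)
    ep_hit = ep_off is not None and sig_matches_at(data, ep_off, sig)
    deep_hits = [o for o in range(len(data) - len(sig) + 1)
                 if sig_matches_at(data, o, sig)]
    names = {s["name"] for s in sections}
    return {"entry_point": ep_hit, "deep": deep_hits,
            "section_names": sorted(names & UPX_SECTION_NAMES)}


def build_sample_pe(entry_rva=0x2010, names=(b"UPX0", b"UPX1")):
    """Constructed minimal PE (not real UPX output): two sections, with the
    stub-like bytes at file offset 0x210 (RVA 0x2010) of the second section.
    By default the entry point sits right on those bytes."""
    stub = bytes.fromhex("60BE001040008DBE0000FFFF5783CDFF")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0x60, 0x0102)
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000)
    opt += b"\0" * (0x60 - len(opt))
    secs = struct.pack("<8sIIIIIIHHI", names[0].ljust(8, b"\0"),
                       0x1000, 0x1000, 0, 0, 0, 0, 0, 0, 0xC0000080)
    secs += struct.pack("<8sIIIIIIHHI", names[1].ljust(8, b"\0"),
                        0x1000, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0xE0000040)
    headers = (dos + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0")
    # jmp +0x0B over 11 NOPs, so the stub bytes land at +0x10 of the section
    body = b"\xE9\x0B\x00\x00\x00" + b"\x90" * 11 + stub
    return headers + body.ljust(0x200, b"\0")


if __name__ == "__main__":
    print("stub at entry point:", scan(build_sample_pe()))
    print("entry moved, sections renamed:",
          scan(build_sample_pe(entry_rva=0x2000, names=(b".text", b".data"))))
```

On the first sample all three checks fire; on the second only the whole-file search does, which mirrors the post's point that the hardcore scan is the one that still sees the bytes (at the cost of occasional false positives when the pattern appears in unrelated data).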
#8
ok, thx
#9
Hi, feisu!
I have made some transformations on UPX manually. The archive consists of two files, original and patched, to trace and compare. It is not identified as UPX by PEiD with any method. Enjoy!
#10
That's good. Now I'll have a look at it.
#11
This is not detected by PEiD, but it is detected by FI.
#12
Hi!
It turned out that using the "Scan Process (Dump)" method, PEiD finds UPX in the file. Therefore it was necessary to improve my patched file somewhat.
#13
With FI, things are more difficult.
#14
Well... detecting a packer isn't the same as unpacking that packer.
Try my little crackme. The main packer is UPX combined with peshit, and fuxxored with my special stuff. Try to *FULLY* unpack my target.
#15
Quote:
Hoho. When I'm not busy, I will try it.