#1
|
|||
|
|||
Is it possible for UPX to scramble referenced text strings?
Is it possible for UPX to scramble referenced text strings? I've manually unpacked a program that was protected by UPX and the referenced text strings seem to be scrambled (messed up), if I unpack it with a program (ResTuner), then the text strings are fine.
|
#2
|
|||
|
|||
Here's the file packed, if you manually unpack using the standard UPX unpacking method, then you'll see what I mean about the referenced text strings been messed up compared to it been unpacked through ResTuner.
hxxp://www.grinders.withernsea.com/tools/pwsetup1_6415613.rar |
#3
|
||||
|
||||
for me, all strings are correct if i unpack the file with Olly
|
#4
|
||||
|
||||
maybe it has to do something with Import-fixing. did you use ImportRec or OllyDump?
and where are the text-strings scrambled? W32Dasm? or Olly? i use W32Dasm patch by ColdCoder + Bratalarm |
#5
|
|||
|
|||
ImportRec, and I checked them in Olly, if you check them in Olly you should land at one that is
"ggggg" or something along those lines and in the automatically unpacked version it's not scrambled it's... well I'm at school right now, but hopefully you see my point. Last edited by Nilrem; 01-12-2004 at 23:17. |
#6
|
|||
|
|||
Can anybody help me with this please? I've had a look around but can't seem to come up with anything.
|
#7
|
|||
|
|||
Can someone please take a look at the program when manually unpacked in Olly please? Of course I could automatically unpack it but I'd rather find out what is causing the strings to become incorrect.
Sorry for being impatient. |
#8
|
|||
|
|||
I didn't manually unpack it , but I de-mutate it , then de-upx it, all the strings are fine.
|
#9
|
|||
|
|||
I did manually unpack it , and all strings are fine, please state which address is the string you refering to at, so I can check it for you.
|
#10
|
|||
|
|||
Open it in Olly, then right click and select 'Search for->All referenced text strings" and the one you land at will be "gggg" when it shouldn't be that.
|
#11
|
|||
|
|||
the first thing you land on is your initial cpu selection (oep), which is fine.
|
#12
|
|||
|
|||
If I look below that, I get this:
Text strings referenced in PopUpWas:UPX1, item 1 Address=00529B8B Disassembly=ASCII "UUUUUUUUUUUUUUU" |
#13
|
|||
|
|||
I don't think you are dumping from the right oep, eventhough my pc config. may be different than yours , but the last 2 or 3 digits of the address should be the same, my oep =4751e4.
regards |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
IDA can't properly deal with RUST strings | WhoCares | General Discussion | 3 | 07-08-2021 10:46 |
Strings plugin for x64dbg | hors | Developer Section | 0 | 03-16-2019 01:42 |
hint_calls.py: IDA plugin to show a function's summary (calls,strings) as hover hints | sh3dow | Source Code | 0 | 12-13-2016 22:28 |
Allocating BSTR strings in IE9 | r00t | General Discussion | 4 | 01-31-2013 12:47 |
Problem with referenced strings in Olly. | Fade | General Discussion | 5 | 05-08-2006 22:40 |