UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo

 
www.reversing.be Forum Index -> Unpacking
sharpe
Frequent poster
Joined: 20 Mar 2005
Posts: 65

Posted: Wed Sep 21, 2005 2:14 pm    Post subject: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo

I use a piece of software that I have actually purchased (believe it or not) and I am interested in reversing it to find out how its 30 day time restriction works. I will refrain from mentioning what the software is, as I wish to obey the forum rules.

Does anyone have any tips on how to get started? I have identified the packer: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo (PEiD) and I have identified the code entry point:

0068D3F2 > 61 POPAD
0068D3F3 .-E9 9CA1E8FF JMP converte.00517594 <---HERE

and I am rather interested in attempting to bypass the time restriction mechanism for the simple sake of learning.

Does anyone have any tips? I have done quite a few crackmes but never with a "real" scenario.

Thanks in advance,
Best,
sharpe
moniker
Regular
Joined: 05 Sep 2005
Posts: 123
Location: lage lande

Posted: Wed Sep 21, 2005 11:31 pm

First of all you won't need to unpack upx to be able to investigate the exe.
Break when the program is started and all the code is unpacked in memory and you can start searching.

However if you want you can unpack upx very easily, and there are tutorials on unpacking upx all over the web, so grab one of those and get to it.

in short they will tell you to trace until you are on the OEP
make you dump it with ollydump or so
make you rebuild your imports
|ShAdOw|
New to the board
Joined: 15 Apr 2005
Posts: 7
Location: N/A

Posted: Mon Sep 26, 2005 3:25 pm

Unpacking UPX is a piece of cake.
Open target in Olly, u should see first line: PUSHAD hopefully. It depends on UPX and packing method. Not every UPX packed app has PUSHAD. At least I know some. Then scroll down a bit and u will see POPAD and after this jmp to OEP.
Put BP on your POPAD (if it is the right one), press F9 in Olly, Olly breaks, press F8 2x and u will hopefully land at OEP. Dump this target with Olly dump plugin and if u are lucky enough u don't even need to do anything anymore, just run the unpacked app. If it does not run then remember the OEP and fix it with procdump. Sometimes OEP gets fcked up, then use good old IMPREC to recover EXE. It's very easy.
Just take some large app pack with upx and then try to unpack it.
Best way to learn is to make experiments and learn from your mistakes.
I learned all this by this way. And of course thanks to BIW tuts.
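
Added example, not part of the thread: a static check for the POPAD / JMP tail described in the posts above, useful when triaging a packed sample without running it. It decodes the rel32 jump and reports the target as the OEP candidate; `find_oep_jumps`, `max_gap` and the padding bytes around the six bytes quoted in the first post are assumptions made for this sketch.

```python
import struct

POPAD = 0x61      # restores the registers saved by the stub's PUSHAD
JMP_REL32 = 0xE9  # near jump with a 32-bit signed displacement


def find_oep_jumps(code: bytes, base_va: int, max_gap: int = 16):
    """Return (popad_va, jmp_va, target_va) for each POPAD followed within
    max_gap bytes by a JMP rel32 whose target lies below the scanned code.

    This is a byte-pattern heuristic, not a disassembler: 0x61 or 0xE9 can
    also occur as operand bytes, so treat every hit as a candidate only.
    """
    hits = []
    for i, byte in enumerate(code):
        if byte != POPAD:
            continue
        # Some stubs place a few instructions between POPAD and the jump.
        for j in range(i + 1, min(i + 1 + max_gap, len(code) - 4)):
            if code[j] != JMP_REL32:
                continue
            (disp,) = struct.unpack_from("<i", code, j + 1)
            # rel32 is relative to the address of the next instruction.
            target = (base_va + j + 5 + disp) & 0xFFFFFFFF
            # The final jump leaves the stub backwards, into the section
            # that was just decompressed.
            if target < base_va:
                hits.append((base_va + i, base_va + j, target))
                break
    return hits


# Constructed sample: two NOPs of padding, the six bytes from the listing
# in the first post (61 / E9 9C A1 E8 FF at 0068D3F2), two zero bytes.
SAMPLE_VA = 0x0068D3F0
SAMPLE = b"\x90\x90" + bytes.fromhex("61E99CA1E8FF") + b"\x00\x00"

if __name__ == "__main__":
    for popad_va, jmp_va, target in find_oep_jumps(SAMPLE, SAMPLE_VA):
        print(f"POPAD {popad_va:08X}  JMP {jmp_va:08X} -> {target:08X}")
```
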
Khaosgott96
Frequent poster
Joined: 15 Aug 2005
Posts: 74

Posted: Mon Sep 26, 2005 4:58 pm

you could also write an inline patch ;)

regards
parabytes
Frequent poster
Joined: 14 Apr 2005
Posts: 92
Location: Israel

Posted: Sat Oct 08, 2005 9:46 am

Isn't it all clearer and easier to just use 'upx -d' :)
_________________
thoughts roam free and endless..
tanatos
Frequent poster
Joined: 16 Feb 2005
Posts: 68

Posted: Sat Oct 08, 2005 11:27 am    Post subject: hmmm

execute that jump you are on and you are into the unpacked exe...(unpacked in pc memory) and from there (guessin you are usin olly) do a string search and look for strings shown in the 30days trial...waitin for further results... :D
tgo
New to the board
Joined: 02 Oct 2005
Posts: 3

Posted: Sat Oct 08, 2005 4:25 pm

if you didn't understand the olly way then upx -d or peid should handle it
All times are GMT + 1 Hour