BiW Reversing

Unpacking UPX 1.x, possible self-modifying code

www.reversing.be Forum Index -> Unpacking

Pharaoh
New to the board


Joined: 20 Jul 2006
Posts: 3

Posted: Thu Jul 20, 2006 3:49 pm    Post subject: Unpacking UPX 1.x, possible self-modifying code

I'm relatively new at unpacking UPX, and I have tried LordPE, PEiD, generic unpackers, PE Explorer, ImpREC, and a few others.

The unpacked EXE files I generate with the unpackers do not run, and ImpREC cannot restore the IAT, and neither can the advanced methods in LordPE.

If I use PE Explorer, extract, and run the EXE I get "the entry point in the DLL getactiveobject 'ole32" could not be located". ImpREC cannot restore the IAT tables on that one either.

I try to mimic a tutorial of a simpler program step by step, and Olly iterates through around 100 message boxes of "self-modifying" or "polymorphic" code warnings, and wants to delete the procedure code sections in those areas.

Earlier versions of this program are protected with the SAME UPX version, and Team DVT created a keygen for them, so I know it is possible.

Using DeDe, a Delphi unpacker, on the unpacked EXE from PE Explorer, I can see virtually every TForm and procedure. I can even see the actual registration procedure that runs when you click the "register" button, and view the ASM and calls. TMG Ripper Studio FAILS and crashes on trying to extract and process the datarefs.

The program is AutoRun Design Specialty 4.0.5. Team DVT keygenned 2.0.0.3.

I think trying to get the unpacked EXE might be too much trouble, and ripping the ASM keygen routine might be easier, but TMG Ripper crashes hard. Any ideas or suggestions? I normally tackle simple CD checks and simple registration schemes, but this has really got me irritated and I don't want to give up.
SKiLLa
Frequent poster


Joined: 29 Mar 2005
Posts: 79

Posted: Thu Jul 20, 2006 11:04 pm

I checked the newest version 4.0.0.23. It's packed with UPX v1.x, so the first thing I tried was unpacking it with upx.exe itself. As long as the .exe keeps its original name, the unpacked version runs fine. Pressing [trial] in the unpacked version terminates the process after the nag-screen, but reversing it any further looks pretty easy ...
Soul12
Occasional Poster


Joined: 17 Apr 2005
Posts: 39

Posted: Sat Jul 22, 2006 4:43 pm

This is a normal error, caused by the fact that Delphi apps have a lot of sections... so if you look at the packed .exe it'll only have 4 while the unpacked will probably have 6. In such cases the easiest approach is to use upx.exe itself... and this will reverse the process completely :)

If the UPX has been modified... all you gotta do is add the UPX! tags in the start of the .txt again... and it should unpack.

_________________
Once The Digital War Comes , Crackers Will rule the world
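Soul12's two hints (the section-count difference between the packed and unpacked Delphi binary, and the "UPX!" tag that upx.exe looks for before it will unpack a file) can be checked without running anything. The script below is an added triage example, not code from this thread or from UPX: it walks the PE section table, lists section names, and reports whether the UPX! marker is present anywhere in the file. The sample images it builds are constructed header-only stand-ins, not real executables.

```python
import struct

# Section names the UPX 1.x stub gives its packed image: UPX0 is the empty
# region the original code is decompressed into, UPX1 holds the compressed
# data plus the stub; a .rsrc section is usually carried over as the third.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

def parse_sections(data: bytes):
    """Walk MZ -> PE -> section table; return [(name, virtual_size, raw_size)]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                            # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                   # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rsize))
    return sections

def upx_report(data: bytes) -> dict:
    """Indicators from the thread: section layout (4 packed vs ~6 unpacked for
    this Delphi app) and the 'UPX!' magic upx -d requires. UPX0/UPX1 sections
    with no magic suggest a packed file whose tags were stripped."""
    sections = parse_sections(data)
    names = {name for name, _, _ in sections}
    return {
        "section_count": len(sections),
        "sections": [n.decode("ascii", "replace") for n, _, _ in sections],
        "upx_sections": sorted(n.decode() for n in names & UPX_SECTION_NAMES),
        "upx_magic": b"UPX!" in data,
    }

def build_sample(section_names, with_magic: bool) -> bytes:
    """Constructed minimal PE (headers only, not a real binary) for offline use."""
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x102)
    hdr = struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    secs = b"".join(n.ljust(8, b"\0") + hdr for n in section_names)
    tail = b"UPX!" + b"\0" * 4 if with_magic else b"\0" * 8        # constructed
    return mz + b"PE\0\0" + coff + b"\0" * 0xE0 + secs + tail
```

Run `upx_report(open(path, "rb").read())` on a real file; a UPX0/UPX1 layout with `upx_magic` False is the case where `upx -d` refuses to work until the tag is restored.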
Pharaoh
New to the board


Joined: 20 Jul 2006
Posts: 3

Posted: Sun Jul 23, 2006 9:19 pm

I got it to work!!!!!!!!!!!!!!!

First I used UPX-it to UNPACK the EXE.

Next I loaded it into DeDe and found the TRegForm and the button you click to register after you load in the serial and key.

I got the address of the beginning of TForm.Button1.Click, and found it in Olly.

After entering a name and serial, I found the serial MUST start with "002".

I used an old Eithel Team serial and traced the procedures for a long time, until I saw the beginnings of a serial being created in a series of loops.

It progressively got longer, then shorter, and after about 6 min of hitting F7, it returned to just above the call where "please input name and code again" was called.

Basically, it takes the name, serial, and key, and calls 5 procedures, and the resulting "good" serial is compared by another procedure with the strings in EAX and ECX. All I did was fish the serial in Olly's window and enter it in a still packed version, and voilà, I now have a registered copy.

Thanks for all your help, and I will post a tutorial on this. This is definitely worth learning for newbies like me!!

Are we allowed to post the serials on here, or maybe a working keygen as "solutions" for others to learn from too?
SKiLLa
Frequent poster


Joined: 29 Mar 2005
Posts: 79

Posted: Sun Jul 23, 2006 10:11 pm

I guess a tutorial about the serial-fishing will be appreciated, but I doubt posting working serials or keygens (on a commercial program) here is OK, since one might consider it 'warez' ... but it's good to hear you've tackled it :P