Unknown UPX protector
I stumbled onto an unknown UPX protector a while back. The stub is easy to recognize and fingerprint, and the unpacking is just as easy.
This is what the stub looks like in IDA Pro (the post also links to the same code rendered as an IDA flowchart):
UPX1:0040D2B4 public start
UPX1:0040D2B4 start proc near
UPX1:0040D2B4 mov dword ptr [ebp-4], offset loc_40D36B
UPX1:0040D2BB push 4 ; uType
UPX1:0040D2BD push 0 ; lpCaption
UPX1:0040D2BF push 0 ; lpText
UPX1:0040D2C1 push 0FFFBFFFFh ; hWnd
UPX1:0040D2C6 call ds:MessageBoxA
UPX1:0040D2CC test eax, eax
UPX1:0040D2CE jle short loc_40D2D8
UPX1:0040D2D0 push 0 ; uExitCode
UPX1:0040D2D2 call ds:ExitProcess
UPX1:0040D2D8 ; ---------------------------------------------------------------------------
UPX1:0040D2D8
UPX1:0040D2D8 loc_40D2D8: ; CODE XREF: start+1Aj
UPX1:0040D2D8 mov eax, [ebp-4]
UPX1:0040D2DB mov eax, [eax+4]
UPX1:0040D2DE sub eax, 3
UPX1:0040D2E1 mov ecx, [ebp-4]
UPX1:0040D2E4 mov [ecx+4], eax
UPX1:0040D2E7 and dword ptr [ebp-0Ch], 0
UPX1:0040D2EB jmp short loc_40D2F4
UPX1:0040D2ED ; ---------------------------------------------------------------------------
UPX1:0040D2ED
UPX1:0040D2ED loc_40D2ED: ; CODE XREF: start+75j
UPX1:0040D2ED mov eax, [ebp-0Ch]
UPX1:0040D2F0 inc eax
UPX1:0040D2F1 mov [ebp-0Ch], eax
UPX1:0040D2F4
UPX1:0040D2F4 loc_40D2F4: ; CODE XREF: start+37j
UPX1:0040D2F4 mov eax, [ebp-4]
UPX1:0040D2F7 mov ecx, [ebp-0Ch]
UPX1:0040D2FA cmp ecx, [eax+4]
UPX1:0040D2FD jnb short loc_40D32B
UPX1:0040D2FF mov eax, [ebp-4]
UPX1:0040D302 mov eax, [eax+4]
UPX1:0040D305 sub eax, [ebp-0Ch]
UPX1:0040D308 mov ecx, [ebp-4]
UPX1:0040D30B mov ecx, [ecx]
UPX1:0040D30D mov edx, [ebp-4]
UPX1:0040D310 mov eax, [ecx+eax-1]
UPX1:0040D314 xor eax, [edx+0Ch]
UPX1:0040D317 mov ecx, [ebp-4]
UPX1:0040D31A mov ecx, [ecx+4]
UPX1:0040D31D sub ecx, [ebp-0Ch]
UPX1:0040D320 mov edx, [ebp-4]
UPX1:0040D323 mov edx, [edx]
UPX1:0040D325 mov [ecx+edx-1], eax
UPX1:0040D329 jmp short loc_40D2ED
UPX1:0040D32B ; ---------------------------------------------------------------------------
UPX1:0040D32B
UPX1:0040D32B loc_40D32B: ; CODE XREF: start+49j
UPX1:0040D32B mov eax, [ebp-4]
UPX1:0040D32E mov eax, [eax+8]
UPX1:0040D331 mov [ebp-8], eax
UPX1:0040D334 mov eax, [ebp-8]
UPX1:0040D337 jmp eax
UPX1:0040D337 start endp
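The loop between loc_40D2F4 and loc_40D329 is the whole "protection": it walks a region backwards one byte at a time, XORing each overlapping dword with a 32-bit key taken from a small descriptor at loc_40D36B (the pointer kept in [ebp-4]: +0 region pointer, +4 length, +8 jump target, +0Ch key). The following is an added Python model of that loop, not code from the protector or from the original post. It shows that the overlapping XORs collapse to one fixed mask per byte, so the region can be decoded from the file on disk without running the stub; the descriptor contents, the key 0x0BADF00D and the "packed" sample bytes are constructed for the example, and mapping the descriptor's virtual addresses to file offsets is left out.

```python
import struct

# Added example (not the protector's or the author's code): a model of the
# decode loop the stub runs before `jmp eax`, so the region can be recovered
# statically instead of by single-stepping.


def parse_descriptor(blob: bytes, offset: int = 0) -> dict:
    """Read the 16-byte descriptor the stub keeps at loc_40D36B ([ebp-4]):
        +0   pointer to the region to decode
        +4   length of that region
        +8   address jumped to afterwards (the normal UPX stub)
        +0C  32-bit XOR key
    The field layout follows the disassembly; `blob` here is a constructed
    sample, not bytes taken from a real file."""
    ptr, length, target, key = struct.unpack_from("<IIII", blob, offset)
    return {"ptr": ptr, "length": length, "target": target, "key": key}


def scrambler_xor(region: bytearray, length: int, key: int) -> bytearray:
    """Exact re-implementation of loc_40D2F4..loc_40D329.
    `sub eax, 3` shortens the count to n = length - 3; iteration i XORs the
    dword at region[n - i - 1] with the key, stepping backwards one byte at
    a time so consecutive dwords overlap. It is pure XOR, so running it a
    second time restores the input: the stub is its own unpacker."""
    n = length - 3                            # sub eax, 3 ; mov [ecx+4], eax
    for i in range(n):                        # cmp ecx, [eax+4] / jnb
        off = n - i - 1                       # [ecx+eax-1] with eax = n - i
        (dw,) = struct.unpack_from("<I", region, off)
        struct.pack_into("<I", region, off, dw ^ key)   # xor eax, [edx+0Ch]
    return region


def effective_mask(length: int, key: int) -> bytes:
    """Collapse the overlapping dword XORs into one fixed mask per byte.
    Byte b is covered by every dword start s in [b-3, b] that the loop
    visits (0 <= s <= length-4) and receives key byte (b - s) each time."""
    kb = key.to_bytes(4, "little")
    n = length - 3
    mask = bytearray(length)
    for b in range(length):
        for s in range(max(0, b - 3), min(n - 1, b) + 1):
            mask[b] ^= kb[b - s]
    return bytes(mask)


def static_unpack(region: bytes, length: int, key: int) -> bytes:
    """Decode with the per-byte mask; no emulation of the loop is needed."""
    return bytes(x ^ m for x, m in zip(region[:length], effective_mask(length, key)))


# Constructed sample: a fake "packed" region plus a matching descriptor.
PLAINTEXT = bytearray(b"first bytes of the real UPX stub")   # 32 bytes, constructed
KEY = 0x0BADF00D                                             # constructed key
PACKED = bytes(scrambler_xor(bytearray(PLAINTEXT), len(PLAINTEXT), KEY))
# ptr and target values below are constructed placeholders, not from the sample.
DESCRIPTOR = struct.pack("<IIII", 0x0040D000, len(PLAINTEXT), 0x0040D3B0, KEY)

if __name__ == "__main__":
    d = parse_descriptor(DESCRIPTOR)
    print(effective_mask(d["length"], d["key"]).hex())
    print(static_unpack(PACKED, d["length"], d["key"]))
```

Because the mask is constant per byte position (interior bytes are simply XORed with the four key bytes folded together), a file-based unpacker only needs the three descriptor fields, which also makes the key trivially recoverable from any known plaintext such as the first bytes of the standard UPX stub.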
So, nothing really groundbreaking here. Just set a breakpoint on the jmp eax instruction at the bottom and press F9 to run to it. Single-step into it once and you will land on the beginning of the regular UPX stub, which is trivial to unpack. If you want to add this stub to your PEiD database, here’s a signature for you:
[Unknown_UPX_Scrambler vna]
signature = C7 45 FC ?? ?? ?? ?? 6A 04 6A 00 6A 00 68 FF FF FB FF FF 15 ?? ?? ?? ?? 85 C0 7E ?? 6A 00 FF 15 ?? ?? ?? ?? 8B 45 FC 8B 40 04 83 E8 03 8B 4D FC 89 41 04 83 65 F4 00 EB ?? 8B 45 F4 40 89 45 F4 8B 45 FC 8B 4D F4 3B 48 04 73 ?? 8B 45 FC 8B 40 04 2B 45 F4 8B 4D FC 8B 09 8B 55 FC 8B 44 01 FF 33 42 0C 8B 4D FC 8B 49 04 2B 4D F4 8B 55 FC 8B 12 89 44 11 FF EB ?? 8B 45 FC 8B 40 08 89 45 F8 8B 45 F8
ep_only = true
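As an added example (not PEiD's own code, and not from the original post), here is a minimal matcher for the signature line above, enough to check that the pattern really fits the stub bytes from the listing and to fingerprint the same entry point in your own tooling. It handles only the `??` wildcards and the `ep_only` flag; PEiD's real database format has more fields. The sample bytes are assembled from the disassembly above, with the two import-table slot addresses (0x0040E1A0 and 0x0040E1A4) being constructed values that the signature wildcards anyway.

```python
# Added example: a minimal PEiD-style signature matcher (not PEiD's own code).

SCRAMBLER_SIG = (
    "C7 45 FC ?? ?? ?? ?? 6A 04 6A 00 6A 00 68 FF FF FB FF FF 15 ?? ?? ?? ?? "
    "85 C0 7E ?? 6A 00 FF 15 ?? ?? ?? ?? 8B 45 FC 8B 40 04 83 E8 03 8B 4D FC "
    "89 41 04 83 65 F4 00 EB ?? 8B 45 F4 40 89 45 F4 8B 45 FC 8B 4D F4 3B 48 "
    "04 73 ?? 8B 45 FC 8B 40 04 2B 45 F4 8B 4D FC 8B 09 8B 55 FC 8B 44 01 FF "
    "33 42 0C 8B 4D FC 8B 49 04 2B 4D F4 8B 55 FC 8B 12 89 44 11 FF EB ?? "
    "8B 45 FC 8B 40 08 89 45 F8 8B 45 F8"
)


def parse_peid_signature(text: str) -> list:
    """Turn "C7 45 FC ?? ..." into a list of ints, with None for each ?? wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def matches_at(data: bytes, pattern: list, offset: int) -> bool:
    """True if every non-wildcard byte of `pattern` equals data[offset + i]."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def scan(data: bytes, pattern: list, ep_offset: int, ep_only: bool = True) -> list:
    """Return the offsets where the signature matches. With ep_only=True
    (the setting in the signature above) only the entry point is tested,
    as PEiD does; otherwise the whole buffer is searched."""
    if ep_only:
        return [ep_offset] if matches_at(data, pattern, ep_offset) else []
    return [o for o in range(len(data)) if matches_at(data, pattern, o)]


# Constructed stub bytes, encoded from the IDA listing. Relative jump
# displacements follow from the listed addresses; the two FF 15 operands
# (import-table slots) are constructed placeholders covered by wildcards.
STUB_BYTES = bytes.fromhex(
    "C7 45 FC 6B D3 40 00 "              # mov dword ptr [ebp-4], offset loc_40D36B
    "6A 04 6A 00 6A 00 "                 # push 4 / push 0 / push 0
    "68 FF FF FB FF "                    # push 0FFFBFFFFh
    "FF 15 A0 E1 40 00 "                 # call ds:MessageBoxA (slot constructed)
    "85 C0 7E 08 "                       # test eax, eax / jle short loc_40D2D8
    "6A 00 FF 15 A4 E1 40 00 "           # push 0 / call ds:ExitProcess (slot constructed)
    "8B 45 FC 8B 40 04 83 E8 03 8B 4D FC 89 41 04 "   # length -= 3
    "83 65 F4 00 EB 07 "                 # and [ebp-0Ch], 0 / jmp short loc_40D2F4
    "8B 45 F4 40 89 45 F4 "              # loc_40D2ED: counter++
    "8B 45 FC 8B 4D F4 3B 48 04 73 2C "  # loc_40D2F4: cmp counter, length / jnb
    "8B 45 FC 8B 40 04 2B 45 F4 8B 4D FC 8B 09 8B 55 FC 8B 44 01 FF 33 42 0C "
    "8B 4D FC 8B 49 04 2B 4D F4 8B 55 FC 8B 12 89 44 11 FF EB C2 "
    "8B 45 FC 8B 40 08 89 45 F8 8B 45 F8 FF E0 "      # load target / jmp eax
)

if __name__ == "__main__":
    pattern = parse_peid_signature(SCRAMBLER_SIG)
    print(len(pattern), "signature bytes; match at EP:", scan(STUB_BYTES, pattern, 0))
```

The entry point offset is taken from the PE header's AddressOfEntryPoint in real use; here the sample buffer starts at the entry point, so offset 0 is passed directly.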