  1. #1
    BadBlood's Avatar
    Join Date
    Jul 2010
    Gender
    male
    Posts
    470
    Reputation
    11
    Thanks
    182
    My Mood
    Chatty

    [TUT] How To Unpackable UPX

    This program you can download from the UPX site.

    What does this program do?
    For the people that have (not) seen my post about manually protecting your UPX executable:
    This program makes sure your UPX protected executable can not be unpacked with the upx -d parameter. This is easy to bypass, but it's packed with UPX, what would you expect?

    Can this be bypassed?
    Of course this can be bypassed; anyone with a bit of reversing knowledge can reverse the program by hand, or probably modify the UPX executable (or re-compile a new binary from the source) and bypass the check so it continues with the actual unpacking.

    Brief overview of what UPX is and what it can do (if you haven't seen my other topic about doing it manually).

    Code:

    [php]UPX achieves an excellent compression ratio and offers very fast decompression. Your executables suffer no memory overhead or other drawbacks for most of the formats supported, because of in-place decompression. UPX strengths in a nutshell:
    * excellent compression ratio: typically compresses better than WinZip/zip/gzip, use UPX to decrease the size of your distribution!
    * very fast decompression: ~10 MB/sec on an ancient Pentium 133, ~200 MB/sec on an Athlon XP 2000+.
    * no memory overhead for your compressed executables because of in-place decompression.
    * safe: you can list, test and unpack your executables. Also, a checksum of both the compressed and uncompressed file is maintained internally.
    * universal: UPX can pack a number of executable formats.
    * portable: UPX is written in portable endian-neutral C++.
    * extendable: because of the class layout it's very easy to add new executable formats or new compression algorithms.
    * free: UPX is distributed with full source code under the GNU General Public License[/php]

    1. Protect your executable with UPX.

    2. Drag and drop your program on the Unpackable UPX executable.

    3. Your program can't be unpacked with the upx -d parameter.

    And there we go, it's as simple as that. If you would like to patch all strings that contain UPX in the executable you could do the following.

    Code:

    [php]// Reads bytes i, i+1 and i+2, so the surrounding loop must stop 2 bytes before the end of the buffer.
    if((cBuffer[i] == 0x55) && (cBuffer[i + 1] == 0x50) && (cBuffer[i + 2] == 0x58)){
        cBuffer[i] = 0x41;     // Change U (0x55) to A (0x41).
        cBuffer[i + 1] = 0x41; // Change P (0x50) to A (0x41).
        cBuffer[i + 2] = 0x41; // Change X (0x58) to A (0x41).
    }[/php]

    It's best to check if the string contains (UPX0, UPX1, UPX!) and then also rename the (0, 1 or !) as well.
    This can be done by a simple modification, but I'll let you figure that out on your own!

    Source:
    Code:

    [php]#include <windows.h>
    #include <stdio.h>
    #include <stdlib.h> // malloc(), free()

    int main(int argc, char *argv[]){
        if(argc < 2){
            printf("Usage: <Win32UnpackableUPX.exe> <file>\n");
        }else{
            FILE *fFile = fopen(argv[1], "rb");
            if(fFile != NULL){
                printf("File (modified): %s\n", argv[1]);

                fseek(fFile, 0, SEEK_END);
                long lSize = ftell(fFile);
                rewind(fFile);

                // One byte per byte of file. (lSize*sizeof(char *) would over-allocate 4 or 8 times.)
                char *cBuffer = (char *)malloc(lSize);
                if(cBuffer != NULL){
                    if(fread(cBuffer, 1, lSize, fFile) != (size_t)lSize){
                        printf("Unable to read the whole file.\n");
                        free(cBuffer);
                        fclose(fFile);
                        return 0;
                    }
                    fclose(fFile);

                    BOOL bUPX = FALSE;

                    // The pattern is 4 bytes long, so stop 3 bytes before the end of the buffer
                    // (otherwise cBuffer[i + 3] reads past the allocation on the last iterations).
                    for(long i = 0; i + 3 < lSize; i++){
                        if((cBuffer[i] == 0x55) && (cBuffer[i + 1] == 0x50) && (cBuffer[i + 2] == 0x58) && (cBuffer[i + 3] == 0x30)){
                            printf("Found byte pattern at offset: %ld\n", i);
                            // This is the only value we need to change (UPX0), not (UPX1) or (UPX!)
                            cBuffer[i] = 0x41; // Change U (0x55) to A (0x41).

                            bUPX = TRUE;
                        }
                    }

                    if(bUPX == TRUE){
                        fFile = fopen(argv[1], "wb");
                        if(fFile != NULL){
                            fwrite(cBuffer, 1, lSize, fFile);
                            free(cBuffer);
                            fclose(fFile);

                            printf("File %s should be successfully patched!\n", argv[1]);
                        }else{
                            printf("Unable to open file (write binary).\n");
                            free(cBuffer);
                            return 0;
                        }
                    }else{
                        printf("File is not packed by UPX.\n");
                        free(cBuffer);

                        return 0;
                    }
                }else{
                    printf("Error at: malloc()\n");
                    fclose(fFile);
                    return 0;
                }
            }else{
                printf("Unable to open file (read binary).\n");
                return 0;
            }
        }

        getchar();
        return 0;
    }
    [/php]

    Binary Or Download: Attached

    VirusTotal - Free Online Virus, Malware and URL Scanner

    Win32Unpackable UPX.exe MD5:207ac9d4e56386bceea301f521d7e557 - VirSCAN.org Scanners did not find malware!
    Last edited by AVGN; 10-09-2010 at 05:12 PM.
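    Added example (editor's code, not the tool posted above or anything from the UPX project): the post's trick renames the "UPX0" section so that upx -d no longer recognises the file, and the follow-up snippet extends that to UPX1 and UPX!. The posted tool finds the name by scanning every byte of the file for the string, which can also hit a "UPX0" that sits inside section data rather than in a section header. The version below walks the PE section table instead, so only the 8-byte name fields of the section headers are touched, and it renames every section whose name starts with "UPX" (UPX0 -> APX0, UPX1 -> APX1), which covers both passages. The sample image is constructed in memory (three sections and a decoy "UPX0" in the trailing data) and is not a real executable; only the header fields the code reads are filled in.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define E_LFANEW         0x3C  /* offset of the PE header pointer in the DOS header */
#define COFF_HDR_SIZE    20
#define SECTION_HDR_SIZE 40
#define SECTION_NAME_LEN 8

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Locate the section table of a PE image held in memory. Returns its file
 * offset and stores the section count, or 0 if the buffer is not a PE image
 * or its headers run past the end of the buffer. */
static size_t find_section_table(const uint8_t *img, size_t len, uint16_t *nsec)
{
    if (len < E_LFANEW + 4 || img[0] != 'M' || img[1] != 'Z')
        return 0;
    uint32_t pe = rd32(img + E_LFANEW);
    if (pe > len || len - pe < 4 + COFF_HDR_SIZE || memcmp(img + pe, "PE\0\0", 4) != 0)
        return 0;
    uint16_t count   = rd16(img + pe + 6);   /* NumberOfSections */
    uint16_t optsize = rd16(img + pe + 20);  /* SizeOfOptionalHeader */
    size_t table = (size_t)pe + 4 + COFF_HDR_SIZE + optsize;
    if (table > len || (len - table) / SECTION_HDR_SIZE < count)
        return 0;
    *nsec = count;
    return table;
}

/* Copy the name of section idx into out (at least 9 bytes, NUL-terminated).
 * Returns 1 on success, 0 if idx is out of range or img is not a PE image. */
int get_section_name(const uint8_t *img, size_t len, unsigned idx, char *out)
{
    uint16_t nsec;
    size_t table = find_section_table(img, len, &nsec);
    if (!table || idx >= nsec) return 0;
    memcpy(out, img + table + (size_t)idx * SECTION_HDR_SIZE, SECTION_NAME_LEN);
    out[SECTION_NAME_LEN] = '\0';
    return 1;
}

/* Rename every section whose name starts with "UPX" so it starts with "APX".
 * Only the name field of each section header is changed; section data and the
 * file layout stay as they are. Returns the number of sections renamed, or -1
 * if img is not a PE image. */
int rename_upx_sections(uint8_t *img, size_t len)
{
    uint16_t nsec;
    size_t table = find_section_table(img, len, &nsec);
    if (!table) return -1;
    int renamed = 0;
    for (unsigned i = 0; i < nsec; i++) {
        uint8_t *name = img + table + (size_t)i * SECTION_HDR_SIZE;
        if (memcmp(name, "UPX", 3) == 0) { name[0] = 'A'; renamed++; }
    }
    return renamed;
}

/* Constructed sample (assumption, not a real file): a minimal PE32-shaped
 * buffer with the three sections a UPX-packed file has (UPX0, UPX1, .rsrc),
 * followed by 4 bytes of fake section data that spell "UPX0". A raw byte
 * scan would patch those too; the section-table walk leaves them alone.
 * Returns the image length, or 0 if cap is too small. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    const uint32_t pe_off = 0x80;
    const uint16_t optsize = 224;            /* PE32 optional header size */
    const char *names[3] = { "UPX0", "UPX1", ".rsrc" };
    size_t table = pe_off + 4 + COFF_HDR_SIZE + optsize;
    size_t total = table + 3 * SECTION_HDR_SIZE + 4;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + E_LFANEW, pe_off);
    memcpy(buf + pe_off, "PE\0\0", 4);
    wr16(buf + pe_off + 4, 0x14c);           /* Machine: i386 */
    wr16(buf + pe_off + 6, 3);               /* NumberOfSections */
    wr16(buf + pe_off + 20, optsize);        /* SizeOfOptionalHeader */
    wr16(buf + pe_off + 24, 0x10b);          /* optional header magic: PE32 */
    for (int i = 0; i < 3; i++)
        memcpy(buf + table + (size_t)i * SECTION_HDR_SIZE, names[i], strlen(names[i]));
    memcpy(buf + total - 4, "UPX0", 4);      /* decoy bytes inside section data */
    return total;
}

int main(void)
{
    uint8_t img[1024];
    char name[SECTION_NAME_LEN + 1];
    size_t len = build_sample_image(img, sizeof img);
    printf("renamed %d section(s)\n", rename_upx_sections(img, len));
    for (unsigned i = 0; get_section_name(img, len, i, name); i++)
        printf("section %u: %s\n", i, name);
    return 0;
}
```

    To use it on a real file, read the whole file into a buffer, call rename_upx_sections() on it and write it back; the functions refuse anything that is not a well-formed PE header instead of reading past the end of the buffer. As the post says, this only defeats the stock upx -d: the compressed data and the unpacking stub are untouched, so renaming the sections back, or dumping the process after the stub has run, still recovers the original.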

  2. #2
    scimmyboy's Avatar
    Join Date
    Jan 2008
    Gender
    male
    Location
    http://mpgh.net MPGHCash: $442,596,199
    Posts
    5,649
    Reputation
    26
    Thanks
    894
    My Mood
    Happy
    stupid thread is stupid.

    upx has its own built in unpacker

  3. #3
    AVGN's Avatar
    Join Date
    Sep 2009
    Gender
    male
    Location
    Making America Great Again.
    Posts
    15,451
    Reputation
    1549
    Thanks
    6,234
    scan the rar not the exe



    ^Thanks to RJ^




  4. #4
    Timboy67678's Avatar
    Join Date
    Jul 2010
    Gender
    male
    Posts
    82
    Reputation
    25
    Thanks
    80
    My Mood
    Aggressive
    Is it me or is virustotal.com down?

  5. #5
    Mr.Magicman's Avatar
    Join Date
    Sep 2009
    Gender
    male
    Location
    Sitting in my cave full of thoughts learning Asembly
    Posts
    2,103
    Reputation
    16
    Thanks
    646
    My Mood
    Cold
    That was actually a bit clever! Now I have loads of stuff I'm going to add to my future releases.

  6. #6
    coogle007's Avatar
    Join Date
    Dec 2009
    Gender
    male
    Posts
    267
    Reputation
    18
    Thanks
    297
    My Mood
    Aggressive
    Clever, I hope it works..
    My last Hack D3d Chams/Esp/Opk/Telekill
    I like the blues and every day I have to sing
    because I have kept quiet and now is the time to let off steam
    I am vulgar and I know that in life I will play
    for those who have hang-ups and don't want them
    I like the sugar that sinks into the coffee
    and with a pinch of anise, but who better than me
    I've got the nerve and I do whatever I feel like
    because I'm blues and I don't want to change

  7. #7
    seeplusplus's Avatar
    Join Date
    Sep 2010
    Gender
    male
    Location
    Massachusetts
    Posts
    329
    Reputation
    8
    Thanks
    85
    Leeched! Can I post the link?
    Goals:
    Green = Done
    Blue = Getting Somewhere
    Red = Not Done
    • Mouse Grid
    • PTC Method
    • Trigger Bot

    I'm trying to think of more stuff!

  8. #8
    Synns's Avatar
    Join Date
    May 2007
    Gender
    male
    Posts
    5,176
    Reputation
    170
    Thanks
    2,554
    My Mood
    Bitchy
    Where is the credit to Skilinium?

  9. #9
    AVGN's Avatar
    Join Date
    Sep 2009
    Gender
    male
    Location
    Making America Great Again.
    Posts
    15,451
    Reputation
    1549
    Thanks
    6,234
    OP FAILED TO FOLLOW RULES

    /CLOSED



    ^Thanks to RJ^




  10. #10
    Ali's Avatar
    Join Date
    Apr 2009
    Gender
    male
    Location
    Qc, Canada
    Posts
    11,453
    Reputation
    342
    Thanks
    3,514
    My Mood
    Cool
    Quote Originally Posted by AVGN View Post
    OP FAILED TO FOLLOW RULES

    /CLOSED
    And you failed to close the thread.
    /Closed for real.
