  1. #1
    *Marneus901*

    Unpacking UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo

    Tools Needed
    PEiD
    OllyDBG
    OllyDump Plugin
    Imprec
    A Brain...

    Instructions
    Go ahead, scan the application with PEiD, to verify that it is packed by
    Code:
    UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
    If it is, then go ahead, open the application with OllyDBG
    Do analyze.
    Then, CTRL+B to search for a binary.
    Code:
    61 E9 87 92 FD FF 00 00 00 00
    Go to the JMP below that, hit F2 (breakpoint), then F9 (Run).
    The application should hit the BP.
    Hit F8 (Step-over)
    You're now at the OEP. So go ahead, right click -> OllyDump -> Make dump.
    Take note of the OEP that OllyDump provides. This is needed later.
    Edit the OEP to the address you landed on.
    Then take down "Start Address" - This is our RVA
    Then take down "Size" - This is needed.

    Now press Dump, save as dumped.exe

    Now, keep OllyDBG open. Go open Imprec, and select the application that's running that we are trying to unpack.
    For OEP - Put in the OEP that OllyDump provided.
    RVA - The "Start Address" that OllyDump provided.
    Size - The "Size" OllyDump provided.

    Hit IAT AutoSearch; if done right, "Found address which may be in the Original IAT. try 'Get Import'" should pop up.
    The RVA and Size will automatically change.
    Then hit 'Get Imports'. All the thunks should be valid:YES.
    If so, then hit Auto Trace just for precautions.
    Then hit 'Fix Dump', and select the dumped.exe

    You unpacked UPX!

    -Marneus901/Circadian


  3. #2
    Gordon`
    Why not simply use the ESP method?


  4. #3
    *Marneus901*
    Didn't feel like it LOL, I would get it confused with ASPack 2.12 because it's the same way (or ub3r freggin similar)


  5. #4
    *Marneus901*
    Well... no edit button pl0x? Wtf.
    Anyways, correction to the binary.
    Code:
    61 E9 ?? ?? ?? ?? 00 00 00 00
    Sorry for the mistake. If an edit button can please show up? (Doesn't show up after I leave) This is also why it's a double post >_>
    Allow an edit button pl0x?


  6. #5
    Leisures
    sure but it doesn't find that either...

  7. #6
    *Marneus901*
    Quote Originally Posted by Leisures
    sure but it doesn't find that either...
    You're trying to unpack Egine.exe for Combat Arms, correct?
    LOL
    I made this tutorial from Combat Arms...


  8. #7
    Leisures
    yes right but as I said before it doesn't find that

  9. #8
    *Marneus901*
    Then you should stay away from learning to hack >_>
    I made a mistake the first post, but I corrected it.


  10. #9
    Leisures
    learning? LOL do u know who i am?

  11. #10
    *Marneus901*
    Do YOU know who I am?
    If you are anyone that has the right to say "Do you know who I am", in the hacking community, should be able to unpack UPX pretty easily... Or at least use OllyDBG with normal ability, and know what type of instructions that the binary creates... And if I was wrong, could find the addresses themselves..

    But then again, the tutorial has been fixed.

    If I went on TeamViewer, to help you, I'm sure you were doing something completely noobish...
    Look for a
    popad (61)
    JMP [Address] (E9 ?? ?? ?? ??)
    DB 00 (00)
    DB 00 (00)

    Noob more pl0x.

    Derduh.
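
An added example, not part of any post in this thread: for an analyst triaging a UPX-packed sample, this shows why the exact signature from post #1 only matches one build while the wildcard form from post #4 matches any, and how the `JMP rel32` displacement resolves to the address the stub jumps to. The load address, filler bytes and second displacement are constructed test values.

```python
import re
import struct

# Exact bytes from post #1 and the wildcard form from post #4.
EXACT = bytes.fromhex("61 E9 87 92 FD FF 00 00 00 00")
WILDCARD = re.compile(rb"\x61\xE9(.{4})\x00{4}", re.DOTALL)


def find_tail_jumps(data, base_va):
    """Return (popad_va, jmp_target_va) for each POPAD / JMP rel32 / zero-pad hit."""
    hits = []
    for m in WILDCARD.finditer(data):
        popad_va = base_va + m.start()
        rel32 = struct.unpack("<i", m.group(1))[0]  # signed little-endian displacement
        # JMP rel32 is relative to the address of the next instruction:
        # popad (1 byte) + E9 opcode and its 4-byte operand (5 bytes).
        target = (popad_va + 1 + 5 + rel32) & 0xFFFFFFFF
        hits.append((popad_va, target))
    return hits


def make_stub(rel32, pad=0x73):
    """Constructed buffer: NOP filler, then the stub tail with the given displacement."""
    return b"\x90" * pad + b"\x61\xE9" + struct.pack("<i", rel32) + b"\x00" * 4


BASE_VA = 0x00427D00           # constructed load address of the buffer
build_a = make_stub(-0x26D79)  # encodes to 87 92 FD FF, the bytes in post #1
build_b = make_stub(-0x1F234)  # constructed second build with another displacement

if __name__ == "__main__":
    for name, buf in (("build_a", build_a), ("build_b", build_b)):
        print(name, "exact signature matches:", EXACT in buf)
        for popad_va, target in find_tail_jumps(buf, BASE_VA):
            print(f"  popad at {popad_va:#010x}, JMP lands at {target:#010x}")
```

The displacement bytes depend on where the stub and the original entry point sit in a given binary, which is why a hard-coded displacement fails on other builds.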


  12. #11
    minorutono
    Quote Originally Posted by Leisures
    sure but it doesn't find that either...
    Uh, it does come up, I got it..

  13. #12
    *Marneus901*
    Quote Originally Posted by minorutono
    Uh, it does come up, I got it..
    pwnt.10char

    EDIT: btw, forgot to let people know, at least with me, unpacking Combat Arms, then opening the unpacked EXE will still make OllyDBG say that it's packed, the OEP is outside the header, etc... As far as I can tell with the unpacked EXE and UPX.exe both being unpacked; Combat Arms is unpacked.


  14. #13
    minorutono
    I just fixed the thing anyways o,o. even with the fails. I hope it works T_T

    Last edited by minorutono; 08-02-2008 at 12:53 AM.

  15. #14
    kevko1991
    I got it to unpack successfully, but when I try to run Combat Arms it's saying that something is corrupt.. What did I do wrong?

  16. #15
    *Marneus901*
    @kevko
    then opening the unpacked EXE will still make OllyDBG say that it's packed, the OEP is outside the header, etc... As far as I can tell with the unpacked EXE and UPX.exe both being unpacked; Combat Arms is unpacked.
    __________________
    @minor
    just talk in PMs. I'll help you (based on your screenshot, your OEP is incorrect.)
    Last edited by *Marneus901*; 08-02-2008 at 10:20 AM.

