Help needed with UPX protected program


yktan
January 16th, 2003, 01:08
Hi, I'm trying to unpack a program protected by UPX (pe-scan reports possible UPX 0.80 - 1.23) called unwc that can be found at h**p://www.etextwizard.com/download/unwc/unwc.zip

What I've done so far is:
(1) I traced through the unpacking routine and found that the possible OEP is at 4B8290.
(2) I put the program in an infinite loop at the jump and tried to do a full dump with both procdump and lordpe.
(3) After dumping, I tried to change the program entry point to B8290 using PEditor but when I tried to run it, it says "The application failed to initialize properly (0xc0000005). Click on OK to terminate the application."
(4) I did another full dump and used imprec to fix the IAT. But when I tried to run the program, it just disappears.

Can anyone tell me what I've done wrong? I've been fiddling with it for a few days but still can't find the problem. Thank you for your help.

Note: I'm using Win2k, if that will make any difference.

onebitshort
January 16th, 2003, 01:57
upx.exe -d packedfile.exe

yktan
January 16th, 2003, 02:46
Hi onebitshort, I tried to do UPX -d but it tells me:
"upx: unwc.exe: CantUnpackException: header checksum error", that's why I resort to manual unpacking (besides, it's about time I do some practice :P)

squidge
January 16th, 2003, 03:17
You don't need to repair the imports in a UPX packed program as it doesn't mess with them. Just pause the program with something like OllyDbg and dump. Change OEP with something like LordPE and it's done.

4b8290 is the correct OEP, but it seems to be double-packed.

yktan
January 16th, 2003, 04:46
Thanks squidge, for the reply. I've never come across the methods to unpack a double-packed program (I've searched the messageboard without success too). Do you know of any tutorials that I can learn more about it? Thanks a lot for all the help.

squidge
January 16th, 2003, 04:58
basically all you do is unpack the program as normal until it is in running state, and then unpack again until you get through to the main program.

yktan
January 16th, 2003, 05:14
Thanks for the quick reply squidge. From what you said, is this what I should do?
(1) Go on debugging after the jump to 4b8290 until I find another unpacking routine.
(2) Get the jump to the next OEP.
(3) Stall program and dump.
(4) Change PE to correct OEP?

Sorry, just trying to make sure what I'm thinking is correct. Thanks heaps for the help.

onebitshort
January 16th, 2003, 05:19
UPX starts out with pushad, so all you basically have to do is find the first popad that gets called, dump the process, and restore the EP to the OEP. There are also quite a few un-UPX'ers floating around ...
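The pushad/popad landmark onebitshort describes, as an added example that is not code from the thread: a small scanner that checks for `pushad` at the packed entry point and locates the stub tail `popad; jmp rel32` whose jump lands back below the stub, which is the OEP. The stub bytes and the address 0x4B9B40 are constructed for the demo; 4B8290 is the OEP from the thread. Older UPX 1.x stubs end exactly in `popad; jmp`; newer builds may place an esp fixup between the two, which this scanner does not handle.

```python
import struct

IMAGE_BASE = 0x400000          # default image base for a Win32 EXE (assumed)
OEP_VA = 0x4B8290              # OEP yktan found in the thread


def starts_with_pushad(code: bytes) -> bool:
    """UPX's stub saves all registers first, so the packed EP begins with 0x60 (pushad)."""
    return len(code) > 0 and code[0] == 0x60


def find_stub_tail(code: bytes, code_va: int):
    """Scan CODE (mapped at CODE_VA) for 'popad; jmp rel32' (61 E9 xx xx xx xx).

    Returns (popad_va, jmp_target_va) for the first match whose target lies
    inside the image and *before* the popad, i.e. a jump back into the
    unpacked original code, or None if no such tail exists.
    A stray 0x61 byte not followed by E9 is rejected (see the decoy below).
    """
    for i in range(len(code) - 5):
        if code[i] != 0x61 or code[i + 1] != 0xE9:
            continue
        rel = struct.unpack_from('<i', code, i + 2)[0]   # signed rel32 of the jmp
        target = code_va + i + 6 + rel                   # jmp is 5 bytes, starts at i+1
        if IMAGE_BASE <= target < code_va + i:
            return code_va + i, target
    return None


def oep_rva(target_va: int) -> int:
    """Value to write into AddressOfEntryPoint: VA minus image base (4B8290 -> B8290)."""
    return target_va - IMAGE_BASE


def constructed_stub():
    """Constructed stand-in for a UPX1 stub: pushad, a decoy 0x61, filler, then popad; jmp OEP."""
    stub_va = 0x4B9B40                                   # constructed stub address
    body = bytes([0x60, 0x61, 0x90, 0x90, 0x90, 0x90, 0x90])
    jmp_va = stub_va + len(body) + 1                     # popad occupies one byte first
    rel = OEP_VA - (jmp_va + 5)
    return body + bytes([0x61, 0xE9]) + struct.pack('<i', rel), stub_va


if __name__ == '__main__':
    code, va = constructed_stub()
    print('pushad at EP:', starts_with_pushad(code))
    print('tail:', [hex(x) for x in find_stub_tail(code, va)])
```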

squidge
January 16th, 2003, 05:35
yup

Kayaker
January 22nd, 2003, 18:30
OK, people must be getting really bored here lately because now we're starting to correct each other's grammar, which just ain't right ;-) So here's one that those on both sides of the protection fence might want to look at for fun.

RAW DUMP this with Icedump /DUMP and use the Dumpfixer option of PEditor 1.7 (VS=RS, VO=RO) and change the OEP. This is all that's needed, please don't use any fancy-ass tools to rebuild the IT and autodump it and such, it's overkill and often doesn't seem to work with UPX.

Now things get fun, anti- code up the yingyang to marvel over. Anti- regmon, filemon, winhex, winice.exe, trw2000, trw, loader32, w32dasm89, procdump, ollydbg, 202 (winice vxd ID),... probably missed some, didn't even see Meltice. "Monitor Tools Found" and "Debugging Tools Found" strings, and finally a nice filesize check. Can all be circumvented to get a running app, at least runtime.

Just thought I'd pass this on...

Cheers,
Kayaker
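The header surgery that yktan's step (3) and Kayaker's "Dumpfixer (VS=RS, VO=RO) and change the OEP" recipe both describe, as an added example in Python rather than PEditor (not code from the thread): on a raw memory dump every section already sits at its virtual offset, so each section's raw size/offset is set equal to its virtual size/address and AddressOfEntryPoint is rewritten to the OEP RVA. The tiny PE image is constructed inline; the section layout and the packed EP 0xB9B40 are made up, the OEP 4B8290 comes from the thread.

```python
import struct

OEP_VA = 0x4B8290     # OEP from the thread; RVA B8290 once ImageBase 0x400000 is subtracted


def build_dumped_pe() -> bytearray:
    """Constructed PE32 header laid out like a raw dump of a UPX-packed EXE."""
    img = bytearray(0x400)
    img[0:2] = b'MZ'
    struct.pack_into('<I', img, 0x3C, 0x80)               # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b'PE\0\0'
    # COFF: i386, 2 sections, 224-byte optional header, EXECUTABLE_IMAGE|32BIT
    struct.pack_into('<HHIIIHH', img, pe + 4, 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = pe + 24
    struct.pack_into('<H', img, opt, 0x10B)               # PE32 magic
    struct.pack_into('<I', img, opt + 16, 0xB9B40)        # EP still inside the UPX1 stub
    struct.pack_into('<I', img, opt + 28, 0x400000)       # ImageBase
    struct.pack_into('<II', img, opt + 32, 0x1000, 0x200) # SectionAlignment, FileAlignment
    secs = [(b'UPX0', 0xB7000, 0x1000, 0, 0x400),         # UPX0 has no raw data on disk
            (b'UPX1', 0x2000, 0xB8000, 0x1E00, 0x400)]
    for i, s in enumerate(secs):
        struct.pack_into('<8sIIII', img, opt + 224 + i * 40, *s)
    return img


def _headers(img):
    e_lfanew = struct.unpack_from('<I', img, 0x3C)[0]
    assert img[e_lfanew:e_lfanew + 4] == b'PE\0\0', 'not a PE image'
    coff = e_lfanew + 4
    nsec = struct.unpack_from('<H', img, coff + 2)[0]
    opt_size = struct.unpack_from('<H', img, coff + 16)[0]
    opt = coff + 20
    assert struct.unpack_from('<H', img, opt)[0] == 0x10B, 'PE32 only'
    return opt, opt + opt_size, nsec


def fix_dump(img: bytearray, oep_va: int) -> bytearray:
    """Dumpfixer: raw size = virtual size, raw offset = virtual address, EP = OEP RVA."""
    opt, sec, nsec = _headers(img)
    image_base = struct.unpack_from('<I', img, opt + 28)[0]
    struct.pack_into('<I', img, opt + 16, oep_va - image_base)     # AddressOfEntryPoint
    sect_align = struct.unpack_from('<I', img, opt + 32)[0]
    struct.pack_into('<I', img, opt + 36, sect_align)              # FileAlignment = SectionAlignment
    for i in range(nsec):
        off = sec + i * 40
        vsize, va = struct.unpack_from('<II', img, off + 8)
        struct.pack_into('<II', img, off + 16, vsize, va)          # SizeOfRawData, PointerToRawData
    return img


def describe(img):
    """Return (entry point RVA, [(name, vsize, va, rawsize, rawoff), ...]) for checking."""
    opt, sec, nsec = _headers(img)
    ep = struct.unpack_from('<I', img, opt + 16)[0]
    out = []
    for i in range(nsec):
        name, vs, va, rs, ro = struct.unpack_from('<8sIIII', img, sec + i * 40)
        out.append((name.rstrip(b'\0').decode(), vs, va, rs, ro))
    return ep, out
```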

squidge
January 22nd, 2003, 19:25
Hmmmmm.....

JMI
January 23rd, 2003, 12:11
This "people" ain't really bored. Was only trying to make a small tease by implying, with the start of the sentence, that squige was wrong about his program "not being faulty", when we all know it's not, and then re-directing the implication to a "wrong" common grammatical usage, which squidge correctly understood as just a silly pedantic exercise.

Regards.

esther
January 24th, 2003, 19:41
execrise?

squidge
January 24th, 2003, 20:10
I'm not playing this game anymore, you canna even get me name rate !


Woodmann
January 24th, 2003, 20:29
BWAHAHAHAHAHAAAHAHAHAHAHAH.................

Pops got caught in his own game

Later, Woodmann

squidge
January 24th, 2003, 20:34
Sorry, couldn't resist

JMI
January 24th, 2003, 21:46
Well "xkuse" meeeeee. I never calimed I could sel. In fact I've known for more that 50 years that I kaint. If I could spell, my father probably would have insisted I go to med school instead of the low life I have chosen. But I do regret muspelling "what's his name's, name" Purely unintentional and usually results from too many hours actually sitting here doing actual work on this here machine that has nothing to do with reversing. Also results from a failure to squint hard enough if I happen to not be wearing my glasses at the time. Getting older is hard on the eye sight. Damn I need a secretary who can spell.

Humbugaly (see I can make up words too)

Pups, err, Pops.

(Edit: At the personal request of "what's his name" I identify him for all the world as "SquiDge" with a capital "D" to emphasize its importance, and to remind me, myself, and I to include it always in the future.) And I removed some of the evidence of my past transgression.

Regards.

esther
January 25th, 2003, 11:21
will I blam ma keyboad, itz alwayz stucs on t

ma tapo ers

Woodmann-Wootmann,Wotman

JMI-JEM,JIM

KaYaker-Kayakor,Kayako

esther-assther-askther,eater

Retards

squidge
January 25th, 2003, 13:21
So you think it's funny do ya to miss of my name on yer list?


JMI
January 25th, 2003, 13:45
As my son would say... It was my bad.

/me is so ashamed, /me goes back to study me dictionary and improves me eyesight. Surgery might help. Perhaps a frontal lobotomy??

mea culpa, mea maxima culpa.

Regards.

squidge
January 25th, 2003, 14:48
It doesn't seem like you've edited the post to include my name as of yet...


Woodmann
January 25th, 2003, 16:22
esther,
You make me laugh too hard...........

Woodmann

JMI
January 25th, 2003, 16:42
Woodmann-Wootmann,Wotman:

Don't laugh too hard, you could hurt yourself.

Regards.

esther
January 26th, 2003, 09:30
>>So you think it's funny do ya to miss of my name on yer list?

Ya won me to flam ya?

http://www.geocities.com/SouthBeach/Lagoon/9819/squidge.html

http://www.agentland.com/Download/Intelligent_Agent/244.html


dum thiz iz off topic

Regrets

squidge
January 26th, 2003, 11:16
Errr... Thanks.... Bitch

Kayaker
January 26th, 2003, 13:49
What have I wrot, er wrought? Sorry I brought it up....

squidge
January 26th, 2003, 14:19
Yeah, Kayaker, it's all your fault

esther
January 27th, 2003, 07:55
Stop Bit'ching Kayaker ya bitch
Btw Why didn't delete all thiz weird post

squidge
January 27th, 2003, 08:06
No delete coz it funee