Unusual UPX activity


SiGiNT
December 14th, 2005, 11:13
I've encountered a file that seems to have an unusual version of UPX. I've never had problems unpacking UPX with commonly available tools - this one exhibits a Dillo-like property - it creates a child process in Documents and Settings labeled TCLXX.TMP, where XX = a number in multiples of 5; the child appears to contain the IAT - one utility reports unpacking it successfully but it will not run - complaining it can't create TCL.SETUP - Access Denied. RDG reports UPX .86-1.24 - is this unusual and I've just never noticed it before? Or is this a new strain?

SiGiNT

Polaris
December 14th, 2005, 12:44
Is the file available somewhere?

SiGiNT
December 14th, 2005, 13:14
Polaris,

Check your PM.

SiGiNT

Polaris
December 14th, 2005, 14:46
Maybe I am missing something, but:

Quote:
Ultimate Packer for eXecutables
Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004
UPX 1.25w Markus F.X.J. Oberhumer & Laszlo Molnar Jun 29th 2004

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   2270615 <-   1198487   52.78%    win32/pe     *******.exe

Unpacked 1 file.


and the resulting file is just a plain VC++ 6 executable:

Quote:
.text:0040C1F0 ; int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)
.text:0040C1F0 __stdcall WinMain(x, x, x, x) proc near ; CODE XREF: start+12Fp
.text:0040C1F0
.text:0040C1F0 hInstance = dword ptr 4
.text:0040C1F0 hPrevInstance = dword ptr 8
.text:0040C1F0 lpCmdLine = dword ptr 0Ch
.text:0040C1F0 nShowCmd = dword ptr 10h
.text:0040C1F0
.text:0040C1F0 sub esp, 120h
.text:0040C1F6 push ebx
.text:0040C1F7 push ebp
.text:0040C1F8 push esi
.text:0040C1F9 push edi
.text:0040C1FA push offset unk_40C3F0
.text:0040C1FF call loc_450810
.text:0040C1FF
.text:0040C204 push offset unk_56A6B8
.text:0040C209 push 0
.text:0040C20B mov dword_56A6B4, 1
.text:0040C215 call ds:setlocale
.text:0040C215
.text:0040C21B add esp, 0Ch
.text:0040C21E call ds:GetCommandLineA
.text:0040C21E
.text:0040C224 mov ebx, eax
.text:0040C226 mov ebp, 2


Are you sure you sent me the correct link?

SiGiNT
December 14th, 2005, 15:41
Polaris,

I admit I'm a total idiot when it comes to unpacking UPX - I've never encountered one that a few utilities I have couldn't handle - what did you use to unpack this - it appears that it was done with a utility. What really puzzled me is 3/4 of the time PE Explorer has no problem - with this one using PE Explorer came close to locking up 2 different computers - even after closing everything and no visible unusual processes running I had a cyclic usage of the cpu that forced me to re-boot.

SiGiNT

Chalk it up to a BRAIN FART (and a loud one!!), I downloaded upx and geewiz - it's unpacked!

Thinking about changing my sig to "Sometimes it's so fucking simple you waste a lot of time finding out"

Polaris
December 14th, 2005, 17:06
Don't worry, you have now learned that UPX can be used to unpack too.... Also, imho, you should stop using PEXplorer and start doing some manual unpacking using ollydebugger... This way you will actually learn how UPX packing works.

Keep it up!

SiGiNT
December 14th, 2005, 18:05
I'm a fair reverser - when the target is not packed, but I hate unpacking stuff manually (yeah, I know, it comes with the territory); it's kinda like opening the child-proof lid to get to the Viagra.

SiGiNT

LLXX
December 15th, 2005, 05:41
Hmm... "Dillo-like property"? It might not have been completely unpacked yet. I've seen a few apps that were first packed with a drop-and-run scheme as you described (the decompressor is written in VC++ 6 and seems to nearly always use flate compression) and then further packed with UPX.

I've unpacked many UPXs manually... and never do they drop-and-run. The decompression is always performed in memory. There is probably another layer of compression.
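The distinction LLXX draws here (UPX decompresses in memory; a drop-and-run layer writes files) is what you would triage for before reaching for a debugger. The script below is an added example, not code posted in this thread and not part of UPX itself. It parses the PE section table and reports the indicators a UPX layer leaves behind (section names beginning with "UPX", the "UPX!" marker in the packer header, an all-virtual first section) plus per-section Shannon entropy, which flags compressed payload even after the UPX layer is gone and only the second (flate) layer remains. The two sample images it analyses are constructed in the script so it runs offline; the header layout, section names and payload bytes are all synthetic.

```python
"""Static triage of a PE image for UPX packing indicators (constructed example).

Indicators checked:
  * section names beginning with "UPX" (UPX names its sections UPX0/UPX1)
  * the "UPX!" marker UPX stores in its own header block
  * an all-virtual first section (UPX0 has zero raw size and is filled in
    memory by the stub at run time)
  * per-section Shannon entropy: anything above ~7 bits/byte is compressed or
    encrypted, so a second flate layer still shows once UPX has been removed
"""
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is uniformly random, 0.0 is a constant byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                   # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections


def upx_indicators(pe: bytes) -> dict:
    """Summarise the UPX-related indicators of one PE image."""
    sections = parse_sections(pe)
    first = sections[0] if sections else None
    return {
        "upx_section_names": any(s["name"].startswith("UPX") for s in sections),
        "upx_magic": b"UPX!" in pe,
        "empty_first_section": bool(first and first["raw_size"] == 0 and first["virtual_size"] > 0),
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] > 7.0],
        "sections": sections,
    }


def build_sample_pe(section_specs, marker: bytes = b"") -> bytes:
    """Construct a minimal PE32 image; section_specs is [(name, raw_bytes, virtual_size)]."""
    num, opt_size, file_align = len(section_specs), 0xE0, 0x200
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * num + len(marker)
    raw_start = -(-headers_len // file_align) * file_align   # round up to FileAlignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 optional-header magic
    table, data, raw_ptr, vaddr = b"", b"", raw_start, 0x1000
    for name, raw, vsize in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0xE0000060)
        data += raw
        raw_ptr += len(raw)
        vaddr += (vsize + 0xFFF) & ~0xFFF
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + marker
    return image.ljust(raw_start, b"\0") + data


# Constructed samples: a UPX-style layout carrying a random (compressed-looking) payload,
# and a plain VC++-style layout with repetitive code bytes and readable strings.
_rng = random.Random(2005)
UPX_LIKE = build_sample_pe([
    (b"UPX0", b"", 0x10000),
    (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)), 0x2000),
    (b".rsrc", b"\0" * 256, 0x1000),
], marker=b"UPX!")
PLAIN = build_sample_pe([
    (b".text", bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x20, 0x53, 0x56]) * 256, 0x1000),
    (b".rdata", b"setlocale\0GetCommandLineA\0" * 16, 0x1000),
    (b".data", b"\0" * 512, 0x1000),
])

if __name__ == "__main__":
    for label, img in (("upx-like", UPX_LIKE), ("plain", PLAIN)):
        report = upx_indicators(img)
        print(label, {k: v for k, v in report.items() if k != "sections"})
        for s in report["sections"]:
            print("   ", s)
```

On a real sample, read the file into `pe` and call `upx_indicators(pe)`. A clean result from this check after `upx -d` but with a section still sitting near 8 bits/byte is exactly the "another layer underneath" situation described above; a result with ordinary section names and low entropy is the plain VC++ 6 binary Polaris saw.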

SiGiNT
December 15th, 2005, 11:33
This was a little Mickey Mouse puzzle-generating prog. The "child processes" seem to be different puzzle templates - it has many running at the same time - the author was very clever writing this one; when you enter a serial it won't break on a common API, or any that I've found - the only way I've found to break on the serial routine is to bring up the reg screen - which puts it in an endless loop, and animate over, then quickly pause olly when it hesitates. The serial is 4 groups of 3 numbers; they have to be fished out one group at a time. - In short, a reg. routine written by a puzzle maker.

SiGiNT