Masm & UPX error

Started by dacid, September 03, 2008, 07:54:04 AM


BlackVortex

Quote from: FairLight on September 03, 2008, 10:54:06 PM
@BlackVortex: You are right !

Just tested WinUpack 0.39final and my exe is only 66 kB. ;)

But how can you unpack an upx-packed&scrambled file ?
Err, manually, with a debugger etc. It's beside the point of this thread.

Winupack's compression is unmatched ! But some antiviruses fumble with it and throw "generic threats"

PBrennick

A simple xor encryption is a very good answer to your problem. You can also encode\decode the bytes so that the ASCII is not visible in a Hex Editor. A simple method is as follows:


; Author: Jake Commander
; Copyright The GeneSys Development System
;
; Encode dwLen bytes at pBuff as upper-case hex text at pOutBuff (needs
; 2*dwLen+1 bytes), zero-terminated. Returns the text length in eax.

HexEncode proc uses edi esi ebx pBuff:dword,dwLen:dword,pOutBuff:dword
;---------------------------------------
    mov     ebx, dwLen
    mov     edi, pOutBuff
    test    ebx, ebx
    mov     esi, pBuff
    jz      @F                      ; nothing to encode, just terminate
    .repeat
      movzx   eax, byte ptr [esi]   ; eax = low nibble, ecx = high nibble
      mov     ecx, eax
      add     edi, 2
      shr     ecx, 4
      and     eax, 1111b
      and     ecx, 1111b
      cmp     eax, 10               ; CF = 1 if nibble < 10
      sbb     edx, edx              ; edx = -1 for 0..9, 0 for 10..15
      adc     eax, 0                ; eax = nibble + 1 for 0..9
      lea     eax, [eax+edx*8+'7']  ; nibble+1-8+'7' = '0'+nibble, or nibble+'7' = 'A'+nibble-10
      cmp     ecx, 10
      sbb     edx, edx
      adc     ecx, 0
      shl     eax, 8
      lea     ecx, [ecx+edx*8+'7']
      or      eax, ecx              ; al = high-nibble digit, ah = low-nibble digit
      inc     esi
      mov     [edi-2], ax           ; high digit first, then low digit
      dec     ebx
    .until ZERO?
@@: mov     eax, edi
    mov     byte ptr [edi], 0       ; zero-terminate the hex text
    sub     eax, pOutBuff           ; return the length written
    ret
;---------------------------------------
HexEncode endp

; Author: Jake Commander
; Copyright The GeneSys Development System
;
; Decode the zero-terminated hex text at pHexStr into pOutBuffer; this may be
; the same buffer, since the output is half the size of the input. Stops at the
; first byte below '0' (the terminator), zero-terminates the decoded data and
; returns its length in eax.

HexDecode proc uses esi edi ebx pHexStr:dword,pOutBuffer:dword
;---------------------------------------
    mov     esi, pHexStr
    mov     edi, pOutBuffer
    jmp     @1
@@: and     ebx, 0Fh                ; low nibble
    add     eax, ebx
    mov     [edi], al               ; store the assembled byte
    inc     edi
@1: movzx   edx, byte ptr [esi]     ; first digit of the pair
    cmp     edx, 40h                ; CF = 1 for '0'..'9'
    sbb     ebx, ebx                ; ebx = -1 for '0'..'9', 0 for 'A'..'F'
    sub     edx, 37h                ; 'A'..'F' -> 10..15, '0'..'9' -> -7..2
    and     ebx, 7                  ; +7 correction for '0'..'9'
    inc     esi
    add     ebx, edx                ; digit value; negative for the terminator
    js      @F
    mov     eax, ebx
    shl     eax, 4                  ; high nibble
    mov     [edi], al
    movzx   edx, byte ptr [esi]     ; second digit of the pair
    cmp     edx, 40h
    sbb     ebx, ebx
    sub     edx, 37h
    and     ebx, 7
    inc     esi
    add     ebx, edx
    jns     @B                      ; valid digit: assemble the byte and continue
@@: mov     byte ptr [edi], 0       ; terminate the decoded data
    mov     eax, edi
    sub     eax, pOutBuffer         ; return the decoded length
    ret
;---------------------------------------
HexDecode endp


You develop the encoded data block in a separate program, migrate it into yours and run HexDecode on it at the beginning of your program. Everything is done in situ because when you encode it, it is half the size so we just encode it and terminate it with a zero. So when a person looks at it with a hex editor, they see garbage, when you run your program, you get text. There is nothing secure about this but it prevents someone from very easily changing your name for instance. Doing anything more complicated will just make your program a fun target for the crackers so just do that to keep out the jerks.

If you need an example, I can provide one.

-- Paul
The GeneSys Project is available from:
The Repository or My crappy website
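The encode/decode pair from the post above, redone in C as an added example (not Jake Commander's or the GeneSys code): it keeps the same nibble arithmetic, decodes in situ with a terminator as the post describes, and adds the defender-side view, a scanner that recovers such strings from a blob the way a string finder would. The function names and the sample blob are constructed for this example.

```c
#include <string.h>
/* Nibble -> ASCII with HexEncode's trick: n + (n < 10 ? 1 - 8 : 0) + '7' = '0'+n or 'A'+n-10. */
static char nibble_to_hex(int n) {
    return (char)(n + (n < 10 ? 1 - 8 : 0) + '7');
}
/* HexDecode's digit step: c - 37h, plus 7 when c < 40h. The asm keeps any non-negative
   result, so it would also accept ':'..'@' and 'G' upward; those return -1 here. */
static int hex_digit_value(unsigned char c) {
    int v = (int)c - 0x37 + (c < 0x40 ? 7 : 0);
    return (v < 0 || v > 15 || (c > '9' && c < 'A')) ? -1 : v;
}
/* Upper-case hex encode; out needs 2*len+1 bytes. Returns 2*len. */
size_t hex_encode(const unsigned char *in, size_t len, char *out) {
    for (size_t i = 0; i < len; i++) {
        out[2 * i] = nibble_to_hex(in[i] >> 4);
        out[2 * i + 1] = nibble_to_hex(in[i] & 0xF);
    }
    out[2 * len] = 0;
    return 2 * len;
}
/* In-situ decode as the post describes: output is half the size, so the write never overtakes
   the read. Stops at the first non-hex byte and 0-terminates, so no hex digits trail the text. */
size_t hex_decode_in_place(char *buf) {
    size_t n = 0;
    for (size_t i = 0;; i += 2) {
        int hi = hex_digit_value((unsigned char)buf[i]);
        int lo = hi < 0 ? -1 : hex_digit_value((unsigned char)buf[i + 1]);
        if (lo < 0) break;
        buf[n++] = (char)((hi << 4) | lo);
    }
    buf[n] = 0;
    return n;
}
/* Defender side: count even-length runs of >= min_run hex digits in a blob, decoding the first into out (cap bytes). */
size_t find_hex_runs(const unsigned char *blob, size_t len, size_t min_run, char *out, size_t cap) {
    size_t runs = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && hex_digit_value(blob[i]) >= 0) continue;
        size_t run = i - start;
        if (run >= min_run && run % 2 == 0 && runs++ == 0 && run < cap) {
            memcpy(out, blob + start, run);
            out[run] = 0;
            hex_decode_in_place(out);
        }
        start = i + 1;
    }
    return runs;
}
/* Constructed sample "binary": junk bytes around two hex-encoded strings and one short run. */
static const unsigned char SAMPLE_BLOB[] =
    "\x90\x90" "48656C6C6F2C206D61736D3332" "\x00\xCC" "DEADBEEF" "\xFF" "AB";
```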

hutch--

I just had a play with WinUpack and the results are impressive, but I don't know if it will run on a hardware DEP enabled machine. (I had problems with older packers some time ago: the DEP enabled OS versions would just shut the app down, as many of the older packers did not maintain the distinction between data and code.)

Has anyone tested it on a late OS version on hardware that supports DEP ?
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

BlackVortex

I just tested it on my machine. I enabled DEP in boot.ini and rebooted, all seems to work fine. (on fully updated XP)

Note that some shitty antiviruses don't like it, upload something here to check some nice false alarms:
http://virusscan.jotti.org/

hutch--

I know why it has problems with some of the crappy AV stuff: it starts with MZ but has no MZ header, then starts the PE header at 10h. This will give the low end of heuristic scanning nightmares.