The MASM Forum Archive 2004 to 2012

General Forums => The Workshop => Topic started by: n-w on February 19, 2005, 10:27:33 AM

Title: how does a program like upx work
Post by: n-w on February 19, 2005, 10:27:33 AM
Hi!

I want to write a packer like upx. My problem is the headers - is it possible to pack more than only the code + data segments?

What about the section table? If I pack it, I lose all the addresses of my imports. I could write the unpacked code to a file and start it, but is it also possible to do it all in memory?
Title: Re: how does a program like upx work
Post by: pbrennick on February 19, 2005, 11:40:07 PM
In memory is the only place that anything gets done, so I don't get the question.  As far as writing a packer goes, do you have any programming experience?  Do you know what a PE is (it ain't what you do several times a day)?  I am sorry, but you have shown up totally unknown and ...

Paul
Title: Re: how does a program like upx work
Post by: n-w on February 20, 2005, 06:40:32 AM
If I disassemble a upx-packed dll, there are fewer functions than before. That means every address of a "lost" function must be loaded by LoadLib + GetProcAdr?
Furthermore there are fewer sections than before. So I think upx removes the section in which the strings of the import functions were + writes some of those functions in another section.
And another question - how is it possible to get the space for the unpacked data in memory? By VirtualAlloc?

@ Paul:
So far I have not written a packer, but a program with self-modifying code (only .data+.text sections were crypted -> always same size + no changes in PE header -> easy).

Sorry for my bad English.
Title: Re: how does a program like upx work
Post by: Ghirai on February 20, 2005, 08:43:08 AM
UPX is open source, you could take a look.
Also, there are lots of open-source packers out there, just look for them.
Title: Re: how does a program like upx work
Post by: thomasantony on February 21, 2005, 06:29:51 AM
Hi,
    Been some time since I have been here. The packer basically makes a separate section in the PE header for itself and the unpacking code resides there. The entry point in the PE header points into this section. This unpacker 'stub' then unpacks the code, data and imports to somewhere in memory.  It has to rebuild the imports if it encrypted them, using LoadLibrary, GetProcAddress. Then after everything is done, it jumps to the OEP or Original Entry Point, which is where the actual code is unpacked to. This can be different for different packers. E.g. I think for FSG, it is 00401000.
Hope this info was useful!!

Thomas Antony :U
Title: Re: how does a program like upx work
Post by: Jibz on February 21, 2005, 09:10:13 AM
The address 401000 is not specific to the packer, but to the executable that is packed. Most linkers produce programs that expect to be loaded at 400000, which means that the sections end up at 401000. Unless the exe contains relocations, the compressor has to decompress the data back to this expected load address.
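The two posts above describe the layout a triager can check for: the entry point pointing into a separate stub section, and a code section that occupies memory but holds no file bytes because the stub fills it at run time, at the image base the linker expected (0x401000 in the usual case). The following example is added here and is not code from the thread or from UPX; it parses only the PE headers, and the two sample images it builds are constructed inline, with section names chosen to mimic UPX's layout.

```python
import struct
# Parse just enough of a PE32/PE32+ image to learn where execution starts.
def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe, = struct.unpack_from("<I", data, 0x3C)                    # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, pe + 4)
    opt = pe + 24                                                 # optional header
    magic, = struct.unpack_from("<H", data, opt)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)         # AddressOfEntryPoint
    # ImageBase is a DWORD at +28 in PE32, a QWORD at +24 in PE32+
    image_base, = struct.unpack_from("<I", data, opt + 28) if magic == 0x10B else struct.unpack_from("<Q", data, opt + 24)
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr})
    return image_base + entry_rva, entry_rva, sections

# Indicators taken from the thread: the stub lives in its own section and the entry point
# targets it, while the original code section occupies memory but carries no file bytes.
def packer_indicators(data):
    entry_va, entry_rva, sections = parse_pe(data)
    entry_sec = next((s for s in sections
                      if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    flags = []
    if entry_sec is not None and entry_sec is not sections[0]:
        flags.append(f"entry point 0x{entry_va:x} lies in {entry_sec['name']}, not the first section")
    for s in sections:
        if s["rawsize"] == 0 and s["vsize"] > 0:
            flags.append(f"{s['name']} reserves 0x{s['vsize']:x} bytes in memory but 0 on disk")
    return {"entry_va": entry_va, "entry_section": entry_sec["name"] if entry_sec else None, "flags": flags}

# Constructed minimal PE32 headers (no real code) so the checks can run offline.
def build_pe(entry_rva, sections, image_base=0x400000):
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0, image_base)
    opt += b"\0" * (0xE0 - len(opt))                              # pad to SizeOfOptionalHeader
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                    for n, vs, va, rs, rp in sections)
    return dos + b"PE\0\0" + coff + opt + secs

# Typical linker output: entry at 0x401000, as Jibz describes.
NORMAL = build_pe(0x1000, [(".text", 0x200, 0x1000, 0x200, 0x400)])
# UPX-style layout: empty UPX0 waiting for unpacked code, stub in UPX1 holding the entry point.
PACKED = build_pe(0x9100, [("UPX0", 0x8000, 0x1000, 0, 0x400), ("UPX1", 0x1000, 0x9000, 0x600, 0x400)])
```

Running `packer_indicators` on a real file's bytes gives the same report; an empty `flags` list only means these two particular indicators are absent, not that the file is unpacked.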
Title: Re: how does a program like upx work
Post by: n-w on February 21, 2005, 09:55:28 AM
Thx!

I think I now understand how those packers work.