
how does a program like upx works

Started by n-w, February 19, 2005, 10:27:33 AM


n-w

Hi!

I want to write a packer like UPX. My problem is the headers: is it possible to pack more than only the code + data segments?

What about the section table? If I pack it, I lose all the addresses of my imports. I could write the unpacked code to a file and start it, but is it also possible to do it all in memory?

pbrennick

In memory is the only place that anything gets done, so I don't get the question. As far as writing a packer goes, do you have any programming experience? Do you know what a PE is (it ain't what you do several times a day)? I am sorry, but you have shown up totally unknown and ...

Paul

n-w

If I disassemble a UPX-packed DLL, there are fewer functions than before. That means every address of a "lost" function must be loaded by LoadLib + GetProcAdr?
Furthermore there are fewer sections than before. So I think UPX removes the section in which the strings of the import functions were + writes some of those functions into another section.
And another question: how is it possible to get the space for the unpacked data in memory? By VirtualAlloc?

@ Paul:
So far I have not written a packer, but a program with self-modifying code (only the .data + .text sections were crypted -> always the same size + no changes in the PE header -> easy).

Sorry for my bad English.

Ghirai

UPX is open source, you could take a look.
Also, there are lots of open-source packers out there, just look for them.
MASM32 Project/RadASM mirror - http://ghirai.com/hutch/mmi.html

thomasantony

Hi,
    Been some time since I have been here. The packer basically makes a separate section in the PE header for itself and the unpacking code resides there. The entry point in the PE header points into this section. This unpacker 'stub' then unpacks the code, data and imports to somewhere in memory. It has to rebuild the imports if it encrypted them, using LoadLibrary, GetProcAddress. Then after everything is done, it jumps to the OEP or Original Entry Point, which is where the actual code is unpacked to. This can be different for different packers. E.g. I think for FSG, it is 00401000.
Hope this info was useful!!

Thomas Antony :U
There are 10 types of people in the world. Those who understand binary and those who don't.



Jibz

The address 401000 is not specific to the packer, but to the executable that is packed. Most linkers produce programs that expect to be loaded at 400000, which means that the sections end up at 401000. Unless the exe contains relocations, the compressor has to decompress the data back to this expected load address.
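The layout Thomas describes (an extra section holding the stub, the PE entry point pointing into it, the original code unpacked elsewhere in memory) and the load address Jibz describes (ImageBase 0x400000, first section at RVA 0x1000) are both visible in the PE headers, which is how an analyst or a scanner recognises a packed file without running it. The following is an added example, not code from this thread or from UPX: a small header parser that reports the image base, the entry point, and the section the entry point lands in, plus a few layout heuristics that commonly accompany a runtime unpacker. The sample PE it inspects is constructed inline (headers only, no real code, section names and values are made up), so the script runs offline.

```python
"""Read PE headers to locate the entry point and judge whether the layout
looks like a packed file. Added example; the sample image is constructed."""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return image base, entry point and section table from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER follows the signature
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        (name, vsize, va, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw_size": rawsize, "raw_pointer": rawptr,
                         "characteristics": chars})
        off += 40
    entry_section = None
    for idx, s in enumerate(sections):
        end = s["virtual_address"] + max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= entry_rva < end:
            entry_section = idx
            break
    return {"machine": machine, "image_base": image_base, "entry_rva": entry_rva,
            "entry_va": image_base + entry_rva, "sections": sections,
            "entry_section": entry_section}


def packer_indicators(info):
    """Layout features that often (not always) accompany an unpacker stub.
    These are heuristics: a legitimate linker can produce some of them too."""
    findings, secs, idx = [], info["sections"], info["entry_section"]
    if idx is None:
        findings.append("entry point lies outside every section")
    elif idx != 0:
        findings.append("entry point is in section %r, not the first section"
                        % secs[idx]["name"])
    for s in secs:
        # far more memory than file bytes: space for the real code to be unpacked into
        if s["virtual_size"] > 0 and s["raw_size"] * 4 < s["virtual_size"]:
            findings.append("section %r has %#x bytes on disk but %#x in memory"
                            % (s["name"], s["raw_size"], s["virtual_size"]))
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append("section %r is writable and executable" % s["name"])
    return findings


def build_sample_pe():
    """Constructed header-only PE32 image shaped like the thread's description:
    .text nearly empty on disk, a second section holding the stub, entry point
    inside that stub. Raw data pointers are never dereferenced here."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, PE32_MAGIC, 14, 0)
    struct.pack_into("<I", opt, 16, 0x6010)               # AddressOfEntryPoint in .stub
    struct.pack_into("<I", opt, 20, 0x1000)               # BaseOfCode
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase, usual linker default
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # SectionAlignment, FileAlignment

    def section(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr,
                           0, 0, 0, 0, chars)

    text = section(b".text", 0x5000, 0x1000, 0x200, 0x400, 0xE0000060)  # RWX, tiny on disk
    stub = section(b".stub", 0x1000, 0x6000, 0x1000, 0x600, 0x60000020)  # RX, holds stub
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt) + text + stub


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("ImageBase %#x, entry RVA %#x -> VA %#x, in section %r"
          % (info["image_base"], info["entry_rva"], info["entry_va"],
             info["sections"][info["entry_section"]]["name"]))
    for f in packer_indicators(info):
        print(" -", f)
```

On the constructed sample the entry point resolves to 0x406010 inside `.stub`, and `.text` is flagged twice (0x200 bytes on disk versus 0x5000 in memory, and writable+executable), which is exactly the shape a stub needs when it decompresses the original code back to the address the linker expected. Run against a real file (`parse_pe(open(path, "rb").read())`) the indicators are a starting point for triage, not a verdict.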

n-w

Thx!

I think I now understand how those packers work.