Download the binary with sourcecode
e4dK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3c8W2L8r3W2C8L8$3&6Q4x3X3g2V1k6g2)9J5c8Y4A6A6M7s2y4Q4x3V1k6g2f1r3!0D9P5g2S2Q4x3U0f1J5x3s2j5H3i4K6u0W2y4g2)9J5k6i4u0S2M7R3`.`.
*UPolyX v0.5* written by Delikon/2edK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3c8W2L8r3W2C8L8$3&6Q4x3X3g2V1k6b7`.`.
ENTRYPOINT: 82b0
FILEENTRYPOINT: 26b0
[+] Checking for UPX
[+] Yes this is packed with UPX!
[+] Replace the section name UPX with jEtw
[+] the second UPX section starts at 0x400
[+] the second UPX section is 0x2600 big
[+] Found a 0x19c big space for the decryptor
[+] using the xor/xor decryptor type 0
[+] Using for Register1 EBX
[+] Using for Register2 ESI
[+] using offset 1
[+] use 0x2d as manipulationByte
[+] encrypt 150 bytes from address 0x4082b0 till address 0x408346
[+] Generated 0x33 byte decryptor
[+] Generated 0x15a bytes of trash
PRESS A KEY
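The UPolyX log above shows the packer renaming the UPX section names (UPX -> jEtw) so that a naive section-name check no longer fires. The following added example (my own code, not part of the original post or of UPolyX) parses the PE section table and classifies a file as plainly UPX-packed, as UPX with renamed sections, or as neither; it assumes the renamed layer still leaves the "UPX!" stub magic in the file and that UPolyX renames UPX0/UPX1 to jEtw0/jEtw1, both of which are assumptions, and the PE headers it builds for input are constructed test data, not valid executables.

```python
import struct

UPX_MAGIC = b"UPX!"   # magic of the UPX pack header; assumed to survive the rename


def section_names(data: bytes) -> list:
    """Return the section names from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]    # Name field, 8 bytes
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names


def classify(data: bytes) -> str:
    """'upx' if sections are still named UPX*, 'upx-renamed' if only the stub magic remains."""
    names = section_names(data)
    if any(n.upper().startswith("UPX") for n in names):
        return "upx"
    if UPX_MAGIC in data:
        return "upx-renamed"   # sections renamed (e.g. UPX0 -> jEtw0) but the UPX stub is still there
    return "none"


def build_pe(names, tail=b"") -> bytes:
    """Constructed minimal PE32 header with the given section names (test input, not runnable code)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xE0                                    # size of a PE32 optional header
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + opt + secs + tail


if __name__ == "__main__":
    print(classify(build_pe(["UPX0", "UPX1", ".rsrc"], b"\0\0UPX!\0")))
    print(classify(build_pe(["jEtw0", "jEtw1", ".rsrc"], b"\0\0UPX!\0")))
    print(classify(build_pe([".text", ".data"])))
```

Treat the "upx-renamed" result as a hint to look for the unpacking tail (the `jmp esi` to the original entry point) in a debugger rather than as proof of packing.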
Unpacking:
After loading it in OD (OllyDbg), scroll down:
……
004085E9 .^\E2 FB loopd short 004085E6
004085EB . 59 pop ecx
004085EC . 49 dec ecx
004085ED .^ 75 DE jnz short 004085CD
004085EF . FFE6 jmp esi //F4
004085F1 00 db 00
004085F2 00 db 00
004085F3 00 db 00