Ultimate Packer for eXecutables
Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004
UPX 1.92 beta Markus F.X.J. Oberhumer & Laszlo Molnar Jul 20th 2004File size Ratio Format Name
-------------------- ------ ----------- -----------
27680 -> 18976 68.55% win32/pe Webcam Shots.scrAs expected, the Backdoor is packed with UPX, and is actually about 9 KB
lighter because of it. Even though UPX is not designed for this, it is going to be
slightly annoying to reverse this program in its compressed form, so you can
simply avoid this problem by asking UPX to permanently decompress it;
you’ll reverse the decompressed file. This is done by running UPX again, this
time with the –dswitch, which replaces the compressed file with a decom-
pressed version that is functionally identical to the compressed version. At this
point, it would be wise to rerun DUMPBIN and see if you get a better result
this time. Listing 8.2 contains the DUMPBIN output for the decompressed
version.Dump of file Webcam Shots.scrSection contains the following imports:KERNEL32.DLL
0 DeleteFileA
0 ExitProcess
0 ExpandEnvironmentStringsA
0 FreeLibrary
0 GetCommandLineA
0 GetLastError
0 GetModuleFileNameA
0 GetModuleHandleA
0 GetProcAddress
0 GetSystemDirectoryA
0 CloseHandle
0 GetTempPathA
0 GetTickCount
0 GetVersionExA
0 LoadLibraryA
0 CopyFileA
0 OpenProcess
0 ReleaseMutex
0 RtlUnwind
0 CreateFileA
0 Sleep
0 TerminateProcess
0 TerminateThreadListing 8.2 DUMPBIN output for the decompressed version of the Backdoor program.288 Chapter 8