Unpacking the UPolyX 0.51 packer


[Title] Unpacking the UPolyX 0.51 packer
[Author] xianguo
[Author e-mail] xianguo1985@163.com
[Author homepage] http://hi.baidu.com/zhanglinguo11
[Tools] OllyDbg (OD), PEiD
[Platform] Win32, Windows XP SP2
[Software overview] There is very little information available today about unpacking the UPolyX 0.5 packer, so after unpacking it myself I thought I would write up what I found and make more information about this packer available.
[Statement] This is purely a personal hobby.
------------------------------------------------------------------------
[Unpacking process] The latest version, UPolyX 0.51, is used here. The sample is a packed copy of Notepad.
This packer applies a second layer of packing (encryption) on top of a program that has already been packed with UPX.

It compresses first, then encrypts.
PEiD: nothing found
Deep (core) scan: ARJ Archive * // What does that mean?

Load it in OD; the code at the entry point:
010143B8 > 0FB7CF           movzx ecx, di                       // stops here
010143BB   D1D6             rcl esi, 1
010143BD   69EF 6B823D0C    imul ebp, edi, 0C3D826B
010143C3   EB 01            jmp short 11.010143C6
010143C5   C3               retn                                // jumped to from below
010143C6   BE 40420101      mov esi, 11.01014240
010143CB   83EC 04          sub esp, 4
010143CE   893424           mov dword ptr ss:[esp], esi
010143D1   B9 B0000000      mov ecx, 0B0
010143D6   8136 8E931300    xor dword ptr ds:[esi], 13938E
010143DC   51               push ecx
010143DD   33C9             xor ecx, ecx
010143DF   B9 04000000      mov ecx, 4
010143E4   83C6 01          add esi, 1
010143E7 ^ E2 FB            loopd short 11.010143E4
010143E9   59               pop ecx
010143EA   83E9 03          sub ecx, 3
010143ED ^ E2 E7            loopd short 11.010143D6
010143EF ^ EB D4            jmp short 11.010143C5

The code is simple: 0B0 bytes starting at 01014240 are XOR-decrypted one dword at a time with 13938E. Then jmp short 11.010143C5 jumps back up to the retn, which returns to the address pushed earlier (01014240), and execution continues there:
0101423D   00FF             add bh, bh
0101423F   0060 BE          add byte ptr ds:[eax-42], ah
01014242   0000             add byte ptr ds:[eax], al
01014244   0101             add dword ptr ds:[ecx], eax
01014246   8DBE 0010FFFF    lea edi, dword ptr ds:[esi+FFFF1000]
0101424C   57               push edi
0101424D   83CD FF          or ebp, FFFFFFFF
01014250   EB 10            jmp short 11.01014262
01014252   90               nop

What actually happens is a jump to 01014240, but the disassembly shown above is stale: the bytes there changed when the decryption loop ran. Right-click and choose Analyze code, and OD shows the following:
01014240 . 60               pushad
01014241 . BE 00000101      mov esi, 11.01010000
01014246 . 8DBE 0010FFFF    lea edi, dword ptr ds:[esi+FFFF1000]
0101424C . 57               push edi
0101424D . 83CD FF          or ebp, FFFFFFFF
01014250 . EB 10            jmp short 11.01014262
01014252   90               nop
01014253   90               nop
01014254   90               nop
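Added example, not part of the original write-up: a Python replay of the decryption loop at 010143D1..010143ED, so the first layer can be stripped from a dumped copy of the stub region without executing it. The key 13938E, the length 0B0 and the decrypted bytes at 01014240 come from the listings above; padding the sample region with NOPs beyond the bytes the page shows is a constructed assumption.

```python
import struct

KEY = 0x0013938E      # immediate of "xor dword ptr ds:[esi], 13938E"
LENGTH = 0xB0         # initial ecx of the outer loop ("mov ecx, 0B0")
STUB_VA = 0x01014240  # "mov esi, 11.01014240": start of the encrypted UPX entry

# Bytes OD shows at 01014240 after the loop has run:
# pushad / mov esi / lea edi / push edi / or ebp / jmp short / nop nop nop
UPX_ENTRY_PREFIX = bytes.fromhex("60BE000001018DBE0010FFFF5783CDFFEB10909090")


def decrypt_layer(buf: bytes, offset: int = 0, length: int = LENGTH, key: int = KEY) -> bytes:
    """Replay the stub on a dumped buffer: XOR one little-endian dword at a time.

    The outer loop lowers ecx by 4 per dword (loopd plus 'sub ecx, 3'), so it
    processes exactly length // 4 dwords. The real stub uses 0xB0; a length that
    is not a multiple of 4 would never let ecx reach zero, so it is rejected here.
    """
    if length % 4:
        raise ValueError("stub loop only terminates for a dword-aligned length")
    out = bytearray(buf)
    for pos in range(offset, offset + length, 4):
        (dword,) = struct.unpack_from("<I", out, pos)
        struct.pack_into("<I", out, pos, dword ^ key)
    return bytes(out)


def looks_like_upx_entry(buf: bytes) -> bool:
    """Sanity check after decryption: 60 (pushad), BE imm32 (mov esi),
    8D BE disp32 (lea edi, [esi+disp32]), 57 (push edi)."""
    return buf[0] == 0x60 and buf[1] == 0xBE and buf[6:8] == b"\x8d\xbe" and buf[12] == 0x57


def build_sample_region() -> bytes:
    """Constructed input: the known plaintext prefix padded with NOPs to 0xB0 bytes,
    then encrypted. XOR is symmetric, so encrypting is the same operation as decrypting."""
    plain = UPX_ENTRY_PREFIX + b"\x90" * (LENGTH - len(UPX_ENTRY_PREFIX))
    return decrypt_layer(plain)


if __name__ == "__main__":
    region = build_sample_region()
    print("before:", region[:8].hex(), "UPX entry:", looks_like_upx_entry(region))
    clear = decrypt_layer(region)
    print("after: ", clear[:8].hex(), "UPX entry:", looks_like_upx_entry(clear))
```

Running it against a real dump means passing the 0B0 bytes taken at file offset of VA 01014240 instead of the constructed region.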

Dump the process at this point, and PEiD now reports:
UPX 0.89.6-1.02/1.05-1.24 -> Markus & Laszlo
It is just a UPX layer, so the rest is straightforward: UPX is easy to unpack by hand, and a script can also be used.

Load the file dumped in the previous step into OD:

01014377   FF96 F0AE0100    call dword ptr ds:[esi+1AEF0]
0101437D   09C0             or eax, eax
0101437F   74 07            je short 5.01014388
01014381   8903             mov dword ptr ds:[ebx], eax
01014383   83C3 04          add ebx, 4
01014386 ^ EB E1            jmp short 5.01014369
01014388   FF96 F4AE0100    call dword ptr ds:[esi+1AEF4]       // step over this with F8; it is already very close to the OEP
0101438E   61               popad                               // set a breakpoint here with F2
0101438F - E9 0930FFFF      jmp 5.0100739D
01014394   0000             add byte ptr ds:[eax], al

After the program breaks at 0101438E, the next instruction is jmp 5.0100739D, which lands on the OEP:
0100739D   6A 70            push 70
0100739F   68 98180001      push 5.01001898
010073A4   E8 BF010000      call 5.01007568
010073A9   33DB             xor ebx, ebx
010073AB   53               push ebx
010073AC   8B3D CC100001    mov edi, dword ptr ds:[10010CC]     ; kernel32.GetModuleHandleA
010073B2   FFD7             call edi
