Comments: For entry-level cracking, use OllyDbg. I pack NOTEPAD.EXE with UPX and use OllyDbg 1.09d to unpack it. First, load the packed program.
The program stops at 01014110 $60 PUSHAD. Press Ctrl+F and enter the search string "POPAD".
OD lands on 0101425E> 61 POPAD. With the cursor on 1425E, press F4 to run to this line, then F8 to single-step
to 0101425F .-E9 7C28FFFF JMP notepad1_1006ae0, which is the jump to the OEP.
F7 to step into it, and you land on the real entry point of the program: 01006AE0 6A 70 PUSH 70, haha.
Select OD's OllyDump / Dump Debug Process. Untick the "Rebuild Import" checkbox
(I will use ImpRec to rebuild its import table instead). Click Dump to write a new file. That file cannot be run directly
(it prompts: "The application failed to initialize properly (0xc0000005). Click OK to terminate the application.")
because the import table has not been rebuilt. So run Import REConstructor 1.6.
Finally, with the packed program still running, pick its process in ImpRec. Under
IAT Infos you can see OEP 00014110 (the packer's entry point, as an RVA) :)
Enter the real OEP 0006AE0 (note: this is an RVA, so subtract the Image Base 01000000 from 01006AE0), then click
IAT AutoSearch. ImpRec reports a found address; click OK and then "Get Imports".
The functions listed under Imported Functions Found are all valid. Click Fix Dump,
select the file just dumped, and click OK.
Run the program and it works. Unpacking succeeded !!!
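Two numbers in the walkthrough are easy to get wrong by hand: the JMP target after the POPAD (which is the OEP) and the RVA that ImpRec needs (OEP minus Image Base). The script below is an added example, not part of the original comment; it decodes the POPAD; JMP rel32 tail of a UPX stub from a constructed byte string laid out exactly like the listing above (0101425E 61 POPAD, 0101425F E9 7C28FFFF), and converts the resulting VA to the RVA you type into ImpRec. The 0x01000000 image base comes from the page; the filler bytes in front of the POPAD and the "tail jump goes backwards" heuristic are my assumptions.

```python
import struct

# Constructed sample: the last bytes of a UPX stub as they appear in memory,
# mirroring the page's listing (the four NOPs are filler standing in for the
# rest of the stub; the real bytes of interest are the last six):
#   0101425E  61            POPAD
#   0101425F  E9 7C28FFFF   JMP 01006AE0   (rel32 is little-endian and signed)
STUB_BASE_VA = 0x0101425E - 4
STUB_BYTES = b"\x90\x90\x90\x90" + b"\x61" + b"\xE9\x7C\x28\xFF\xFF"

IMAGE_BASE = 0x01000000  # Image Base of the packed notepad, from the page


def find_upx_tail_jump(data: bytes, base_va: int, image_base: int):
    """Locate the POPAD; JMP rel32 pair that ends a UPX stub.

    Returns (popad_va, jmp_va, target_va) for the first plausible match, or
    None.  UPX restores the registers with POPAD (0x61) and then jumps to the
    original entry point with a near relative JMP (0xE9 + signed rel32).
    """
    idx = 0
    while True:
        idx = data.find(b"\x61\xE9", idx)
        if idx < 0 or idx + 6 > len(data):
            return None
        popad_va = base_va + idx
        jmp_va = popad_va + 1
        (rel32,) = struct.unpack_from("<i", data, idx + 2)
        # rel32 is relative to the address of the instruction after the JMP
        target_va = (jmp_va + 5 + rel32) & 0xFFFFFFFF
        # Assumption used as a filter: UPX places the unpacked code below its
        # stub, so the genuine tail jump goes backwards and stays inside the
        # image.  A forward jump is some other E9 and is skipped.
        if image_base <= target_va < popad_va:
            return popad_va, jmp_va, target_va
        idx += 1


def va_to_rva(va: int, image_base: int) -> int:
    """Convert a virtual address to the RVA ImpRec expects in its OEP field."""
    if va < image_base:
        raise ValueError("address lies below the image base")
    return va - image_base


def main():
    hit = find_upx_tail_jump(STUB_BYTES, STUB_BASE_VA, IMAGE_BASE)
    if hit is None:
        print("no UPX tail jump found")
        return
    popad_va, jmp_va, oep_va = hit
    print(f"POPAD at {popad_va:08X}, JMP at {jmp_va:08X}")
    print(f"OEP (VA)  = {oep_va:08X}")
    print(f"OEP (RVA) = {va_to_rva(oep_va, IMAGE_BASE):08X}  <- value for ImpRec")


if __name__ == "__main__":
    main()
```

On the page's bytes the script reports the JMP target 01006AE0 and the RVA 00006AE0, matching the OEP found with F7 and the value entered into ImpRec. Against a real dump you would feed it the bytes of the UPX1 section and that section's virtual address instead of the constructed sample.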