by bruno2223 3167 days ago
UPX was also good to protect the code, not only for compacting:

1. I used UPX to compact my Delphi EXE file.

2. Then I opened up any hex editor

3. looked for the "UPX" string and changed it to "222x"

Doing this, the UPX unpack tool didn't work and crackers could not easily see or edit my source code with Assembly (as UPX messes with everything!)

Thanks UPX :-)
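The replies in this thread point out that renaming the "UPX" strings does not hide the packer, because tools such as PEiD recognise it from the decompressor stub and from the file's layout rather than from the name. The following Python script is an added example, not code from the post or from the UPX project: it builds constructed, header-only PE images (one laid out like a UPX output, one with the section names overwritten as the post describes, one normal), parses the section table with the standard PE/COFF offsets, and reports packer indicators. The `empty_first_section_layout` heuristic (first section has no data on disk but a large virtual size, while a later section carries the packed data) is the author's own assumption about typical UPX output and stands in for the stub-pattern matching a tool like PEiD does; the names, sizes and addresses of the sample images are made up.

```python
import struct

# Offsets and sizes from the PE/COFF file format
DOS_E_LFANEW_OFFSET = 0x3C
COFF_HEADER_LEN = 20
SECTION_HEADER_LEN = 40
KNOWN_UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}


def build_minimal_pe(sections):
    """Construct a header-only PE image for testing (constructed data, not a real binary).

    `sections` is a list of (name, virtual_size, raw_size) tuples; no section data is
    appended because only the headers are parsed below."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, DOS_E_LFANEW_OFFSET, e_lfanew)
    opt_size = 224  # size of a PE32 optional header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    headers = b""
    raw_ptr, va = 0x400, 0x1000
    for name, vsize, rsize in sections:
        headers += struct.pack(
            "<8sIIIIIIHHI",
            name.ljust(8, b"\x00"), vsize, va, rsize,
            raw_ptr if rsize else 0, 0, 0, 0, 0, 0x60000020,
        )
        va += (vsize + 0xFFF) & ~0xFFF
        raw_ptr += rsize
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(optional) + headers


def parse_sections(data):
    """Walk the section table and return name/size information for each section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, DOS_E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    sec_off = coff_off + COFF_HEADER_LEN + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, sec_off + i * SECTION_HEADER_LEN)
        sections.append({
            "name": name.rstrip(b"\x00"),
            "virtual_size": vsize,
            "virtual_address": va,
            "raw_size": rsize,
            "raw_pointer": rptr,
        })
    return sections


def packer_indicators(sections):
    """Return the list of indicators that suggest a UPX-style packer."""
    indicators = []
    if {s["name"] for s in sections} & KNOWN_UPX_SECTIONS:
        indicators.append("upx_section_names")
    # Assumed heuristic: UPX reserves an empty-on-disk first section for the
    # unpacked image and stores the compressed data plus stub in a later one.
    if (len(sections) >= 2
            and sections[0]["raw_size"] == 0
            and sections[0]["virtual_size"] > 0
            and any(s["raw_size"] > 0 for s in sections[1:])):
        indicators.append("empty_first_section_layout")
    return indicators


if __name__ == "__main__":
    # Constructed samples: UPX-like, UPX-like with names overwritten, and a plain layout.
    upx_like = build_minimal_pe([(b"UPX0", 0x20000, 0), (b"UPX1", 0x8000, 0x7800),
                                 (b".rsrc", 0x1000, 0x800)])
    renamed = build_minimal_pe([(b"222x", 0x20000, 0), (b"222x", 0x8000, 0x7800),
                                (b".rsrc", 0x1000, 0x800)])
    plain = build_minimal_pe([(b".text", 0x1000, 0x1000), (b".data", 0x200, 0x200)])
    for label, image in (("upx_like", upx_like), ("renamed", renamed), ("plain", plain)):
        print(label, packer_indicators(parse_sections(image)))
```

The renamed image loses only the `upx_section_names` indicator; the layout indicator survives, which is the same reason the thread gives for the hex-editor trick stopping only tools that key on the literal string.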


As someone "on the other side ;-)", I don't think you protected much. UPX is pretty much the classic "Hello World" of unpacking manually, and tools like PEiD will still be able to tell it's UPX from the decompressor stub alone.

It's been years since I unpacked a UPX manually, but I still remember what it looks like: a PUSHA at the start to save all the registers, a lot of decompression code, and finally a POPA and a JMP to the OEP. Incidentally this general pattern is also shared by a bunch of other simple packers (more focused on compression than anti-RE) so unpacking them follows the same process.

Also it really doesn't matter what custom/tweaked packers the authors use.

It has been years. I vaguely remember there is always a general standard way of unpacking.

Using the debugger, you keep track of those jmp instructions until unpacking is done. And then dump the memory to a file.

That's interesting. The UPX string is most likely the name of a section in the PE file. It's the first UPX string you will find in the file.

How did the UPX loader manage to find the section in which the packed content is stored?

UPD. It's REALLY easy to "hack" this protection. You simply need to attach a debugger and you will see the unprotected exe file in memory. There are tools to convert a loaded unprotected exe file into a regular exe file on disk. So... No one really tried to hack you. Sorry.

I dunno. But this method worked for years!

See my update. You could only stop kids who tried to use UPX unpackers.

Nice to know!

Well, it was another protection layer, like you said, to keep bad kids away.

This was 10 years ago already.

Armadillo from Silicon Works is what anyone used if they were serious. You haven't met my friends Olly and Ada ;-)
What a malicious thing to do. Computer users deserve to be able to inspect the code running on their machines.

Of course you can inspect it. Understanding it, however...

The user already doesn't have the source. Obfuscating the binary is just hostile.

No, that's my point.

You can inspect the code running on your machine. The machine code.

At what level should one expect its user to understand the code running on one's machine? If I gave you the source to my application in brainfuck, would that suffice?