-
PEiD detects it as UPX, but it appears to be a custom packer.
-
0x00401000 - Beginning of NOP slide to OEP
-
Using the "Find OEP by Section Hop" option in OllyDump will take you to OEP.
-
There are very few imports, there is a non-standard section named .petite
-
This sample is packed with PEtite
-
0x004012C0
-
You can use the PUSHAD/POPAD breakpoint technique to find OEP
-
Search for anti-analysis tricks, GetTickCount is called very close to the end of the packing phase.
If you run the program until the message box appears LordPE can dump it well.
-
The malware NULLs the PE header as an anti-dump mechanism. You can use LordPE to reconstruct the header manually, copy the header from the unpacked version and fix it up in LordPE, or if you dumped the program with LordPE the header will be fine.
-
Run the original .exe until the message box appears, at this point all of the imports are loaded. Attach ImpREC, enter OEP, clirk IAT AutoSearch and GetImports, then fix your dump.