Manually unpacking UPX (3.91)

1. Use Detect It Easy to check which packer (shell) the program uses;
2. Open the packed program in x32dbg and, under Options -> Options, add an exception range of 0 ~ FFFFFFFF so that all exceptions are ignored;
3. Press F9 to run to the program's entry point. We see pushad there, so we use the ESP law to unpack;
4. After running, execution stops at lea eax. Below it we can see jne upx(3.91).407ABB and jmp upx(3.91).4012CD. Our current EIP is 00407AB7, so this jmp is a big jump and its target is very likely the OEP. Set a breakpoint on the jmp, press F9 to run to it, then single-step into it;
5. At this point the dump (unpacking) operation can be performed;
6. Check for the packer again;
7. Conclusions:
UPX is a good compression packer: an executable compressed with UPX is reduced in size by 50%-70%. The unpacking method is the same for every version of UPX, which means this method can be used to unpack other UPX versions as well.
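
The "big jump" in step 4 can also be spotted statically. The sketch below is an added example, not part of the original post: it scans code bytes for a popad followed shortly by a jmp rel32 whose target lies far away, and reports that target as an OEP candidate. The function name `find_tail_jumps` is hypothetical, the window and distance thresholds are assumptions, and the sample bytes are constructed to match the addresses in step 4 using the commonly seen UPX stub epilogue.

```python
import struct

# Constructed sample (assumption): stub tail laid out so that lea eax sits at
# 00407AB7, jne returns to 00407ABB and jmp goes to 004012CD, as in step 4.
STUB_VA = 0x407AB6
STUB = bytes.fromhex(
    "61"          # 00407AB6 popad (restores what pushad saved at entry)
    "8d442480"    # 00407AB7 lea eax,[esp-80h]
    "6a00"        # 00407ABB push 0
    "39c4"        # 00407ABD cmp esp,eax
    "75fa"        # 00407ABF jne 00407ABB
    "83ec80"      # 00407AC1 sub esp,-80h
    "e90498ffff"  # 00407AC4 jmp 004012CD
)


def find_tail_jumps(code, base_va, window=32, min_distance=0x1000):
    """Return [(jmp_va, target_va)] for a far jmp rel32 soon after a popad.

    Byte-scanning heuristic: no disassembly is done, so every hit must be
    confirmed in the debugger before being treated as the OEP.
    """
    hits = []
    for i, byte in enumerate(code):
        if byte != 0x61:  # popad
            continue
        # Look only a short distance past popad; stop at the first E9.
        for j in range(i + 1, min(i + window, len(code) - 4)):
            if code[j] != 0xE9:  # jmp rel32
                continue
            rel = struct.unpack_from("<i", code, j + 1)[0]
            jmp_va = base_va + j
            # Target is relative to the end of the 5-byte instruction.
            target = (jmp_va + 5 + rel) & 0xFFFFFFFF
            if abs(target - jmp_va) >= min_distance:
                hits.append((jmp_va, target))
            break
    return hits


if __name__ == "__main__":
    for jmp_va, target in find_tail_jumps(STUB, STUB_VA):
        print(f"tail jmp at {jmp_va:08X} -> OEP candidate {target:08X}")
```
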

Origin www.cnblogs.com/HOPEAMOR/p/12000801.html