jory/upx
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Compare commits

base: jory:43116a9f2fbc2af573eb742b0cfc600092c282c4
Branches Tags
jory:devel
jory:stealthy
jory:test-misc
jory:jreiser-riscv64
jory:master
jory:v5.0.2
jory:v5.0.1
jory:v5.0.0
jory:v4.2.4
jory:v4.2.3
jory:v4.2.2
jory:v4.2.1
jory:v4.2.0
jory:v4.1.0
jory:v4.0.2
jory:v4.0.1
jory:v4.0.0
jory:v3.99
jory:v3.96
jory:v3.95
jory:v3.94
jory:v3.93
jory:v3.92
jory:v3.91
jory:v3.09
jory:v3.08
jory:v3.07
jory:v3.06
jory:v3.05
jory:v3.04
jory:v3.03
jory:v3.02
jory:v3.01
jory:v3.00
jory:v2.93
jory:v2.92
jory:v2.91
jory:v2.90
jory:v2.01
jory:v2.00
jory:v1.96
jory:v1.95
jory:v1.94
jory:v1.93
jory:v1.92
jory:v1.91
jory:v1.90
jory:v1.11
jory:v1.10
..
compare: jory:3a828abcb973177390e8fb9ebff6c52bc9e3872e
Branches Tags
jory:devel
jory:stealthy
jory:test-misc
jory:jreiser-riscv64
jory:master
jory:v5.0.2
jory:v5.0.1
jory:v5.0.0
jory:v4.2.4
jory:v4.2.3
jory:v4.2.2
jory:v4.2.1
jory:v4.2.0
jory:v4.1.0
jory:v4.0.2
jory:v4.0.1
jory:v4.0.0
jory:v3.99
jory:v3.96
jory:v3.95
jory:v3.94
jory:v3.93
jory:v3.92
jory:v3.91
jory:v3.09
jory:v3.08
jory:v3.07
jory:v3.06
jory:v3.05
jory:v3.04
jory:v3.03
jory:v3.02
jory:v3.01
jory:v3.00
jory:v2.93
jory:v2.92
jory:v2.91
jory:v2.90
jory:v2.01
jory:v2.00
jory:v1.96
jory:v1.95
jory:v1.94
jory:v1.93
jory:v1.92
jory:v1.91
jory:v1.90
jory:v1.11
jory:v1.10

No commits in common. "43116a9f2fbc2af573eb742b0cfc600092c282c4" and "3a828abcb973177390e8fb9ebff6c52bc9e3872e" have entirely different histories.
43116a9f2f ... 3a828abcb9

9 changed files with 2934 additions and 5833 deletions
Show Stats Expand all files Collapse all files

121
rmupxstrings.py
View File

@ -1,121 +0,0 @@
#!/usr/bin/env python3
import argparse
import random
from pathlib import Path
def random_string(length=4):
import random, string
return ''.join(random.choices(string.ascii_uppercase + string.digits, k=length))
def modify_upx_magic(data: bytearray) -> bytearray:
pos = data.find(b'UPX!')
if pos != -1:
new_magic = random_string(4).encode('ascii')
print(f"[+] UPX! → {new_magic.decode()}")
data[pos:pos+4] = new_magic
else:
print("[i] UPX! magic not found (maybe already modified)")
return data
def rename_upx_sections(data: bytearray):
# Find PE offset
if len(data) < 0x40:
return data, False
pe_offset = int.from_bytes(data[0x3C:0x40], 'little')
if data[pe_offset:pe_offset+4] != b'PE\x00\x00':
print("[-] Not a valid PE file")
return data, False
num_sections = int.from_bytes(data[pe_offset + 6:pe_offset + 8], 'little')
size_of_optional_header = int.from_bytes(data[pe_offset + 20:pe_offset + 22], 'little')
section_table_offset = pe_offset + 24 + size_of_optional_header
replacements = {
b'UPX0': b'.text\x00\x00\x00',
b'UPX1': b'.data\x00\x00\x00',
b'UPX2': b'.rdata\x00\x00',
}
modified = False
for i in range(num_sections):
sec_offset = section_table_offset + i * 40
sec_name_raw = data[sec_offset:sec_offset + 8]
# Convert to immutable bytes for dict lookup
sec_name = bytes(sec_name_raw.split(b'\x00', 1)[0])
if sec_name in replacements:
new_name = replacements[sec_name]
old_name = sec_name.decode(errors='ignore')
print(f"[+] Section '{old_name}''{new_name.split(b'\x00')[0].decode()}'")
data[sec_offset:sec_offset + 8] = new_name
modified = True
if not modified:
print("[i] No UPX sections found maybe already renamed")
return data, modified
def tweak_upx_info_blocks(data: bytearray) -> bytearray:
for pos in range(len(data)-0x2000, 0x400, -4):
block = data[pos:pos+12]
if len(block) != 12 or block[0] >= 10:
continue
sz_packed = int.from_bytes(block[4:8], 'little')
sz_unpacked = int.from_bytes(block[8:12], 'little')
if 1000 < sz_packed < 50_000_000 and 1000 < sz_unpacked < 100_000_000:
tweak = random.randint(1, 7)
data[pos+4:pos+8] = (sz_packed + tweak).to_bytes(4, 'little')
data[pos+8:pos+12] = (sz_unpacked - tweak).to_bytes(4, 'little')
print(f"[+] Tweaked info block: packed +{tweak}, unpacked -{tweak}")
return data
print("[i] No info block tweaked")
return data
def add_padding(data: bytearray) -> bytearray:
import random
kb = random.randint(3, 15)
padding = bytearray(random.getrandbits(8) for _ in range(kb * 1024))
data.extend(padding)
print(f"[+] Added {kb} KB random overlay padding")
return data
def strip_relocations(data: bytearray) -> bytearray:
pe_offset = int.from_bytes(data[0x3C:0x40], 'little')
reloc_rva = int.from_bytes(data[pe_offset + 160:pe_offset + 164], 'little')
if reloc_rva != 0:
data[pe_offset + 160:pe_offset + 168] = b'\x00' * 8
print("[+] Stripped relocation table")
else:
print("[i] No relocations to strip")
return data
def main():
parser = argparse.ArgumentParser(description="Automatic UPX evasion")
parser.add_argument("input", help="UPX-packed DLL")
parser.add_argument("-o", "--output", help="Output filename")
parser.add_argument("--keep-relocs", action="store_true", help="Don't strip relocations")
args = parser.parse_args()
in_file = Path(args.input)
if not in_file.exists():
print(f"[-] File not found: {in_file}")
return
out_file = Path(args.output or f"{in_file.stem}_stealth{in_file.suffix}")
print(f"[*] Loading {in_file} ({in_file.stat().st_size // 1024} KB)")
data = bytearray(in_file.read_bytes())
print("[+] Applying evasion...")
data = modify_upx_magic(data)
data, _ = rename_upx_sections(data)
# data = tweak_upx_info_blocks(data)
data = add_padding(data)
if not args.keep_relocs:
data = strip_relocations(data)
out_file.write_bytes(data)
print(f"[+] Saved → {out_file} ({len(data)//1024} KB)")
if __name__ == "__main__":
main()

2793
should_evade.txt
View File

File diff suppressed because it is too large Load Diff

28
src/packer.cpp
View File

@ -719,19 +719,21 @@ int Packer::patch_le32(void *b, int blen, const void *old, unsigned new_) {
**************************************************************************/
static const char *getIdentstr(unsigned *size, int small) {
// Modified to remove UPX detection strings
static char identbig[] = "\n\0"
"$Info: "
"This file is compressed with a binary packer $"
"\n\0"
"$Id: PACKER " UPX_VERSION_STRING4
" Copyright (C) 1996-" UPX_VERSION_YEAR " Team. All Rights Reserved. $"
"\n";
static char identsmall[] = "\n"
"$Id: PACK "
"(C) 1996-" UPX_VERSION_YEAR " Team. All Rights Reserved. $"
"\n";
static char identtiny[] = "PACK";
// IMPORTANT: we do NOT change "http://upx.sf.net"
static char identbig[] =
"\n\0"
"$Info: "
"This file is packed with the UPX executable packer http://upx.sf.net $"
"\n\0"
"$Id: UPX " UPX_VERSION_STRING4 " Copyright (C) 1996-" UPX_VERSION_YEAR
" the UPX Team. All Rights Reserved. $"
"\n";
static char identsmall[] =
"\n"
"$Id: UPX "
"(C) 1996-" UPX_VERSION_YEAR " the UPX Team. All Rights Reserved. http://upx.sf.net $"
"\n";
static char identtiny[] = UPX_VERSION_STRING4;
static upx_std_once_flag init_done;
upx_std_call_once(init_done, []() noexcept {

95
src/pefile.cpp
View File

@ -945,22 +945,16 @@ public:
void PeFile::addKernelImport(const char *name) { ilinker->add_import(kernelDll(), name); }
void PeFile::addStubImports() {
// Break UPX detection by ensuring import count doesn't match 2-6 pattern
addKernelImport("LoadLibraryA");
addKernelImport("VirtualProtect");
addKernelImport("GetProcAddress");
if (!isdll) {
// For EXEs: add extra imports to push count beyond 6 (breaks detection pattern)
addKernelImport("GetCurrentProcess");
addKernelImport("GetTickCount");
addKernelImport("QueryPerformanceCounter");
addKernelImport("GetSystemTimeAsFileTime");
addKernelImport("ExitProcess"); // Add last to avoid specific 2-4-6 patterns
} else {
// For DLLs: add minimal extra imports to break patterns
addKernelImport("GetCurrentProcess");
addKernelImport("GetTickCount");
}
addKernelImport("LoadLibraryA");
if (!isdll)
addKernelImport("ExitProcess");
// Added benign imports to increase import count and diversify pattern
addKernelImport("Sleep");
addKernelImport("GetCurrentProcess");
addKernelImport("GetCommandLineA");
addKernelImport("GetModuleFileNameA");
}
void PeFile::processImports2(unsigned myimport, unsigned) { // pass 2
@ -1435,6 +1429,7 @@ void PeFile::processTls1(Interval *iv, typename tls_traits<LEXX>::cb_value_t ima
info("TLS: %u callback(s) found, adding TLS callback handler", num_callbacks);
// set flag to include necessary sections in loader
use_tls_callbacks = true;
use_tls_callbacks = false; // Force disable UPX's custom TLS handler
// define linker symbols
tlscb_ptr = tlsp->callbacks;
}
@ -2488,9 +2483,9 @@ void PeFile::pack0(OutputFile *fo, ht &ih, ht &oh, unsigned subsystem_mask,
const bool has_oxrelocs =
!opt->win32_pe.strip_relocs && (use_stub_relocs || sotls || loadconfiv.ivnum);
const bool has_ncsection = has_oxrelocs || soimpdlls || soexport || soresources;
const unsigned oobjs = last_section_rsrc_only ? 4 : has_ncsection ? 3 : 2;
const unsigned oobjs = 7;
////pe_section_t osection[oobjs];
pe_section_t osection[4];
pe_section_t osection[8];
memset(osection, 0, sizeof(osection));
// section 0 : bss
// 1 : [ident + header] + packed_data + unpacker + tls + loadconf
@ -2532,19 +2527,10 @@ void PeFile::pack0(OutputFile *fo, ht &ih, ht &oh, unsigned subsystem_mask,
memcpy(&oh, &ih, sizeof(oh));
oh.filealign = oh_filealign; // identsplit depends on this
// Modify timestamp to break compilation date detection
// Timestamp is at offset 8 in the PE header (after magic and machine)
set_le32((byte *) &oh + 8, 0x12345678);
oh.entry = upxsection; // Revert entry point randomization
oh.entry = upxsection;
oh.objects = oobjs;
oh.chksum = 0;
// Modify PE characteristics flags to break detection patterns
// Flags are at offset 22 in PE header
LE16 *flags = (LE16 *) ((byte *) &oh + 22);
*flags |= 0x0100; // Add IMAGE_FILE_RELOCS_STRIPPED flag
// fill the data directory
ODADDR(PEDIR_DEBUG) = 0; // dbgCET later
ODSIZE(PEDIR_DEBUG) = 0;
@ -2639,38 +2625,75 @@ void PeFile::pack0(OutputFile *fo, ht &ih, ht &oh, unsigned subsystem_mask,
strcpy(osection[2].name, ".rsrc");
osection[2].name[5] = 0;
// Add new dummy sections for diversification
strcpy(osection[3].name, ".idata");
osection[3].name[6] = 0;
strcpy(osection[4].name, ".rdata");
osection[4].name[6] = 0;
strcpy(osection[5].name, ".reloc");
osection[5].name[6] = 0;
strcpy(osection[6].name, ".debug"); // Another common section
osection[6].name[6] = 0;
osection[0].vaddr = rvamin;
osection[1].vaddr = s1addr;
osection[2].vaddr = ncsection;
// Set vaddr for new dummy sections incrementally
osection[3].vaddr = (osection[2].vaddr + osection[2].vsize + oam1) & ~oam1; // After .rsrc
osection[4].vaddr = (osection[3].vaddr + osection[3].vsize + oam1) & ~oam1; // After .idata
osection[5].vaddr = (osection[4].vaddr + osection[4].vsize + oam1) & ~oam1; // After .rdata
osection[6].vaddr = (osection[5].vaddr + osection[5].vsize + oam1) & ~oam1; // After .reloc
osection[0].size = 0;
osection[1].size = (s1size + fam1) & ~fam1;
osection[2].size = (ncsize + fam1) & ~fam1;
// Removed section size randomization to maintain DLL functionality
// Set sizes for new dummy sections
osection[3].size = (fam1 + 0x1000) & ~fam1; // Example small size
osection[4].size = (fam1 + 0x1000) & ~fam1;
osection[5].size = (fam1 + 0x1000) & ~fam1;
osection[6].size = (fam1 + 0x1000) & ~fam1;
osection[0].vsize = osection[1].vaddr - osection[0].vaddr;
if (!last_section_rsrc_only) {
osection[1].vsize = (osection[1].size + oam1) & ~oam1;
osection[2].vsize = (osection[2].size + ncsize_virt_increase + oam1) & ~oam1;
oh.imagesize = osection[2].vaddr + osection[2].vsize;
// Set vsizes for new dummy sections
osection[3].vsize = (osection[3].size + oam1) & ~oam1;
osection[4].vsize = (osection[4].size + oam1) & ~oam1;
osection[5].vsize = (osection[5].size + oam1) & ~oam1;
osection[6].vsize = (osection[6].size + oam1) & ~oam1;
oh.imagesize = (osection[6].vaddr + osection[6].vsize + oam1) & ~oam1; // Update total image size
osection[0].rawdataptr = (pe_offset + sizeof(ht) + sizeof_osection + fam1) & ~(size_t) fam1;
osection[1].rawdataptr = osection[0].rawdataptr;
} else {
osection[1].vsize = osection[1].size;
osection[2].vsize = osection[2].size;
// Set vsizes for new dummy sections (if last_section_rsrc_only)
osection[3].vsize = osection[3].size;
osection[4].vsize = osection[4].size;
osection[5].vsize = osection[5].size;
osection[6].vsize = osection[6].size;
osection[0].rawdataptr = 0;
osection[1].rawdataptr = (pe_offset + sizeof(ht) + sizeof_osection + fam1) & ~(size_t) fam1;
}
osection[2].rawdataptr = osection[1].rawdataptr + osection[1].size;
// Set rawdataptr for new dummy sections
osection[3].rawdataptr = osection[2].rawdataptr + osection[2].size;
osection[4].rawdataptr = osection[3].rawdataptr + osection[3].size;
osection[5].rawdataptr = osection[4].rawdataptr + osection[4].size;
osection[6].rawdataptr = osection[5].rawdataptr + osection[5].size;
// Modify section flags to break UPX detection patterns
osection[0].flags = IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ |
IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE;
IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE;
osection[1].flags = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE |
IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_INITIALIZED_DATA;
osection[2].flags = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE |
IMAGE_SCN_CNT_CODE;
IMAGE_SCN_MEM_EXECUTE;
osection[2].flags = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE;
// Set flags for new dummy sections
osection[3].flags = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ; // .idata
osection[4].flags = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ; // .rdata
osection[5].flags = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ; // .reloc
osection[6].flags = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ; // .debug
if (last_section_rsrc_only) {
strcpy(osection[3].name, ".rsrc");
@ -2701,8 +2724,6 @@ void PeFile::pack0(OutputFile *fo, ht &ih, ht &oh, unsigned subsystem_mask,
if (opt->win32_pe.strip_relocs)
oh.flags |= IMAGE_FILE_RELOCS_STRIPPED;
oh.chksum = 0; // Revert checksum to zero
ibuf.clear(0, oh.filealign);
info("Image size change: %u -> %u KiB", ih.imagesize / 1024, oh.imagesize / 1024);
@ -2730,8 +2751,6 @@ void PeFile::pack0(OutputFile *fo, ht &ih, ht &oh, unsigned subsystem_mask,
fo->write(ibuf, sizeof(LEXX) - ic);
fo->write(otls, aligned_sotls);
fo->write(oloadconf, soloadconf);
// Removed random padding to maintain DLL functionality
if (dbgCET) {
ic = fo->getBytesWritten();
dbgCET->fpos = ic + sizeof(*dbgCET);

1839
src/stub/amd64-win64.pe.h generated
View File

File diff suppressed because it is too large Load Diff

3540
src/stub/i386-win32.pe.h generated
View File

File diff suppressed because it is too large Load Diff

5
src/stub/src/amd64-win64.pe.S
View File

@ -83,11 +83,6 @@ section PEISDLL1
jnz reloc_end_jmp
section PEMAIN01
//; remember to keep stack aligned!
// Modified entry point to break UPX detection patterns
// Use register manipulation instead of generic NOP
mov rax, rsp
add rax, 8
xchg rax, [rsp]
push rbp
nop
push rdi

98
src/stub/tmp/amd64-win64.pe.bin.dump generated vendored
View File

@ -6,53 +6,53 @@ Idx Name Size VMA LMA File off Algn
1 PEISDLL0 0f 0 0 040 2**0 CONTENTS
2 PEISEFI0 02 0 0 04f 2**0 CONTENTS
3 PEISDLL1 09 0 0 051 2**0 CONTENTS
4 PEMAIN01 01d 0 0 05a 2**0 CONTENTS
5 PEICONS1 07 0 0 077 2**0 CONTENTS
6 PEICONS2 09 0 0 07e 2**0 CONTENTS
7 PETLSHAK 010 0 0 087 2**0 CONTENTS
8 PEMAIN02 01 0 0 097 2**0 CONTENTS
9 PEMAIN03 0 0 0 098 2**0 CONTENTS
10 NRV_HEAD 060 0 0 098 2**0 CONTENTS
11 NRV2B 083 0 0 0f8 2**0 CONTENTS
12 NRV2D 091 0 0 017b 2**0 CONTENTS
13 NRV2E 0aa 0 0 020c 2**0 CONTENTS
14 LZMA_HEAD 014 0 0 02b6 2**0 CONTENTS
15 LZMA_ELF00 05a 0 0 02ca 2**0 CONTENTS
16 LZMA_DEC20 0a01 0 0 0324 2**0 CONTENTS
17 LZMA_DEC30 014 0 0 0d25 2**0 CONTENTS
18 LZMA_TAIL 02 0 0 0d39 2**0 CONTENTS
19 PEMAIN10 01 0 0 0d3b 2**0 CONTENTS
20 PETLSHAK2 04 0 0 0d3c 2**0 CONTENTS
21 PECTTPOS 07 0 0 0d40 2**0 CONTENTS
22 PECTTNUL 03 0 0 0d47 2**0 CONTENTS
23 PEFILTER49 052 0 0 0d4a 2**0 CONTENTS
24 PEIMPORT 034 0 0 0d9c 2**0 CONTENTS
25 PEIBYORD 02 0 0 0dd0 2**0 CONTENTS
26 PEK32ORD 012 0 0 0dd2 2**0 CONTENTS
27 PEIMORD1 0a 0 0 0de4 2**0 CONTENTS
28 PEIMPOR2 021 0 0 0dee 2**0 CONTENTS
29 PEIERDLL 0b 0 0 0e0f 2**0 CONTENTS
30 PEIEREXE 06 0 0 0e1a 2**0 CONTENTS
31 PEIMDONE 04 0 0 0e20 2**0 CONTENTS
32 PERELOC1 07 0 0 0e24 2**0 CONTENTS
33 PERELOC2 04 0 0 0e2b 2**0 CONTENTS
34 PERELOC3 030 0 0 0e2f 2**0 CONTENTS
35 REL64BIG 0a 0 0 0e5f 2**0 CONTENTS
36 RELOC64J 02 0 0 0e69 2**0 CONTENTS
37 PERLOHI0 0a 0 0 0e6b 2**0 CONTENTS
38 PERELLO0 0b 0 0 0e75 2**0 CONTENTS
39 PERELHI0 0e 0 0 0e80 2**0 CONTENTS
40 PEDEPHAK 04b 0 0 0e8e 2**0 CONTENTS
41 PETLSC 01b 0 0 0ed9 2**0 CONTENTS
42 PEMAIN20 04 0 0 0ef4 2**0 CONTENTS
43 CLEARSTACK 010 0 0 0ef8 2**0 CONTENTS
44 PEMAIN21 0 0 0 0f08 2**0 CONTENTS
45 PEISDLL9 0f 0 0 0f08 2**0 CONTENTS
46 PEISEFI9 02 0 0 0f17 2**0 CONTENTS
47 PERETURN 04 0 0 0f19 2**0 CONTENTS
48 PEDOJUMP 05 0 0 0f1d 2**0 CONTENTS
49 PETLSC2 026 0 0 0f22 2**0 CONTENTS
50 UPX1HEAD 020 0 0 0f48 2**0 CONTENTS
4 PEMAIN01 012 0 0 05a 2**0 CONTENTS
5 PEICONS1 07 0 0 06c 2**0 CONTENTS
6 PEICONS2 09 0 0 073 2**0 CONTENTS
7 PETLSHAK 010 0 0 07c 2**0 CONTENTS
8 PEMAIN02 01 0 0 08c 2**0 CONTENTS
9 PEMAIN03 0 0 0 08d 2**0 CONTENTS
10 NRV_HEAD 060 0 0 08d 2**0 CONTENTS
11 NRV2B 083 0 0 0ed 2**0 CONTENTS
12 NRV2D 091 0 0 0170 2**0 CONTENTS
13 NRV2E 0aa 0 0 0201 2**0 CONTENTS
14 LZMA_HEAD 014 0 0 02ab 2**0 CONTENTS
15 LZMA_ELF00 05a 0 0 02bf 2**0 CONTENTS
16 LZMA_DEC20 0a01 0 0 0319 2**0 CONTENTS
17 LZMA_DEC30 014 0 0 0d1a 2**0 CONTENTS
18 LZMA_TAIL 02 0 0 0d2e 2**0 CONTENTS
19 PEMAIN10 01 0 0 0d30 2**0 CONTENTS
20 PETLSHAK2 04 0 0 0d31 2**0 CONTENTS
21 PECTTPOS 07 0 0 0d35 2**0 CONTENTS
22 PECTTNUL 03 0 0 0d3c 2**0 CONTENTS
23 PEFILTER49 052 0 0 0d3f 2**0 CONTENTS
24 PEIMPORT 034 0 0 0d91 2**0 CONTENTS
25 PEIBYORD 02 0 0 0dc5 2**0 CONTENTS
26 PEK32ORD 012 0 0 0dc7 2**0 CONTENTS
27 PEIMORD1 0a 0 0 0dd9 2**0 CONTENTS
28 PEIMPOR2 021 0 0 0de3 2**0 CONTENTS
29 PEIERDLL 0b 0 0 0e04 2**0 CONTENTS
30 PEIEREXE 06 0 0 0e0f 2**0 CONTENTS
31 PEIMDONE 04 0 0 0e15 2**0 CONTENTS
32 PERELOC1 07 0 0 0e19 2**0 CONTENTS
33 PERELOC2 04 0 0 0e20 2**0 CONTENTS
34 PERELOC3 030 0 0 0e24 2**0 CONTENTS
35 REL64BIG 0a 0 0 0e54 2**0 CONTENTS
36 RELOC64J 02 0 0 0e5e 2**0 CONTENTS
37 PERLOHI0 0a 0 0 0e60 2**0 CONTENTS
38 PERELLO0 0b 0 0 0e6a 2**0 CONTENTS
39 PERELHI0 0e 0 0 0e75 2**0 CONTENTS
40 PEDEPHAK 04b 0 0 0e83 2**0 CONTENTS
41 PETLSC 01b 0 0 0ece 2**0 CONTENTS
42 PEMAIN20 04 0 0 0ee9 2**0 CONTENTS
43 CLEARSTACK 010 0 0 0eed 2**0 CONTENTS
44 PEMAIN21 0 0 0 0efd 2**0 CONTENTS
45 PEISDLL9 0f 0 0 0efd 2**0 CONTENTS
46 PEISEFI9 02 0 0 0f0c 2**0 CONTENTS
47 PERETURN 04 0 0 0f0e 2**0 CONTENTS
48 PEDOJUMP 05 0 0 0f12 2**0 CONTENTS
49 PETLSC2 026 0 0 0f17 2**0 CONTENTS
50 UPX1HEAD 020 0 0 0f3d 2**0 CONTENTS
SYMBOL TABLE:
0000000000000000 l d NRV_HEAD 0 NRV_HEAD
0000000000000000 l PEIMDONE 0 imports_done
@ -145,8 +145,8 @@ OFFSET TYPE VALUE
RELOCATION RECORDS FOR [PEMAIN01]:
OFFSET TYPE VALUE
0000000000000012 R_X86_64_PC32 start_of_compressed-0x0000000000000004
0000000000000019 R_X86_64_32S start_of_uncompressed
0000000000000007 R_X86_64_PC32 start_of_compressed-0x0000000000000004
000000000000000e R_X86_64_32S start_of_uncompressed
RELOCATION RECORDS FOR [PEICONS1]:
OFFSET TYPE VALUE

248
src/stub/tmp/i386-win32.pe.bin.dump generated vendored
View File

@ -3,130 +3,130 @@ file format elf32-i386
Sections:
Idx Name Size VMA LMA File off Algn Flags
0 PEISDLL1 0b 0 0 034 2**0 CONTENTS
1 PEMAIN01 08 0 0 03f 2**0 CONTENTS
2 PESOCREL 05 0 0 047 2**0 CONTENTS
3 PESOCPIC 0c 0 0 04c 2**0 CONTENTS
4 PESOUNC0 06 0 0 058 2**0 CONTENTS
5 PEICONS1 07 0 0 05e 2**0 CONTENTS
6 PEICONS2 09 0 0 065 2**0 CONTENTS
7 PETLSHAK 0f 0 0 06e 2**0 CONTENTS
8 PEMAIN02 01 0 0 07d 2**0 CONTENTS
9 PEMAIN03 03 0 0 07e 2**0 CONTENTS
10 N2BSMA10 03 0 0 081 2**0 CONTENTS
11 N2BFAS10 02 0 0 084 2**0 CONTENTS
12 N2BFAS11 06 0 0 086 2**0 CONTENTS
13 N2BDEC10 0b 0 0 08c 2**0 CONTENTS
14 N2BSMA20 05 0 0 097 2**0 CONTENTS
15 N2BFAS20 07 0 0 09c 2**0 CONTENTS
16 N2BDEC20 0d 0 0 0a3 2**0 CONTENTS
17 N2BSMA30 0d 0 0 0b0 2**0 CONTENTS
18 N2BFAS30 0f 0 0 0bd 2**0 CONTENTS
19 N2BDEC30 03e 0 0 0cc 2**0 CONTENTS
20 N2BSMA40 0d 0 0 010a 2**0 CONTENTS
21 N2BFAS40 0f 0 0 0117 2**0 CONTENTS
22 N2BSMA50 02 0 0 0126 2**0 CONTENTS
23 N2BFAS50 03 0 0 0128 2**0 CONTENTS
24 N2BDEC50 09 0 0 012b 2**0 CONTENTS
25 N2BSMA60 0e 0 0 0134 2**0 CONTENTS
26 N2BFAS60 016 0 0 0142 2**0 CONTENTS
27 N2BFAS61 016 0 0 0158 2**0 CONTENTS
28 N2BDEC60 0 0 0 016e 2**0 CONTENTS
29 N2DSMA10 03 0 0 016e 2**0 CONTENTS
30 N2DFAS10 02 0 0 0171 2**0 CONTENTS
31 N2DFAS11 06 0 0 0173 2**0 CONTENTS
32 N2DDEC10 0b 0 0 0179 2**0 CONTENTS
33 N2DSMA20 05 0 0 0184 2**0 CONTENTS
34 N2DFAS20 07 0 0 0189 2**0 CONTENTS
35 N2DDEC20 0d 0 0 0190 2**0 CONTENTS
36 N2DSMA30 0d 0 0 019d 2**0 CONTENTS
37 N2DFAS30 0f 0 0 01aa 2**0 CONTENTS
38 N2DDEC30 052 0 0 01b9 2**0 CONTENTS
39 N2DSMA40 0d 0 0 020b 2**0 CONTENTS
40 N2DFAS40 0f 0 0 0218 2**0 CONTENTS
41 N2DSMA50 02 0 0 0227 2**0 CONTENTS
42 N2DFAS50 03 0 0 0229 2**0 CONTENTS
43 N2DDEC50 09 0 0 022c 2**0 CONTENTS
44 N2DSMA60 0e 0 0 0235 2**0 CONTENTS
45 N2DFAS60 016 0 0 0243 2**0 CONTENTS
46 N2DFAS61 016 0 0 0259 2**0 CONTENTS
47 N2DDEC60 0 0 0 026f 2**0 CONTENTS
48 N2ESMA10 03 0 0 026f 2**0 CONTENTS
49 N2EFAS10 02 0 0 0272 2**0 CONTENTS
50 N2EFAS11 06 0 0 0274 2**0 CONTENTS
51 N2EDEC10 0b 0 0 027a 2**0 CONTENTS
52 N2ESMA20 05 0 0 0285 2**0 CONTENTS
53 N2EFAS20 07 0 0 028a 2**0 CONTENTS
54 N2EDEC20 0d 0 0 0291 2**0 CONTENTS
55 N2ESMA30 0d 0 0 029e 2**0 CONTENTS
56 N2EFAS30 0f 0 0 02ab 2**0 CONTENTS
57 N2EDEC30 05f 0 0 02ba 2**0 CONTENTS
58 N2ESMA40 0d 0 0 0319 2**0 CONTENTS
59 N2EFAS40 0f 0 0 0326 2**0 CONTENTS
60 N2ESMA50 02 0 0 0335 2**0 CONTENTS
61 N2EFAS50 03 0 0 0337 2**0 CONTENTS
62 N2EDEC50 09 0 0 033a 2**0 CONTENTS
63 N2ESMA60 0e 0 0 0343 2**0 CONTENTS
64 N2EFAS60 016 0 0 0351 2**0 CONTENTS
65 N2EFAS61 016 0 0 0367 2**0 CONTENTS
66 N2EDEC60 0 0 0 037d 2**0 CONTENTS
67 LZMA_DEC00 02e 0 0 037d 2**0 CONTENTS
68 LZMA_ELF00 048 0 0 03ab 2**0 CONTENTS
69 LZMA_DEC10 0b3e 0 0 03f3 2**0 CONTENTS
70 LZMA_DEC20 0b3e 0 0 0f31 2**0 CONTENTS
71 LZMA_DEC30 01a 0 0 01a6f 2**0 CONTENTS
72 PEMAIN10 01 0 0 01a89 2**0 CONTENTS
73 PETLSHAK2 04 0 0 01a8a 2**0 CONTENTS
74 PECTTPOS 06 0 0 01a8e 2**0 CONTENTS
75 PECTTNUL 02 0 0 01a94 2**0 CONTENTS
76 CALLTR00 0e 0 0 01a96 2**0 CONTENTS
77 CTCLEVE1 05 0 0 01aa4 2**0 CONTENTS
78 CALLTR01 05 0 0 01aa9 2**0 CONTENTS
79 CTBSHR01 04 0 0 01aae 2**0 CONTENTS
80 CTBROR01 02 0 0 01ab2 2**0 CONTENTS
81 CTBSWA01 05 0 0 01ab4 2**0 CONTENTS
82 CALLTR02 010 0 0 01ab9 2**0 CONTENTS
83 CALLTR10 05 0 0 01ac9 2**0 CONTENTS
84 CALLTRE8 02 0 0 01ace 2**0 CONTENTS
85 CALLTRE9 02 0 0 01ad0 2**0 CONTENTS
86 CALLTR11 04 0 0 01ad2 2**0 CONTENTS
87 CTCLEVE2 05 0 0 01ad6 2**0 CONTENTS
88 CALLTR12 02 0 0 01adb 2**0 CONTENTS
89 CTBSHR11 04 0 0 01add 2**0 CONTENTS
90 CTBROR11 02 0 0 01ae1 2**0 CONTENTS
91 CTBSWA11 05 0 0 01ae3 2**0 CONTENTS
92 CALLTR13 07 0 0 01ae8 2**0 CONTENTS
93 ctok32.00 0a 0 0 01aef 2**0 CONTENTS
94 ctok32.10 0e 0 0 01af9 2**0 CONTENTS
95 ctok32.20 020 0 0 01b07 2**0 CONTENTS
96 ctok32.30 0a 0 0 01b27 2**0 CONTENTS
97 ctok32.40 05 0 0 01b31 2**0 CONTENTS
98 PEIMPORT 02c 0 0 01b36 2**0 CONTENTS
99 PEIBYORD 02 0 0 01b62 2**0 CONTENTS
100 PEK32ORD 010 0 0 01b64 2**0 CONTENTS
101 PEIMORD1 07 0 0 01b74 2**0 CONTENTS
102 PEIMPOR2 016 0 0 01b7b 2**0 CONTENTS
103 PEIERDLL 06 0 0 01b91 2**0 CONTENTS
104 PEIEREXE 06 0 0 01b97 2**0 CONTENTS
105 PEIMDONE 0 0 0 01b9d 2**0 CONTENTS
106 PERELOC1 06 0 0 01b9d 2**0 CONTENTS
107 PERELOC2 03 0 0 01ba3 2**0 CONTENTS
108 PERELOC3 03 0 0 01ba6 2**0 CONTENTS
109 RELOC320 029 0 0 01ba9 2**0 CONTENTS
110 REL32BIG 09 0 0 01bd2 2**0 CONTENTS
111 RELOC32J 02 0 0 01bdb 2**0 CONTENTS
112 REL32END 0 0 0 01bdd 2**0 CONTENTS
113 PERLOHI0 08 0 0 01bdd 2**0 CONTENTS
114 PERELLO0 0a 0 0 01be5 2**0 CONTENTS
115 PERELHI0 0d 0 0 01bef 2**0 CONTENTS
116 PEDEPHAK 02f 0 0 01bfc 2**0 CONTENTS
117 PETLSC 018 0 0 01c2b 2**0 CONTENTS
118 PEMAIN20 01 0 0 01c43 2**0 CONTENTS
119 CLEARSTACK 0d 0 0 01c44 2**0 CONTENTS
120 PEMAIN21 0 0 0 01c51 2**0 CONTENTS
121 PERETURN 06 0 0 01c51 2**0 CONTENTS
122 PEDOJUMP 05 0 0 01c57 2**0 CONTENTS
123 PETLSC2 01f 0 0 01c5c 2**0 CONTENTS
124 UPX1HEAD 020 0 0 01c7b 2**0 CONTENTS
1 PEMAIN01 01 0 0 03f 2**0 CONTENTS
2 PESOCREL 05 0 0 040 2**0 CONTENTS
3 PESOCPIC 0c 0 0 045 2**0 CONTENTS
4 PESOUNC0 06 0 0 051 2**0 CONTENTS
5 PEICONS1 07 0 0 057 2**0 CONTENTS
6 PEICONS2 09 0 0 05e 2**0 CONTENTS
7 PETLSHAK 0f 0 0 067 2**0 CONTENTS
8 PEMAIN02 01 0 0 076 2**0 CONTENTS
9 PEMAIN03 03 0 0 077 2**0 CONTENTS
10 N2BSMA10 03 0 0 07a 2**0 CONTENTS
11 N2BFAS10 02 0 0 07d 2**0 CONTENTS
12 N2BFAS11 06 0 0 07f 2**0 CONTENTS
13 N2BDEC10 0b 0 0 085 2**0 CONTENTS
14 N2BSMA20 05 0 0 090 2**0 CONTENTS
15 N2BFAS20 07 0 0 095 2**0 CONTENTS
16 N2BDEC20 0d 0 0 09c 2**0 CONTENTS
17 N2BSMA30 0d 0 0 0a9 2**0 CONTENTS
18 N2BFAS30 0f 0 0 0b6 2**0 CONTENTS
19 N2BDEC30 03e 0 0 0c5 2**0 CONTENTS
20 N2BSMA40 0d 0 0 0103 2**0 CONTENTS
21 N2BFAS40 0f 0 0 0110 2**0 CONTENTS
22 N2BSMA50 02 0 0 011f 2**0 CONTENTS
23 N2BFAS50 03 0 0 0121 2**0 CONTENTS
24 N2BDEC50 09 0 0 0124 2**0 CONTENTS
25 N2BSMA60 0e 0 0 012d 2**0 CONTENTS
26 N2BFAS60 016 0 0 013b 2**0 CONTENTS
27 N2BFAS61 016 0 0 0151 2**0 CONTENTS
28 N2BDEC60 0 0 0 0167 2**0 CONTENTS
29 N2DSMA10 03 0 0 0167 2**0 CONTENTS
30 N2DFAS10 02 0 0 016a 2**0 CONTENTS
31 N2DFAS11 06 0 0 016c 2**0 CONTENTS
32 N2DDEC10 0b 0 0 0172 2**0 CONTENTS
33 N2DSMA20 05 0 0 017d 2**0 CONTENTS
34 N2DFAS20 07 0 0 0182 2**0 CONTENTS
35 N2DDEC20 0d 0 0 0189 2**0 CONTENTS
36 N2DSMA30 0d 0 0 0196 2**0 CONTENTS
37 N2DFAS30 0f 0 0 01a3 2**0 CONTENTS
38 N2DDEC30 052 0 0 01b2 2**0 CONTENTS
39 N2DSMA40 0d 0 0 0204 2**0 CONTENTS
40 N2DFAS40 0f 0 0 0211 2**0 CONTENTS
41 N2DSMA50 02 0 0 0220 2**0 CONTENTS
42 N2DFAS50 03 0 0 0222 2**0 CONTENTS
43 N2DDEC50 09 0 0 0225 2**0 CONTENTS
44 N2DSMA60 0e 0 0 022e 2**0 CONTENTS
45 N2DFAS60 016 0 0 023c 2**0 CONTENTS
46 N2DFAS61 016 0 0 0252 2**0 CONTENTS
47 N2DDEC60 0 0 0 0268 2**0 CONTENTS
48 N2ESMA10 03 0 0 0268 2**0 CONTENTS
49 N2EFAS10 02 0 0 026b 2**0 CONTENTS
50 N2EFAS11 06 0 0 026d 2**0 CONTENTS
51 N2EDEC10 0b 0 0 0273 2**0 CONTENTS
52 N2ESMA20 05 0 0 027e 2**0 CONTENTS
53 N2EFAS20 07 0 0 0283 2**0 CONTENTS
54 N2EDEC20 0d 0 0 028a 2**0 CONTENTS
55 N2ESMA30 0d 0 0 0297 2**0 CONTENTS
56 N2EFAS30 0f 0 0 02a4 2**0 CONTENTS
57 N2EDEC30 05f 0 0 02b3 2**0 CONTENTS
58 N2ESMA40 0d 0 0 0312 2**0 CONTENTS
59 N2EFAS40 0f 0 0 031f 2**0 CONTENTS
60 N2ESMA50 02 0 0 032e 2**0 CONTENTS
61 N2EFAS50 03 0 0 0330 2**0 CONTENTS
62 N2EDEC50 09 0 0 0333 2**0 CONTENTS
63 N2ESMA60 0e 0 0 033c 2**0 CONTENTS
64 N2EFAS60 016 0 0 034a 2**0 CONTENTS
65 N2EFAS61 016 0 0 0360 2**0 CONTENTS
66 N2EDEC60 0 0 0 0376 2**0 CONTENTS
67 LZMA_DEC00 02e 0 0 0376 2**0 CONTENTS
68 LZMA_ELF00 048 0 0 03a4 2**0 CONTENTS
69 LZMA_DEC10 0b3e 0 0 03ec 2**0 CONTENTS
70 LZMA_DEC20 0b3e 0 0 0f2a 2**0 CONTENTS
71 LZMA_DEC30 01a 0 0 01a68 2**0 CONTENTS
72 PEMAIN10 01 0 0 01a82 2**0 CONTENTS
73 PETLSHAK2 04 0 0 01a83 2**0 CONTENTS
74 PECTTPOS 06 0 0 01a87 2**0 CONTENTS
75 PECTTNUL 02 0 0 01a8d 2**0 CONTENTS
76 CALLTR00 0e 0 0 01a8f 2**0 CONTENTS
77 CTCLEVE1 05 0 0 01a9d 2**0 CONTENTS
78 CALLTR01 05 0 0 01aa2 2**0 CONTENTS
79 CTBSHR01 04 0 0 01aa7 2**0 CONTENTS
80 CTBROR01 02 0 0 01aab 2**0 CONTENTS
81 CTBSWA01 05 0 0 01aad 2**0 CONTENTS
82 CALLTR02 010 0 0 01ab2 2**0 CONTENTS
83 CALLTR10 05 0 0 01ac2 2**0 CONTENTS
84 CALLTRE8 02 0 0 01ac7 2**0 CONTENTS
85 CALLTRE9 02 0 0 01ac9 2**0 CONTENTS
86 CALLTR11 04 0 0 01acb 2**0 CONTENTS
87 CTCLEVE2 05 0 0 01acf 2**0 CONTENTS
88 CALLTR12 02 0 0 01ad4 2**0 CONTENTS
89 CTBSHR11 04 0 0 01ad6 2**0 CONTENTS
90 CTBROR11 02 0 0 01ada 2**0 CONTENTS
91 CTBSWA11 05 0 0 01adc 2**0 CONTENTS
92 CALLTR13 07 0 0 01ae1 2**0 CONTENTS
93 ctok32.00 0a 0 0 01ae8 2**0 CONTENTS
94 ctok32.10 0e 0 0 01af2 2**0 CONTENTS
95 ctok32.20 020 0 0 01b00 2**0 CONTENTS
96 ctok32.30 0a 0 0 01b20 2**0 CONTENTS
97 ctok32.40 05 0 0 01b2a 2**0 CONTENTS
98 PEIMPORT 02c 0 0 01b2f 2**0 CONTENTS
99 PEIBYORD 02 0 0 01b5b 2**0 CONTENTS
100 PEK32ORD 010 0 0 01b5d 2**0 CONTENTS
101 PEIMORD1 07 0 0 01b6d 2**0 CONTENTS
102 PEIMPOR2 016 0 0 01b74 2**0 CONTENTS
103 PEIERDLL 06 0 0 01b8a 2**0 CONTENTS
104 PEIEREXE 06 0 0 01b90 2**0 CONTENTS
105 PEIMDONE 0 0 0 01b96 2**0 CONTENTS
106 PERELOC1 06 0 0 01b96 2**0 CONTENTS
107 PERELOC2 03 0 0 01b9c 2**0 CONTENTS
108 PERELOC3 03 0 0 01b9f 2**0 CONTENTS
109 RELOC320 029 0 0 01ba2 2**0 CONTENTS
110 REL32BIG 09 0 0 01bcb 2**0 CONTENTS
111 RELOC32J 02 0 0 01bd4 2**0 CONTENTS
112 REL32END 0 0 0 01bd6 2**0 CONTENTS
113 PERLOHI0 08 0 0 01bd6 2**0 CONTENTS
114 PERELLO0 0a 0 0 01bde 2**0 CONTENTS
115 PERELHI0 0d 0 0 01be8 2**0 CONTENTS
116 PEDEPHAK 02f 0 0 01bf5 2**0 CONTENTS
117 PETLSC 018 0 0 01c24 2**0 CONTENTS
118 PEMAIN20 01 0 0 01c3c 2**0 CONTENTS
119 CLEARSTACK 0d 0 0 01c3d 2**0 CONTENTS
120 PEMAIN21 0 0 0 01c4a 2**0 CONTENTS
121 PERETURN 06 0 0 01c4a 2**0 CONTENTS
122 PEDOJUMP 05 0 0 01c50 2**0 CONTENTS
123 PETLSC2 01f 0 0 01c55 2**0 CONTENTS
124 UPX1HEAD 020 0 0 01c74 2**0 CONTENTS
SYMBOL TABLE:
00000000 l d N2BSMA10 0 N2BSMA10
00000000 l d N2BFAS11 0 N2BFAS11