Notepad packed with UPX; a quick look at the section table information with Stud_PE:
No | Name | VSize    | VOffset  | RSize    | ROffset  | Charact.
01 | UPX0 | 0000F000 | 00001000 | 00000000 | 00000400 | E0000080
02 | UPX1 | 00005000 | 00010000 | 00004600 | 00000400 | E0000040
03 | RSRC | 00008000 | 00015000 | 00007200 | 00004A00 | C0000040
It looks like the resources are not encrypted.
After loading it in OD, we see the following:
01014241   .  BE 00000101      MOV ESI,NOTEPAD.01010000               ; ESI = UPX1 section
01014246   .  8DBE 0010FFFF    LEA EDI,DWORD PTR DS:[ESI+FFFF1000]    ; EDI = UPX0 section
0101424C   .  57               PUSH EDI
0101424D   .  83CD FF          OR EBP,FFFFFFFF
01014250   .  EB 10            JMP SHORT NOTEPAD.01014262
The first addresses of the UPX1 and UPX0 sections are placed in ESI and EDI respectively.
As seen above, the RSize of the UPX0 section is 0, so it is suspected to be the space into which the unpacked data is released. The UPX1 section should be the encrypted program code.
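The same check can be scripted. The following is an added example, not part of the original write-up: it parses a PE section table and flags the layout described above (a writable and executable section with no raw data, next to one that holds the packed bytes). The helper names and the header-only sample image are constructed here; the section values are the ones from the Stud_PE table.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000

def parse_sections(image: bytes):
    """Return (name, vsize, voffset, rsize, roffset, charact) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # signature + COFF header + optional header
    out = []
    for i in range(nsect):
        name, vsize, voff, rsize, roff, _, _, _, _, ch = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"), vsize, voff, rsize, roff, ch))
    return out

def packer_hints(sections):
    """Flag writable+executable sections; one that is empty on disk is the unpack target."""
    hints = []
    for name, vsize, voff, rsize, roff, ch in sections:
        wx = ch & MEM_WRITE and ch & MEM_EXECUTE
        if wx and rsize == 0 and vsize > 0:
            hints.append((name, "unpack target: no raw data, writable and executable"))
        elif wx:
            hints.append((name, "writable and executable, holds raw data"))
    return hints

def build_sample():
    """Constructed header-only image carrying the section values from the table."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0)  # optional header omitted
    rows = [(b"UPX0", 0xF000, 0x1000, 0, 0x400, 0xE0000080),
            (b"UPX1", 0x5000, 0x10000, 0x4600, 0x400, 0xE0000040),
            (b"RSRC", 0x8000, 0x15000, 0x7200, 0x4A00, 0xC0000040)]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, vo, rs, ro, 0, 0, 0, 0, ch)
                     for n, vs, vo, rs, ro, ch in rows)
    return dos + b"PE\0\0" + coff + table

if __name__ == "__main__":
    for name, why in packer_hints(parse_sections(build_sample())):
        print(f"{name}: {why}")
```

To run it against a real file, pass the file's bytes to `parse_sections` instead of the constructed sample.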
Continue reading down:
01014258   > /8A06             MOV AL,BYTE PTR DS:[ESI]
0101425A   . |46               INC ESI
0101425B   . |8807             MOV BYTE PTR DS:[EDI],AL
0101425D   . |47               INC EDI
0101425E   > |01DB             ADD EBX,EBX
01014260   . |75 07            JNZ SHORT NOTEPAD.01014269             ; Copy the data in the UPX1 section step by step into the UPX0 section
01014262   > |8B1E             MOV EBX,DWORD PTR DS:[ESI]
01014264   . |83EE FC          SUB ESI,-4
01014267   . |11DB             ADC EBX,EBX
01014269   >^\72 ED            JB SHORT NOTEPAD.01014258
0101426B   .  B8 01000000      MOV EAX,1
01014270   >  01DB             ADD EBX,EBX
01014272   .  75 07            JNZ SHORT NOTEPAD.0101427B
01014274   .  8B1E             MOV EBX,DWORD PTR DS:[ESI]
01014276   .  83EE FC          SUB ESI,-4
01014279   .  11DB             ADC EBX,EBX
...
0101431A   > /8A07             MOV AL,BYTE PTR DS:[EDI]