[Help] How do you unpack UPolyX v0.5?
Posted on: 2006-7-5 20:47 11658

Latest replies (3)
#2
Search the forum before posting:
http://bbs.pediy.com/showthread.php?s=&threadid=28135
2006-7-5 20:55
#3
Reposting a notepad.exe example

*UPolyX v0.5*
written by Delikon/www.delikon.de
ENTRYPOINT: 15360
FILEENTRYPOINT: 4760
[+] Checking for UPX
[+] Yes this is packed with UPX!
[+] Replace the section name UPX with irnY
[+] the second UPX section starts at 0x400
[+] the second UPX section is 0x4600 big
[+] Found a 0x128 big space for the decryptor
[+] using the xor/xor 4 byte decryptor
[+] Using for Register1 EBX
[+] Using for Register2 EAX
[+] use 0x1b0f74 as manipulationBytes
[+] encrypt 160 bytes from address 0x1015360 till address 0x1015400
[+] Generated 0x38 byte decryptor
[+] Generated 0xe1 bytes of trash
PRESS A KEY

D:\Documents and Settings\Administrator\Desktop>
--------------------------------------------------------------------------------

Now load the notepad.exe with Olly. Olly should warn you about the compressed code; just say YES.
The code should now look like this:

--------------------------------------------------------------------------------
010154B8 > $ 8AD0 MOV DL,AL
010154BA . C7C1 F4E70E99 MOV ECX,990EE7F4
010154C0 . 0FADD8 SHRD EAX,EBX,CL
010154C3 . 64:0FBAE5 23 BT EBP,23 ; Superfluous prefix
010154C8 . 0FBDD5 BSR EDX,EBP
010154CB . 8D0D 7C4FD641 LEA ECX,DWORD PTR DS:[41D64F7C]
010154D1 . 0FACD8 9F SHRD EAX,EBX,9F ; Shift constant out of range 1..31
010154D5 . 84C3 TEST BL,AL
010154D7 . D2DC RCR AH,CL
010154D9 . 0FC1DA XADD EDX,EBX
010154DC . C1E1 04 SHL ECX,4
010154DF . 0FC1F1 XADD ECX,ESI
010154E2 . 8AE2 MOV AH,DL
010154E4 . D1F3 SAL EBX,1
010154E6 . F7D1 NOT ECX
010154E8 . BE BD8C1F66 MOV ESI,661F8CBD
010154ED . 89F9 MOV ECX,EDI ; ntdll.7C910738
010154EF . C7C6 5DACBF86 MOV ESI,86BFAC5D
010154F5 . F2: PREFIX REPNE: ; Superfluous prefix
010154F6 . 0FA4F7 FD SHLD EDI,ESI,0FD ; Shift constant out of range 1..31
010154FA . 15 CD5CAFB6 ADC EAX,B6AF5CCD
010154FF . 0FBAE9 EC BTS ECX,0EC
01015503 . 0FA4F7 6D SHLD EDI,ESI,6D ; Shift constant out of range 1..31
01015507 . 3E:F6DC NEG AH ; Superfluous prefix
0101550A . 31CB XOR EBX,ECX
0101550C . C7C1 74678E19 MOV ECX,198E6774
01015512 . C0F8 B7 SAR AL,0B7 ; Shift constant out of range 1..31
01015515 . 0FC0F1 XADD CL,DH
01015518 . D2DC RCR AH,CL
0101551A . 0FAFDA IMUL EBX,EDX ; ntdll.KiFastSystemCallRet
0101551D . 0FC1C8 XADD EAX,ECX
01015520 . 89EE MOV ESI,EBP
01015522 . 8AE2 MOV AH,DL
01015524 . 3E:0FAFC8 IMUL ECX,EAX ; Superfluous prefix
01015528 . 0FCF BSWAP EDI ; ntdll.7C910738
0101552A . 8D2D D34AE514 LEA EBP,DWORD PTR DS:[14E54AD3]
01015530 . BE B5A4D73E MOV ESI,3ED7A4B5
01015535 . 81E1 34274ED9 AND ECX,D94E2734
0101553B . 84D5 TEST CH,DL
0101553D . 0FBBF7 BTC EDI,ESI
01015540 . 0FBAE5 63 BT EBP,63
01015544 . 0FACEA B1 SHRD EDX,EBP,0B1 ; Shift constant out of range 1..31
01015548 . F6C2 8F TEST DL,8F
0101554B . 2C 7D SUB AL,7D
0101554D . 89EE MOV ESI,EBP
0101554F . F6C6 4B TEST DH,4B
01015552 . 08C2 OR DL,AL
01015554 . C7C1 44F7DE29 MOV ECX,29DEF744
0101555A . 8AC6 MOV AL,DH
0101555C . 64:0FADFD SHRD EBP,EDI,CL ; Superfluous prefix
01015560 . EB 01 JMP SHORT notepad.01015563
01015562 01 DB 01
01015563 > F6D8 NEG AL
01015565 . F2: PREFIX REPNE: ; Superfluous prefix
01015566 . FECC DEC AH
01015568 . 0FBCDA BSF EBX,EDX ; ntdll.KiFastSystemCallRet
0101556B . 81E1 C4775EA9 AND ECX,A95E77C4
01015571 . 48 DEC EAX
01015572 . C1D6 F5 RCL ESI,0F5 ; Shift constant out of range 1..31
01015575 . 81D6 C574678E ADC ESI,8E6774C5
0101557B . 0FBCC8 BSF ECX,EAX
0101557E . 0FBBF7 BTC EDI,ESI
01015581 . 1AE2 SBB AH,DL
01015583 . 8D1D F1F0F3EA LEA EBX,DWORD PTR DS:[EAF3F0F1]
01015589 . 86E7 XCHG BH,AH
0101558B . 81F3 9110930A XOR EBX,0A931091
01015591 . 0FACFD E3 SHRD EBP,EDI,0E3 ; Shift constant out of range 1..31
01015595 . 0FBED0 MOVSX EDX,AL
01015598 . 85DA TEST EDX,EBX
0101559A . F7C0 FDCC5FA6 TEST EAX,A65FCCFD
010155A0 . 25 5CAFB6A1 AND EAX,A1B6AF5C
010155A5 . 88F0 MOV AL,DH
010155A7 . 0FCF BSWAP EDI ; ntdll.7C910738
010155A9 . 18D4 SBB AH,DL
010155AB . 0FBCDA BSF EBX,EDX ; ntdll.KiFastSystemCallRet
010155AE . 8BCF MOV ECX,EDI ; ntdll.7C910738
010155B0 . 15 C574678E ADC EAX,8E6774C5
010155B5 . F7C3 04B79EE9 TEST EBX,E99EB704
010155BB . 88F0 MOV AL,DH
010155BD . 13F5 ADC ESI,EBP
010155BF . E8 00000000 CALL notepad.010155C4
010155C4 /$ 59 POP ECX ; kernel32.7C816D4F
010155C5 |. 83C1 07 ADD ECX,7
010155C8 |. 51 PUSH ECX
010155C9 \. C3 RETN
010155CA > C3 RETN
010155CB . B8 40530101 MOV EAX,notepad.01015340
010155D0 . 50 PUSH EAX
010155D1 . B9 B8000000 MOV ECX,0B8
010155D6 > 8130 F8012700 XOR DWORD PTR DS:[EAX],2701F8
010155DC . 51 PUSH ECX
010155DD . 2BC9 SUB ECX,ECX
010155DF . B9 04000000 MOV ECX,4
010155E4 > 83C0 01 ADD EAX,1
010155E7 .^ E2 FB LOOPD SHORT notepad.010155E4
010155E9 . 59 POP ECX ; kernel32.7C816D4F
010155EA . 83E9 03 SUB ECX,3
010155ED .^ E2 E7 LOOPD SHORT notepad.010155D6
010155EF .^ EB D9 JMP SHORT notepad.010155CA
--------------------------------------------------------------------------------

Set a breakpoint on the JMP.
Before the jump, the 2 LOOPDs actually unpack the code.

When it breaks on the JMP, press F8 once.
It should take you to:

010155CA > / C3 RETN
010155CB . | B8 40530101 MOV EAX,notepad.01015340
010155D0 . | 50 PUSH EAX ; notepad.
010155D1 . | B9 B8000000 MOV ECX,0B8
010155D6 >| 8130 F8012700 XOR DWORD PTR DS:[EAX],2701F8
010155DC . | 51 PUSH ECX
010155DD . | 2BC9 SUB ECX,ECX
010155DF . | B9 04000000 MOV ECX,4
010155E4 > | 83C0 01 ADD EAX,1
010155E7 .^| E2 FB LOOPD SHORT notepad.010155E4
010155E9 . | 59 POP ECX ; kernel32.7C816D4F
010155EA . | 83E9 03 SUB ECX,3
010155ED .^| E2 E7 LOOPD SHORT notepad.010155D6
010155EF .^\ EB D9 JMP SHORT notepad.010155CA

Now press F8 once again.
You'll come to somewhere like:

--------------------------------------------------------------------------------
01015341 BE DB BE
01015342 00 DB 00
01015343 10 DB 10
01015344 01 DB 01
01015345 01 DB 01
01015346 8D DB 8D
01015347 BE DB BE
01015348 00 DB 00
01015349 00 DB 00
0101534A FF DB FF
0101534B FF DB FF
0101534C 57 DB 57 ; CHAR 'W'
0101534D 83 DB 83
0101534E CD DB CD
0101534F FF DB FF
01015350 EB DB EB
01015351 10 DB 10
01015352 90 DB 90
01015353 90 NOP
01015354 90 DB 90
01015355 90 DB 90
01015356 90 DB 90
01015357 90 NOP
01015358 8A DB 8A
01015359 06 DB 06
0101535A 46 DB 46 ; CHAR 'F'
0101535B 8807 MOV BYTE PTR DS:[EDI],AL

Right click: Analysis > Remove Analysis from this module.
The code will become like this:

--------------------------------------------------------------------------------
01015340 60 PUSHAD
01015341 BE 00100101 MOV ESI,notepad.01011000
01015346 8DBE 0000FFFF LEA EDI,DWORD PTR DS:[ESI+FFFF0000]
0101534C 57 PUSH EDI
0101534D 83CD FF OR EBP,FFFFFFFF
01015350 EB 10 JMP SHORT notepad.01015362
01015352 90 NOP
01015353 90 NOP
01015354 90 NOP
--------------------------------------------------------------------------------

Execute the PUSHAD with an F8.

Now in the right-hand pane, right-click on ESP > Follow in dump.
In the dump window below you should find something like this:

--------------------------------------------------------------------------------
0007FFA4 D3 50 B1 FE AF 8D F2 C4 95 CA 29 DC C4 FF 07 00 óP±t¯?ò?・ê)ü??.
0007FFB4 06 00 00 00 40 00 00 00 00 00 00 00 F8 53 01 01 ...@.......?S
0007FFC4 4F 6D 81 7C 38 07 91 7C FF FF FF FF 00 F0 FD 7F Om?|8‘|????.ey
0007FFD4 FA 22 55 80 C8 FF 07 00 D8 C6 40 FE FF FF FF FF ú"U??.??@t????
0007FFE4 F3 99 83 7C 58 6D 81 7C 00 00 00 00 00 00 00 00 ó™?|Xm?|........
0007FFF4 00 00 00 00 B8 54 01 01 00 00 00 00 ....?T....
--------------------------------------------------------------------------------

Now right click on D3 (at address 0007FFA4): Breakpoint > Hardware, On Access > Word.

Now press F9 once.

It should break on a jump like the following:

--------------------------------------------------------------------------------
0101548F - E9 091FFFFF JMP notepad.0100739D
01015494 0000 ADD BYTE PTR DS:[EAX],AL
01015496 0000 ADD BYTE PTR DS:[EAX],AL
01015498 0000 ADD BYTE PTR DS:[EAX],AL
0101549A 0000 ADD BYTE PTR DS:[EAX],AL
0101549C 0000 ADD BYTE PTR DS:[EAX],AL
0101549E 0000 ADD BYTE PTR DS:[EAX],AL
010154A0 0000 ADD BYTE PTR DS:[EAX],AL
010154A2 0000 ADD BYTE PTR DS:[EAX],AL
--------------------------------------------------------------------------------

Take the jump with an F9, and you are at the entrypoint of the notepad.exe.

Now keep the Olly window like this and open LordPE.
Select the notepad.exe process, right click > dump full ... save it as dumped.exe.

Now open ImpRec.
Attach to active process - notepad.exe; many things will scroll down in the log window.

Now in the "IAT infos needed" window put: 739D
OEP = (RVA from olly) - (original OEP)
= 0100739D - 01000000
= 739D
Press IAT autosearch; it should come up with a window "FOUND SOMETHING", press OK.

Now press GET IMPORTS.
Many things should come up in the "Imported Functions Found" window.

Now press FIX DUMP & choose your previously DUMPED.EXE made by LordPE. The log window should say C:\DUMPED_.EXE saved successfully and voila, you are DONE.
2006-7-6 08:52
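The two-LOOPD stub in the listing above is small enough to replay outside the debugger, which is a handy way to confirm what the loop does to a section before trusting a dump. The following Python is an added example for this thread, not code from the original post or from UPolyX. It takes its constants from the OllyDbg listing (start 01015340, count 0B8, key 2701F8), steps exactly the way the stub does, and also carries out the OEP = VA - image base arithmetic from the ImpRec step. The sample bytes are constructed: the first 16 bytes of the UPX prologue shown after "Remove Analysis", and the same bytes with the stub's XOR applied by hand.

```python
import struct

# Constants read off the decryptor stub in the OllyDbg listing above:
#   MOV EAX, notepad.01015340      -> first byte to process
#   MOV ECX, 0B8                   -> byte count for the outer loop
#   XOR DWORD PTR DS:[EAX], 2701F8 -> the 4-byte key
STUB_TARGET = 0x01015340
STUB_LENGTH = 0xB8
XOR_KEY = 0x002701F8


def xor4_decrypt(buf, key=XOR_KEY, length=STUB_LENGTH):
    """Replay the stub's loop over an in-memory copy of the bytes.

    Per outer pass the stub XORs one dword, then the inner LOOPD executes
    ADD EAX,1 four times (EAX += 4), then SUB ECX,3 plus LOOPD's own
    decrement take 4 off the counter. The outer loop therefore runs
    length // 4 times over consecutive dwords and falls through only
    when ECX reaches exactly 0.
    """
    if length == 0 or length % 4 or length > len(buf):
        # A count that is not a multiple of 4 would step past 0 and wrap
        # ECX to 0xFFFFFFFF in the real stub (a near-endless loop), so
        # refuse it here instead of emulating the wrap.
        raise ValueError("length must be a non-zero multiple of 4 within buf")
    out = bytearray(buf)
    eax, ecx = 0, length          # offsets into out stand in for the VA
    while True:
        (dword,) = struct.unpack_from("<I", out, eax)
        struct.pack_into("<I", out, eax, dword ^ key)
        eax += 4                  # inner loop: ADD EAX,1 four times
        ecx -= 4                  # SUB ECX,3 + LOOPD decrement
        if ecx == 0:              # LOOPD falls through
            break
    return bytes(out)


def oep_rva(va, image_base=0x01000000):
    """The post's OEP arithmetic: RVA = VA seen in Olly minus image base."""
    return va - image_base


# Constructed sample: the first 16 bytes of the UPX prologue shown after
# "Remove Analysis" (PUSHAD; MOV ESI,...; LEA EDI,...; PUSH EDI; OR EBP,-1),
# and the same bytes with the stub's XOR applied (hand-computed for this example).
UPX_PROLOGUE = bytes.fromhex("60 BE 00 10 01 01 8D BE 00 00 FF FF 57 83 CD FF")
ENCRYPTED_SAMPLE = bytes.fromhex("98 BF 27 10 F9 00 AA BE F8 01 D8 FF AF 82 EA FF")

if __name__ == "__main__":
    plain = xor4_decrypt(ENCRYPTED_SAMPLE, length=len(ENCRYPTED_SAMPLE))
    print(plain.hex(" "), "PUSHAD" if plain[0] == 0x60 else "?")
    print(hex(oep_rva(0x0100739D)))
```

Because the key's top byte is 00, every fourth byte passes through unchanged, which is why fragments of the real prologue (the 01 01 of the image base, the FF FF of the LEA displacement) are already visible in the "DB" residue Olly shows before the stub has run. XOR is its own inverse, so the same function that "decrypts" the constructed sample also reproduces the encrypted form from the prologue.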
#4
thx
2006-7-7 14:14