PeCompact 2.X unpacking problem


robson
April 8th, 2013, 12:49
Hi everybody,

I have this problem and I hope that somebody more experienced will be able to point me in the right direction.
I successfully unpacked a program on Windows XP that was packed with PECompact 2.X. The unpacked program runs fine on Windows XP, no issues. I copied it to Windows 7 32-bit and it fails to run there. After some investigation, I realized that the problem is that the Image Base changes, which invalidates some memory references in the program and causes unhandled exceptions. I tried to change the image base using the LordPE editor to what I believe it is supposed to be, but when the program is loaded into memory it doesn't use this image base as I would expect.

Please can somebody tell me how to fix this particular issue I am dealing with? How come it does work on Windows XP but not on Windows 7?

Thank you for your help.
Robson

Kayaker
April 8th, 2013, 16:48
Assuming that the unpacked file isn't using XP hardcoded IAT addresses, you can try turning ASLR off. Open the file in CFF Explorer or other and under Optional Header/Dll Characteristics uncheck 'Dll can move'. It should then load at 0x400000.
Otherwise it could be a .reloc issue, see here for example
http://www.woodmann.com/forum/showthread.php?14494-Pointers-in-unpacked-file-don-t-get-rebased

robson
April 8th, 2013, 18:16
Quote:
[Originally Posted by Kayaker;94488]Assuming that the unpacked file isn't using XP hardcoded IAT addresses, you can try turning ASLR off. Open the file in CFF Explorer or other and under Optional Header/Dll Characteristics uncheck 'Dll can move'. It should then load at 0x400000.
Otherwise it could be a .reloc issue, see here for example
http://www.woodmann.com/forum/showthread.php?14494-Pointers-in-unpacked-file-don-t-get-rebased


I unchecked 'Dll can move', saved the updated application binary and the application works like a charm. Thank you.
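
The header change Kayaker describes above, as an added example that is not part of the original thread: a stdlib-only Python sketch that reads the fields deciding whether the loader may move an image (ImageBase, the 'Dll can move' bit in DllCharacteristics, and the base relocation directory) and clears that bit on a copy. The function names and the constructed header-only sample buffer are assumptions made for illustration.

```python
import struct

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE ("DLL can move")
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED (File Header Characteristics)

def _locate(data):
    """Return (pe_offset, optional_header_offset, is_pe32_plus)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                        # 4-byte signature + 20-byte File Header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown Optional Header magic")
    return pe, opt, magic == 0x20B

def aslr_status(data):
    """Report the header fields that decide whether the loader may move the image."""
    pe, opt, plus = _locate(data)
    file_chars = struct.unpack_from("<H", data, pe + 22)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    base = struct.unpack_from("<Q" if plus else "<I", data, opt + (24 if plus else 28))[0]
    # Data directory 5 is the base relocation table (.reloc)
    _, reloc_size = struct.unpack_from("<II", data, opt + (112 if plus else 96) + 5 * 8)
    return {"image_base": base,
            "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
            "relocs_stripped": bool(file_chars & RELOCS_STRIPPED),
            "reloc_dir_size": reloc_size}

def clear_dynamic_base(data):
    """Return a copy with 'DLL can move' cleared; the header CheckSum is not recomputed."""
    _, opt, _ = _locate(data)
    out = bytearray(data)
    chars = struct.unpack_from("<H", out, opt + 70)[0]
    struct.pack_into("<H", out, opt + 70, chars & ~DYNAMIC_BASE)
    return bytes(out)

def sample_pe32(dll_chars=0x8140):
    """Constructed header-only PE32 buffer (not a real program) for demonstration."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H", buf, 0x98, 0x10B)               # PE32 magic
    struct.pack_into("<I", buf, 0x98 + 28, 0x400000)       # ImageBase
    struct.pack_into("<H", buf, 0x98 + 70, dll_chars)      # DllCharacteristics
    struct.pack_into("<II", buf, 0x98 + 96 + 5 * 8, 0x5000, 0x200)  # .reloc directory
    return bytes(buf)
```

To use it on a real dump, read the file's bytes, pass them through `aslr_status` before and after `clear_dynamic_base`, and write the result to a new file so the original dump stays untouched.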