SunBeam
September 25th, 2006, 08:19
Hello folks. It's been a while =[
I am trying to unpack a target protected with PECompact. At first I thought it was going to be easy, but it doesn't seem so now. Here's some info, so you get a picture of why this isn't a regular PECompact unpacking scheme :
[ Showing what I have done ]
1. Loaded the target in Olly, and from the looks of the EP, it's indeed an old PECompact (1.x) - PEiD says it's v1.67 :
http://i9.tinypic.com/2hp29gp.jpg
2. Setting a hardware breakpoint on access on ESP register, when reaching the PUSHAD, and running the .dll, leads me to this spot :
http://i9.tinypic.com/47dj1vn.jpg
3. Three more F8s, and I am at OEP :
http://i10.tinypic.com/2uqekhy.jpg
[ The problem ]
When using OllyDump and trying to dump the application, I get this error : "Unable to read memory of debugged process (00400000...00423FFF)", followed by a "Bad DOS Signature!!" pop-up.
[ Alternatives ]
I've also tried normal unpackers, but they seem to not find a valid version of PECompact in the file. Also, used LordPE to dump the file at OEP, same error.
Thanks for your replies.
P.S. : I have masked the .dll name, for rules of RCE reasons. Also, the code is universal, as it can be found in any PECompact packed application. I've tried to post as general as I could so that I am not breaking rules...