PECompact v1.67 Delphi DLL


SunBeam
September 25th, 2006, 08:19
Hello folks. It's been a while =[

I am trying to unpack a target protected with PECompact. At first I thought it was going to be easy, but it doesn't seem so now. Here's some info, so you get a picture of why this isn't a regular PECompact unpacking scheme:

[ Showing what I have done ]

1. Loaded the target in Olly, and from the looks of the EP, it's indeed an old PECompact (1.x) - PEiD says it's v1.67 :
http://i9.tinypic.com/2hp29gp.jpg

2. Setting a hardware breakpoint on access on ESP register, when reaching the PUSHAD, and running the .dll, leads me to this spot :
http://i9.tinypic.com/47dj1vn.jpg

3. Three more F8s, and I am at OEP :
http://i10.tinypic.com/2uqekhy.jpg

[ The problem ]

When using OllyDump and trying to dump the application, I get this error : "Unable to read memory of debugged process (00400000...00423FFF)", followed by a "Bad DOS Signature!!" pop-up.

[ Alternatives ]

I've also tried normal unpackers, but they seem to not find a valid version of PECompact in the file. Also, used LordPE to dump the file at OEP, same error.


Thanks for your replies.

P.S. : I have masked the .dll name, for rules of RCE reasons. Also, the code is universal, as it can be found in any PECompact packed application. I've tried to post as general as I could so that I am not breaking rules...

naides
September 25th, 2006, 08:46
Hi I am not clear about something:

You mention that your target is a .dll

How did you load it into Olly?

OllyDump appears to want to dump the exe module around mem location 400000 if you look at the memory map, where is your .dll module located??

SunBeam
September 25th, 2006, 09:19
I loaded it with LOADDLL, Olly's .dll loader...

I did that. Tried to dump the .dll from memory at its location. Posting 2 more pics :
http://i9.tinypic.com/2pyn6ae.jpg

As you can see, EP = 89F000. If you look below, you'll see that PUSH. So : 89F000 + 16F4C = OEP :
http://i9.tinypic.com/48m5rif.jpg

Well, this is what OllyDump shows me :
http://i9.tinypic.com/2a98luf.jpg

And this is what the memory map looks like:
http://i10.tinypic.com/2ym6fth.jpg

Now, if I try to dump, it says it can't read memory from 400000 till 423FFF, although, as you can see in the pics above, there is memory in that region. Even if I change the address to 880000, where the .dll header is, I get the same results. Can't read memory :|...

naides
September 25th, 2006, 11:04
Please PM a link to your .dll
I will take a look, so we are on the same page when we talk

SiGiNT
September 25th, 2006, 14:33
Just re-read a tut over at ARTeam; for unpacking an .ocx it recommends using LordPE when at the OEP.

SiGiNT

SunBeam
September 25th, 2006, 17:22
Thanks for the heads up, sigint33. It wasn't LordPE, but reading the tutorial, I learnt how to change the file characteristics to make Olly load the .dll as an .exe. Now everything works. File is dumped, fixed, characteristics changed back, and working!

Thanks everyone !

P.S. : This is the tutorial I read, in case someone needs it :

Unpacking PECompact 1.68-1.84 OCX Control by Ferrari

naides
September 25th, 2006, 17:35
I am glad it worked for you.

I took a look at your file

Just as an alternative: I used PE Tools 1.5

Pick the loadDLL process,

In the lower window find your target.dll

Right-click on it and choose "dump full"

Dumped without a problem.

SiGiNT
September 25th, 2006, 21:20
Nice info naides - I knew I was keeping PE Tools for something! I know RTFM!

SiGiNT

nchanta
September 26th, 2006, 01:50
When using OllyDump and LoadDll.exe you may find that you are unable to dump.

This is because OllyDump gets the ImageBase of the main process, which is different for the loaded dll.

To dump the dll properly, simply change the ImageBase to what you see in the Memory list (usually 0x01000000 or something similar) and it should dump fine...

(or you can change the dll to load as an exe and dump that way)
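The two mechanics discussed in this thread, the "change the file characteristics so the loader treats the DLL as an EXE" step from SunBeam's tutorial and the ImageBase mismatch nchanta describes, both come down to a handful of fields in the PE header. The following script is an added example and is not code from the thread or from any of the tools mentioned in it (OllyDump, LordPE, PE Tools). It builds a constructed, minimal PE32 header in memory with the addresses from the thread (module base 0x880000, entry point 0x89F000), reads the FileHeader.Characteristics field, clears or sets the real IMAGE_FILE_DLL bit (0x2000), and converts the VA of the unpacked entry point (0x89F000 + 0x16F4C) into an RVA against the base the module was actually loaded at rather than the main process's 0x400000. Only the header flag is touched; nothing here fixes sections or imports of a dump.

```python
import struct

# Real PE constants (winnt.h); only the ones this example needs.
IMAGE_FILE_DLL = 0x2000              # FileHeader.Characteristics bit
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B


def parse_pe(data: bytes) -> dict:
    """Read the few header fields relevant to dumping a loaded module."""
    if data[:2] != b"MZ":
        raise ValueError("Bad DOS signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("Bad PE signature")
    fh = e_lfanew + 4                               # IMAGE_FILE_HEADER
    (machine, nsections, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                   # IMAGE_OPTIONAL_HEADER32
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("only PE32 images are handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "sections": nsections,
        "characteristics": characteristics,
        "characteristics_offset": fh + 18,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "entry_rva": entry_rva,
        "image_base": image_base,
    }


def set_dll_flag(data: bytes, enabled: bool) -> bytes:
    """Return a copy of the image with IMAGE_FILE_DLL set or cleared.

    Clearing it is the 'load the .dll as an .exe' trick from the thread;
    setting it again restores the original characteristics afterwards.
    """
    info = parse_pe(data)
    chars = info["characteristics"]
    chars = (chars | IMAGE_FILE_DLL) if enabled else (chars & ~IMAGE_FILE_DLL)
    buf = bytearray(data)
    struct.pack_into("<H", buf, info["characteristics_offset"], chars & 0xFFFF)
    return bytes(buf)


def va_to_rva(va: int, actual_base: int) -> int:
    """Convert a virtual address seen in the debugger into an RVA.

    The base must be the one the module is really mapped at (taken from the
    memory map), not the main process's ImageBase; using the wrong base is
    exactly why a dumper ends up reading the wrong region.
    """
    if va < actual_base:
        raise ValueError(f"VA {va:#x} lies below module base {actual_base:#x}")
    return va - actual_base


def build_sample_image() -> bytes:
    """Constructed minimal PE32 header (no sections) using the thread's numbers."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew
    file_hdr = struct.pack("<HHIIIHH",
                           0x14C,   # Machine: i386
                           1,       # NumberOfSections
                           0, 0, 0,
                           0xE0,    # SizeOfOptionalHeader (PE32)
                           0x2102)  # EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1F000)         # AddressOfEntryPoint RVA
    struct.pack_into("<I", opt, 28, 0x00880000)      # ImageBase (module base in the thread)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    img = build_sample_image()
    info = parse_pe(img)
    print(f"packer EP VA   : {info['image_base'] + info['entry_rva']:#x}  (DLL={info['is_dll']})")
    oep_va = 0x0089F000 + 0x16F4C                      # EP + the PUSHed offset from the thread
    print(f"OEP RVA        : {va_to_rva(oep_va, info['image_base']):#x}")
    as_exe = set_dll_flag(img, False)
    print(f"after clearing : DLL={parse_pe(as_exe)['is_dll']}")
```

Run it as-is and it prints the entry-point VA (0x89F000), the OEP RVA relative to the real base (0x35F4C), and the flag state before and after the edit; to apply the same two-byte change to an on-disk file you would read the file, pass its bytes through `set_dll_flag(..., False)`, and write the result to a new name.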

SunBeam
September 26th, 2006, 21:25
It wasn't "Dump Full" that was the problem, but "Dump at OEP". And I've tried changing the Image Base and get the same error. The only method is the one with changing the characteristics.