fpak0055
04-07-2008, 04:17 AM
Hello ppl: I would like a little help regarding encrypted RCDATA.
I have unpacked this tool that was packed with PECOMPACT
----
PECompact 2.x -> Jeremy Collake «
00B07C54 /EB 0C JMP SHORT pleaseun.00B07C62
00B07C56 |03CA ADD ECX,EDX
00B07C58 |68 00800000 PUSH 8000
00B07C5D |6A 00 PUSH 0
00B07C5F |57 PUSH EDI
00B07C60 |FF11 CALL DWORD PTR DS:[ECX]
00B07C62 \8BC6 MOV EAX,ESI
00B07C64 5A POP EDX
00B07C65 5E POP ESI
00B07C66 5F POP EDI
00B07C67 59 POP ECX
00B07C68 5B POP EBX
00B07C69 5D POP EBP
00B07C6A FFE0 JMP EAX // ** <- set hardware breakpoint here on execution
Shift+F9 and F7 once it breaks..
00401DA4 > /EB 10 JMP SHORT pleaseun.00401DB6 // ** OEP - Borland C++
00401DA6 |66:623A BOUND DI,DWORD PTR DS:[EDX]
00401DA9 |43 INC EBX
00401DAA |2B2B SUB EBP,DWORD PTR DS:[EBX]
00401DAC |48 DEC EAX
00401DAD |4F DEC EDI
00401DAE |4F DEC EDI
00401DAF |4B DEC EBX
00401DB0 |90 NOP
00401DB1 |E9 8C105F00 JMP pleaseun.009F2E42
00401DB6 \A1 7F105F00 MOV EAX,DWORD PTR DS:[5F107F]
00401DBB C1E0 02 SHL EAX,2
00401DBE A3 83105F00 MOV DWORD PTR DS:[5F1083],EAX
00401DC3 52 PUSH EDX
00401DC4 6A 00 PUSH 0
00401DC6 E8 05D71E00 CALL pleaseun.005EF4D0 ; JMP to kernel32.GetModuleHandleA
7.5 MB unpacked + dumped
----
not so difficult to unpack PECOMPACT
Now I have the unpacked version, but when I try to edit [with Restuner] RCDATA -> TFORMMAIN -> TabSheetAbout I can't modify it: so is it encrypted?
Please help me to understand ;)
Packed original version: http://rapidshare.com/files/105186759/pleaseunpackme.rar.html
Unpacked Version: http://rapidshare.com/files/105301259/unpacked.rar.html
TFORMMAIN raw dump with ResEdit: http://rapidshare.com/files/105424322/TFORMMAIN.rar.html [please can you analyze it?]
My target is to modify the ABOUT of the TOOLS, only as a joke and to "fight" with the original author: no cracks, hacks or illegal stuff.
Thank you all!!
[the program requires other .dll files and ini.dat to run: if you need them, please ask!]