[unpackme] PECompact v2.86.1

[acidflash]

Good luck...

PECompact_UnPack_Me.rar

Edited June 11, 2008 by acidflash

[quosego]

Unpacked;

(needed to get away from winlicense.. )

Only look at it when you're stuck :

Don't cheat!!

http://www.willhostforfood.com/access.php?fileid=24402

PW: SnD123quo

quosego

PS: Thnx for the unpackme... It's a nice one for everybody new to unpacking..

Edited June 11, 2008 by quosego

[acidflash]

Unpacked;

(needed to get away from winlicense.. )

Only look at it when you're stuck :

Don't cheat!!

http://www.willhostforfood.com/access.php?fileid=24402

PW: SnD123quo

quosego

PS: Thnx for the unpackme... It's a nice one for everybody new to unpacking..

Nice work I figured I would put 3 levels of packers up (all latest legit versions)...

[quosego]

Hey didn't notice the other two.. was working on some other winlicense target

I'll do yours later on.. Doesn't use VM from the looks of it... So shouldn't be a problem..

Depends a bit if they changed the IAT redirs handling if it takes some extra time.. and actually looked at my method of fixing it.. though doubt it..

BTW new winlicense oep! They did a really big rewrite..

quosego

Edited June 11, 2008 by quosego

[jesy]

unpacked

00401E6E >/$ 55 PUSH EBP

00401E6F |. 8BEC MOV EBP,ESP

00401E71 |. 6A FF PUSH -1

00401E73 |. 68 58454100 PUSH dumped_.00414558

00401E78 |. 68 904A4000 PUSH dumped_.00404A90 ; SE 处理程序安装

00401E7D |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]

00401E83 |. 50 PUSH EAX

00401E84 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP

00401E8B |. 83EC 58 SUB ESP,58

00401E8E |. 53 PUSH EBX

00401E8F |. 56 PUSH ESI

00401E90 |. 57 PUSH EDI

00401E91 |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP

00401E94 |. FF15 AC314100 CALL DWORD PTR DS:[<&kernel32.GetVersion>; kernel32.GetVersion

[SunBeam]

PEC_EP == OEP, just so you know it

00361679	50							 PUSH EAX ------------------------------[1]
0036167A	8B75 0C						MOV ESI,DWORD PTR SS:[EBP+C]
0036167D	8DBB C61A0010				  LEA EDI,DWORD PTR DS:[EBX+10001AC6]
00361683	33C0						   XOR EAX,EAX
00361685	0206						   ADD AL,BYTE PTR DS:[ESI]
00361687	74 12						  JE SHORT 0036169B
00361689	0227						   ADD AH,BYTE PTR DS:[EDI]
0036168B	74 11						  JE SHORT 0036169E
0036168D	3C 61						  CMP AL,61
0036168F	73 02						  JNB SHORT 00361693
00361691	04 20						  ADD AL,20
00361693	3AC4						   CMP AL,AH
00361695	75 04						  JNZ SHORT 0036169B
00361697	46							 INC ESI
00361698	47							 INC EDI
00361699  ^ EB E8						  JMP SHORT 00361683
0036169B	58							 POP EAX
0036169C	EB 05						  JMP SHORT 003616A3 ----------------------------[2]
0036169E	E8 83FEFFFF					CALL 00361526
003616A3	8B75 10						MOV ESI,DWORD PTR SS:[EBP+10]
003616A6	8B7D 08						MOV EDI,DWORD PTR SS:[EBP+8]
003616A9	8B55 14						MOV EDX,DWORD PTR SS:[EBP+14]
003616AC	85D2						   TEST EDX,EDX
003616AE	75 02						  JNZ SHORT 003616B2
003616B0	8BD6						   MOV EDX,ESI
003616B2	85F6						   TEST ESI,ESI
003616B4	75 02						  JNZ SHORT 003616B8
003616B6	8BF2						   MOV ESI,EDX
003616B8	C783 C21A0010 00000000		 MOV DWORD PTR DS:[EBX+10001AC2],0 ----------------------------[3]
003616C2	8B02						   MOV EAX,DWORD PTR DS:[EDX]
003616C4	85C0						   TEST EAX,EAX
003616C6	74 44						  JE SHORT 0036170C
003616C8	52							 PUSH EDX
003616C9	8983 C21A0010				  MOV DWORD PTR DS:[EBX+10001AC2],EAX
003616CF	A9 00000080					TEST EAX,80000000
003616D4	74 09						  JE SHORT 003616DF
003616D6	25 FFFFFF7F					AND EAX,7FFFFFFF
003616DB	6A 00						  PUSH 0
003616DD	EB 0E						  JMP SHORT 003616ED
003616DF	8B4D 08						MOV ECX,DWORD PTR SS:[EBP+8]
003616E2	0341 08						ADD EAX,DWORD PTR DS:[ECX+8]
003616E5	33C9						   XOR ECX,ECX
003616E7	66:8B08						MOV CX,WORD PTR DS:[EAX]
003616EA	51							 PUSH ECX
003616EB	40							 INC EAX
003616EC	40							 INC EAX
003616ED	50							 PUSH EAX
003616EE	FF75 FC						PUSH DWORD PTR SS:[EBP-4]
003616F1	FF93 4D1F0010				  CALL DWORD PTR DS:[EBX+10001F4D]
003616F7	5A							 POP EDX
003616F8	85C0						   TEST EAX,EAX
003616FA  ^ 0F84 6FFFFFFF				  JE 0036166F 
00361700	8906						   MOV DWORD PTR DS:[ESI],EAX //write fIAT
00361702	8902						   MOV DWORD PTR DS:[EDX],EAX
00361704	83C2 04						ADD EDX,4
00361707	83C6 04						ADD ESI,4
0036170A  ^ EB AC						  JMP SHORT 003616B8 ----------------------------[4]
0036170C	33C0						   XOR EAX,EAX
0036170E	5E							 POP ESI
0036170F	5F							 POP EDI
00361710	5B							 POP EBX
00361711	C9							 LEAVE
00361712	C2 1000						RET 10

Code in charge with IAT handling From [1] till [2] checks loaded libs, then from [3] till [4] processes the APIs

Edited July 24, 2008 by sunbeam

[pavka]

Normal PeCompact.

script

var va

var iat_st

var oep

var counter

var ImageBase

var lbase

var simb

mov counter,0

gmi eip,MODULEBASE

mov ImageBase,$RESULT

mov simb,$RESULT

rev simb

mov simb,$RESULT

eval "#0000{simb}0000{simb}#"

mov simb,$RESULT

gpa "VirtualAlloc","kernel32.dll"

bp $RESULT

erun

rtu

mov lbase,eax

erun

bc eip

rtu

find lbase,simb

cmp $RESULT,0

je quit

mov oep,[$RESULT+8]

mov iat_st,[$RESULT+30]

add oep,ImageBase

find eip,#8906890283C20483C604#

cmp $RESULT,0

je quit

mov [$RESULT],#8B028906#

find eip,#034E085156E8????????85C074#

cmp $RESULT,0

je quit

bp $RESULT+A

erun

bc eip

mov eip,oep

cmt eip,"This is the OEP"

sub oep,ImageBase

mov counter,ImageBase

add counter,3C

mov counter,[counter]

add counter,ImageBase

add counter,28

mov [counter],oep

add counter,58

mov [counter],iat_st

dpe "dump.exe", eip

msg ""The file is completely unpacked!"

ret

quit:

ret

[acidflash]

Normal PeCompact.

script

var va

var iat_st

var oep

var counter

var ImageBase

var lbase

var simb

mov counter,0

gmi eip,MODULEBASE

mov ImageBase,$RESULT

mov simb,$RESULT

rev simb

mov simb,$RESULT

eval "#0000{simb}0000{simb}#"

mov simb,$RESULT

gpa "VirtualAlloc","kernel32.dll"

bp $RESULT

erun

rtu

mov lbase,eax

erun

bc eip

rtu

find lbase,simb

cmp $RESULT,0

je quit

mov oep,[$RESULT+8]

mov iat_st,[$RESULT+30]

add oep,ImageBase

find eip,#8906890283C20483C604#

cmp $RESULT,0

je quit

mov [$RESULT],#8B028906#

find eip,#034E085156E8????????85C074#

cmp $RESULT,0

je quit

bp $RESULT+A

erun

bc eip

mov eip,oep

cmt eip,"This is the OEP"

sub oep,ImageBase

mov counter,ImageBase

add counter,3C

mov counter,[counter]

add counter,ImageBase

add counter,28

mov [counter],oep

add counter,58

mov [counter],iat_st

dpe "dump.exe", eip

msg ""The file is completely unpacked!"

ret

quit:

ret

Script works well, thanks

-acid

[SunBeam]

Good work, pavka You've become a "script kiddie" Messin' with you

[Godkiller]

Normal PeCompact.

script

var va

var iat_st

var oep

var counter

var ImageBase

var lbase

var simb

mov counter,0

gmi eip,MODULEBASE

mov ImageBase,$RESULT

mov simb,$RESULT

rev simb

mov simb,$RESULT

eval "#0000{simb}0000{simb}#"

mov simb,$RESULT

gpa "VirtualAlloc","kernel32.dll"

bp $RESULT

erun

rtu

mov lbase,eax

erun

bc eip

rtu

find lbase,simb

cmp $RESULT,0

je quit

mov oep,[$RESULT+8]

mov iat_st,[$RESULT+30]

add oep,ImageBase

find eip,#8906890283C20483C604#

cmp $RESULT,0

je quit

mov [$RESULT],#8B028906#

find eip,#034E085156E8????????85C074#

cmp $RESULT,0

je quit

bp $RESULT+A

erun

bc eip

mov eip,oep

cmt eip,"This is the OEP"

sub oep,ImageBase

mov counter,ImageBase

add counter,3C

mov counter,[counter]

add counter,ImageBase

add counter,28

mov [counter],oep

add counter,58

mov [counter],iat_st

dpe "dump.exe", eip

msg ""The file is completely unpacked!"

ret

quit:

ret

Strong !!!!

[Eviler]

Upload My work

UnPacked.rar

Edited April 12, 2009 by Eviler

[ala_borbe]

here is my work too.. easy

i also coded a small plugin for imprec juct for fun

(four lines of code, although i am sure that this can be done in less lines)

so here it is, together with sorce

pecompact_unpack_me_dump_.rar

PECompact_2.86.1_imprec.rar

Edited April 12, 2009 by donny

[joekames]

here is my unpack...

did the esp trick to find oep, dumped...used imprec to rebuild the IAT..i used the PECompact 2.7.x.dll plug in and it worked fine, also used donny's plug, which also worked fine (nice job), either way u will end up with one invalid which u can just delete because is a junk one (un-needed, u can go to the address and c for urself) ...and used lordpe to rebuild and bam unpacked...uploaded what i did...anyquestions feel free to ask and there is no stupid questions, unless someone tells u it is stupid ^^

dumped.rar

Edited May 4, 2009 by joekames

[ghandi]

Unpacked manually, 2 different methods...

First was to disable redirection (simple Jxx to patch) and remove single invalid ptr. Dumped and fixed imports with ImpREC

Second method was to make it save original import thunks back to thunk table, as IAT isnt destroyed. Instead of allowing it to save redirected crap, patch in a little jmp and PUSH DWORD PTR [EDX], POP DWORD PTR [ESI], with a jump back to where it loads next slot. (ADD EDX,4 - ADD ESI,4)

Dumped when imports were finished, code is already unpacked. Edit PE header to point to original import table and its done.

I can make a small tut if anyone is interested.

HR,

Ghandi

Unpacked.2.methods.rar

[Goaul]

Unpacked manually, 2 different methods...

...

I can make a small tut if anyone is interested.

HR,

Ghandi

That would be great from u

G

[phiphi]

This is my tut...

Download : 1.98 Mb RAR(including target and tut)

http://www.4shared.com/file/106544894/52dd0fa5/UnPackMe_PeCompactV_2984.html

[Goaul]

This is my tut...

Download : 1.98 Mb RAR(including target and tut)

http://www.4shared.com/file/106544894/52dd0fa5/UnPackMe_PeCompactV_2984.html

hmm, only for me the tut lng is little bit strange and looks like this?

[Goldocrack]

here is my work too.. easy

i also coded a small plugin for imprec juct for fun

(four lines of code, although i am sure that this can be done in less lines)

so here it is, together with sorce

Your plugin does not work on vista neither on win7

Why?

Thanks for your answer