Tuts 4 You

[unpackme] PECompact v2.86.1


acidflash


Hey didn't notice the other two.. was working on some other winlicense target ;)

I'll do yours later on.. Doesn't use VM from the looks of it... So shouldn't be a problem..

Depends a bit if they changed the IAT redirs handling if it takes some extra time.. and actually looked at my method of fixing it.. though doubt it..

BTW new winlicense oep! They did a really big rewrite..

quosego

Edited by quosego
  • 1 month later...

unpacked

00401E6E >/$ 55            PUSH EBP
00401E6F |. 8BEC           MOV EBP,ESP
00401E71 |. 6A FF          PUSH -1
00401E73 |. 68 58454100    PUSH dumped_.00414558
00401E78 |. 68 904A4000    PUSH dumped_.00404A90 ; SE 处理程序安装
00401E7D |. 64:A1 0000000> MOV EAX,DWORD PTR FS:[0]
00401E83 |. 50             PUSH EAX
00401E84 |. 64:8925 00000> MOV DWORD PTR FS:[0],ESP
00401E8B |. 83EC 58        SUB ESP,58
00401E8E |. 53             PUSH EBX
00401E8F |. 56             PUSH ESI
00401E90 |. 57             PUSH EDI
00401E91 |. 8965 E8        MOV DWORD PTR SS:[EBP-18],ESP
00401E94 |. FF15 AC314100  CALL DWORD PTR DS:[<&kernel32.GetVersion>; kernel32.GetVersion


PEC_EP == OEP, just so you know it ;)

00361679 50 PUSH EAX ------------------------------[1]
0036167A 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]
0036167D 8DBB C61A0010 LEA EDI,DWORD PTR DS:[EBX+10001AC6]
00361683 33C0 XOR EAX,EAX
00361685 0206 ADD AL,BYTE PTR DS:[ESI]
00361687 74 12 JE SHORT 0036169B
00361689 0227 ADD AH,BYTE PTR DS:[EDI]
0036168B 74 11 JE SHORT 0036169E
0036168D 3C 61 CMP AL,61
0036168F 73 02 JNB SHORT 00361693
00361691 04 20 ADD AL,20
00361693 3AC4 CMP AL,AH
00361695 75 04 JNZ SHORT 0036169B
00361697 46 INC ESI
00361698 47 INC EDI
00361699 ^ EB E8 JMP SHORT 00361683
0036169B 58 POP EAX
0036169C EB 05 JMP SHORT 003616A3 ----------------------------[2]
0036169E E8 83FEFFFF CALL 00361526
003616A3 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10]
003616A6 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
003616A9 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
003616AC 85D2 TEST EDX,EDX
003616AE 75 02 JNZ SHORT 003616B2
003616B0 8BD6 MOV EDX,ESI
003616B2 85F6 TEST ESI,ESI
003616B4 75 02 JNZ SHORT 003616B8
003616B6 8BF2 MOV ESI,EDX
003616B8 C783 C21A0010 00000000 MOV DWORD PTR DS:[EBX+10001AC2],0 ----------------------------[3]
003616C2 8B02 MOV EAX,DWORD PTR DS:[EDX]
003616C4 85C0 TEST EAX,EAX
003616C6 74 44 JE SHORT 0036170C
003616C8 52 PUSH EDX
003616C9 8983 C21A0010 MOV DWORD PTR DS:[EBX+10001AC2],EAX
003616CF A9 00000080 TEST EAX,80000000
003616D4 74 09 JE SHORT 003616DF
003616D6 25 FFFFFF7F AND EAX,7FFFFFFF
003616DB 6A 00 PUSH 0
003616DD EB 0E JMP SHORT 003616ED
003616DF 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
003616E2 0341 08 ADD EAX,DWORD PTR DS:[ECX+8]
003616E5 33C9 XOR ECX,ECX
003616E7 66:8B08 MOV CX,WORD PTR DS:[EAX]
003616EA 51 PUSH ECX
003616EB 40 INC EAX
003616EC 40 INC EAX
003616ED 50 PUSH EAX
003616EE FF75 FC PUSH DWORD PTR SS:[EBP-4]
003616F1 FF93 4D1F0010 CALL DWORD PTR DS:[EBX+10001F4D]
003616F7 5A POP EDX
003616F8 85C0 TEST EAX,EAX
003616FA ^ 0F84 6FFFFFFF JE 0036166F
00361700 8906 MOV DWORD PTR DS:[ESI],EAX //write fIAT
00361702 8902 MOV DWORD PTR DS:[EDX],EAX
00361704 83C2 04 ADD EDX,4
00361707 83C6 04 ADD ESI,4
0036170A ^ EB AC JMP SHORT 003616B8 ----------------------------[4]
0036170C 33C0 XOR EAX,EAX
0036170E 5E POP ESI
0036170F 5F POP EDI
00361710 5B POP EBX
00361711 C9 LEAVE
00361712 C2 1000 RET 10

Code in charge of IAT handling :) From [1] to [2] it checks the loaded libs, then from [3] to [4] it processes the APIs ;)

Edited by sunbeam

Normal PeCompact. ;)

script

var va
var iat_st
var oep
var counter
var ImageBase
var lbase
var simb

mov counter,0
gmi eip,MODULEBASE
mov ImageBase,$RESULT
// search pattern built from the image base in byte-reversed (little-endian) form
mov simb,$RESULT
rev simb
mov simb,$RESULT
eval "#0000{simb}0000{simb}#"
mov simb,$RESULT
// break on VirtualAlloc and keep the address of the buffer PECompact allocates
gpa "VirtualAlloc","kernel32.dll"
bp $RESULT
erun
rtu
mov lbase,eax
erun
bc eip
rtu
// find the info block in that buffer: OEP RVA at +8, import table RVA at +30
find lbase,simb
cmp $RESULT,0
je quit
mov oep,[$RESULT+8]
mov iat_st,[$RESULT+30]
add oep,ImageBase
// MOV [ESI],EAX / MOV [EDX],EAX / ADD EDX,4 / ADD ESI,4
// is patched to MOV EAX,[EDX] / MOV [ESI],EAX, so the original thunk
// is written back to the IAT instead of the redirected pointer
find eip,#8906890283C20483C604#
cmp $RESULT,0
je quit
mov [$RESULT],#8B028906#
// break on the TEST EAX,EAX right after this call returns
find eip,#034E085156E8????????85C074#
cmp $RESULT,0
je quit
bp $RESULT+A
erun
bc eip
mov eip,oep
cmt eip,"This is the OEP"
// fix the PE header of the dump: e_lfanew at +3C,
// AddressOfEntryPoint at +28, import directory RVA at +28+58
sub oep,ImageBase
mov counter,ImageBase
add counter,3C
mov counter,[counter]
add counter,ImageBase
add counter,28
mov [counter],oep
add counter,58
mov [counter],iat_st
dpe "dump.exe", eip
msg "The file is completely unpacked!"
ret

quit:
ret

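To make the two mechanisms in this thread concrete, sunbeam's [3]..[4] thunk loop and the header patching at the end of the script, here is an added Python model. It is not code from the thread or from PECompact. It builds a constructed PE32 image in memory with RVA equal to file offset (an assumption so it runs offline); the import contents and the 0x1F5 hint are sample values, and 0x1E6E is the OEP RVA from the listing earlier in the thread (00401E6E minus base 00400000).

```python
# Added example, not code from the thread: walk_imports() follows the PECompact
# loop marked [3]..[4] (TEST EAX,80000000 chooses ordinal vs. name thunk);
# patch_header() performs the same header writes as the tail of the OllyScript
# (e_lfanew at +3C, AddressOfEntryPoint at +28, import directory RVA at +28+58).
# The image is constructed with RVA == file offset (assumption); sample values only.
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
E_LFANEW_OFFSET = 0x3C        # script: add counter,3C / mov counter,[counter]
ENTRYPOINT_OFFSET = 0x28      # script: add counter,28  (sig 4 + FileHeader 0x14 + 0x10)
IMPORT_DIR_OFFSET = 0x80      # script: add counter,58  (0x28 + 0x58 = DataDirectory[1])
DESCRIPTOR_SIZE = 20


def build_image():
    """Constructed PE32 image: one import descriptor for KERNEL32.dll with a
    by-name thunk (GetVersion) and an ordinal thunk (0x11, sample value)."""
    img = bytearray(0x400)
    pe = 0x80                                  # chosen e_lfanew
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW_OFFSET, pe)
    img[pe:pe + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 1 section, SizeOfOptionalHeader 0xE0
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = pe + 0x18
    struct.pack_into("<H", img, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", img, opt + 0x10, 0x1000)    # entry point = packer stub
    struct.pack_into("<I", img, opt + 0x1C, 0x400000)  # ImageBase
    desc, name, oft, ft, byname = 0x200, 0x240, 0x260, 0x280, 0x2A0
    struct.pack_into("<II", img, opt + 0x68, desc, 2 * DESCRIPTOR_SIZE)
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", img, desc, oft, 0, 0, name, ft)  # zeroed terminator follows
    img[name:name + 13] = b"KERNEL32.dll\0"
    struct.pack_into("<III", img, oft, byname, IMAGE_ORDINAL_FLAG32 | 0x11, 0)
    struct.pack_into("<III", img, ft, byname, IMAGE_ORDINAL_FLAG32 | 0x11, 0)
    struct.pack_into("<H", img, byname, 0x1F5)         # IMAGE_IMPORT_BY_NAME.Hint (sample)
    img[byname + 2:byname + 13] = b"GetVersion\0"
    return img


def e_lfanew(img):
    return struct.unpack_from("<I", img, E_LFANEW_OFFSET)[0]


def read_header(img):
    """AddressOfEntryPoint and import directory RVA, read at the script's offsets."""
    pe = e_lfanew(img)
    return {
        "entry": struct.unpack_from("<I", img, pe + ENTRYPOINT_OFFSET)[0],
        "import_rva": struct.unpack_from("<I", img, pe + IMPORT_DIR_OFFSET)[0],
    }


def cstr(img, rva):
    return bytes(img[rva:img.index(b"\0", rva)]).decode("ascii")


def walk_imports(img):
    """Model of the [3]..[4] loop: per descriptor, walk the thunk table (EDX falls
    back to ESI and vice versa when one table is absent) and classify each slot.
    Returns (dll, IAT slot RVA, 'ordinal'|'name', value) tuples."""
    pe = e_lfanew(img)
    desc = struct.unpack_from("<I", img, pe + IMPORT_DIR_OFFSET)[0]
    found = []
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", img, desc)
        if name_rva == 0:                      # null descriptor ends the table
            break
        dll = cstr(img, name_rva)
        src, slot = (oft or ft), (ft or oft)   # MOV EDX,ESI / MOV ESI,EDX fallbacks
        while True:
            entry = struct.unpack_from("<I", img, src)[0]
            if entry == 0:                     # TEST EAX,EAX / JE -> next descriptor
                break
            if entry & IMAGE_ORDINAL_FLAG32:   # TEST EAX,80000000 -> AND EAX,7FFFFFFF
                found.append((dll, slot, "ordinal", entry & 0x7FFFFFFF))
            else:                              # WORD hint, then the ASCII name
                hint = struct.unpack_from("<H", img, entry)[0]
                found.append((dll, slot, "name", (hint, cstr(img, entry + 2))))
            src += 4                           # ADD EDX,4
            slot += 4                          # ADD ESI,4
        desc += DESCRIPTOR_SIZE
    return found


def patch_header(img, oep_rva, import_rva):
    """The script's tail: write the real OEP and import table RVA into the header
    of the dump so the dumped file starts at the OEP with its own import table."""
    pe = e_lfanew(img)
    struct.pack_into("<I", img, pe + ENTRYPOINT_OFFSET, oep_rva)
    struct.pack_into("<I", img, pe + IMPORT_DIR_OFFSET, import_rva)
    return read_header(img)


if __name__ == "__main__":
    image = build_image()
    for row in walk_imports(image):
        print(row)
    # 0x1E6E is the OEP from the listing above (00401E6E - 00400000)
    print(patch_header(image, 0x1E6E, 0x200))
```

The walker only reads; the real loop also writes the resolved address to [ESI] (the IAT slot), which is exactly the write the script patches so that the original thunk, not a redirected pointer, lands there.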
Normal PeCompact. ;)

...

ret

Script works well, thanks :)

-acid

  • 8 months later...
Normal PeCompact. ;)

...

ret

Strong !!!!

  • 2 weeks later...
  • 3 weeks later...

here is my unpack...

did the ESP trick to find OEP, dumped... used ImpREC to rebuild the IAT.. I used the PECompact 2.7.x.dll plugin and it worked fine, also used donny's plugin, which also worked fine (nice job). Either way you will end up with one invalid which you can just delete because it is a junk one (un-needed, you can go to the address and see for yourself)... and used LordPE to rebuild and bam, unpacked... uploaded what I did... any questions feel free to ask, and there are no stupid questions, unless someone tells you it is stupid ^^

dumped.rar

Edited by joekames

Unpacked manually, 2 different methods...

First was to disable redirection (simple Jxx to patch) and remove single invalid ptr. Dumped and fixed imports with ImpREC

Second method was to make it save the original import thunks back to the thunk table, as the IAT isn't destroyed. Instead of allowing it to save redirected crap, patch in a little jmp and PUSH DWORD PTR [EDX], POP DWORD PTR [ESI], with a jump back to where it loads the next slot. (ADD EDX,4 - ADD ESI,4)

Dumped when imports were finished, code is already unpacked. Edit PE header to point to original import table and its done. ;)

I can make a small tut if anyone is interested.

HR,

Ghandi

Unpacked.2.methods.rar

  • 2 weeks later...
Unpacked manually, 2 different methods...

...

I can make a small tut if anyone is interested.

HR,

Ghandi

That would be great from u ;)

G


This is my tut...

Download : 1.98 Mb RAR(including target and tut)

http://www.4shared.com/file/106544894/52dd0fa5/UnPackMe_PeCompactV_2984.html
This is my tut...

Download : 1.98 Mb RAR(including target and tut)

http://www.4shared.com/file/106544894/52dd0fa5/UnPackMe_PeCompactV_2984.html

Hmm, is it only for me that the tut language is a little bit strange and looks like this?

tutioi.jpg

  • 1 month later...
Goldocrack
here is my work too.. easy

I also coded a small plugin for ImpREC just for fun

(four lines of code, although i am sure that this can be done in less lines)

so here it is, together with source :lol:

Your plugin does not work on Vista nor on Win7

Why?

Thanks for your answer

