Tuts 4 You

PECompact problem


grabb


Posted (edited)

I'm attempting to uncompress a PECompact 2.XX file, and having a frustrating time. I followed a number of the tutorials here, but I think I'm missing some important stuff regarding the import tables. Here's what I've done:

- Loaded .exe in IDA and saw junk

- Used a hex editor to view the file, saw the "PECompact" string and knew it needed unpacking

- Loaded .exe into ollydbg (using some stealth plugins) and found the signature PECompact "JMP EAX" instruction

- Modified the JMP EAX to JMP EIP so it goes into infinite loop at that point

- Ran the "infinite loop" version of the .exe, then attached to the process using ollydbg. Program is decrypted in memory!

- The target of the JMP EAX is the OEP, which ended up being 0x5794FA

- Attempted to do a process dump with LordPE, but the process ID didn't show up in its list - weird.

- did process dump using ollydbg

- Found the import table using ollydbg, manually found its start and end, and calculated size.

- Used Imprec to connect to running process.

- Gave Imprec my OEP (0x5794FA) and IAT start (0x19A000) and size (0x1F48), hit the "Get Imports" button

- Found all the imports, except for one! It looks like it's in mfc90.dll. I couldn't figure out how to resolve it.

- Used Imprec to fix my dumped .exe. It runs for a few milliseconds, then it crashes.

- The dumped .exe can be analyzed by IDA successfully, though the imports don't work at all.

So I think I have the thing unpacked, I just haven't been able to recreate the import table. Any suggestions on what to do when Imprec recovers all your imports except for one? I tried deleting it and then fixing the dumped .exe, but that resulted in a predictable crash. Thanks for any assistance.

Attached is a screenshot of Imprec showing the missing import.


Edited by grabb
Posted

It's quite common that there's one invalid thunk, just cut it off.

As for LordPE, start it after you broke at the jmp eax, which points to the OEP.

deep0 :)
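As an added illustration of the "one invalid thunk" situation described in the question and in the reply above (this is example code, not from the thread and not ImpREC's own logic): a small Python script that walks an IAT range the way an import rebuilder does, resolving each 32-bit slot against the debugger's module list and flagging any slot that points outside every loaded module. The module ranges and the IAT contents are constructed sample values; the 0x19A000 base is reused from the post only as a label and does not describe the poster's binary.

```python
import struct

# Constructed sample module ranges (base, end) as a debugger's module
# list would report them. Addresses are invented for the illustration.
MODULES = {
    "kernel32.dll": (0x7C800000, 0x7C8F6000),
    "mfc90.dll":    (0x78050000, 0x78150000),
}

# Constructed IAT contents: two import groups, each ended by a zero slot.
# One entry (0x0041F00C) points back into the unpacked image instead of
# a DLL, which is what an import rebuilder reports as an invalid thunk.
SAMPLE_THUNKS = [
    0x7C801D7B, 0x7C80AC28, 0x00000000,              # kernel32 group
    0x78061234, 0x0041F00C, 0x78099ABC, 0x00000000,  # mfc90 group, one bad
]


def build_sample_iat():
    """Serialise the constructed thunks as little-endian 32-bit slots."""
    return struct.pack("<%dI" % len(SAMPLE_THUNKS), *SAMPLE_THUNKS)


def resolve_module(addr, modules):
    """Name of the module whose address range contains addr, or None."""
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return None


def check_iat(iat_bytes, iat_va, modules):
    """Walk an IAT dump slot by slot and classify each non-zero thunk.

    Returns one dict per thunk with its virtual address, the value it
    holds, the module it resolves to (None if unresolved) and the index
    of the zero-terminated group it belongs to.
    """
    report = []
    group = 0
    for offset in range(0, len(iat_bytes) // 4 * 4, 4):
        value = struct.unpack_from("<I", iat_bytes, offset)[0]
        if value == 0:
            group += 1  # a zero slot ends the current DLL's group
            continue
        report.append({
            "va": iat_va + offset,
            "value": value,
            "module": resolve_module(value, modules),
            "group": group,
        })
    return report


def invalid_thunks(report):
    """The entries an import rebuilder would leave unresolved."""
    return [r for r in report if r["module"] is None]


if __name__ == "__main__":
    rep = check_iat(build_sample_iat(), 0x19A000, MODULES)
    for r in rep:
        print("%08X -> %08X  %s" % (r["va"], r["value"],
                                    r["module"] or "INVALID"))
```

Run against a real dump you would feed the bytes of the IAT range you measured in the debugger plus the module list from the same session; an entry that resolves to nothing is the candidate to cut, and if the program crashes once it is removed, the slot was a real API reference that the packer redirected and still needs tracing.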
