Jump to content
Tuts 4 You
Sign in to follow this  
Teddy Rogers

Unpecompact 2 + Source Code...

Rate this topic

Recommended Posts

Teddy Rogers

UnPeCompact 2 version 1.0 + Source Code by Mad Mickael...

Ted.

Unpecomp2.zip

  • Like 1

Share this post


Link to post
Share on other sites
Hasl

very nice tools ted i love it may be it's interesting section :thumbsup::thumbsup:

Share this post


Link to post
Share on other sites
Napalm

Thanks Ted, Works brilliantly.

Napalm

Share this post


Link to post
Share on other sites
soda

Thanks Ted

but manually unpacking pecompact is very simple by ready your tut

Share this post


Link to post
Share on other sites
ALiEN

Yep unpacking pecompact is easy... but with this tool we can save time :lol:

Thanks to MadMickael/FFF for coding it and Ted for posting it to us! ;)

ALiEN.

Share this post


Link to post
Share on other sites
Guest oriceon

Teddy Rogers, thanks for this tool!

Share this post


Link to post
Share on other sites
human

well i coded based from my oepfind debug engine unpec2 in asm, but one problem that all those and even ollydump fail to dump.

you wanna try target and findout why? :P

try PECompact2.55 unpackme from snd(that pacman on screen). and tell me whats wrong:)

i know whats wrong thats why i will change dump by imagesize to section by section dump.

also to be true mad mickael ****ed up ordinals, so far i havent encountered any exe that uses it, due bug there code will crash.

why?

oplait:

mov eax, CURRENTTHUNK

test eax, 0x80000000

jne ordinal

add eax, fmapview

ordinal:

MOV edx, FTHUNK

add edx, fmapview

mov ebx,[eax] //EBX == LA BONNE VALEUR

can you see read from memory in eax?

well ordinal is if most significant bit is set so 0x80000000

well but there will never be memory under address 0x8xxxxxxx

why?

due windows uses for programs 2GB space, but even there is no data to read.

we can expand space to 3GB by boot params large address aware or something like that but also PE exe has to be compiled with that param.

and from 0xC0000000 always is kernel.

edit:

ok here is my asm version of unpec2, whole code is mine, i just took places to break from mad mickael and optimized iat fixer, if on any file it will fail send it to me.

this one can now also unpack pecompact 2.55 unpackme.(i tested all unpackme from 2.40 till 2.78a and they work and compress with upx so nothing wrong with them)

why it failed before and fails for michael well its due header and 1st section most are after header so 401000

but here we have 410000 so 64kb not 4kb and rest 60kb is empty thats why we cant do readprocessmemory on whole imagesize due this area from 401000 till 410000 isnt allocated and api fails and dump is impossible, same is with ollydump, same bug. simple solution is to dump 4kb header but set in exe sizeofhader to 64kb and then copy from memory to dump section by section and now it works.

enjoy my first unpacker:)

unpec2.rar

Edited by human (see edit history)

Share this post


Link to post
Share on other sites
Loki

Nice work human. Thanks for including the source... will have a read of that later.

Share this post


Link to post
Share on other sites
Guest nofrillz

Thanks heaps ted, I know this is old but it seems there is a new worm using this packer?! that I didn't have time to unpack manually.

Share this post


Link to post
Share on other sites
T0ni

Thanks for the source, human.

Best regards,

T0ni

Share this post


Link to post
Share on other sites
glaufan
UnPeCompact 2 version 1.0 + Source Code by Mad Mickael...

Ted.

thanks! very useful =D

Share this post


Link to post
Share on other sites
NeO

thx human and ted for source :P

Share this post


Link to post
Share on other sites
Nitrocica
UnPeCompact 2 version 1.0 + Source Code by Mad Mickael...

Ted.

THX!!! Very useful! :D

Share this post


Link to post
Share on other sites
sukpuk

Hi

You guys are genious. I have tried the unpackers and they worked well on on of my file BUT the problem is

that I can not see any Menu and dialong items in Resources and i get a message that Exe is still compressed :(

However I can see the Icons now which were compressed before. Sobasically Unpackers have onl unpacked Icons in the exe...

Any Idea. I am a newbie and am learning so am very confused...

Do any one of you have any new UNPECompact version that can do the job on new versions.

Thanks to all.

Share this post


Link to post
Share on other sites
nickpalingcool
Hi

You guys are genious. I have tried the unpackers and they worked well on on of my file BUT the problem is

that I can not see any Menu and dialong items in Resources and i get a message that Exe is still compressed :(

However I can see the Icons now which were compressed before. Sobasically Unpackers have onl unpacked Icons in the exe...

Any Idea. I am a newbie and am learning so am very confused...

Do any one of you have any new UNPECompact version that can do the job on new versions.

Thanks to all.

thats because the compiled unpacker is packed by UPX, you need to unpack it first before open it in resource editor to work. its not because we are genius, u need learn to know something, and we are here for learn and share the knowledge.

Share this post


Link to post
Share on other sites
sukpuk
Hi

You guys are genious. I have tried the unpackers and they worked well on on of my file BUT the problem is

that I can not see any Menu and dialong items in Resources and i get a message that Exe is still compressed :(

However I can see the Icons now which were compressed before. Sobasically Unpackers have onl unpacked Icons in the exe...

Any Idea. I am a newbie and am learning so am very confused...

Do any one of you have any new UNPECompact version that can do the job on new versions.

Thanks to all.

thats because the compiled unpacker is packed by UPX, you need to unpack it first before open it in resource editor to work. its not because we are genius, u need learn to know something, and we are here for learn and share the knowledge.

Thanks for quick reply and advise.

Did you mean that the EXE i want to uppack is compressed with UPX first and then recompressed with Pecompact ?

When I check my Exe with "exeinfope" it tells me that it is packed with " PEcompact ver.2.78a ~2.94 - www.bitsum.com "

I will appreciate your comments please. Please guide me how should I unpack.

Many Thanks

Share this post


Link to post
Share on other sites
sukpuk
Hi

You guys are genious. I have tried the unpackers and they worked well on on of my file BUT the problem is

that I can not see any Menu and dialong items in Resources and i get a message that Exe is still compressed :(

However I can see the Icons now which were compressed before. Sobasically Unpackers have onl unpacked Icons in the exe...

Any Idea. I am a newbie and am learning so am very confused...

Do any one of you have any new UNPECompact version that can do the job on new versions.

Thanks to all.

thats because the compiled unpacker is packed by UPX, you need to unpack it first before open it in resource editor to work. its not because we are genius, u need learn to know something, and we are here for learn and share the knowledge.

Thanks for quick reply and advise.

Did you mean that the EXE i want to uppack is compressed with UPX first and then recompressed with Pecompact ?

When I check my Exe with "exeinfope" it tells me that it is packed with " PEcompact ver.2.78a ~2.94 - www.bitsum.com "

I will appreciate your comments please. Please guide me how should I unpack.

Many Thanks

Hi Guys

I am still wating for some expert comments on my earlier request... Please reply

Thanks.

Share this post


Link to post
Share on other sites
sameer

Hi , this is great tool thank you but I dont know if there is an easy way to fix the program after unpacking ,I did try it in PEcompact 2.x and the program dosnt work I get Run time error "floating point support not loaded"

Share this post


Link to post
Share on other sites
nguyenhung0702

Thanks for share!

Share this post


Link to post
Share on other sites
BoRoV

Thx!

Share this post


Link to post
Share on other sites
好小愛新

THX Ted;)

Share this post


Link to post
Share on other sites
xcoderx1

yea U are THE BEST.

Share this post


Link to post
Share on other sites
Caliber.

Very nice tool. (:

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×
×
  • Create New...