Jump to content
Tuts 4 You

Unpecompact 2 + Source Code...


Teddy Rogers

Recommended Posts

Yep unpacking pecompact is easy... but with this tool we can save time :lol:

Thanks to MadMickael/FFF for coding it and Ted for posting it to us! ;)

ALiEN.

Link to comment
  • 2 months later...

well i coded based from my oepfind debug engine unpec2 in asm, but one problem that all those and even ollydump fail to dump.

you wanna try target and findout why? :P

try PECompact2.55 unpackme from snd(that pacman on screen). and tell me whats wrong:)

i know whats wrong thats why i will change dump by imagesize to section by section dump.

also to be true mad mickael ****ed up ordinals, so far i havent encountered any exe that uses it, due bug there code will crash.

why?

oplait:

mov eax, CURRENTTHUNK

test eax, 0x80000000

jne ordinal

add eax, fmapview

ordinal:

MOV edx, FTHUNK

add edx, fmapview

mov ebx,[eax] //EBX == LA BONNE VALEUR

can you see read from memory in eax?

well ordinal is if most significant bit is set so 0x80000000

well but there will never be memory under address 0x8xxxxxxx

why?

due windows uses for programs 2GB space, but even there is no data to read.

we can expand space to 3GB by boot params large address aware or something like that but also PE exe has to be compiled with that param.

and from 0xC0000000 always is kernel.

edit:

ok here is my asm version of unpec2, whole code is mine, i just took places to break from mad mickael and optimized iat fixer, if on any file it will fail send it to me.

this one can now also unpack pecompact 2.55 unpackme.(i tested all unpackme from 2.40 till 2.78a and they work and compress with upx so nothing wrong with them)

why it failed before and fails for michael well its due header and 1st section most are after header so 401000

but here we have 410000 so 64kb not 4kb and rest 60kb is empty thats why we cant do readprocessmemory on whole imagesize due this area from 401000 till 410000 isnt allocated and api fails and dump is impossible, same is with ollydump, same bug. simple solution is to dump 4kb header but set in exe sizeofhader to 64kb and then copy from memory to dump section by section and now it works.

enjoy my first unpacker:)

unpec2.rar

Edited by human
  • Like 1
Link to comment
  • 10 months later...
Guest nofrillz

Thanks heaps ted, I know this is old but it seems there is a new worm using this packer?! that I didn't have time to unpack manually.

Link to comment
  • 1 month later...
  • 4 months later...
  • 4 months later...
  • 8 months later...

Hi

You guys are genious. I have tried the unpackers and they worked well on on of my file BUT the problem is

that I can not see any Menu and dialong items in Resources and i get a message that Exe is still compressed :(

However I can see the Icons now which were compressed before. Sobasically Unpackers have onl unpacked Icons in the exe...

Any Idea. I am a newbie and am learning so am very confused...

Do any one of you have any new UNPECompact version that can do the job on new versions.

Thanks to all.

Link to comment
nickpalingcool
Hi

You guys are genious. I have tried the unpackers and they worked well on on of my file BUT the problem is

that I can not see any Menu and dialong items in Resources and i get a message that Exe is still compressed :(

However I can see the Icons now which were compressed before. Sobasically Unpackers have onl unpacked Icons in the exe...

Any Idea. I am a newbie and am learning so am very confused...

Do any one of you have any new UNPECompact version that can do the job on new versions.

Thanks to all.

thats because the compiled unpacker is packed by UPX, you need to unpack it first before open it in resource editor to work. its not because we are genius, u need learn to know something, and we are here for learn and share the knowledge.

Link to comment
Hi

You guys are genious. I have tried the unpackers and they worked well on on of my file BUT the problem is

that I can not see any Menu and dialong items in Resources and i get a message that Exe is still compressed :(

However I can see the Icons now which were compressed before. Sobasically Unpackers have onl unpacked Icons in the exe...

Any Idea. I am a newbie and am learning so am very confused...

Do any one of you have any new UNPECompact version that can do the job on new versions.

Thanks to all.

thats because the compiled unpacker is packed by UPX, you need to unpack it first before open it in resource editor to work. its not because we are genius, u need learn to know something, and we are here for learn and share the knowledge.

Thanks for quick reply and advise.

Did you mean that the EXE i want to uppack is compressed with UPX first and then recompressed with Pecompact ?

When I check my Exe with "exeinfope" it tells me that it is packed with " PEcompact ver.2.78a ~2.94 - www.bitsum.com "

I will appreciate your comments please. Please guide me how should I unpack.

Many Thanks

Link to comment
  • 2 weeks later...
Hi

You guys are genious. I have tried the unpackers and they worked well on on of my file BUT the problem is

that I can not see any Menu and dialong items in Resources and i get a message that Exe is still compressed :(

However I can see the Icons now which were compressed before. Sobasically Unpackers have onl unpacked Icons in the exe...

Any Idea. I am a newbie and am learning so am very confused...

Do any one of you have any new UNPECompact version that can do the job on new versions.

Thanks to all.

thats because the compiled unpacker is packed by UPX, you need to unpack it first before open it in resource editor to work. its not because we are genius, u need learn to know something, and we are here for learn and share the knowledge.

Thanks for quick reply and advise.

Did you mean that the EXE i want to uppack is compressed with UPX first and then recompressed with Pecompact ?

When I check my Exe with "exeinfope" it tells me that it is packed with " PEcompact ver.2.78a ~2.94 - www.bitsum.com "

I will appreciate your comments please. Please guide me how should I unpack.

Many Thanks

Hi Guys

I am still wating for some expert comments on my earlier request... Please reply

Thanks.

Link to comment

Hi , this is great tool thank you but I dont know if there is an easy way to fix the program after unpacking ,I did try it in PEcompact 2.x and the program dosnt work I get Run time error "floating point support not loaded"

Link to comment
  • 2 weeks later...
  • 1 year later...
  • 2 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...