hacnho Tutorials #10
Manual unpacking PECompact 2.0 Final ->Jeremy Collake
| Information | Unpacking for Newbie's |
| Target | unpackme.exe |
| Available | http://nhandan.info/hacnho/tuts/unpackme10_tuts.zip |
| Tools | OllyDbg 1.10c with plugin OllyDump 2.21.108, ImportREC 1.6 Final, LordPE 1.4. |
| Protection | PECompact 2.0 Final ->Jeremy Collake |
| Level | Standard |
| Category | Manual unpacking |
|
1. Introduction
|
| Nowadays, the newest packer is PECompact 2.0x. This packer is a commercial packer, so very easy for unpack it. I will explain the ways for unpack this packer. I use PECompact 2.0 Final, but this method can support version 2.x. |
|
2. Getting Started
|
|
Use PEiD and LordPE for get some PE Info.
EP: 1130 ,The value of flags this case is not needed, Image Base is always 400000, Import Table: 0000 and size is 00.
|
|
3. Finding the OEP
|
|
Load unpackme.exe into OllyDBG. And you still here:
Then, you press F9 two times and you see as follows:
Continued, You have to press ALT+M to open the Memory MAP of OllyDBG.
Continued, press SHIFT+F9. And you still here:
Then press SHITF+F9 3 times and you still here:
Next, press Ctrl+F12. And we see as follows:
Final, press Ctrl+F12 and we have:
Congratulations! Theo OEP we found is 401130 And now we calculate the real OEP of this unpackme by the formula: Real OEP:=OEP find in Olly- Image Base = 401130-400000 = 1130.
|
|
4. Dumping
|
|
At address 0041130 we go to menu
Plugin-->OllyDump-->Dump debugged process.
And then, just press Dump, save the unpacked file at
dumped.exe.
Don't run dumped.exe now, i will be crash...It must fix IAT.
|
|
5. Finding and
Fixing the Import Adress Table
|
|
Open ImpREC and select attached to active process and
choose unpackme.exe. Change the value in the OEP window
to the one we wrote down earlier (1130) then select
IATAutosearch then click Get Imports.
All Import Functions valid. Now, click fix dump to fix IAT the file dumped.exe. Use LordPE 1.4 by Y0da for Rebuild our Dumped_.exe
|
|
6. Testing Our
Unpacked file
|
|
Use PEiD for detect again:
|
|
7. Conclusion
|
|
Special thanx to R@dier for this template. My Greetz to: Deux, INFINITE, NVH(c),softcracker_vn, luucorp, Aaron, hhphong, R@dier, tlandn, Computer_Angel, k3nny, Ferrari, Zombie, RCA, CTL, Moonbaby, Neitsa, JAL, LeVuHoang, 777, LeonHart, Bin...and you ;-)! To be continued...
|