
OpenRCE Packer Database >> PECompact 2.x

Packer Name:      PECompact 2.x
Packer Author:    Jeremy Collake
Classification:   Compressor
Analysis By:      quig
Last Updated:     June 15 2005

Allocation:       VirtualAlloc() + PE Header
Anti-Debug:       yes
Anti-Disassembly: yes
Section Name:     .text, .rsrc
Sample:           N/A
Notes
installs its own SEH handler (pushes an EXCEPTION_REGISTRATION record onto the stack and points fs:0 at it)
deliberately faults (xor eax, eax / mov [eax], ecx writes to address 0) so the handler runs; a debugger that swallows the first-chance exception keeps the handler from ever running, which is the anti-debug trick
the handler patches code: it restores the imm32 of the mov just below its own retn and rewrites the faulting instruction into a jmp to that mov
the handler returns ExceptionContinueExecution (eax = 0), so the exception is not passed on to any other handler and execution resumes at the patched jmp
the next block is the top-level function; it allocates a buffer with VirtualAlloc()
decodes the next function block into that low-memory buffer
that block has to be dumped separately, it contains all the LoadLibrary/import-resolution stuff
frees the buffer (VirtualFree)
jumps back to the original entry point, which is the same address as the EP in the PE header

Easy way to get to the OEP:
Set a hardware breakpoint on execute at the EP from the PE header and run; after all the tricks the final jmp eax lands back on that address, which now holds the decompressed code.

Transfer Command
jmp eax  ;Back to original entry point defined in PE header  
Entry Point Signature
.text:00401219 start:
.text:00401219                 mov     eax, 426B64h         ; SEH handler address
.text:0040121E                 push    eax                  ; handler (EXCEPTION_REGISTRATION.Handler)
.text:0040121F                 push    large dword ptr fs:0 ; previous handler (EXCEPTION_REGISTRATION.Next)
.text:00401226                 mov     large fs:0, esp      ; install the record just built on the stack
.text:0040122D                 xor     eax, eax
.text:0040122F                 mov     [eax], ecx           ; write to address 0: access violation, handler runs


.rsrc:00426B64 start           proc near
.rsrc:00426B64
.rsrc:00426B64 arg_0           = dword ptr  4
.rsrc:00426B64
.rsrc:00426B64                 mov     eax, 0FFBA5B0Dh
.rsrc:00426B69                 lea     ecx, [eax+88107Ah]
.rsrc:00426B6F                 mov     [ecx+1], eax        ; ecx = 426B87; restores the imm32 of the mov there
.rsrc:00426B72                 mov     edx, [esp+arg_0]    ; edx = EXCEPTION_RECORD*
.rsrc:00426B76                 mov     edx, [edx+0Ch]      ; ExceptionAddress = 40122F (the faulting mov)
.rsrc:00426B79                 mov     byte ptr [edx], 0E9h ; overwrite it with a jmp rel32 opcode
.rsrc:00426B7C                 add     edx, 5              ; end of the 5-byte jmp
.rsrc:00426B7F                 sub     ecx, edx            ; rel32 = 426B87 - (40122F + 5)
.rsrc:00426B81                 mov     [edx-4], ecx        ; store rel32; fault site is now jmp 426B87
.rsrc:00426B84                 xor     eax, eax            ; ExceptionContinueExecution
.rsrc:00426B86                 retn                    ; returns to ntdll.77f92538 (the dispatcher);
.rsrc:00426B86 start           endp                    ;   with eax = 0 the exception is not passed
.rsrc:00426B86                                         ;   on to the next handler, execution resumes
.rsrc:00426B86                                         ;   at the patched fault address instead
.rsrc:00426B87 ; ---------------------------------------------------------------------------
.rsrc:00426B87                 mov     eax, 12345678h  ; patched above to mov eax, 0FFBA5B0Dh
.rsrc:00426B87                                         ; ZwContinue (int 2Eh) resumes at 40122F,
.rsrc:00426B87                                         ; now jmp 426B87, which lands here
.rsrc:00426B8C                 pop     large dword ptr fs:0
.rsrc:00426B93                 add     esp, 4
.rsrc:00426B96                 push    ebp
.rsrc:00426B97                 push    ebx
.rsrc:00426B98                 push    ecx
.rsrc:00426B99                 push    edi
.rsrc:00426B9A                 push    esi
.rsrc:00426B9B                 push    edx
              ....Some Stuff....
.rsrc:00426BBB                 call    eax             ; VirtualAlloc
.rsrc:00426BBD                 pop     edx
.rsrc:00426BBE                 mov     edi, eax
              ....Some Stuff....
.rsrc:00426BE5                 call    ecx             ; ecx = 426A92
              ....Some Stuff....
.rsrc:00426C09                 call    edi             ; edi = 2F01D0 (see region dump idb)
.rsrc:00426C09                                         ;   (loads all libraries and pointer table)
              ....Some Stuff....
.rsrc:00426C1F                 call    dword ptr [ecx] ; VirtualFree
.rsrc:00426C21                 mov     eax, esi
.rsrc:00426C23                 pop     edx
.rsrc:00426C24                 pop     esi
.rsrc:00426C25                 pop     edi
.rsrc:00426C26                 pop     ecx
.rsrc:00426C27                 pop     ebx
.rsrc:00426C28                 pop     ebp
.rsrc:00426C29                 jmp     eax   ; OEP (same address as the EP in the PE header, now holding the real exe)
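The listing above shows the whole SEH trick in assembly. The following Python is an added example (not code from the OpenRCE page, from quig, or from PECompact): it matches the entry-point stub bytes byte for byte, then replays what the handler at 426B64 does to a small constructed image so you can check where execution really resumes. The sparse memory model, the sample image (stub at 401219, placeholder mov at 426B87) and the function names are assumptions made for the example; the opcode bytes and the constants 0FFBA5B0Dh and 88107Ah are taken from the listing.

```python
import struct

MASK32 = 0xFFFFFFFF

# PECompact 2.x entry-point stub, byte for byte from the listing above.
# None marks the four wildcard bytes of the SEH handler address.
EP_SIGNATURE = [
    0xB8, None, None, None, None,                # mov  eax, <handler>
    0x50,                                        # push eax
    0x64, 0xFF, 0x35, 0x00, 0x00, 0x00, 0x00,    # push dword ptr fs:[0]
    0x64, 0x89, 0x25, 0x00, 0x00, 0x00, 0x00,    # mov  fs:[0], esp
    0x33, 0xC0,                                  # xor  eax, eax
    0x89, 0x08,                                  # mov  [eax], ecx  (write to 0 -> AV)
]
FAULT_OFFSET = 22            # offset of the faulting 'mov [eax], ecx' in the stub
HANDLER_EAX = 0xFFBA5B0D     # 'mov eax, 0FFBA5B0Dh' in the handler
HANDLER_LEA = 0x88107A       # 'lea ecx, [eax+88107Ah]'


class SparseMemory:
    """Tiny byte-addressable memory standing in for the process image (assumed model)."""

    def __init__(self):
        self._bytes = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self._bytes[(addr + i) & MASK32] = b

    def read(self, addr, n):
        return bytes(self._bytes.get((addr + i) & MASK32, 0) for i in range(n))


def match_ep_stub(mem, ep):
    """Return the SEH handler address if the PECompact stub sits at ep, else None."""
    window = mem.read(ep, len(EP_SIGNATURE))
    if any(p is not None and p != b for p, b in zip(EP_SIGNATURE, window)):
        return None
    return struct.unpack_from("<I", window, 1)[0]


def seh_handler(mem, exception_address):
    """Mirror the handler at 426B64: fix the imm32 after its retn, rewrite the fault as a jmp."""
    eax = HANDLER_EAX
    ecx = (eax + HANDLER_LEA) & MASK32               # 0x426B87: the 'mov eax, 12345678h'
    mem.write(ecx + 1, struct.pack("<I", eax))       # restore its real immediate
    edx = exception_address                          # EXCEPTION_RECORD.ExceptionAddress
    mem.write(edx, b"\xE9")                          # opcode of jmp rel32
    edx = (edx + 5) & MASK32                         # end of the 5-byte jmp
    mem.write(edx - 4, struct.pack("<I", (ecx - edx) & MASK32))   # rel32 = ecx - end
    return 0                                         # ExceptionContinueExecution


def jmp_target(mem, addr):
    """Decode 'E9 rel32' at addr into an absolute target, or None if no jmp is there."""
    raw = mem.read(addr, 5)
    if raw[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", raw, 1)[0]
    return (addr + 5 + rel) & MASK32


def build_sample_image():
    """Constructed image: stub at 401219 (handler 426B64) and the placeholder mov at 426B87."""
    mem = SparseMemory()
    stub = bytearray(b if b is not None else 0 for b in EP_SIGNATURE)
    stub[1:5] = struct.pack("<I", 0x426B64)
    mem.write(0x401219, bytes(stub))
    mem.write(0x426B87, bytes.fromhex("B878563412"))   # mov eax, 12345678h
    return mem


def trace_stub(mem, ep):
    """Match the stub, raise the fault, run the handler and report where execution resumes."""
    handler = match_ep_stub(mem, ep)
    if handler is None:
        return None
    fault = ep + FAULT_OFFSET
    status = seh_handler(mem, fault)
    target = jmp_target(mem, fault)
    imm32 = struct.unpack("<I", mem.read(target + 1, 4))[0]
    return {"handler": handler, "fault": fault, "status": status,
            "resume_target": target, "patched_imm32": imm32}


if __name__ == "__main__":
    for k, v in trace_stub(build_sample_image(), 0x401219).items():
        print(f"{k:>14}: {v:#x}")
```

The replay is the reason a hardware breakpoint on the header EP is the safe way through: nothing in the stub returns ExceptionContinueSearch, so no later handler is involved, and if a debugger eats the first-chance access violation the patch never happens and the stub simply faults again.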

Known Unpackers
// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
;--------------
/* 
//////////////////////////////////////////////////////////////
// PECompact 2.xx (supports all versions) OEP finder 
// Author: hacnho/VCT2k4 
// Email : hacnho@hotmail.com 
// Website: http://nhandan.info/hacnho 
// OS : WinXP Pro, OllyDbg 1.10 Final, OllyScript v0.85
// Release date: 14 July 2004
/////////////////////////////////////////////////////////////
*/

// CB / CS: base and size of the code section; Temp: address of the final jmp eax
var CS
var CB
var Temp

// Start at the packer EP: step over 'mov eax, <handler>' so eax holds the
// SEH handler address, then break on the handler's retn (C3) and run to it
// with exceptions passed to the program.
sto 
findop eax, #C3# 
bp $RESULT 
esto 
esto

// Record the code section of the module that is now executing.
gmi eip, CODEBASE
mov CB, $RESULT 
log CB

gmi eip, CODESIZE 
mov CS, $RESULT 
log CS

// Break on the first write into the code section (the decompressor filling
// in the original .text), then clear the memory breakpoint again.
bpwm CB, CS 
esto 
sto 
bpmc 

// Locate the transfer instruction 'jmp eax' (FF E0) and run to it.
findop eip, #FFE0# 
mov Temp, $RESULT 
bp $RESULT 
esto 
jmp exit


Return: 
esto 
jmp exit

exit: 
// Keep running until the break really is at the 'jmp eax'.
cmp eip, Temp 
jne Return 
// One step over the jmp lands on the OEP.
sto
log eip 
cmt eip, "This is the OEP! Found by hacnho/VCT2k4"
MSG "Dump and fix the IAT now! Thanks for using my script...!"
ret

;---