Exetools  

#1
11-13-2004, 05:04
quetzaoalt

PECompact 2

Hi,

I'm playing with my first Pecompact2 target.

After dumping/rebuilding it... I run it... what happened?? ExitWindowsEx, hihi, nice trick...

In short... I checked the target and saw a lot of crippled code / anti-debug...

I'd rather ask for a PECompact2 target in order to verify my dump methods, and/or perhaps the target I want to play with is vicious.

I think that these anti-debug tricks are "available" only with the retail version. If anyone has a "PECompacted" notepad, email it.

Thanks
#2
11-13-2004, 18:42
MaRKuS-DJM
Cracker + Unpacker

PECompact is a packer and not a protector. These anti-debug tricks must come from the program itself. There's no PECompact version with such features.
#3
11-13-2004, 20:05
dyn!o
Friend

Quote from the PECompact help file:

In addition to space savings, PECompact2 inherently makes it more difficult to reverse engineer your module(s). The compressed data is unreadable and not directly modifiable. PECompact2's default loader employs some basic anti-debugging code to aid in prevention of reverse engineering. In addition, PECompact2 supports Loader plug-ins. Therefore, third parties can create custom loaders after purchasing the loader SDK.

PECompact's main purpose is to compress and to run custom operations before, during and after decompression. Those are the features that distinguish it from other compressors/protectors (it isn't a protector, but let's compare them). If someone had developed a custom DLL with anti-debug tricks and executed its functions inside the compressed executable, then it's possible to encounter the things you are discussing. Anyway, such tricks are not hard, since you can always unpack the executable after all the loaders have done their job (because they must stay outside the compressed PE and DLLs).

PECompact2's internal "anti-debug" and "anti-reverse" tricks are very old and weak, not to say it doesn't really contain them (for instance, it's enough to change one byte to disable checksum verification and modify any range of the compressed executable you want).

Regards.
#4
11-13-2004, 23:13
MaRKuS-DJM
Cracker + Unpacker

I think the checksum in PECompact was removed in version 2. I was able to inline-patch such files without any checksum errors from PECompact. Maybe it has such anti-debug... but I think these don't hit Olly.
quetzaoalt said these anti-debug tricks happened after unpacking.
#5
11-14-2004, 02:00
dyn!o
Friend

Yes, in v2 the checksum was renamed to CRC32, as an external DLL which is suggested for use instead of the "code integrity check" option (also available in v2).

If I understood correctly, Quetzaoalt was talking about anti-debug and "crippled" code after unpacking. If that's right, then we have three choices:

1. The software was protected with anti-debug tricks inside the source code and then, to fool a potential cracker, compressed (not protected) with PECompact2, since it allows dual compression with many packers.

2. The software was protected by a protector without checksum verification and then (to fool again) compressed with PECompact (I saw such behaviour a few times... useless, but people do that).

3. He could have made a wrong dump (wrong context, range, layer or even process, like Armadillo does).


Regards.

Last edited by dyn!o; 11-14-2004 at 02:04.
All times are GMT +8.