How to trace PECompact2 packed exe?

[SofTROOP]

Hi all,

I tried to manually unpack the exe packed with PECompact2, but this thing seems like a beast to me, it setup a SEH, then raise an exception to execute the SEH handler code, and in the SEH handler code, it raises another SEH, and this process repeats times, does anyone know how to trace such programs ?

Thank you.

[ADDED] I've uploaded the PECompact v2 onto FTP for anyone who's interested in checking it.

It is very simple...

I've unpacked it with Olly.
1. Run prog with F9. Break on SEH (access violation)
2. View->Memory. Break on .code section. Run with Shift+F9. Breaking on 7XXXXX (usually).
3. Run till return (Ctrl+F12). Exit from function.
4. set break on jmp eax (it is nearby)
5. We are on OEP.

[SofTROOP]

Quote:

Originally Posted by mc707

2. View->Memory. Break on .code section. Run with Shift+F9. Breaking on 7XXXXX (usually).

I'm sorry I cant follow you, did you mean set a BP on .code section? I tried that but no luck (break on 101xxx, not on 7xxxxx). Could you please give some more detailed instructions?

Thank you.

[MaRKuS-DJM]

i wrote tutorial for beta, and now i edited for final.

[TQN]

Wow, MaRKuS-DJM. You are rock.
Thank for your tutor and crack file of PECompact 2.0

[SofTROOP]

Really appreciate

[CCDebuger]

You can use this script to Unpack PECompact 2.xx:

Quote:

/*
Script written by CCDebuger
Script : PECompact 2.x_No_ImportREC
Version : v0.1
date : 15-2-2009
Environment : OllyDbg 1.1, ODBGScript 1.65, WINXP, WIN2000
Option : Set OllyDbg to Ignore All Excepions Options
Tools : OllyDbg, ODBGScript 1.65
Thanks : Oleh Yuschuk - author of OllyDbg
SHaG - author of OllyScript
Epsylon3 - author of ODbgScript
hnhuqiong - author of ODbgScript
*/

var tmp1
var tmp2
var VirtualAlloc
var section
var iatloc
var VirtualFree
var imgbase
var signVA
var modsize
var dllreloc
var oep
var oeprva
var apiloc
var unpackname

msgyn "Please Ignore All Excepions Options. This script can only be used for PECompact 2.x EXE or DLL"
cmp $RESULT, 0
je exit
cmp $VERSION, "1.65"
jb errorver
bc
bphwcall
dbh
GMI eip, MODULEBASE //get imagebase
mov imgbase, $RESULT
gmi eip, MODULESIZE
mov modsize,$RESULT
mov tmp1, [imgbase+3C] //Get PE signature offset
add tmp1, imgbase //tmp1=signature VA
mov signVA, tmp1

// set VirtualAlloc breakpoint, back to the relevant location

gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
bp VirtualAlloc

VirtualAlloc_Next:
esto
rtu

/*
Search command sequences��
ADD EDI,EDX
MOV ECX,DWORD PTR DS:[EBX+8]
MOV EAX,ECX
*/
find eip, #03FA8B4B088BC1#
mov section, $RESULT
cmp section, 0
je VirtualAlloc_Next
bp section
bc VirtualAlloc
lc
eob logsection
esto

logsection:
log edi, "Section RVA = "
rtr

bc section
cob
log "Section RVA = 001000" //Add the first section
sto

isdll:
mov tmp1, [signVA + 5E], 2 //DLL flag
cmp tmp1, 1
je dll
mov unpackname, "Unpacked.exe"
jmp findIAT

dll:
/*
Search command sequences��
MOV EAX,DWORD PTR DS:[EDI+4]
MOV EBX,DWORD PTR DS:[EDI+8]
CMP EAX,EBX
JE SHORT 00AB0C12
*/
find eip, #8B47??8B5F??3BC374??#
mov dllreloc, $RESULT
cmp dllreloc, 0
je findIAT
add dllreloc, 0D
bp dllreloc
esto
bc
log esi, "Relocation RVA = "
mov [dllreloc + 2], 0EB, 1
/*
Search command sequences��
JMP SHORT 00AB0BC9
POP ESI
POP EDI
POP EBX
LEAVE
RETN 4
*/
find eip, #EB??5E5F5BC9C2????#
add $RESULT, 2
bp $RESULT
esto
bc
mov [dllreloc + 2], 074, 1
mov unpackname, "Unpacked.dll"

findIAT:
/*
Search command sequences��
MOV DWORD PTR DS:[ESI],EAX
MOV DWORD PTR DS:[EDX],EAX
*/
find eip, #89068902#
mov iatloc, $RESULT
cmp iatloc,0
je exit
asm iatloc, "mov eax,[edx]"
add iatloc, $RESULT
asm iatloc, "mov dword ptr [esi],eax"
bp iatloc

nextapi:
esto
esto
mov apiloc, [esi-4]
cmp apiloc, 800000
jae nextapi

log apiloc, "An API function address of IAT = "
div apiloc, 01000
mul apiloc, 01000
add apiloc, imgbase
//Find IAT Table, Imprecise, for reference only
find apiloc, #0000000000000000000000000000000000000000#
mov apiloc, $RESULT
add apiloc, 1
sub apiloc, imgbase
log apiloc, "IAT potential Ending Address RVA = "
bc iatloc
rtr
sto
find eip, #485E5F5BC9C2????# //set breakpoint in the return address
add $RESULT, 5
bp $RESULT
esto
bc
asm iatloc, "mov dword ptr [edx],eax"
sub iatloc, $RESULT
asm iatloc, "mov dword ptr [esi],eax"
gpa "VirtualFree", "kernel32.dll"
mov VirtualFree, $RESULT
BP VirtualFree

nextoep:
esto
rtu
rtr
sto
find eip, #5A5E5F595B5DFFE0#
mov oep, $RESULT
cmp oep, 0
je nextoep
bc VirtualFree
add oep, 6
bp oep
esto
sti
bc
mov oeprva, eip
sub oeprva, imgbase
log oeprva, "OEP RVA = "
cmt eip, "This is OEP"
mov [signVA + 3C], 1000 //FileAlignment set to 1000
mov [signVA + 54], 1000 //SizeofHeaders set to 1000
mov tmp1, 0
mov tmp1, [signVA + 6], 2 //Section number
mov tmp2, signVA
add tmp2, 0F8 //The first section

last:
cmp tmp1, 0
je lab1
mov [tmp2 + 10], [tmp2 + 8] //V.size equal R.size
mov [tmp2 +14], [tmp2 + 0C] //V.offset equal RW.offset
mov [tmp2 + 24], 0E00000E0 //set section flag
add tmp2, 28 //go to next section
sub tmp1, 1
jmp last

lab1:
mov [signVA + 28], oeprva //Fill OEP
dm imgbase, modsize, unpackname
msg "Has come to the OEP. Procedures have been saved as a dump file like Unpacked.exe or Unpacked.dll. OEP has been fixed, now please refer to the data in the log window, reconstruction sections and fix IAT RVA start address and size. If the DLL, please refer to relocation table RVA data in the log window, and then contrast sections of the RVA to fix it. After the reconstruction of the section, if necessary, resources must to be reconstruction."

exit:
ret

errorver:
msg "Run this script need ODbgScript ver 1.65 or high��Please update your ODbgScript plugin and try again."
ret

[SLV]

simply:
hr esp-4
f9f9f9