Thread: PeCompact 2.X unpacking problem

  1. #1

    PeCompact 2.X unpacking problem

    Hi everybody,

    I have this problem and I hope that somebody more experienced will be able to point me in the right direction.
    I successfully unpacked a program on Windows XP that was packed with PECompact 2.X. The unpacked program runs fine on Windows XP, no issues. I copied it to Windows 7 32-bit and it fails to run there. After some investigation, I realized that the problem is that the Image Base changes, which invalidates some memory references in the program and causes unhandled exceptions. I tried to change the image base using the LordPE editor to what I believe it is supposed to be, but when the program is loaded into memory it doesn't use this image base as I would expect.

    Please can somebody tell me how to fix this particular issue I am dealing with? How come it does work on Windows XP but not on Windows 7?

    Thank you for your help.
    Robson
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Kayaker (Teach, Not Flame) | Join Date: Oct 2000 | Posts: 4,048 | Blog Entries: 5
    Assuming that the unpacked file isn't using XP hardcoded IAT addresses, you can try turning ASLR off. Open the file in CFF Explorer or other and under Optional Header/Dll Characteristics uncheck 'Dll can move'. It should then load at 0x400000.
    Otherwise it could be a .reloc issue, see here for example
    http://www.woodmann.com/forum/showthread.php?14494-Pointers-in-unpacked-file-don-t-get-rebased

  3. #3
    Quote (originally posted by Kayaker):
    Assuming that the unpacked file isn't using XP hardcoded IAT addresses, you can try turning ASLR off. Open the file in CFF Explorer or other and under Optional Header/Dll Characteristics uncheck 'Dll can move'. It should then load at 0x400000.
    Otherwise it could be a .reloc issue, see here for example
    http://www.woodmann.com/forum/showthread.php?14494-Pointers-in-unpacked-file-don-t-get-rebased
    I unchecked 'Dll can move', saved the updated application binary and the application works like a charm. Thank you.
    I promise that I have read the FAQ and tried to use the Search to answer my question.
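
The header fields behind the 'Dll can move' checkbox and the .reloc caveat discussed above, as an added example that is not part of the original thread: it reads ImageBase, the DYNAMIC_BASE bit and the base relocation directory from a PE32 header, and clears the bit in a copy. The function names are hypothetical, the sample is a constructed header-only image, and only 32-bit PE32 is handled.

```python
import struct

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE ("DLL can move")
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED (FileHeader.Characteristics)

def rebase_report(pe: bytes) -> dict:
    """Read the PE32 header fields that decide whether ASLR may move the image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                                         # optional header start
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) is handled here")
    file_chars = struct.unpack_from("<H", pe, nt + 22)[0]
    dll_chars = struct.unpack_from("<H", pe, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", pe, opt + 92)[0]
    # Data directory 5 is the base relocation table; entries are (RVA, size).
    reloc_size = struct.unpack_from("<II", pe, opt + 96 + 5 * 8)[1] if n_dirs > 5 else 0
    aslr = bool(dll_chars & DYNAMIC_BASE)
    has_relocs = reloc_size > 0 and not file_chars & RELOCS_STRIPPED
    return {"image_base": struct.unpack_from("<I", pe, opt + 28)[0],
            "dll_characteristics": dll_chars, "dll_chars_offset": opt + 70,
            "aslr_flag": aslr, "has_relocs": has_relocs,
            "aslr_eligible": aslr and has_relocs}  # flag set and relocation data present

def clear_dynamic_base(pe: bytes) -> bytes:
    """Return a copy with the 'DLL can move' bit cleared; the input is not modified."""
    rep = rebase_report(pe)
    out = bytearray(pe)
    struct.pack_into("<H", out, rep["dll_chars_offset"],
                     rep["dll_characteristics"] & ~DYNAMIC_BASE)
    return bytes(out)

def constructed_sample() -> bytes:
    """Constructed header-only PE32: base 0x400000, ASLR flag set, reloc directory present."""
    pe, nt = bytearray(0x200), 0x80
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, nt)
    pe[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<H", pe, nt + 22, 0x0102)          # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = nt + 24
    struct.pack_into("<H", pe, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", pe, opt + 28, 0x400000)       # ImageBase
    struct.pack_into("<H", pe, opt + 70, 0x8140)         # includes DYNAMIC_BASE
    struct.pack_into("<I", pe, opt + 92, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", pe, opt + 96 + 5 * 8, 0x5000, 0x200)
    return bytes(pe)

if __name__ == "__main__":
    print(rebase_report(clear_dynamic_base(constructed_sample())))
```

If `aslr_flag` is set but `has_relocs` is false, or the relocation data no longer matches the dumped sections, that points to the .reloc case mentioned in the reply rather than the flag alone.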
