
Thread: PECompact v1.67 Delphi DLL


  1. #1

    PECompact v1.67 Delphi DLL

    Hello folks. It's been a while =[

    I am trying to unpack a target protected with PECompact. At first I thought it was going to be easy, but it doesn't seem so now. Here's some info, so you get a picture of why this isn't a regular PECompact unpacking scheme:

    [ Showing what I have done ]

    1. Loaded the target in Olly, and from the looks of the EP, it's indeed an old PECompact (1.x) - PEiD says it's v1.67:
    http://i9.tinypic.com/2hp29gp.jpg

    2. Setting a hardware breakpoint on access on the ESP register when reaching the PUSHAD, and running the .dll, leads me to this spot:
    http://i9.tinypic.com/47dj1vn.jpg

    3. Three more F8s, and I am at the OEP:
    http://i10.tinypic.com/2uqekhy.jpg

    [ The problem ]

    When using OllyDump and trying to dump the application, I get this error: "Unable to read memory of debugged process (00400000...00423FFF)", followed by a "Bad DOS Signature!!" pop-up.

    [ Alternatives ]

    I've also tried normal unpackers, but they don't seem to find a valid version of PECompact in the file. I also used LordPE to dump the file at the OEP, with the same error.


    Thanks for your replies.

    P.S.: I have masked the .dll name, for RCE rules reasons. Also, the code is universal, as it can be found in any PECompact packed application. I've tried to post as generally as I could so that I am not breaking rules...
    Last edited by SunBeam; September 25th, 2006 at 08:41.
    EXECryptor Add!ct

  2. #2
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Hi, I am not clear about something:

    You mention that your target is a .dll

    How did you load it into Olly?

    OllyDump appears to want to dump the exe module around memory location 400000. If you look at the memory map, where is your .dll module located?

  3. #3
    I loaded it with LOADDLL, Olly's .dll loader...

    I did that. Tried to dump the .dll from memory at its location. Posting 2 more pics:
    http://i9.tinypic.com/2pyn6ae.jpg

    As you can see, EP = 89F000. If you look below, you'll see that PUSH. So: 89F000 + 16F4C = OEP:
    http://i9.tinypic.com/48m5rif.jpg

    Well, this is what OllyDump shows me:
    http://i9.tinypic.com/2a98luf.jpg

    And this is what the memory map looks like:
    http://i10.tinypic.com/2ym6fth.jpg

    Now, if I try to dump, it says it can't read memory from 400000 till 423FFF, even though, looking at the pics above, you can see that there is memory in that region. Even if I change the address to 880000, where the .dll header is, I get the same results. Can't read memory :|...
    EXECryptor Add!ct

  4. #4
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Please PM a link to your .dll.
    I will take a look, so we are on the same page when we talk.

  5. #5
    reknihT esreveR SiGiNT's Avatar
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    Just re-read a tut over at ARTeam; for unpacking an .ocx it recommends using LordPE when at the OEP.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  6. #6
    Thanks for the heads up, sigint33. It wasn't LordPE, but reading the tutorial, I learnt how to change the file characteristics to make Olly load the .dll as an .exe. Now everything works. File is dumped, fixed, characteristics changed back, and working!

    Thanks everyone!

    P.S.: This is the tutorial I read, in case someone needs it:

    Unpacking PECompact 1.68-1.84 OCX Control by Ferrari
    EXECryptor Add!ct

  7. #7
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    I am glad it worked for you.

    I took a look at your file.

    Just as an alternative: I used PE Tools 1.5.

    Pick the loadDLL process.

    In the lower window find your target.dll.

    Right-click on it and choose "dump full".

    Dumped without a problem.

  8. #8
    reknihT esreveR SiGiNT's Avatar
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    Nice info, naides - I knew I was keeping PE Tools for something! I know, RTFM!

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  9. #9
    nchanta
    Guest

    OllyDump and LoadDll

    When using OllyDump and LoadDll.exe you may find that you are unable to dump.

    This is because OllyDump gets the ImageBase of the main process, which is different for the loaded dll.

    To dump the dll properly, simply change the ImageBase to what you see in the Memory list (usually 0x01000000 or something similar) and it should dump fine...

    (or you can change the dll to load as an exe and dump that way )
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #10
    It wasn't "Dump Full" that was the problem, but "Dump at OEP". And I've tried changing the Image Base and get the same error. The only method is the one with changing the characteristics.
    EXECryptor Add!ct
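Two things come up repeatedly in this thread: OllyDump's "Bad DOS Signature" / wrong ImageBase complaint (posts #1, #3 and #9), and the fix that finally worked, flipping the DLL bit in the PE file header's Characteristics so the debugger loads the module as an .exe (posts #6 and #10). The following is an added example, not code from the thread or from any of the tools named in it. It parses the DOS and NT headers, reads ImageBase and the Characteristics word, and sets or clears IMAGE_FILE_DLL on a copy of the file. The header blob it parses is constructed inline for demonstration (the 0x00880000 image base is the one mentioned in post #3; the entry point RVA and other field values are placeholders), so it runs offline; point `parse_pe` at real bytes read from disk to inspect a file of your own.

```python
import struct

# Constants from the PE/COFF specification
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000          # Characteristics bit: "this image is a DLL"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
E_LFANEW_OFFSET = 0x3C           # DOS header field that points at "PE\0\0"
FILE_HEADER_SIZE = 20            # IMAGE_FILE_HEADER is 20 bytes
CHARACTERISTICS_OFFSET = 18      # ... and Characteristics is its last WORD


def build_sample_pe(image_base=0x00880000, is_dll=True):
    """Constructed sample: a minimal PE32 header blob (no sections, not loadable).
    Field values are placeholders chosen only to exercise the parser."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    if is_dll:
        chars |= IMAGE_FILE_DLL
    # Machine=i386, 0 sections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)        # AddressOfEntryPoint (placeholder RVA)
    struct.pack_into("<I", opt, 28, image_base)    # ImageBase (PE32 layout)
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt)


def parse_pe(data):
    """Walk DOS header -> NT signature -> file header -> optional header.
    Raises ValueError with the same kind of complaint a dumper would show."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("Bad DOS signature")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("Bad PE signature")
    fh = e_lfanew + 4
    machine, nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + FILE_HEADER_SIZE
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # PE32+ has no BaseOfData
    else:
        raise ValueError("Unknown optional header magic 0x%X" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    return {
        "machine": machine,
        "sections": nsec,
        "characteristics": chars,
        "characteristics_offset": fh + CHARACTERISTICS_OFFSET,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,   # what the debugger shows as EP when loaded at ImageBase
    }


def set_dll_flag(data, is_dll):
    """Return a copy of `data` with IMAGE_FILE_DLL set or cleared (the
    'change file characteristics' step from the thread). The original is untouched."""
    info = parse_pe(data)
    chars = info["characteristics"]
    chars = (chars | IMAGE_FILE_DLL) if is_dll else (chars & ~IMAGE_FILE_DLL)
    out = bytearray(data)
    struct.pack_into("<H", out, info["characteristics_offset"], chars & 0xFFFF)
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print("ImageBase 0x%08X, EP VA 0x%08X, DLL=%s" % (info["image_base"], info["entry_va"], info["is_dll"]))
    as_exe = set_dll_flag(sample, False)
    print("after clearing IMAGE_FILE_DLL: DLL=%s" % parse_pe(as_exe)["is_dll"])
```

The `characteristics_offset` returned by `parse_pe` is the file offset a hex editor would patch by hand; `set_dll_flag` does the same edit programmatically so the flag can be restored exactly (the round trip is byte-identical) once the dump has been taken. Note that `image_base` comes from the module's own optional header, which is the value to give a dumper when it defaults to the host process's 0x00400000.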
