PeCompact 2.X unpacking problem

Post by robson »

Hi everybody,

I have this problem and I hope that somebody more experienced will be able to point me in the right direction.
I successfully unpacked a program on Windows XP that was packed with PECompact 2.X. The unpacked program runs fine on Windows XP, no issues. I copied it to Windows 7 32-bit and it fails to run there. After some investigation, I realized that the problem is that the Image Base changes, which invalidates some memory references in the program and causes unhandled exceptions. I tried to change the image base using the LordPE editor to what I believe it is supposed to be, but when the program is loaded into memory it doesn’t use this image base as I would expect.

Please can somebody tell me how to fix this particular issue I am dealing with? How come it does work on Windows XP but not on Windows 7?

Thank you for your help.
Robson

Post by Kayaker »

Assuming that the unpacked file isn't using XP hardcoded IAT addresses, you can try turning ASLR off. Open the file in CFF Explorer or other and under Optional Header/Dll Characteristics uncheck 'Dll can move'. It should then load at 0x400000.
Otherwise it could be a .reloc issue, see here for example
http://www.woodmann.com/forum/showthrea ... et-rebased
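
As an added example (not part of the original thread or any poster's code), this Python sketch reads the PE32 header fields behind the 'Dll can move' checkbox and the .reloc question, and clears only that one bit. The function names and the header-only sample image are constructed for illustration.

```python
import struct

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE ('Dll can move')
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED

def _opt_header(pe):
    """Return (nt, opt): offsets of the PE signature and PE32 optional header."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = nt + 24  # 4-byte signature + 20-byte COFF file header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled")
    return nt, opt

def inspect(pe):
    nt, opt = _opt_header(pe)
    chars = struct.unpack_from("<H", pe, nt + 22)[0]         # FileHeader.Characteristics
    dllchars = struct.unpack_from("<H", pe, opt + 70)[0]     # DllCharacteristics
    reloc_size = struct.unpack_from("<I", pe, opt + 140)[0]  # DataDirectory[5].Size
    info = {"image_base": struct.unpack_from("<I", pe, opt + 28)[0],
            "dynamic_base": bool(dllchars & DYNAMIC_BASE),
            "relocs_stripped": bool(chars & RELOCS_STRIPPED),
            "has_reloc_dir": reloc_size != 0}
    # Opt-in ASLR needs both the flag and usable relocation data.
    info["randomizable"] = (info["dynamic_base"] and info["has_reloc_dir"]
                            and not info["relocs_stripped"])
    return info

def clear_dynamic_base(pe):
    """Return a copy with only the 'Dll can move' bit cleared."""
    _, opt = _opt_header(pe)
    out = bytearray(pe)
    dllchars = struct.unpack_from("<H", out, opt + 70)[0]
    struct.pack_into("<H", out, opt + 70, dllchars & ~DYNAMIC_BASE)
    return bytes(out)

def sample_header(dllchars, chars=0x0102, reloc=(0x5000, 0x200)):
    """Constructed sample: a header-only PE32 image, not a real program."""
    pe = bytearray(0x40 + 24 + 224)
    pe[:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)          # e_lfanew
    struct.pack_into("<H", pe, 0x40 + 22, chars)    # FileHeader.Characteristics
    opt = 0x40 + 24
    struct.pack_into("<H", pe, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", pe, opt + 28, 0x400000)  # ImageBase
    struct.pack_into("<H", pe, opt + 70, dllchars)
    struct.pack_into("<II", pe, opt + 136, *reloc)  # DataDirectory[5] (base relocations)
    return bytes(pe)
```

To check a real dump, pass the bytes of the file to `inspect`; a dump that reports `dynamic_base` as true with a relocation directory present is one the Windows 7 loader may place away from its `image_base`.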

Post by robson »

Kayaker wrote:
Assuming that the unpacked file isn't using XP hardcoded IAT addresses, you can try turning ASLR off. Open the file in CFF Explorer or other and under Optional Header/Dll Characteristics uncheck 'Dll can move'. It should then load at 0x400000.
Otherwise it could be a .reloc issue, see here for example
http://www.woodmann.com/forum/showthrea ... et-rebased

I unchecked 'Dll can move', saved the updated application binary and the application works like a charm. Thank you.