
Unpacking tutorial

PeCompact 2.98.4

Author: Absolut zero
Date: 30. 1. 2009
Tools: OllyDbg, Import Rec (ImpRec)




At the entry point of the packer we see code that installs an exception handler.
Press CTRL-G, go to the address referenced on the first line, 00473464, and place a breakpoint there. Press F9.



00473479: EDX holds the address 00401016, where the value 0E9 (the opcode of a
jmp instruction) is written.
00473481: ECX holds the destination of that jump.

Step through the code with F7 until you reach address 00473484. Press CTRL-G and go to
address 00401016. There we can see our jmp instruction, which jumps to address
00473487. Go there, set a breakpoint and hit F9.


Press F8 until you reach call EAX. This is the call to the API function VirtualAlloc.



Scroll a little down; at the bottom is jmp EAX, which is the jump to the OEP. Place a breakpoint
on jmp EAX, press F9 and then F7. We are at the OEP.




Now we can dump the file and reconstruct the IAT with ImpRec.

The fastest way to reach the OEP is to set a breakpoint on VirtualAlloc, press F9, remove the
breakpoint, run till user code (Alt-F9) and then find jmp eax.


If there are redirected APIs, we can use the ImpRec plugin for PeCompact.



If you don't have the plugin, you can fix the APIs manually, if you are crazy. In ImpRec, right-click
on the missing API and select Disassemble / HexView.




Then right-click on the function and select Get Import. This must be repeated for each
redirected function.

There are better solutions: an inline patch or an Olly script. I will show you both methods.


Inline patch

First we must find where the IAT is built. In ImpRec we can see that the first redirected API
pointer is at RVA 00060260. Switch to Olly and in the dump window go to address
00460260. Place a hardware breakpoint on write (dword) there. Restart the program. After
the second breakpoint hit we are here.


This is the place where the IAT is built.



In the stack window, scroll up. At address 0012ff20 [EBP-40] is the missing API. Now we
have enough information to make an inline patch. Remove the hardware breakpoint, set a
new one at the address of the instruction mov dword ptr ds:[esi],eax and restart Olly.



We must assemble 4 lines (the jmp short at 00A1166A overwrites the 2-byte mov, which the inline code re-executes before returning):

00A1166A: jmp short 00A1167F                 jump to the inline code
00A1167F: mov eax, dword ptr ss:[ebp-40]     take the API address from the stack
00A11682: mov dword ptr ds:[esi],eax         write the API address into the IAT
00A11684: jmp short 00A1166C                 return from the inline code

Remove the breakpoint, run the program and the IAT is resolved.
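As an added illustration (not part of the original tutorial), the following Python encodes those 4 lines into the raw bytes that get written, computing the rel8 displacements of both short jumps from the addresses above and checking that the 2-byte jmp overwrites exactly the 2-byte mov it replaces. The function names and the fixed [ebp-40] slot are my own choices; the addresses are the ones from the tutorial's session and will differ per run, because the region comes from VirtualAlloc.

```python
import struct

def rel8(insn_addr: int, target: int, insn_len: int = 2) -> int:
    """Displacement byte of a short (EB xx) jump at insn_addr that lands on target.
    Raises if the target is too far away for a 2-byte jump."""
    disp = target - (insn_addr + insn_len)
    if not -128 <= disp <= 127:
        raise ValueError(f"{target:#x} is out of short-jump range from {insn_addr:#x}")
    return disp & 0xFF

def jmp_short(insn_addr: int, target: int) -> bytes:
    return bytes([0xEB, rel8(insn_addr, target)])

def assemble_inline_patch(hook: int, cave: int, resume: int, slot_disp: int = -0x40) -> dict:
    """Bytes to write for the tutorial's 4-line patch, keyed by address.

    hook   : address of the packer's 2-byte 'mov dword ptr ds:[esi],eax' (89 06)
    cave   : free bytes in the packer's allocated region for the 3 inline instructions
    resume : instruction following the hook, i.e. hook + 2
    The cave re-executes the overwritten mov, so the packer's own IAT write is kept.
    """
    if resume != hook + 2:
        raise ValueError("the hook jmp must overwrite exactly the 2-byte mov [esi],eax")
    body = bytearray()
    body += b"\x8B\x45" + struct.pack("<b", slot_disp)  # mov eax, dword ptr ss:[ebp-40]
    body += b"\x89\x06"                                   # mov dword ptr ds:[esi], eax
    body += jmp_short(cave + len(body), resume)           # jmp short back into the loop
    if not (cave + len(body) <= hook or cave >= hook + 2):
        raise ValueError("cave overlaps the hook")
    return {hook: jmp_short(hook, cave), cave: bytes(body)}

if __name__ == "__main__":
    # Addresses as seen in the tutorial's OllyDbg session (constructed input).
    for addr, code in assemble_inline_patch(0xA1166A, 0xA1167F, 0xA1166C).items():
        print(f"{addr:08X}: {code.hex(' ').upper()}")
```

Running it prints EB 13 for the hook and 8B 45 C0 89 06 EB E6 for the cave, which is what OllyDbg's assembler produces for the 4 lines above.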


Olly script

var module

bphwc                               // remove all hardware breakpoints, if any
gpa "VirtualAlloc","kernel32.dll"   // get the address of VirtualAlloc
bp $RESULT                          // place a breakpoint on VirtualAlloc
run                                 // run till the breakpoint
bc $RESULT                          // remove the breakpoint
rtu                                 // run till user code
mov module,eax                      // save the address of the newly allocated memory region
add module,166a                     // address of the instruction where the IAT is built
bphws module, "x"                   // set a hardware breakpoint on that instruction
find eip, #ffe0#                    // find the jmp eax that jumps to the OEP
bp $RESULT                          // place a breakpoint on the jump to the OEP
run

pokr:
cmp eip,module                      // are we at the IAT build instruction?
jne oep                             // if not, the IAT is repaired and we are at the jump to the OEP
mov eax,[ebp-40]                    // else take the API address from the stack
run
jmp pokr

oep:
sto                                 // we are on jmp eax, so step into the OEP
bphwc module                        // remove the hardware breakpoint
an eip                              // analyze the code
