*************************************************************************************************
			    Manually Unpacking PECompact V1.43
*************************************************************************************************

Author:		Jeremy Collake
Protection:	None
URL:		http://mud.sz.jsinfo.net/per/aaron/files/compressors/win/pecpt143.zip
Tools:		SoftICE V4.05
		ProcDump V1.6.2
		Hex-Editor


--->	Intro...

Welcome to my next Tutorial !!!
A Tutorial about Manually Unpacking PECompact V1.43 :)
I hope I'll explain it very well.


--->	Let's Begin...

Included in this Zip File:

Tut25_MUP_PECompact V1.43.txt		: This Tutorial
PECompact_Notepad.exe			: Our Target "Encrypted" with PECompact V1.43

The first thing we need to know is the OEP of the "Encrypted" program (for now that means the Entry Point of the packed file), so we can apply the "INT 3" trick ;)
To do this we open up "ProcDump" and click on "PE Editor".
Then select the "Encrypted" file and click on "Open".
Now you'll see under "Header Infos" the Entry Point.
It's 0000AC5E

But that's the "Virtual Offset" and we need the "Raw Offset" :)
So click on the button "Sections" and look at the second Section called ".rsrc".
Why the Second Section?
Look closely and you'll see that the Second Section begins at "00007000" and the third Section begins at "00010000".
So our OEP lies between them and that means that it belongs to the Second Section :)
I hope you'll get it.
But now you'll see that the Second Section has the "Virtual Offset" 00007000 and the "Raw Offset" 00002C00.
So how do we get the "Raw Offset" of our OEP ??? Subtract the difference between the Section's two offsets:

OEP = 0000AC5E - (00007000 - 00002C00)
OEP = 0000685E
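
The same "Virtual Offset" to "Raw Offset" conversion as a small Python script (an added example, not part of the original tutorial): it reads the Entry Point and the section table from the PE header and does the subtraction for whichever section contains the address.
The sample header is constructed: only the Entry Point 0000AC5E and the .rsrc offsets 00007000 / 00002C00 come from this tutorial, the other section names, sizes and offsets are assumptions.

```python
import struct

def parse_pe(data):
    """Return (entry_point_rva, sections) parsed from raw PE32 bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe, = struct.unpack_from("<I", data, 0x3C)               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", data, pe + 6)          # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)      # SizeOfOptionalHeader
    entry, = struct.unpack_from("<I", data, pe + 24 + 16)    # AddressOfEntryPoint
    sections = []
    for i in range(nsect):                                   # 40-byte section headers
        name, vsize, va, rsize, raw = struct.unpack_from(
            "<8sIIII", data, pe + 24 + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         va, vsize, raw, rsize))
    return entry, sections

def rva_to_raw(rva, sections):
    """Map an RVA ("Virtual Offset") to (section name, file "Raw Offset")."""
    for name, va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            if rva - va >= rsize:   # inside the section, but past its bytes on disk
                raise ValueError("RVA %#x in %s has no file bytes" % (rva, name))
            return name, raw + (rva - va)
    raise ValueError("RVA %#x is not inside any section" % rva)

def build_sample():
    """Constructed header: only the entry point and .rsrc's two offsets come
    from the tutorial; all other names, sizes and offsets are made up."""
    secs = [(b"pec1",   0x6000, 0x1000,  0x2800, 0x0400),   # name, vsize, va, rsize, raw
            (b".rsrc",  0x9000, 0x7000,  0x4000, 0x2C00),
            (b".reloc", 0x1000, 0x10000, 0x0200, 0x6C00)]
    opt = bytearray(0xE0)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic
    struct.pack_into("<I", opt, 16, 0xAC5E)                  # AddressOfEntryPoint
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x010F)
    hdr += bytes(opt)
    for name, vsize, va, rsize, raw in secs:
        hdr += struct.pack("<8sIIII16x", name, vsize, va, rsize, raw)
    return hdr

if __name__ == "__main__":
    entry, sections = parse_pe(build_sample())
    name, raw = rva_to_raw(entry, sections)
    print("entry RVA %08X -> %s, raw offset %08X" % (entry, name, raw))
```

To use it on a real file, pass the file's bytes to parse_pe() instead of build_sample().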

Close ProcDump and open the "Encrypted" file in your Hex-Editor.
Then go to that location and you'll see this:

-------------------------------------------------------------------------------------------------------

EB06			<--- jmp 00006866
68CC100000		<--- push 000010CC
C3			<--- ret
9C			<--- pushfd
60			<--- pushad
E802000000		<--- call 0000686F
33C0			<--- xor eax, eax
...

-------------------------------------------------------------------------------------------------------

Now change this for our "INT 3" trick :)

EB06

into

CC06

Save the file and get into SoftICE (CTRL+D).
Then type "bpint 3" (to set the breakpoint on INT 3) and get out of SoftICE (CTRL+D).
Then start the "Encrypted" file and SoftICE should popup.
Now type "BC *" to clear the breakpoint, then put the original "EB" byte back in memory by typing/pressing:

D EIP	[enter]
ALT+D
EB
ALT+D

Now we can trace through the Code ;)
Just trace (or skip a few instructions with "bpx", believe me you will ;)) until you see something like this:

-------------------------------------------------------------------------------------------------------

68CC104000		<--- push 004010CC		<--- Our Real OEP
C3			<--- ret

-------------------------------------------------------------------------------------------------------

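Now when you step over the "ret" you're at the beginning of the REAL program ;)
We're going to use the "EBFE" trick here (a jump to itself) so the program will loop forever.
Just type this when you're on the Offset "004010CC" (look at the first two bytes there before you overwrite them, we'll need them again later):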

d eip	[enter]
ALT+D
EBFE
ALT+D

Now we've put our trap ;) and now you can press (CTRL+D) to leave SoftICE.
Ok, open ProcDump and at the main window you'll see something like this:

"C:\windows\desktop\PECompact_Notepad.exe"

Right click on that and select "DUMP (full)".
Then enter the new Savename and save the file at some location (I prefer the desktop).
Now right click again on that line and select "Kill Task" to terminate the application.
Now we need to change the OEP in the New File to our original OEP (000010CC).
So open the New File in ProcDump (use the button "PE Editor") and change the Entry Point to this:

0000AC5E

into

000010CC		(without the Image Base)

Then click "Ok" and close ProcDump. But wait, we almost forgot to change the "EBFE" back ;)
So open the New File in your Hex-Editor and go to the OEP (000010CC) and change this:

EBFE

into

558B

Save the file and run it, it works !!! :P
But there's still some F**king Code down below in the file ;)
Just go to the end of the file (to be precise, 0000C5C0) and cut everything till the end of the file, then save it and
the file is even smaller than the existing Notepad :P
That's it, PECompact V1.43 Manually Unpacked ;)


--->	Greetings...

Everyone from TrickSoft			(www.TrickSoft.net)
Everyone from Cracking4Newbies		(www.Cracking4Newbies.com)
Everyone from Keygenning4Newbies	(Keygenning4Newbies.cjb.net)
And You...

			Don't trust the Outside, trust the InSiDe !!!

					  Cya...

					CoDe_InSiDe

Email:	code.inside@home.nl