This is what I posted on snd:
Well, I coded unpec2 in asm based on my oepfind debug engine, but there is one problem: all of those, and even OllyDump, fail to dump.
Do you want to try a target and find out why?
Try the PECompact 2.55 unpackme from snd (the one with Pac-Man on screen) and tell me what's wrong.
I know what's wrong; that's why I will change the dump from dumping by image size to a section-by-section dump.
Also, to be honest, mad mickael fucked up ordinals. So far I haven't encountered any exe that uses them; due to the bug there, the code will crash.
Why?
oplait:
mov eax, CURRENTTHUNK
test eax, 0x80000000
jne ordinal
add eax, fmapview
ordinal:
MOV edx, FTHUNK
add edx, fmapview
mov ebx,[eax] //EBX == THE CORRECT VALUE
Can you see the read from memory at eax?
Well, it is an ordinal if the most significant bit is set, so 0x80000000.
But there will never be memory at address 0x8xxxxxxx.
Why?
Because Windows uses a 2GB space for programs, but even so there is no data to read.
We can expand the space to 3GB with a boot parameter, large address aware or something like that, but the PE exe also has to be compiled with that parameter.
And from 0xC0000000 on it is always kernel.
Edit:
OK, here is my asm version of unpec2. The whole code is mine; I just took the places to break from mad mickael and optimized the IAT fixer. If it fails on any file, send it to me.
This one can now also unpack the PECompact 2.55 unpackme. (I tested all unpackmes from 2.40 to 2.78a and they work, and they compress with UPX, so nothing is wrong with them.)
Why did it fail before, and why does it fail for michael? It's due to the header and 1st section: in most files the 1st section comes right after the header, so 401000,
but here we have 410000, so 64kb not 4kb, and the remaining 60kb is empty. That's why we can't do ReadProcessMemory on the whole image size: the area from 401000 to 410000 isn't allocated, so the API fails and the dump is impossible. It's the same with OllyDump, same bug. The simple solution is to dump the 4kb header but set SizeOfHeaders in the exe to 64kb, and then copy from memory to the dump section by section, and now it works.
Enjoy my first unpacker.
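
Added example (not part of the original post and not the poster's unpacker code): a Python sketch of the section-by-section dump plan described above. It parses PE32 headers, lists the ranges to read one at a time, and reports any hole between the headers and the first section. The helper names and the sample headers are constructed for illustration.

```python
import struct

PAGE = 0x1000  # x86 page size

def align_up(value, boundary=PAGE):
    return (value + boundary - 1) & ~(boundary - 1)

def build_sample_headers(first_rva):
    """Constructed PE32 headers with two sections (illustration only, no real file)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<II", opt, 56, first_rva + 0x2000, 0x400)   # SizeOfImage, SizeOfHeaders
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, rva, 0x1000, 0, 0, 0, 0, 0, 0xE0000020)
        for name, rva in ((b".text", first_rva), (b".rsrc", first_rva + 0x1000)))
    return dos + b"PE\0\0" + coff + bytes(opt) + secs

def dump_plan(hdr):
    """Return (regions, gaps) as RVA ranges: what to read piece by piece, and the holes."""
    pe = struct.unpack_from("<I", hdr, 0x3C)[0]
    if hdr[:2] != b"MZ" or hdr[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", hdr, pe + 6)[0]               # NumberOfSections
    opt_size = struct.unpack_from("<H", hdr, pe + 20)[0]          # SizeOfOptionalHeader
    opt = pe + 24
    size_of_headers = struct.unpack_from("<I", hdr, opt + 60)[0]
    regions = [("headers", 0, align_up(size_of_headers))]
    for i in range(nsec):
        name, vsize, rva = struct.unpack_from("<8sII", hdr, opt + opt_size + 40 * i)
        regions.append((name.rstrip(b"\0").decode(), rva, rva + align_up(vsize)))
    regions.sort(key=lambda r: r[1])
    gaps, end = [], 0
    for _, start, stop in regions:
        if start > end:
            gaps.append((end, start))   # unallocated: a single read across it fails
        end = max(end, stop)
    return regions, gaps

if __name__ == "__main__":
    for first in (0x1000, 0x10000):     # usual layout vs. the 64kb case from the post
        regions, gaps = dump_plan(build_sample_headers(first))
        print(hex(first), [(n, hex(a), hex(b)) for n, a, b in regions],
              [(hex(a), hex(b)) for a, b in gaps])
```

With the first section at RVA 0x10000 the plan reports the hole 0x1000 to 0x10000, which is the 401000 to 410000 range from the post at image base 0x400000; a dumper would read each listed region separately and zero-fill the hole in the output file.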