Unpacking problem
 

Tried unpacking Paltalk 5.0.71.494, packed with WWpack32 1.x, used Procdump, but on trying to run the file it wont start.
I found a tut on the net about removing the advertising that loads at startup and shutdown, which was on a slightly earlier version, but they unpacked it successfully with Procdump.
I can find the code to patch in the unpacked version, but the unpacked exe wont run patched or not.
Where do I go from here, I thought this one would be quite straightforward.
Yes, I know it is a pissy chat program, but I only use it to join in on a soccer chatroom for my club in the UK, and those ads are an annoyance.

@ Pompeyfan

here is your file unpacked,
try using Oly with OlyDump,


OEP: 40831E


Best Wishes

R@dier

Thanks, but the file that needs altering is the main Paltalk.exe, I know the Palnet.exe serves up the adds, but what you have to do is delete the Palnet.exe file altogether, then change the code in Paltalk.exe where it gives the error message about not finding Palnet.exe.
I tried manually unpacking Paltalk.exe in Olly, but got lost somewhere along the way.

I'll write some tutorials about unpacking in Ollydbg with the OllyDump plugin, I'm working on one now.

Can you post your file because the version of Paltalk.exe 5.1.73.523
I have is not packed

best Wishes
R@Dier

Okay, here is the main paltalk file, I tried to upload it here twice but it failed, so I've uploaded it to my website, and can be accessed at hxxp://members.optusnet.com.au/~vincewmb/Aussiepompeyfan/Paltalk.rar, certainly shows in Peid as being packed, and you cant see the string references in the packed file, thanks for your help.
Looking forward to the unpacking tut Nilrem:) , it is something I definitely want to learn to master.

I dumped the file at the oep, fixed the import table, The dumped file is working fine for me.

here some info for you

oep=4b30e6
iat rva=C1000
iat length=74c

Hi here is your file unpacked



hxxp://home.graffiti.net/unpacker/paltalk_unpacked.rar

best Wishes

R@dier

Here is a quick rundown

Load into Oly

0063D000 > 53 PUSH EBX
0063D001 55 PUSH EBP
0063D002 8BE8 MOV EBP,EAX <---------------F7 till here
0063D004 33DB XOR EBX,EBX
0063D006 EB 60 JMP SHORT Target.0063D068


goto dump window
Ctrl G enter the value of the esp register
set a breakpoint on hardware access dword on the address in the ESP register

press F9

0063D2CB 5D POP EBP
0063D2CC 5B POP EBX <---- you will stop here
0063D2CD -E9 145EE7FF JMP Target.004B30E6 <---- jump to OEP
0063D2D2 0000 ADD BYTE PTR DS:[EAX],AL

F7 until you hit the oep

004B30E6 55 PUSH EBP <--- OEP
004B30E7 8BEC MOV EBP,ESP
004B30E9 6A FF PUSH -1
004B30EB 68 70444C00 PUSH Target.004C4470
004B30F0 68 4C154B00 PUSH Target.004B154C


Use olydump plugin and enjoy your unpacked program


Best Wishes

R@dier

This forum, and the people here really rock, I really appreciate all your help, I've downloaded all the files, and info you have posted, and I'll go through it all later today:)

Okay, I seem to have trouble unpacking despite your terrific instructions, please see here hxxp://members.optusnet.com.au/~vincewmb/Aussiepompeyfan/Olly.htm on my website for details, can you think where I might have gone wrong?, I really want to learn this unpacking stuff.

You need to use Import Reconstructor to rebuild the headers etc.
hxxp://www.grinders.withernsea.com/tools/imprec_v1.6_final.rar
Now once you have dumped the file from olly (save it has unpacked or whatever just don't have it the exact same name as the programs), now load up imprec, and choose the program from the dropdown list that is running in Olly, now where it says OEP, enter the OEP you found, then click IAT AutoSearch, and then click Get Imports, and finally click Fix Dump and select the file that you dumped in olly (e.g. unpacked.exe).

Hope that helps.

Okay, I'll try that, thought I could either do it in Olly or Imprec, depending whether I leave the option ticked in Olly dump.

Yes you can but Imprec is a lot more reliable then Ollydump at doing that, so dump it again from Olly, but untick the box that says 'Rebuild Import'.

Being that I had the same trouble after unpacking with Procdump, should I have used Imprec after this too?

I don't use ProcDump so I'm not sure, but if you use Ollydump, then imprec that should work.

Okay, that worked a treat with Ollydump and Imprec, and I even rounded the job off with Lordpe, file runs now, so I can go to work on killing the ads.:)