Hi,
I am basically having the same problem with two files protected with PeCompact as referenced in this thread:
Quote:
http://forum.exetools.com/showthread.php?t=12459&highlight=peCompact
In both files there are only two sections .text and .rsrc.
For one of the programs in question, I could get from the peHeader the actual VirtualSize for the Code Section as 16D800 and for the Data Section as 167000.
What I need to do is to edit the peHeader correctly to 3 sections (i.e. split the code section into code and data sections) when the program is at the OEP before dumping.
I am, however, having problems modifying the peHeader in Olly correctly before the dump. Both LordPE and OllyDump then still see only the two sections .text and .rsrc.
This is the peHeader of one of the programs:
Code:
004000F8 50 45 00 00>ASCII "PE" ; PE signature (PE)
004000FC 4C01 DW 014C ; Machine = IMAGE_FILE_MACHINE_I386
004000FE 0200 DW 0002 ; NumberOfSections = 2
00400100 F7AA9651 DD 5196AAF7 ; TimeDateStamp = 5196AAF7
00400104 00000000 DD 00000000 ; PointerToSymbolTable = 0
00400108 00000000 DD 00000000 ; NumberOfSymbols = 0
0040010C E000 DW 00E0 ; SizeOfOptionalHeader = E0 (224.)
0040010E 030D DW 0D03 ; Characteristics = EXECUTABLE_IMAGE|RUN_FROM_SWAP|32BIT_MACHINE|RELOCS_STRIPPED|800
00400110 0B01 DW 010B ; MagicNumber = PE32
00400112 09 DB 09 ; MajorLinkerVersion = 9
00400113 00 DB 00 ; MinorLinkerVersion = 0
00400114 00D81600 DD 0016D800 ; SizeOfCode = 16D800 (1497088.)
00400118 007C1600 DD 00167C00 ; SizeOfInitializedData = 167C00 (1473536.)
0040011C 00000000 DD 00000000 ; SizeOfUninitializedData = 0
00400120 00100000 DD 00001000 ; AddressOfEntryPoint = 1000
00400124 00100000 DD 00001000 ; BaseOfCode = 1000
00400128 00F01600 DD 0016F000 ; BaseOfData = 16F000
0040012C 00004000 DD 00400000 ; ImageBase = 400000
00400130 00100000 DD 00001000 ; SectionAlignment = 1000
00400134 00020000 DD 00000200 ; FileAlignment = 200
00400138 0500 DW 0005 ; MajorOSVersion = 5
0040013A 0000 DW 0000 ; MinorOSVersion = 0
0040013C 0000 DW 0000 ; MajorImageVersion = 0
0040013E 0000 DW 0000 ; MinorImageVersion = 0
00400140 0500 DW 0005 ; MajorSubsystemVersion = 5
00400142 0000 DW 0000 ; MinorSubsystemVersion = 0
00400144 00000000 DD 00000000 ; Reserved
00400148 00802E00 DD 002E8000 ; SizeOfImage = 2E8000 (3047424.)
0040014C 00040000 DD 00000400 ; SizeOfHeaders = 400 (1024.)
00400150 6B220C00 DD 000C226B ; CheckSum = C226B
00400154 0200 DW 0002 ; Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
00400156 0080 DW 8000 ; DLLCharacteristics = 8000
00400158 00001000 DD 00100000 ; SizeOfStackReserve = 100000 (1048576.)
0040015C 00100000 DD 00001000 ; SizeOfStackCommit = 1000 (4096.)
00400160 00001000 DD 00100000 ; SizeOfHeapReserve = 100000 (1048576.)
00400164 00100000 DD 00001000 ; SizeOfHeapCommit = 1000 (4096.)
00400168 00000000 DD 00000000 ; LoaderFlags = 0
0040016C 10000000 DD 00000010 ; NumberOfRvaAndSizes = 10 (16.)
00400170 00000000 DD 00000000 ; Export Table address = 0
00400174 00000000 DD 00000000 ; Export Table size = 0
00400178 00381E00 DD 001E3800 ; Import Table address = 1E3800
0040017C B4030000 DD 000003B4 ; Import Table size = 3B4 (948.)
00400180 00E02D00 DD 002DE000 ; Resource Table address = 2DE000
00400184 8D7E0000 DD 00007E8D ; Resource Table size = 7E8D (32397.)
00400188 00000000 DD 00000000 ; Exception Table address = 0
0040018C 00000000 DD 00000000 ; Exception Table size = 0
00400190 00760B00 DD 000B7600 ; Certificate File pointer = B7600
00400194 28190000 DD 00001928 ; Certificate Table size = 1928 (6440.)
00400198 00000000 DD 00000000 ; Relocation Table address = 0
0040019C 00000000 DD 00000000 ; Relocation Table size = 0
004001A0 70FA1600 DD 0016FA70 ; Debug Data address = 16FA70
004001A4 1C000000 DD 0000001C ; Debug Data size = 1C (28.)
004001A8 00000000 DD 00000000 ; Architecture Data address = 0
004001AC 00000000 DD 00000000 ; Architecture Data size = 0
004001B0 00000000 DD 00000000 ; Global Ptr address = 0
004001B4 00000000 DD 00000000 ; Must be 0
004001B8 00000000 DD 00000000 ; TLS Table address = 0
004001BC 00000000 DD 00000000 ; TLS Table size = 0
004001C0 00000000 DD 00000000 ; Load Config Table address = 0
004001C4 00000000 DD 00000000 ; Load Config Table size = 0
004001C8 00000000 DD 00000000 ; Bound Import Table address = 0
004001CC 00000000 DD 00000000 ; Bound Import Table size = 0
004001D0 00000000 DD 00000000 ; Import Address Table address = 0
004001D4 00000000 DD 00000000 ; Import Address Table size = 0
004001D8 50371E00 DD 001E3750 ; Delay Import Descriptor address = 1E3750
004001DC 40000000 DD 00000040 ; Delay Import Descriptor size = 40 (64.)
004001E0 00000000 DD 00000000 ; COM+ Runtime Header address = 0
004001E4 00000000 DD 00000000 ; Import Address Table size = 0
004001E8 00000000 DD 00000000 ; Reserved
004001EC 00000000 DD 00000000 ; Reserved
004001F0 2E 74 65 78>ASCII ".text" ; SECTION <-------------Need to split this section and align properly to .text and .rdata
004001F8 00D02D00 DD 002DD000 ; VirtualSize = 2DD000 (3002368.) <----------(Code+Data)
004001FC 00100000 DD 00001000 ; VirtualAddress = 1000
00400200 00E00A00 DD 000AE000 ; SizeOfRawData = AE000 (712704.)
00400204 00040000 DD 00000400 ; PointerToRawData = 400
00400208 50454332 DD 32434550 ; PointerToRelocations = 32434550
0040020C 544F0000 DD 00004F54 ; PointerToLineNumbers = 4F54
00400210 0000 DW 0000 ; NumberOfRelocations = 0
00400212 0000 DW 0000 ; NumberOfLineNumbers = 0
00400214 20000060 DD 60000020 ; Characteristics = CODE|EXECUTE|READ
00400218 2E 72 73 72>ASCII ".rsrc" ; SECTION
00400220 00A00000 DD 0000A000 ; VirtualSize = A000 (40960.)
00400224 00E02D00 DD 002DE000 ; VirtualAddress = 2DE000
00400228 00920000 DD 00009200 ; SizeOfRawData = 9200 (37376.)
0040022C 00E40A00 DD 000AE400 ; PointerToRawData = AE400
00400230 00000000 DD 00000000 ; PointerToRelocations = 0
00400234 00000000 DD 00000000 ; PointerToLineNumbers = 0
00400238 0000 DW 0000 ; NumberOfRelocations = 0
0040023A 0000 DW 0000 ; NumberOfLineNumbers = 0
0040023C 200000E0 DD E0000020 ; Characteristics = CODE|EXECUTE|READ|WRITE
Any suggestion is appreciated.
Thanks TemPoMat
PS: I know there are universal unpackers in the wild, like Nacho_dj's Unpacker_PeCompact, which successfully unpack this particular file.
The resulting size of the file is approx. 1MB larger than my manually unpacked one. This is however not the topic here.
I am interested in manually unpacking and properly fixing the unpacked file to get rid of the "R6002 floating point error", which according to many sources on the internet is related in this case to the wrong characteristics of the .rdata section, which is totally missing, or rather hidden, in the code section.
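A worked example of the header edit described above, added here and not part of the post, of PeCompact or of the OllyDbg/LordPE tooling: it parses the section table, splits entry 0 at an RVA, inserts a new IMAGE_SECTION_HEADER behind it, shifts the remaining entries and bumps NumberOfSections. The input is a constructed 0x400-byte header filled with the values shown in the post; the split RVA 16F000 (taken from BaseOfData), the name .rdata and its INITIALIZED_DATA|READ characteristics are assumptions, not something the post states.

```python
"""Split one IMAGE_SECTION_HEADER into two (added example, not the poster's code; assumes a PE32 image laid out as in the post)."""
import struct

SECT_FMT = "<8sIIIIIIHHI"              # IMAGE_SECTION_HEADER, 40 bytes
SECT_SIZE = struct.calcsize(SECT_FMT)
SCN_IDATA, SCN_READ = 0x40, 0x40000000   # IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

def read_sections(img, pe_off):
    nsec = struct.unpack_from("<H", img, pe_off + 6)[0]                 # NumberOfSections
    tab = pe_off + 24 + struct.unpack_from("<H", img, pe_off + 20)[0]   # skip SizeOfOptionalHeader
    return [struct.unpack_from(SECT_FMT, img, tab + i * SECT_SIZE) for i in range(nsec)]

def split_section(img, pe_off, idx, split_rva, new_name, new_chars):
    """Section idx keeps [VA, split_rva); a new entry takes the rest. Raw data is divided at the
    same offset as far as it reaches (a packed file has less raw data than the unpacked image, so
    the new entry may get 0 raw bytes). Reloc/linenumber fields (the 'PEC2TO' marker) are zeroed."""
    out = bytearray(img)
    if out[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature at pe_off")
    nsec = struct.unpack_from("<H", out, pe_off + 6)[0]
    opt = pe_off + 24
    tab = opt + struct.unpack_from("<H", out, pe_off + 20)[0]
    sec_align, hdr_size = (struct.unpack_from("<I", out, opt + o)[0] for o in (32, 60))
    if tab + (nsec + 1) * SECT_SIZE > hdr_size:
        raise ValueError("no room for another entry below SizeOfHeaders")
    off = tab + idx * SECT_SIZE
    name, vsize, va, rsize, rptr, *_, chars = struct.unpack_from(SECT_FMT, out, off)
    if not va < split_rva < va + vsize or split_rva % sec_align:
        raise ValueError("split_rva must lie inside the section and be section-aligned")
    first_v, first_r = split_rva - va, min(split_rva - va, rsize)
    # shift the following entries one slot down, then write both halves
    out[off + 2 * SECT_SIZE:tab + (nsec + 1) * SECT_SIZE] = out[off + SECT_SIZE:tab + nsec * SECT_SIZE]
    struct.pack_into(SECT_FMT, out, off, name, first_v, va, first_r, rptr, 0, 0, 0, 0, chars)
    struct.pack_into(SECT_FMT, out, off + SECT_SIZE, new_name, vsize - first_v, split_rva,
                     rsize - first_r, rptr + first_r, 0, 0, 0, 0, new_chars)
    struct.pack_into("<H", out, pe_off + 6, nsec + 1)
    return out

def build_sample():
    """Constructed 0x400-byte header filled with the values shown in the post (not a real file)."""
    img, pe = bytearray(0x400), 0xF8
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 2, 0x5196AAF7, 0, 0, 0xE0, 0x0D03)
    opt = pe + 24
    struct.pack_into("<HBBIII", img, opt, 0x10B, 9, 0, 0x16D800, 0x167C00, 0)
    struct.pack_into("<IIIIII", img, opt + 16, 0x1000, 0x1000, 0x16F000, 0x400000, 0x1000, 0x200)
    struct.pack_into("<II", img, opt + 56, 0x2E8000, 0x400)       # SizeOfImage, SizeOfHeaders
    struct.pack_into(SECT_FMT, img, opt + 0xE0, b".text", 0x2DD000, 0x1000, 0xAE000, 0x400, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECT_FMT, img, opt + 0xE0 + SECT_SIZE, b".rsrc", 0xA000, 0x2DE000, 0x9200, 0xAE400, 0, 0, 0, 0, 0xE0000020)
    return img
```

Calling `split_section(build_sample(), 0xF8, 0, 0x16F000, b".rdata", SCN_IDATA | SCN_READ)` yields three entries: .text with VirtualSize 16E000, .rdata at 16F000 with VirtualSize 16F000 and characteristics 40000040, and .rsrc unchanged.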