Exetools  

  #3  
Old 07-14-2018, 00:25
DavidXanatos
So my progress so far:

With ScyllaHide I could get the application protected with build 5 to start and run despite IDA being attached, although it runs super slowly.

The other application, protected with Obsidium x64 V1.5 build 105 (of which there are 32 and 64 bit versions), however just seems to freeze when I attach IDA :/

Now, as to why I tackle two apps at once: both do the same thing (that is, they allow one to remove components from a Windows installation image). I would like to extract the file/reg key lists for the components in order to make an open source application with similar functionality. Editing images is easy, M$ provides the necessary tools, but knowing which files and registry entries to remove/modify is something that has to be found out. Windows 10 is a mess and I feel like the world needs such a tool to be openly available.

Now to x64dbg, really cool project.
However I couldn't get it to work; when I attach it to any of the 3 exe's I have, it ends up in an exception

Code:
EXCEPTION_DEBUG_INFO:
           dwFirstChance: 0
           ExceptionCode: C0000005 (EXCEPTION_ACCESS_VIOLATION)
          ExceptionFlags: 00000000
        ExceptionAddress: 0000000077112DD5 ntdll.0000000077112DD5
        NumberParameters: 2
ExceptionInformation[00]: 0000000000000001 Write
ExceptionInformation[01]: 0000000076F159C0 <kernel32.BaseThreadInitThunk> Inaccessible Address
Last chance exception on 0000000077112DD5 (C0000005, EXCEPTION_ACCESS_VIOLATION)!
and I can't make it ignore it; in IDA, when the exception hit, I had the option to pass it through to the application and ignore all subsequent exceptions of that type.

In x64dbg I have unchecked all "break on" check boxes in the options and tried adding the last exception to the list of exceptions to be ignored, as well as adding a range of 0-ffffffff, but nothing I tried made it ignore said exception.

Am I missing some option or is that a missing feature?

In x64dbg, in the Scylla window, I found an option to dump the process from memory; that seemed to at least do something. Strangely, making a memory dump with WinHex from either of the apps fails. The dump cannot be started, it crashes; however the dumps can be loaded into IDA, so that's a start.
I also see long lists of reg keys and file paths, but no idea how they belong together.
Also, at least the second (more problematic) app is loading some component lists from the installation image, so to learn how that works it would be good to see it in action.


David X.
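The exception record quoted in the post is a last-chance one (dwFirstChance: 0), and that matters for the "ignore it" question. The following is an added example, not code from the post and not x64dbg, Scylla or IDA code. It parses that EXCEPTION_DEBUG_INFO dump (embedded below as constructed input, copied from the post) and shows the decision a Win32 debugger makes per exception event: a first-chance exception can be handed to the debuggee's own SEH/VEH handlers by replying DBG_EXCEPTION_NOT_HANDLED to ContinueDebugEvent, which is what "pass to application / ignore this type" amounts to; a last-chance exception means those handlers were already offered it and none took it, so the process is terminated if the debugger passes it on again, and replying DBG_CONTINUE only re-executes the faulting instruction. The function names (parse_exception_record, decide_continue_status, debug_loop) and the ignore range (0, 0xFFFFFFFF) mirroring the poster's attempt are this example's own; debug_loop needs Windows (ctypes + kernel32) and is only invoked there when a PID is given on the command line.

```python
"""Win32 debug-event loop sketch: first-chance vs. last-chance exceptions.

Added example (not from the forum post, x64dbg, Scylla or IDA).  The parser
and the policy function are platform independent; debug_loop() is Windows
only and is skipped elsewhere.
"""
import re
import sys

# Win32 constants (winnt.h / minwinbase.h)
EXCEPTION_DEBUG_EVENT = 1
EXIT_PROCESS_DEBUG_EVENT = 5
DBG_CONTINUE = 0x00010002
DBG_EXCEPTION_NOT_HANDLED = 0x80010001
EXCEPTION_BREAKPOINT = 0x80000003
EXCEPTION_ACCESS_VIOLATION = 0xC0000005
INFINITE = 0xFFFFFFFF

# Constructed input: the EXCEPTION_DEBUG_INFO dump quoted in the post above.
SAMPLE_LOG = """\
EXCEPTION_DEBUG_INFO:
           dwFirstChance: 0
           ExceptionCode: C0000005 (EXCEPTION_ACCESS_VIOLATION)
          ExceptionFlags: 00000000
        ExceptionAddress: 0000000077112DD5 ntdll.0000000077112DD5
        NumberParameters: 2
ExceptionInformation[00]: 0000000000000001 Write
ExceptionInformation[01]: 0000000076F159C0 <kernel32.BaseThreadInitThunk> Inaccessible Address
"""

# "<indent>Name: HEX ..." or "<indent>Name[NN]: HEX ..."; trailing text ignored.
_FIELD = re.compile(r"^[ \t]*(\w+)(?:\[(\d+)\])?:[ \t]*([0-9A-Fa-f]+)", re.M)


def parse_exception_record(text):
    """Turn the x64dbg-style dump into a dict of ints (parameters in a list)."""
    rec = {"params": []}
    for name, _idx, val in _FIELD.findall(text):
        if name == "ExceptionInformation":
            rec["params"].append(int(val, 16))
        else:
            rec[name] = int(val, 16)
    return rec


def decide_continue_status(code, first_chance, ignore_ranges):
    """Return (status for ContinueDebugEvent, stop_and_show_user).

    DBG_EXCEPTION_NOT_HANDLED hands the exception to the debuggee's SEH/VEH
    handlers ("pass to application"); DBG_CONTINUE swallows it and resumes
    the thread at the reported address.  A first-chance exception arrives
    before the debuggee's handlers run, so it can be passed through silently.
    dwFirstChance == 0 (last chance) means those handlers already declined
    it: passing it on again lets Windows terminate the process, and
    DBG_CONTINUE just re-executes the faulting instruction, so an ignore
    list for exception codes cannot rescue it.
    """
    ignored = any(lo <= code <= hi for lo, hi in ignore_ranges)
    if first_chance and code == EXCEPTION_BREAKPOINT:
        return DBG_CONTINUE, False            # attach/int3 breakpoint: eat it
    if first_chance:
        return DBG_EXCEPTION_NOT_HANDLED, not ignored
    return DBG_EXCEPTION_NOT_HANDLED, True    # last chance: always stop


def debug_loop(pid, ignore_ranges, log=print):
    """Attach to `pid` and run the event loop until it exits (Windows only)."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.ContinueDebugEvent.argtypes = [wintypes.DWORD] * 3

    class EXCEPTION_RECORD(ctypes.Structure):
        _fields_ = [("ExceptionCode", wintypes.DWORD),
                    ("ExceptionFlags", wintypes.DWORD),
                    ("ExceptionRecord", ctypes.c_void_p),
                    ("ExceptionAddress", ctypes.c_void_p),
                    ("NumberParameters", wintypes.DWORD),
                    ("ExceptionInformation", ctypes.c_void_p * 15)]

    class EXCEPTION_DEBUG_INFO(ctypes.Structure):
        _fields_ = [("ExceptionRecord", EXCEPTION_RECORD),
                    ("dwFirstChance", wintypes.DWORD)]

    class DEBUG_EVENT(ctypes.Structure):      # only the union member we read
        _fields_ = [("dwDebugEventCode", wintypes.DWORD),
                    ("dwProcessId", wintypes.DWORD),
                    ("dwThreadId", wintypes.DWORD),
                    ("u", EXCEPTION_DEBUG_INFO),
                    ("_spare", ctypes.c_byte * 64)]  # room for other members

    if not k32.DebugActiveProcess(pid):
        raise ctypes.WinError(ctypes.get_last_error())
    k32.DebugSetProcessKillOnExit(False)      # detaching must not kill it
    ev = DEBUG_EVENT()
    while k32.WaitForDebugEvent(ctypes.byref(ev), INFINITE):
        status = DBG_CONTINUE
        if ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT:
            r = ev.u.ExceptionRecord
            status, stop = decide_continue_status(
                r.ExceptionCode, ev.u.dwFirstChance != 0, ignore_ranges)
            log("tid %d code %08X at %016X first=%d -> %s%s" % (
                ev.dwThreadId, r.ExceptionCode, r.ExceptionAddress or 0,
                ev.u.dwFirstChance,
                "pass" if status == DBG_EXCEPTION_NOT_HANDLED else "eat",
                " (would stop here)" if stop else ""))
        k32.ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status)
        if ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT:
            break
    k32.DebugActiveProcessStop(pid)


if __name__ == "__main__":
    rec = parse_exception_record(SAMPLE_LOG)
    _, stop = decide_continue_status(
        rec["ExceptionCode"], rec["dwFirstChance"] != 0, [(0, 0xFFFFFFFF)])
    print("quoted record: first_chance=%d -> debugger must stop: %s"
          % (rec["dwFirstChance"], stop))
    if sys.platform == "win32" and len(sys.argv) > 1:
        debug_loop(int(sys.argv[1]), [(0, 0xFFFFFFFF)])
```

Run without arguments on any platform to see the decision for the quoted record; on Windows, pass a PID to attach and watch the first-chance/last-chance sequence live. The practical consequence for a last-chance access violation like the one quoted is that no exception filter helps: the only way past it is to change the thread's state (registers or the target memory) before continuing, or to find and avoid whatever made the write to that address fault in the first place.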