Because PECompact has two shelling methods, I also read DiKeN's "PECompact's OEP simple search method", so I want to study it in depth.
This is the result of 98 notepad.exe's PECompact (JCALG1) compression.
0040AB20> EB 06 jmp short NOTEPAD.0040AB28 <= The First Command
0040AB22 68 CC100000 PUSH 10CC <===== this is the RVA address of the program's original OEP
This is the result of 98 notepad.exe's PECompact (aPLib) compression.
0187: 0040AB1F 68EB0668CC push dword CC6806EB <= The First Command
0187: 0040AB24 1000 ADC [EAX], AL
0187: 0040AB26 00C3 add bl, AL
0187: 0040AB28 9C PUSHF
0187: 0040AB29 60 PUSHA
In this way, you cannot use DiKeN's "PECompact's OEP's simple search method" to find the program's OEP.
So I tracked it manually and made a record:
Notepad.exe uses PECompact (JCALG1) to compress
0187: 0040 AAFF 65EB06 jmp short 0040AB08
0187: 0040AB02 68CC100000 push dword 10CC
0187: 0040AB07 C3 RET
0187: 0040AB08 9C PUSHF
0187: 0040AB09 60 PUSHA
0187: 0040AB0A E802000000 CALL 0040AB11 // press F8 here to continue.
0187: 0040AB0F 33C0 xor eax, EAX
0187: 0040AB11 8BC4 mov eax, ESP
0187: 0040AB13 83C004 add eax, BYTE + 04
......
Press F12. Here we are.
0187: 0040AB77 F3A5 REP MOVSD
0187: 0040AB79 8BFB mov edi, EBX
0187: 0040AB7B C3 RET // cursor stops here
0187: 0040AB7C BDCF400000 mov ebp, 40CF
0187: 0040AB81 8BF7 mov esi, EDI
......
Press F12.
0187: 0040D551 68CC104000 push dword 004010CC
0187: 0040D556 C20400 RET 04 // return to OEP!
0187: 0040D559 8BB55B974000 mov esi, [EBP + 0040975B]
Directly Makepe at OEP.
Notepad.exe uses PECompact (aPLib) for compression
0187: 0040AB1F 68EB0668CC push dword CC6806EB
0187: 0040AB24 1000 ADC [EAX], AL
0187: 0040AB26 00C3 add bl, AL
0187: 0040AB28 9C PUSHF
0187: 0040AB29 60 PUSHA
0187: 0040AB2A E802000000 CALL 0040AB31 // After F8 is entered
0187: 0040AB2F 33C0 xor eax, EAX
0187: 0040AB31 8BC4 mov eax, ESP
......
Press F12
0187: 0040AB97 F3A5 REP MOVSD
0187: 0040AB99 8BFB mov edi, EBX
0187: 0040AB9B C3 RET // stop here
0187: 0040AB9C BDCF400000 mov ebp, 40CF
......
Then press F12
0187: 0040D54F 9D POPF
0187: 0040D550 50 PUSH EAX
0187: 0040D551 68CC104000 push dword 004010CC
0187: 0040D556 C20400 RET 04 // return OEP again. Why is it so simple?
Here, I find that programs compressed by PECompact cannot be used even if they are dumped by PROCDUMP or LordPE.
For Dump programs, you must modify the entry address.
I remember that it was illegal to use PROCDUMP to Dump when I took off the PECompact shell. By the way, I used TRW to talk about it. I have a little bit of experience as follows:
Remember to enter Faults on in TRW, and then use PROCDUMP to shell it, And then TRW will jump out.
0187: 004055C3 8B7D10 mov edi, [EBP + 10]
0187: 004055C6 56 PUSH ESI
0187: 004055C7 51 PUSH ECX
0187: 004055C8 ac lodsb // stop here, so the f5.
0187: 004055C9 AE SCASB
0187: 004055CA 750B JNZ 004055D7
0187: 004055CC 803F00 cmp byte [EDI], 00
Then re-run