I'll cover the Steps on quick unpacking PEcompact since information on this packer is already available but only because it's an OCX file, I'm composing this tutorial specially for a member "Angel" from TSRh forums. Also I just finished a tutorial on ASPR and unpacking ASPR targets so I'm really pissed off. So lets finish this off quickly.

Unpacking this version of PECompact is similar to ASPACk. So if you get stuck somewhere you may refer my tutorial on ASPACK:

Download: http://grinders.withernsea.com/tutorials/aspack+system_mechanic.rar

There are three sections in the remaining of this tutorial:
1. Changing the Characteristics of OCX With PE Editor
2. Finding the Original Entry point & unpacking the program
3. Dumping our Unpacked target
4. Rebuilding our importable and fixing our ocx.

 

Now Ollydbg will load it as an executable file. But after unpacking you will have to change the Characteristics of the unpacked file back to original.

1106C000 > /EB 06 JMP SHORT PBBalloo.1106C008 <-----You are here
1106C002 |68 04350000 PUSH 3504
1106C007 |C3 RETN
1106C008 \9C PUSHFD
1106C009 60 PUSHAD
1106C00A E8 02000000 CALL PBBalloo.1106C011

Hit F7 key to execute JMP, PUSHFD, PUSHAD till you land at 1106C00A. Now see the value of "ESP = 0012FFA0"" register in the Registers window (Top Right hand side). Click on the ESP register, right click and click follow in dump. In the dump window (Bottom left hand side) you see this:

0012FFA0 E6 17 F5 77 78 17 F5 77 æ õwx õw
0012FFA8 F0 FF 12 00 C0 FF 12 00 ðÿ .Àÿ .

Select the first two bytes in your case. In my case it's "E6 17". It may be different in your case. Now Right click -> Breakpoint -> Hardware, on Access -> Click on "Word". Now hit F9 key once and land here:

1106D54F 9D POPFD <----- You land here
1106D550 50 PUSH EAX
1106D551 68 04350011 PUSH PBBalloo.11003504 <-- Push OEP
1106D556 C2 0400 RETN 4

We are close to the OEP now :-). So hit F7 four times to execute the RETN and land here:

11003504 5A POP EDX ; kernel32.77E814C7 <-- Land on OEP
11003505 68 D0A20511 PUSH PBBalloo.1105A2D0
1100350A 68 D4A20511 PUSH PBBalloo.1105A2D4
1100350F 52 PUSH EDX

If you want you may right click -> Search for -> All reference Text Strings and see all Text strings are decrypted.

So now lets dump the process. Don't close target in Olly and minimize it.

We now have our file dumped.ocx which will not work due to the import table being messed up.
Lets start ImpRec and get the imports.In ImpRec select attached to active process and choose our target program.

In Imprec click on options and refer this figure.

Enter OEP = 11003504 - 11000000 = 00003504

When there are no invalid imports all we have to do now is fix our dumped.ocx. Click on Fix Dump and select our dumped.ocx and we are done.
Our Dump will be saved as dumped_.ocx

Note: If you did not set that option "Fix EP to OEP" in Imprec, then you will have to use PE Editor to change the EP (Entry Point) to "00003504"

Finally open dumped_.ocx in LordPE and use PE Editor to change the characteristics back to 210E

You can test the unpacked OCX by downloading the full program and replacing the packed one with the unpacked OCX. Rename "dumped_.ocx" to "PBBalloon1.ocx"

Download Full Program: http://www.pablob.net/Products/PBBalloon/index.asp

Have fun, bye !

Still awake?!? As usual we try to summarize what we learnt during this tutorial..hope at least one of the points were new for you :)

1. Change characteristics of non-executable files like "ocx, dll etc" to that of executable files for unpacking and debugging with Ollydbg.

[MAIN TEAM]
| Nilrem | Enforcer | Ferrari | Pompeyfan(ex-member) | MaDMAn_H3rCuL3s | EJ12N | Kruger |
Shub-Nigurrath | Jdog45 |

[TRIAL MEMBERS]
| R@Dier |

*****************************

Exetools | Woodmann | VCT | TSRh | Sir JMI | SatyricOn | LaBBa | R@dier | Britedream | MarKuS-DJM | Hacnho | cl0ud (Mephisto) | Zest | Hobgoblin | Peroquin | GlObaL | Everyone we missed & you
Thanks to the authors of ASPR, Ollydbg, LordPE, Imprec, PEiD and PBBalloon
 

[^~=~ (.) Ferrari (.) ~=~^]