This topic was archived here:

https://web.archive.org/web/20230000000000fw_/https://www.zenhax.com/viewtopic.php?t=496

Ekey, posted Mon Jan 05, 2015 4:05 pm (2448)

---

I have problem with decompressing one section from EXE. Protector used LZMA compression. Quick structure

Code:

DWORD dwID; // APZP
DWORD dwSize; // Decompressed size > 12857344
DWORD dwZSize; // Compressed data size without header > 2237191

Next wee can see LZMA header like

Code:

5D 00 00 00 01 00 00 00 00 00 00 00 00 05 00 00 00 00

I fixed header to

Code:

5D 00 00 80 00 00 30 C4 00 00 00 00 00 00

Now

Code:

lzma d "2_axZ.section_header_fixed" "3_axZ.section_decompressed"

The problem is that decompressed size less of the size specified in the header => i got after decompress 10624885. But I am sure that the section is not fully unpacked, because dumped from memory variant section size just is ~12800000 -.

Section: here
Victim: here

Any ideas?

aluigi, posted Mon Jan 05, 2015 5:27 pm (2450)

---

I tried using lzma_dynamic and lzma2_dynamic on offset 0xc and various other offsets without luck.
The good thing of lzma_dynamic is that it tries ALL the available lzma modes (all those you see in quickbms.txt) so it should be able to get the working one in any case and without limits of uncompressed size.

Ekey, posted Mon Jan 05, 2015 7:00 pm (2455)

---

comtype scanner give no results... wtf..