PESHiELD 0.2c2 Unpacker v1.00 by Unknown One/[TMG]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is my first unpacker for encrypted PE files and I made it to
improve my knowledge on PE files. It is DOS based and supports files
smaller than 60kb (exactly < fa00h bytes).  This limitation is because
I was so lazy to code it in win32asm (next version will be 32-bit and
the file size will be no problem ;) and my unpacker fits in only one
16-bit segment (it is COM file).

PESHiELD v0.2c2 is nearly 2 years old and I didn't found unpacker for
it on the web (many people said that there exist such unpacker but no
one sent it).  The only public unpackers I found for PESHiELDed files
are by G-RoM and Iczelion but they are for different versions.
Iczelion's unpacker supports only the last version (0.25) and I was
inspired by his code to make my unpacker.

Actually I dont know exactly for what version of PESHiELD is the
unpacker I wrote. I downloaded the archive with PE-Shield v0.2 beta 2
39KB from Aaron's (http://aaron.bentium.net/) site and the zip file has
this name: peshield02b2.zip

My unpacker works for files protected only with the version on Aaron's
site, so if it doesn't work with the version you have (0.2 beta2),
please mail me the protector or url where to download it. My e-mail
is: unknone@mail.com

Few words about the unpacker:
It is ungeneric unpacker (load file, decrypt as the PESHiELD layer
will do it, fix PE file and write to file OUT.EXE). Only the version
I got from Aaron's site is supported!

The use of unpacker is easy (no GUI hehe) - write on command line:
  unpes filename.exe
The unpacker read the file and try to decrypt it. If file is protected
with mutliple layers of PESHiELD it will be decrypted fully until
non-PESHiELD layer is reached. The file OUT.EXE will contain the unpacked
file.

The .reloc section is not restored (I failed in my attempts and after
reading Iczelion's docs of v0.25 unpacker I stopped trying). It is
mostly used in .DLL files and on all .EXE files I tested PESHiELD the
unpacker works perfect (except the size limit).

PESHiELD layers are not removed because this protector moves an icon
at it's layer and this requires resource rebuilding (i am too lazy to
do that) because if protector layer is removed, the icon will be
removed too.

The first decryption layer of PESHiELD envelope is mutated a little.
Iczelion's unpacker directly uses the code from PESHiELD which is very
dangerous if his unpacker recognizes different protector ;) I use
different method - emulating. There are only two instructions that are
changed in the decryption code (all registers are mutated) and their
recognition is quite easy (look at the comments).

Finally I want to thank all people who helped me and big thanks go to
Stonehead for his nice program MOW (macro nopper) which done the fake
macros cleaning work (doing that by hand is annoying).

ANAKiN, when the new versions of PESHiELD and PE-PACK will be released? :)

If you have some comments you can mail me at:
unknone@mail.com

Best regards,
Unknown One/[TMG]