Unpacking method exhaustive list


Analysis work by G-RoM.
Some tests were done by the Beta Team of course ;).

Default options (check the docs).

-------------------------------------------------------------------------
Name             Method    Options                Section to remove after
-------------------------------------------------------------------------
BJFNT 1.x      *unknown*   Create new import.     Last one.
                           Do not recompute obj.
-------------------------------------------------------------------------
ENC 0.1         Standard   Do not recompute obj.
-------------------------------------------------------------------------
HASIUK used      HASIUK    Default                None
by Activision   /NeoLite
-------------------------------------------------------------------------
LOUIS Cryptor   Standard   Default                Last section
                           Do not recompute obj.
-------------------------------------------------------------------------
Manolo           Manolo    Rebuild Import Table   .manolo section
-------------------------------------------------------------------------
NeoLite x.xx     HASIUK    Default                None
                /NeoLite
-------------------------------------------------------------------------
PECRYPT32         none                            Depends on version
-------------------------------------------------------------------------
PELOAD          Standard   Do not recompute obj.  .peload section
-------------------------------------------------------------------------
PELOCK            none                            Last one
-------------------------------------------------------------------------
PEPACK           PEPack    Rebuild Import Table   PEPACK!! section
-------------------------------------------------------------------------
PESHiELD <0.2   PESHiELD   Do not recompute obj.  ANAKIN98 section
-------------------------------------------------------------------------
Petite           Petite    Default                .petite section
-------------------------------------------------------------------------
Petite          Petite 2   Create new import.     .petite section
                           You will need to fix
                           the reloc pointer too.
-------------------------------------------------------------------------
Securom         Standard   Original CD required.  Better not touch ;)
                           Do not recompute obj.
-------------------------------------------------------------------------
Shrinker 3.2   Shrinker32  Ignore Faults          .load object at least
                           Rebuild Import Table
-------------------------------------------------------------------------
Shrinker 3.3   Shrinker33  Do not recompute obj.  None
                           Rebuild Import Table
-------------------------------------------------------------------------
STNPE 1.xx      Standard   Do not recompute obj.
-------------------------------------------------------------------------
TimeLock 3.x      Vbox     Create new import      WeiJunLi section
               std/Dialog  Ignore Faults
-------------------------------------------------------------------------
VBox            Vbox Std   Create new import      WeiJunLi section
                           Ignore Faults
                           Do not recompute obj.
-------------------------------------------------------------------------
VBox with TRY     Vbox     Create new import      WeiJunLi section
    dialog       Dialog    Ignore Faults
                           Do not recompute obj.
-------------------------------------------------------------------------
WWPack32<1.10  WWPACK32 I  Default                .WWP32 section
-------------------------------------------------------------------------
WWPack32 1.10  WWPACK32 II Default                .WWP32 section
-------------------------------------------------------------------------
WWPack32 1.11  WWPACK32 I  Default                .WWP32 section
-------------------------------------------------------------------------


FOR VBOX: validate the TRY button first, THEN validate OK in ProcDump32.
          The application must be completely unwrapped ;).

NOTE: The "Do not recompute obj" option is not strictly necessary: you can
      leave it checked, it only affects the size of the produced PE. Indeed,
      cryptors leave the object sizes untouched.

  For an unknown packer, try the Standard unpacker before the *unknown* one:
the method of returning to the original code that it handles is used by many
cryptors / packers. If it fails, or <sigh!> hangs, then use the unknown
unpacker AND please note the value displayed if the unpack was successful.
This address is where the return to the original code is done. Subtract the
IMAGEBASE and the OBJECT LOADER RVA from this address and you know where to
set the BPX. If you don't understand what I say, study the PE format ;).
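As an added example (not part of G-RoM's notes or of ProcDump32 itself), the subtraction above carried through in Python over a constructed section table: it maps the displayed return address to the object containing it, the offset inside that object, and the matching raw file offset in the dump. IMAGE_BASE, SECTIONS and locate_bpx are assumed names and sample values, not taken from the text.

```python
# Added example: turn the address ProcDump32 displays after an *unknown*
# unpack into an offset inside the loader object, as the note describes.
# The image base and section table below are constructed sample data.

IMAGE_BASE = 0x00400000  # constructed: the usual Win32 PE image base

# Constructed section table: (name, VirtualAddress RVA, VirtualSize, PointerToRawData)
SECTIONS = [
    (".text",   0x1000, 0x3000, 0x0400),
    (".data",   0x4000, 0x1000, 0x3400),
    (".loader", 0x5000, 0x0800, 0x4400),  # the packer's object, appended last
]


def find_section(rva, sections):
    """Return the section tuple whose virtual range contains rva, or None."""
    for sec in sections:
        _name, va, vsize, _raw = sec
        if va <= rva < va + vsize:
            return sec
    return None


def locate_bpx(displayed_va, image_base, sections):
    """Map the displayed VA to (section name, offset in section, raw file offset).

    offset = displayed_va - image_base - section RVA, i.e. the note's subtraction
    of IMAGEBASE and OBJECT LOADER RVA; the raw offset lets you find the same
    bytes in the dumped file.
    """
    rva = displayed_va - image_base
    sec = find_section(rva, sections)
    if sec is None:
        raise ValueError(f"RVA {rva:#x} is not inside any section")
    name, sec_rva, _vsize, raw_ptr = sec
    offset = rva - sec_rva
    return name, offset, raw_ptr + offset


if __name__ == "__main__":
    name, off, raw = locate_bpx(0x00405120, IMAGE_BASE, SECTIONS)
    print(f"BPX in {name} at object offset {off:#x} (raw file offset {raw:#x})")
```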

Packers/Protectors tested but not working (yet?):


  PECRYPT32 : Ahem... I talked a lot with Random and told him many tips,
   like how my import detection works, etc... Moreover there are several
   MTEs in the code and some IDT manipulations which prevent the loader
   from being traced completely. I personally tested a trace of 10 MILLION
   lines, with an access violation error at the end. IN CONCLUSION: you
   can't trace it using ProcDump... At least you can analyze a dump.
   Full support for PECRYPT32 will be done one day.... when I get or
   write a fully featured tracer, or maybe if a crazy guy tries to do
   it with the script language ;).

  PELock   : It contains code that detects the debug API; support for
   it will come with the Ring 0 Tracer.

  PESHiELD 0.2 : Well, I can't test it much because it is quite
   incompatible with Win98. But support for it will come with the Ring 0
   Tracer too.

 Generally, always prefer the specific unpackers/deprotectors because they
 handle the PE perfectly and restore it to its EXACT state before protection.

Final Words:


If you wrote a script to support a packer/protector, send it to me.
If you have a cryptor/pecryptor I don't have... send it too ;)

Good Luck.
